envoyproxy · wrowe · Jul 22, 2021 · Dec 9, 2020 · Dec 13, 2020 · Dec 13, 2020
diff --git a/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto
@@ -52,7 +52,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //       cache_duration:
 //         seconds: 300
 //
-// [#next-free-field: 11]
+// [#next-free-field: 12]
 message JwtProvider {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
@@ -211,6 +211,16 @@ message JwtProvider {
   // Specify the clock skew in seconds when verifying JWT time constraint,
   // such as `exp`, and `nbf`. If not specified, default is 60 seconds.
   uint32 clock_skew_seconds = 10;
+
+  // Enables JWT cache, its size is specified by *jwt_cache_size*.
+  // Only valid JWT tokens are cached.
+  JwtCacheConfig jwt_cache_config = 11;
+}
+
+// This message specifies JWT Cache configuration.
+message JwtCacheConfig {
+  // The unit is number of JWT tokens, default to 100.
+  uint32 jwt_cache_size = 1;
 }
 
 // This message specifies how to fetch JWKS from remote and how to cache it.

diff --git a/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/api/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
@@ -880,6 +880,11 @@ def _com_github_google_jwt_verify():
         actual = "@com_github_google_jwt_verify//:jwt_verify_lib",
     )
 
+    native.bind(
+        name = "simple_lru_cache_lib",
+        actual = "@com_github_google_jwt_verify//:simple_lru_cache_lib",
+    )
+
 def _com_github_luajit_luajit():
     external_http_archive(
         name = "com_github_luajit_luajit",

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -467,13 +467,13 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "jwt_verify_lib",
         project_desc = "JWT verification library for C++",
         project_url = "https://github.com/google/jwt_verify_lib",
-        version = "28efec2e4df1072db0ed03597591360ec9f80aac",
-        sha256 = "7a5c35b7cbf633398503ae12cad8c2833e92b3a796eed68b6256d22d51ace5e1",
+        version = "e5d6cf7067495b0868787e1fd1e75cef3242a840",
+        sha256 = "0d294dc8697049a0d7f2aaa81d08713fea581061c5359d6edb229b3e7c6cf58e",
         strip_prefix = "jwt_verify_lib-{version}",
         urls = ["https://github.com/google/jwt_verify_lib/archive/{version}.tar.gz"],
         use_category = ["dataplane_ext"],
         extensions = ["envoy.filters.http.jwt_authn"],
-        release_date = "2020-11-05",
+        release_date = "2021-03-05",
         cpe = "N/A",
     ),
     com_github_nodejs_http_parser = dict(

diff --git a/docs/root/configuration/http/http_filters/jwt_authn_filter.rst b/docs/root/configuration/http/http_filters/jwt_authn_filter.rst
@@ -41,6 +41,7 @@ JwtProvider
 * *from_headers*: extract JWT from HTTP headers.
 * *from_params*: extract JWT from query parameters.
 * *forward_payload_header*: forward the JWT payload in the specified HTTP header.
+* *jwt_cache_config*: Enables JWT cache, its size can be specified by *jwt_cache_size*. Only valid JWT tokens are cached.
 
 Default Extract Location
 ~~~~~~~~~~~~~~~~~~~~~~~~

diff --git a/docs/root/version_history/current.rst b/docs/root/version_history/current.rst
@@ -105,6 +105,7 @@ New Features
 * http: added the ability to :ref:`unescape slash sequences <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.path_with_escaped_slashes_action>` in the path. Requests with unescaped slashes can be proxied, rejected or redirected to the new unescaped path. By default this feature is disabled. The default behavior can be overridden through :ref:`http_connection_manager.path_with_escaped_slashes_action<config_http_conn_man_runtime_path_with_escaped_slashes_action>` runtime variable. This action can be selectively enabled for a portion of requests by setting the :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling<config_http_conn_man_runtime_path_with_escaped_slashes_action_enabled>` runtime variable.
 * http: added upstream and downstream alpha HTTP/3 support! See :ref:`quic_options <envoy_v3_api_field_config.listener.v3.UdpListenerConfig.quic_options>` for downstream and the new http3_protocol_options in :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` for upstream HTTP/3.
 * input matcher: a new input matcher that :ref:`matches an IP address against a list of CIDR ranges <envoy_v3_api_file_envoy/extensions/matching/input_matchers/ip/v3/ip.proto>`.
+* jwt_authn: added support for :ref:`Jwt Cache <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.jwt_cache_config>` and its size can be specified by :ref:`jwt_cache_size <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtCacheConfig.jwt_cache_size>`.
 * jwt_authn: added support to fetch remote jwks asynchronously specified by :ref:`async_fetch <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.RemoteJwks.async_fetch>`.
 * listener: added ability to change an existing listener's address.
 * local_rate_limit_filter: added suppoort for locally rate limiting http requests on a per connection basis. This can be enabled by setting the :ref:`local_rate_limit_per_downstream_connection <envoy_v3_api_field_extensions.filters.http.local_ratelimit.v3.LocalRateLimit.local_rate_limit_per_downstream_connection>` field to true.

diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v3/config.proto
diff --git a/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto b/generated_api_shadow/envoy/extensions/filters/http/jwt_authn/v4alpha/config.proto
@@ -56,6 +56,7 @@ envoy_cc_library(
     ],
     deps = [
         "jwks_async_fetcher_lib",
+        ":jwt_cache_lib",
         "//source/common/config:datasource_lib",
         "@envoy_api//envoy/extensions/filters/http/jwt_authn/v3:pkg_cc_proto",
     ],
@@ -143,3 +144,17 @@ envoy_cc_library(
         "@envoy_api//envoy/extensions/filters/http/jwt_authn/v3:pkg_cc_proto",
     ],
 )
+
+envoy_cc_library(
+    name = "jwt_cache_lib",
+    srcs = ["jwt_cache.cc"],
+    hdrs = ["jwt_cache.h"],
+    external_deps = [
+        "jwt_verify_lib",
+        "simple_lru_cache_lib",
+    ],
+    deps = [
+        "//source/common/protobuf:utility_lib",
+        "@envoy_api//envoy/extensions/filters/http/jwt_authn/v3:pkg_cc_proto",
+    ],
+)
@@ -57,6 +57,9 @@ class AuthenticatorImpl : public Logger::Loggable<Logger::Id::jwt>,
   // Verify with a specific public key.
   void verifyKey();
 
+  // Handle Good Jwt either Cache JWT or verified public key.
+  void handleGoodJwt(bool cache_hit);
+
   // Calls the callback with status.
   void doneWithStatus(const Status& status);
 
@@ -79,10 +82,9 @@ class AuthenticatorImpl : public Logger::Loggable<Logger::Id::jwt>,
   std::vector<JwtLocationConstPtr> tokens_;
   JwtLocationConstPtr curr_token_;
   // The JWT object.
-  std::unique_ptr<::google::jwt_verify::Jwt> jwt_;
+  std::unique_ptr<::google::jwt_verify::Jwt> new_jwt_;
   // The JWKS data object
   JwksCache::JwksData* jwks_data_{};
-
   // The HTTP request headers
   Http::HeaderMap* headers_{};
   // The active span for the request
@@ -98,6 +100,7 @@ class AuthenticatorImpl : public Logger::Loggable<Logger::Id::jwt>,
   const bool is_allow_failed_;
   const bool is_allow_missing_;
   TimeSource& time_source_;
+  ::google::jwt_verify::Jwt* jwt_{};
 };
 
 std::string AuthenticatorImpl::name() const {
@@ -139,9 +142,20 @@ void AuthenticatorImpl::startVerify() {
   curr_token_ = std::move(tokens_.back());
   tokens_.pop_back();
 
-  jwt_ = std::make_unique<::google::jwt_verify::Jwt>();
+  if (provider_) {
+    jwks_data_ = jwks_cache_.findByProvider(provider_.value());
+    jwt_ = jwks_data_->getJwtCache().lookup(curr_token_->token());
+    if (jwt_) {
+      handleGoodJwt(/*cache_hit=*/true);
+      return;
+    }
+  }
+
   ENVOY_LOG(debug, "{}: Parse Jwt {}", name(), curr_token_->token());
-  Status status = jwt_->parseFromString(curr_token_->token());
+  new_jwt_ = std::make_unique<::google::jwt_verify::Jwt>();
+  Status status = new_jwt_->parseFromString(curr_token_->token());
+  jwt_ = new_jwt_.get();
+
   if (status != Status::Ok) {
     doneWithStatus(status);
     return;
@@ -156,9 +170,10 @@ void AuthenticatorImpl::startVerify() {
     }
   }
 
-  // Check the issuer is configured or not.
-  jwks_data_ = provider_ ? jwks_cache_.findByProvider(provider_.value())
-                         : jwks_cache_.findByIssuer(jwt_->iss_);
+  // Issuer is configured
+  if (!provider_) {
+    jwks_data_ = jwks_cache_.findByIssuer(jwt_->iss_);
+  }
   // When `provider` is valid, findByProvider should never return nullptr.
   // Only when `allow_missing` or `allow_failed` is used, `provider` is invalid,
   // and this authenticator is checking tokens from all providers. In this case,
@@ -199,6 +214,7 @@ void AuthenticatorImpl::startVerify() {
     // the key cached, if we do proceed to verify else try a new JWKS retrieval.
     // JWTs without a kid header field in the JWS we might be best to get each
     // time? This all only matters for remote JWKS.
+
     verifyKey();
     return;
   }
@@ -245,11 +261,15 @@ void AuthenticatorImpl::onDestroy() {
 void AuthenticatorImpl::verifyKey() {
   const Status status =
       ::google::jwt_verify::verifyJwtWithoutTimeChecking(*jwt_, *jwks_data_->getJwksObj());
+
   if (status != Status::Ok) {
     doneWithStatus(status);
     return;
   }
+  handleGoodJwt(/*cache_hit=*/false);
+}
 
+void AuthenticatorImpl::handleGoodJwt(bool cache_hit) {
   // Forward the payload
   const auto& provider = jwks_data_->getJwtProvider();
   if (!provider.forward_payload_header().empty()) {
@@ -265,7 +285,10 @@ void AuthenticatorImpl::verifyKey() {
   if (set_payload_cb_ && !provider.payload_in_metadata().empty()) {
     set_payload_cb_(provider.payload_in_metadata(), jwt_->payload_pb_);
   }
-
+  if (provider_ && !cache_hit) {
+    // move the ownership of "new_jwt_" into the function.
+    jwks_data_->getJwtCache().insert(curr_token_->token(), std::move(new_jwt_));
+  }
   doneWithStatus(Status::Ok);
 }
 
@@ -292,6 +315,7 @@ void AuthenticatorImpl::doneWithStatus(const Status& status) {
     callback_ = nullptr;
     return;
   }
+
   startVerify();
 }
 

@@ -4,6 +4,7 @@
 
 #include "source/extensions/filters/http/jwt_authn/extractor.h"
 #include "source/extensions/filters/http/jwt_authn/jwks_cache.h"
+#include "source/extensions/filters/http/jwt_authn/jwt_cache.h"
 
 #include "jwt_verify_lib/check_audience.h"
 #include "jwt_verify_lib/status.h"

@@ -1,6 +1,7 @@
 #include "source/extensions/filters/http/jwt_authn/jwks_cache.h"
 
 #include <chrono>
+#include <memory>
 
 #include "envoy/common/time.h"
 #include "envoy/extensions/filters/http/jwt_authn/v3/config.pb.h"
@@ -34,8 +35,11 @@ class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable<Logger:
       audiences.push_back(aud);
     }
     audiences_ = std::make_unique<::google::jwt_verify::CheckAudience>(audiences);
-
-    tls_.set([](Envoy::Event::Dispatcher&) { return std::make_shared<ThreadLocalCache>(); });
+    bool enable_jwt_cache = jwt_provider_.has_jwt_cache_config();
+    const auto& config = jwt_provider_.jwt_cache_config();
+    tls_.set([enable_jwt_cache, config](Envoy::Event::Dispatcher& dispatcher) {
+      return std::make_shared<ThreadLocalCache>(enable_jwt_cache, config, dispatcher.timeSource());
+    });
 
     const auto inline_jwks =
         Config::DataSource::read(jwt_provider_.local_jwks(), true, context.api());
@@ -77,10 +81,19 @@ class JwksDataImpl : public JwksCache::JwksData, public Logger::Loggable<Logger:
     return shared_jwks.get();
   }
 
+  JwtCache& getJwtCache() override { return *tls_->jwt_cache_; }
+
 private:
   struct ThreadLocalCache : public ThreadLocal::ThreadLocalObject {
+    ThreadLocalCache(bool enable_jwt_cache,
+                     const envoy::extensions::filters::http::jwt_authn::v3::JwtCacheConfig& config,
+                     TimeSource& time_source)
+        : jwt_cache_(JwtCache::create(enable_jwt_cache, config, time_source)) {}
+
     // The jwks object.
     JwksConstSharedPtr jwks_;
+    // The JwtCache object
+    const JwtCachePtr jwt_cache_;
     // The pubkey expiration time.
     MonotonicTime expire_;
   };

@@ -1,5 +1,7 @@
 #pragma once
 
+#include <memory>
+
 #include "envoy/api/api.h"
 #include "envoy/common/pure.h"
 #include "envoy/common/time.h"
@@ -8,6 +10,7 @@
 
 #include "source/extensions/filters/http/common/jwks_fetcher.h"
 #include "source/extensions/filters/http/jwt_authn/jwks_async_fetcher.h"
+#include "source/extensions/filters/http/jwt_authn/jwt_cache.h"
 #include "source/extensions/filters/http/jwt_authn/stats.h"
 
 #include "jwt_verify_lib/jwks.h"
@@ -65,6 +68,9 @@ class JwksCache {
 
     // Set a remote Jwks.
     virtual const ::google::jwt_verify::Jwks* setRemoteJwks(JwksConstPtr&& jwks) PURE;
+
+    // Get Token Cache
+    virtual JwtCache& getJwtCache() PURE;
   };
 
   // Lookup issuer cache map. The cache only stores Jwks specified in the config.