Skip to content

Commit ed2def1

Browse files
stgraberstgraber
authored
Merge pull request #1515 from breml/fga-online-data-race
incusd/auth: fix FGA online data race
2 parents eb1d537 + 465af0b commit ed2def1

File tree

1 file changed

+11
-3
lines changed

1 file changed

+11
-3
lines changed

internal/server/auth/driver_openfga.go

+11-3
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,7 @@ import (
66
"fmt"
77
"net/http"
88
"slices"
9+
"sync"
910
"time"
1011

1112
openfga "github.com/openfga/go-sdk"
@@ -26,7 +27,9 @@ type FGA struct {
2627
apiToken string
2728
storeID string
2829

29-
online bool
30+
onlineMu sync.Mutex
31+
online bool
32+
3033
shutdownCtx context.Context
3134
shutdownCancel context.CancelFunc
3235

@@ -116,7 +119,10 @@ func (f *FGA) load(ctx context.Context, certificateCache *certificate.Cache, opt
116119
logger.Warn("Connection with OpenFGA established")
117120
}
118121

122+
f.onlineMu.Lock()
123+
defer f.onlineMu.Unlock()
119124
f.online = true
125+
120126
return
121127
}
122128

@@ -276,6 +282,8 @@ func (f *FGA) CheckPermission(ctx context.Context, r *http.Request, object Objec
276282
}
277283

278284
// If offline, return a clear error to the user.
285+
f.onlineMu.Lock()
286+
defer f.onlineMu.Unlock()
279287
if !f.online {
280288
return api.StatusErrorf(http.StatusForbidden, "The authorization server is currently offline, please try again later")
281289
}
@@ -881,6 +889,8 @@ func (f *FGA) DeleteStorageBucket(ctx context.Context, projectName string, stora
881889
// updateTuples sends an object update to OpenFGA if it's currently online.
882890
func (f *FGA) updateTuples(ctx context.Context, writes []client.ClientTupleKey, deletions []client.ClientTupleKeyWithoutCondition) error {
883891
// If offline, skip updating as a full sync will happen after connection.
892+
f.onlineMu.Lock()
893+
defer f.onlineMu.Unlock()
884894
if !f.online {
885895
return nil
886896
}
@@ -1118,7 +1128,6 @@ func (f *FGA) GetInstanceAccess(ctx context.Context, projectName string, instanc
11181128
Relation: relation,
11191129
UserFilters: userFilters,
11201130
}).Execute()
1121-
11221131
if err != nil {
11231132
fgaAPIErr, ok := err.(openfga.FgaApiValidationError)
11241133
if !ok || fgaAPIErr.ResponseCode() != openfga.ERRORCODE_RELATION_NOT_FOUND {
@@ -1173,7 +1182,6 @@ func (f *FGA) GetProjectAccess(ctx context.Context, projectName string) (*api.Ac
11731182
Relation: relation,
11741183
UserFilters: userFilters,
11751184
}).Execute()
1176-
11771185
if err != nil {
11781186
fgaAPIErr, ok := err.(openfga.FgaApiValidationError)
11791187
if !ok || fgaAPIErr.ResponseCode() != openfga.ERRORCODE_RELATION_NOT_FOUND {

0 commit comments

Comments
 (0)