
Commit b2d8fd6

committed
Improve performance of NewJWTSVID
1 parent f4904f9 commit b2d8fd6


5 files changed

+54
-4
lines changed


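--- a/pkg/server/api/api.go
+++ b/pkg/server/api/api.go
@@ -13,6 +13,7 @@ import (
 
 // AuthorizedEntryFetcher is the interface to fetch authorized entries
 type AuthorizedEntryFetcher interface {
+IsAuthorizedForEntryID(ctx context.Context, id spiffeid.ID, entryID string) *types.Entry
 // FetchAuthorizedEntries fetches the entries that the specified
 // SPIFFE ID is authorized for
 FetchAuthorizedEntries(ctx context.Context, id spiffeid.ID) ([]*types.Entry, error)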
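Review bot: The new interface method on line 16 has no doc comment, while its sibling FetchAuthorizedEntries documents its contract, and a caller cannot tell from the signature whether a nil result means "not found", "not authorized" or "this fetcher cannot answer". Unlike FetchAuthorizedEntries it also returns no error, so an implementation that has no way to evaluate the question (the events-based fetcher in this same commit returns nil unconditionally) is indistinguishable from a correct denial; consider `IsAuthorizedForEntryID(ctx context.Context, id spiffeid.ID, entryID string) (*types.Entry, error)` so infrastructure failures surface as Internal rather than NotFound. At minimum add `// IsAuthorizedForEntryID returns the entry with the given ID if the specified SPIFFE ID is authorized for it, or nil when the entry does not exist or is not authorized.` above line 16.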

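--- a/pkg/server/api/svid/v1/service.go
+++ b/pkg/server/api/svid/v1/service.go
@@ -205,6 +205,18 @@ func (s *Service) BatchNewX509SVID(ctx context.Context, req *svidv1.BatchNewX509
 return &svidv1.BatchNewX509SVIDResponse{Results: results}, nil
 }
 
+// fetchEntries fetches authorized entries using caller ID from context
+func (s *Service) isAuthorizedForSPIFFEID(ctx context.Context, entryID string, log logrus.FieldLogger) (*types.Entry, error) {
+callerID, ok := rpccontext.CallerID(ctx)
+if !ok {
+return nil, api.MakeErr(log, codes.Internal, "caller ID missing from request context", nil)
+}
+
+entry := s.ef.IsAuthorizedForEntryID(ctx, callerID, entryID)
+return entry, nil
+
+}
+
 // fetchEntries fetches authorized entries using caller ID from context
 func (s *Service) fetchEntries(ctx context.Context, log logrus.FieldLogger) (map[string]*types.Entry, error) {
 callerID, ok := rpccontext.CallerID(ctx)
@@ -350,14 +362,12 @@ func (s *Service) NewJWTSVID(ctx context.Context, req *svidv1.NewJWTSVIDRequest)
 return nil, api.MakeErr(log, status.Code(err), "rejecting request due to JWT signing request rate limiting", err)
 }
 
-// Fetch authorized entries
-entriesMap, err := s.fetchEntries(ctx, log)
+entry, err := s.isAuthorizedForSPIFFEID(ctx, req.EntryId, log)
 if err != nil {
 return nil, err
 }
 
-entry, ok := entriesMap[req.EntryId]
-if !ok {
+if entry == nil {
 return nil, api.MakeErr(log, codes.NotFound, "entry not found or not authorized", nil)
 }
 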
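Review bot: The doc comment on new line 208 is copied verbatim from fetchEntries and describes the wrong function; the name isAuthorizedForSPIFFEID is also misleading, since the helper takes an entry ID and returns the entry, not a boolean about a SPIFFE ID. Replace the comment with `// isAuthorizedForSPIFFEID returns the entry with the given ID if the caller identified by the request context is authorized for it; a nil entry means not found or not authorized.` and consider renaming it to something like authorizedEntryByID. The helper (lines 209-218) cannot distinguish "fetcher could not answer" from "denied" because the underlying interface method returns no error, so any infrastructure problem in the fetcher surfaces to the NewJWTSVID caller on line 371 as NotFound; the stray blank line before the closing brace on line 217 is also worth dropping.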

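--- a/pkg/server/cache/entrycache/fullcache.go
+++ b/pkg/server/cache/entrycache/fullcache.go
@@ -28,6 +28,7 @@ var _ Cache = (*FullEntryCache)(nil)
 // Cache contains a snapshot of all registration entries and Agent selectors from the data source
 // at a particular moment in time.
 type Cache interface {
+IsAuthorizedForEntryID(agentID spiffeid.ID, entryID string) *types.Entry
 GetAuthorizedEntries(agentID spiffeid.ID) []*types.Entry
 }
 
@@ -173,6 +174,34 @@ func Build(ctx context.Context, entryIter EntryIterator, agentIter AgentIterator
 }, nil
 }
 
+func (c *FullEntryCache) IsAuthorizedForEntryID(agentID spiffeid.ID, entryID string) *types.Entry {
+seen := allocSeenSet()
+defer freeSeenSet(seen)
+
+return c.isAuthorizedForEntryID(spiffeIDFromID(agentID), entryID, seen)
+}
+
+func (c *FullEntryCache) isAuthorizedForEntryID(id spiffeID, entryID string, seen map[spiffeID]struct{}) *types.Entry {
+entries := c.crawl(id, seen)
+
+for _, descendant := range entries {
+if descendant.GetId() == entryID {
+return descendant
+}
+if entry := c.isAuthorizedForEntryID(id, entryID, seen); entry != nil {
+return entry
+}
+}
+
+for _, alias := range c.aliases[id] {
+if entry := c.isAuthorizedForEntryID(alias.id, entryID, seen); entry != nil {
+return entry
+}
+}
+
+return nil
+}
+
 // GetAuthorizedEntries gets all authorized registration entries for a given Agent SPIFFE ID.
 func (c *FullEntryCache) GetAuthorizedEntries(agentID spiffeid.ID) []*types.Entry {
 seen := allocSeenSet()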
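Review bot: The recursive call on new line 191 passes the same `id` it was called with instead of the descendant's SPIFFE ID, so the walk never descends past the agent's direct entries; only the `seen` set (whose handling lives in crawl, outside this hunk) presumably stops it from looping. The alias branch on line 197 gets this right by recursing on `alias.id`, and GetAuthorizedEntries (also outside the hunk) recurses per descendant, so line 191 should mirror that conversion, something like `if entry := c.isAuthorizedForEntryID(spiffeIDFromProto(descendant.SpiffeId), entryID, seen); entry != nil {` if that is the helper the existing walk uses. The effect is fail-closed rather than an authorization bypass: an agent legitimately authorized for an entry two or more hops down gets "entry not found or not authorized" from NewJWTSVID, which is a functional regression against the map-based lookup this commit replaces. A doc comment on the exported IsAuthorizedForEntryID (line 177) matching the one on GetAuthorizedEntries, and a test covering a nested-descendant entry, would catch this.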

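--- a/pkg/server/endpoints/authorized_entryfetcher.go
+++ b/pkg/server/endpoints/authorized_entryfetcher.go
@@ -56,6 +56,10 @@ func NewAuthorizedEntryFetcherWithEventsBasedCache(ctx context.Context, log logr
 }, nil
 }
 
+func (a *AuthorizedEntryFetcherWithEventsBasedCache) IsAuthorizedForEntryID(_ context.Context, agentID spiffeid.ID, entryID string) *types.Entry {
+return nil
+}
+
 func (a *AuthorizedEntryFetcherWithEventsBasedCache) FetchAuthorizedEntries(_ context.Context, agentID spiffeid.ID) ([]*types.Entry, error) {
 return a.cache.GetAuthorizedEntries(agentID), nil
 }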
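Review bot: The new IsAuthorizedForEntryID on lines 59-61 unconditionally returns nil, and nothing in the hunk marks it as intentional, so with the events-based cache every NewJWTSVID call now fails with NotFound regardless of the caller's actual authorization. That is fail-closed, but it silently disables JWT-SVID issuance for that configuration, and the ignored `agentID`/`entryID` parameters are the tell. Unless the events cache genuinely cannot answer, derive the result from the existing authorized-entries lookup this type already uses on line 64 so both fetchers agree; if it truly cannot, the method needs an error return or at least a `// TODO:` comment stating the limitation.
```go
func (a *AuthorizedEntryFetcherWithEventsBasedCache) IsAuthorizedForEntryID(_ context.Context, agentID spiffeid.ID, entryID string) *types.Entry {
	// Same authorization walk as FetchAuthorizedEntries, narrowed to one entry.
	for _, entry := range a.cache.GetAuthorizedEntries(agentID) {
		if entry.GetId() == entryID {
			return entry
		}
	}
	return nil
}
```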

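--- a/pkg/server/endpoints/entryfetcher.go
+++ b/pkg/server/endpoints/entryfetcher.go
@@ -49,6 +49,12 @@ func NewAuthorizedEntryFetcherWithFullCache(ctx context.Context, buildCache entr
 }, nil
 }
 
+func (a *AuthorizedEntryFetcherWithFullCache) IsAuthorizedForEntryID(_ context.Context, agentID spiffeid.ID, entryID string) *types.Entry {
+a.mu.RLock()
+defer a.mu.RUnlock()
+return a.cache.IsAuthorizedForEntryID(agentID, entryID)
+}
+
 func (a *AuthorizedEntryFetcherWithFullCache) FetchAuthorizedEntries(_ context.Context, agentID spiffeid.ID) ([]*types.Entry, error) {
 a.mu.RLock()
 defer a.mu.RUnlock()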
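Review bot: The exported method added on lines 52-56 has no doc comment, and since it is the authorization decision point for NewJWTSVID its nil-means-denied contract should be stated where the next maintainer will read it. Add `// IsAuthorizedForEntryID returns the cached entry with the given ID if agentID is authorized for it, or nil if the entry is unknown or not authorized; the cache snapshot is read under a.mu.` above line 52. Taking the read lock around the whole lookup matches FetchAuthorizedEntries, which is the right choice given the cache pointer is swapped on rebuild.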
