Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Composite configurable mutator cache key per rule. #885

Draft
wants to merge 24 commits into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .schema/config.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -1133,6 +1133,11 @@
"enabled": {
"$ref": "#/definitions/handlerSwitch"
},
"key": {
"type": "string",
"title": "Cache Key",
"description": "Custom cache key per rule, i.e using templating '{{ print .Subject }}'. All templated properties must be in AuthenticationSession."
},
"ttl": {
"type": "string",
"pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
Expand Down
118 changes: 62 additions & 56 deletions pipeline/mutate/mutator_hydrator.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
"fmt"
"net/http"
"net/url"
"strings"
"time"

"github.com/dgraph-io/ristretto"
Expand All @@ -44,7 +45,6 @@

const (
ErrMalformedResponseFromUpstreamAPI = "The call to an external API returned an invalid JSON object"
ErrMissingAPIURL = "Missing URL in mutator configuration"
ErrInvalidAPIURL = "Invalid URL in mutator configuration"
ErrNon200ResponseFromAPI = "The call to an external API returned a non-200 HTTP response"
ErrInvalidCredentials = "Invalid credentials were provided in mutator configuration"
Expand All @@ -54,10 +54,9 @@
)

type MutatorHydrator struct {
c configuration.Provider
client *http.Client
d mutatorHydratorDependencies

c configuration.Provider
client *http.Client
d mutatorHydratorDependencies
hydrateCache *ristretto.Cache
cacheTTL *time.Duration
}
Expand Down Expand Up @@ -85,8 +84,8 @@
type cacheConfig struct {
Enabled bool `json:"enabled"`
TTL string `json:"ttl"`

ttl time.Duration
Key string `json:"key"`
ttl time.Duration
}

type MutatorHydratorConfig struct {
Expand All @@ -102,73 +101,76 @@
cache, _ := ristretto.NewCache(&ristretto.Config{
// This will hold about 1000 unique mutation responses.
NumCounters: 10000,
// Allocate a max of 32MB
// Allocate a max of 32 MB
MaxCost: 1 << 25,
// This is a best-practice value.
BufferItems: 64,
})
return &MutatorHydrator{c: c, d: d, client: httpx.NewResilientClientLatencyToleranceSmall(nil), hydrateCache: cache}
return &MutatorHydrator{c: c, d: d,
client: httpx.NewResilientClientLatencyToleranceSmall(nil), hydrateCache: cache}
}

// GetID returns the identifier of this mutator, the constant string "hydrator".
func (a *MutatorHydrator) GetID() string {
return "hydrator"
}

func (a *MutatorHydrator) cacheKey(config *MutatorHydratorConfig, session string) string {
return fmt.Sprintf("%s|%x", config.Api.URL, md5.Sum([]byte(session)))
// cacheKey creates a (composite) cache key.
func (a *MutatorHydrator) cacheKey(keys ...string) string {
return fmt.Sprintf("%x", md5.Sum([]byte(strings.Join(keys, ""))))
}

func (a *MutatorHydrator) hydrateFromCache(config *MutatorHydratorConfig, session string) (*authn.AuthenticationSession, bool) {
if !config.Cache.Enabled {
return nil, false
}

item, found := a.hydrateCache.Get(a.cacheKey(config, session))
func (a *MutatorHydrator) hydrateFromCache(key string) (*authn.AuthenticationSession, bool) {
item, found := a.hydrateCache.Get(key)
if !found {
return nil, false
}

return item.(*authn.AuthenticationSession).Copy(), true
}

func (a *MutatorHydrator) hydrateToCache(config *MutatorHydratorConfig, key string, session *authn.AuthenticationSession) {
if !config.Cache.Enabled {
return
}

if a.hydrateCache.SetWithTTL(a.cacheKey(config, key), session.Copy(), 0, config.Cache.ttl) {
if a.hydrateCache.SetWithTTL(key, session.Copy(), 0, config.Cache.ttl) {
a.d.Logger().Debug("Cache reject item")
}
}

func (a *MutatorHydrator) Mutate(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
func (a *MutatorHydrator) Mutate(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, p pipeline.Rule) error {
cfg, err := a.Config(config)
if err != nil {
return err
}

var b bytes.Buffer
if err := json.NewEncoder(&b).Encode(session); err != nil {
return errors.WithStack(err)
}
s := &bytes.Buffer{}
s.Grow(2048)

encodedSession := b.String()
if cacheSession, ok := a.hydrateFromCache(cfg, encodedSession); ok {
*session = *cacheSession
return nil
err = json.NewEncoder(s).Encode(session)
switch {
case err != nil:
return errors.WithStack(err)

Check warning on line 148 in pipeline/mutate/mutator_hydrator.go

View check run for this annotation

Codecov / codecov/patch

pipeline/mutate/mutator_hydrator.go#L147-L148

Added lines #L147 - L148 were not covered by tests
case !cfg.Cache.Enabled:
case len(cfg.Cache.Key) > 0:
// Build a composite cache key with property from configuration.
if cacheSession, ok := a.hydrateFromCache(a.cacheKey(
Copy link
Author

@anderslauri anderslauri Dec 25, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The key is a composite key based on the configured key property plus three distinct, repeatable properties (the hydrator URL, the rule ID, and the subject of the session).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if that is enough! What about extra properties of the session, such as "scope" or "permissions"? These could all influence the hydrator response and could eventually lead to security vulnerabilities down the road. I think we need to take the full session in a serialized form if we want to be sure that the cache can actually be reused!

Copy link
Author

@anderslauri anderslauri Dec 26, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the complete AuthenticationSession is used as the key, one does not benefit from the cache, given the volatility of this structure. Using the subject, rule ID, and hydrator URL as part of the composition enables flexibility while ensuring a certain level of constraint. Given this flexibility, the user is also free to set a key that includes all of the above (i.e. JWT claims) using templating.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. I am unsure, though, whether I can agree here. I think it points to a deeper issue which is manifesting in this PR: it is not possible to define the cache key reliably. Actually, one would probably like to define the cache key themselves (e.g. subject + scope) to make the system more efficient. For example, the AuthSession might contain vital info such as a "permissions" array. Yet, it may also contain a counter or timestamp which changes on most requests, invalidating the cache if included.

We are still not there yet with a new concept for Ory Oathkeeper, but I think this is a very interesting problem that could very well warrant a realignment on Ory Oathkeeper which would be to make access control at the reverse proxy as efficient and flexible as possible.

I think this too could benefit from JsonNet, as JsonNet is typable, lintable, and can produce errors (go templating fulfills none of these properties).

Unfortunately, for this PR in particular, I don't think the current implementation can be accepted, because it still carries too many risks. This particular type of issue has already caused a CVE in Ory Oathkeeper (GHSA-qvp4-rpmr-xwrr), which is why I am so hypersensitive about this topic.

Copy link
Author

@anderslauri anderslauri Jan 6, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you. Let us invert the solution. If you feel a user should not be able to define a cache key freely (given the concerns mentioned above), what about allowing the user to define which request/response headers to exclude (I also believe I saw an issue regarding this)? If the whole AuthenticationSession is used as the cache key, the headers represent a volatile part (i.e. they are subject to middleware enrichment, which is hard to predict and control). extra is defined by previous steps in the pipeline and can be controlled more easily. What are your thoughts?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a brilliant idea! Exclusion is much safer (because explicit) :)

cfg.Api.URL, cfg.Cache.Key, p.GetID(), session.Subject)); ok {
*session = *cacheSession
return nil
}
a.d.Logger().Debugf("Cache key %s in rule %s was not found. Falling back on default.",
cfg.Cache.Key, p.GetID())
fallthrough
default:
if cacheSession, ok := a.hydrateFromCache(a.cacheKey(cfg.Api.URL, s.String())); ok {
*session = *cacheSession
return nil
}
}

if cfg.Api.URL == "" {
return errors.New(ErrMissingAPIURL)
} else if _, err := url.ParseRequestURI(cfg.Api.URL); err != nil {
if _, err = url.ParseRequestURI(cfg.Api.URL); err != nil {
return errors.New(ErrInvalidAPIURL)
}
req, err := http.NewRequest("POST", cfg.Api.URL, &b)

req, err := http.NewRequest("POST", cfg.Api.URL, s)
if err != nil {
return errors.WithStack(err)
}

if r.URL != nil {
} else if r.URL != nil {
q := r.URL.Query()
req.URL.RawQuery = q.Encode()
}
Expand All @@ -190,21 +192,23 @@
giveUpAfter := time.Millisecond * 50
if len(cfg.Api.Retry.MaxDelay) > 0 {
if d, err := time.ParseDuration(cfg.Api.Retry.MaxDelay); err != nil {
a.d.Logger().WithError(err).Warn("Unable to parse max_delay in the Hydrator Mutator, falling pack to default.")
a.d.Logger().WithError(err).Warn("Unable to parse max_delay in the Hydrator Mutator, " +
"falling pack to default.")

Check warning on line 196 in pipeline/mutate/mutator_hydrator.go

View check run for this annotation

Codecov / codecov/patch

pipeline/mutate/mutator_hydrator.go#L195-L196

Added lines #L195 - L196 were not covered by tests
} else {
maxRetryDelay = d
}
}
if len(cfg.Api.Retry.GiveUpAfter) > 0 {
if d, err := time.ParseDuration(cfg.Api.Retry.GiveUpAfter); err != nil {
a.d.Logger().WithError(err).Warn("Unable to parse max_delay in the Hydrator Mutator, falling pack to default.")
a.d.Logger().WithError(err).Warn("Unable to parse max_delay in the Hydrator Mutator, " +
"falling pack to default.")

Check warning on line 204 in pipeline/mutate/mutator_hydrator.go

View check run for this annotation

Codecov / codecov/patch

pipeline/mutate/mutator_hydrator.go#L203-L204

Added lines #L203 - L204 were not covered by tests
} else {
giveUpAfter = d
}
}

client.Transport = httpx.NewResilientRoundTripper(a.client.Transport, maxRetryDelay, giveUpAfter)
}
sessionCacheKey := a.cacheKey(cfg.Api.URL, s.String())

res, err := client.Do(req.WithContext(r.Context()))
if err != nil {
Expand All @@ -217,25 +221,29 @@
case http.StatusUnauthorized:
if cfg.Api.Auth != nil {
return errors.New(ErrInvalidCredentials)
} else {
return errors.New(ErrNoCredentialsProvided)
}
return errors.New(ErrNoCredentialsProvided)
default:
return errors.New(ErrNon200ResponseFromAPI)
}

sessionFromUpstream := authn.AuthenticationSession{}
err = json.NewDecoder(res.Body).Decode(&sessionFromUpstream)
if err != nil {

if err := json.NewDecoder(res.Body).Decode(&sessionFromUpstream); err != nil {
return errors.WithStack(err)
}
if sessionFromUpstream.Subject != session.Subject {
} else if sessionFromUpstream.Subject != session.Subject {
return errors.New(ErrMalformedResponseFromUpstreamAPI)
}
*session = sessionFromUpstream

a.hydrateToCache(cfg, encodedSession, session)

switch {
case !cfg.Cache.Enabled:
case len(cfg.Cache.Key) > 0:
a.hydrateToCache(cfg, a.cacheKey(
cfg.Api.URL, cfg.Cache.Key, p.GetID(), session.Subject), session)
default:
a.hydrateToCache(cfg, sessionCacheKey, session)
}
return nil
}

Expand All @@ -258,14 +266,12 @@
var err error
c.Cache.ttl, err = time.ParseDuration(c.Cache.TTL)
if err != nil {
a.d.Logger().WithError(err).WithField("ttl", c.Cache.TTL).Error("Unable to parse cache ttl in the Hydrator Mutator.")
a.d.Logger().WithError(err).WithField("ttl",
c.Cache.TTL).Error("Unable to parse cache ttl in the Hydrator Mutator.")

Check warning on line 270 in pipeline/mutate/mutator_hydrator.go

View check run for this annotation

Codecov / codecov/patch

pipeline/mutate/mutator_hydrator.go#L269-L270

Added lines #L269 - L270 were not covered by tests
return nil, NewErrMutatorMisconfigured(a, err)
}

if c.Cache.ttl == 0 {
} else if c.Cache.ttl == 0 {
c.Cache.ttl = time.Minute
}
}

return &c, nil
}
Loading