ssh: rework cached record invalidation (#5688)
Add an additional method to the ssh.Evaluator interface for invalidating cached databroker records. Invalidating the global cache is not sufficient, because there may be sync queriers as well. Make sure to invalidate the User record (in addition to the Session record) during the login flow.
This commit is contained in:
parent
177677f239
commit
8463020e68
3 changed files with 14 additions and 13 deletions
|
@ -27,12 +27,12 @@ import (
|
|||
"github.com/pomerium/pomerium/pkg/identity"
|
||||
"github.com/pomerium/pomerium/pkg/identity/manager"
|
||||
"github.com/pomerium/pomerium/pkg/policy/criteria"
|
||||
"github.com/pomerium/pomerium/pkg/storage"
|
||||
)
|
||||
|
||||
type Evaluator interface {
|
||||
EvaluateSSH(context.Context, *Request) (*evaluator.Result, error)
|
||||
GetDataBrokerServiceClient() databroker.DataBrokerServiceClient
|
||||
InvalidateCacheForRecords(context.Context, ...*databroker.Record)
|
||||
}
|
||||
|
||||
type Request struct {
|
||||
|
@ -271,7 +271,7 @@ func (a *Auth) DeleteSession(ctx context.Context, info StreamAuthInfo) error {
|
|||
return err
|
||||
}
|
||||
err = session.Delete(ctx, a.evaluator.GetDataBrokerServiceClient(), sessionID)
|
||||
a.invalidateCacheForRecord(ctx, &databroker.Record{
|
||||
a.evaluator.InvalidateCacheForRecords(ctx, &databroker.Record{
|
||||
Type: "type.googleapis.com/session.Session",
|
||||
Id: sessionID,
|
||||
})
|
||||
|
@ -313,27 +313,20 @@ func (a *Auth) saveSession(
|
|||
}
|
||||
}
|
||||
u.PopulateFromClaims(claims.Claims)
|
||||
_, err := databroker.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), u)
|
||||
resp, err := databroker.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), u)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
a.evaluator.InvalidateCacheForRecords(ctx, resp.GetRecord())
|
||||
|
||||
resp, err := session.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), sess)
|
||||
resp, err = session.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), sess)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
a.invalidateCacheForRecord(ctx, resp.GetRecord())
|
||||
a.evaluator.InvalidateCacheForRecords(ctx, resp.GetRecord())
|
||||
return nil
|
||||
}
|
||||
|
||||
func (a *Auth) invalidateCacheForRecord(ctx context.Context, record *databroker.Record) {
|
||||
ctx = storage.WithQuerier(ctx,
|
||||
storage.NewCachingQuerier(
|
||||
storage.NewQuerier(a.evaluator.GetDataBrokerServiceClient()),
|
||||
storage.GlobalCache))
|
||||
storage.InvalidateCacheForDataBrokerRecords(ctx, record)
|
||||
}
|
||||
|
||||
func (a *Auth) getAuthenticator(ctx context.Context, hostname string) (identity.Authenticator, error) {
|
||||
opts := a.currentConfig.Load().Options
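Review bot: The invalidation in DeleteSession passes a synthesized record carrying only Type and Id, while the two calls in saveSession pass the record returned by the databroker Put; the InvalidateCacheForRecords implementations live in the other two changed files and are not visible here, so it is worth confirming that they match on type and id alone and do not compare the record version, otherwise a deleted session could remain in a sync querier's cache until it expires. The new interface method in the first hunk also has no doc comment, and the reason it replaces the removed invalidateCacheForRecord helper is only stated in the commit description; suggest `// InvalidateCacheForRecords drops cached copies of the given records from the global cache and from any sync queriers, so later evaluations see the current databroker state.`. In saveSession, reusing `resp` for both the user Put and the session Put reads awkwardly; `userResp`/`sessResp` would make the two invalidations self-describing. saveSession's signature and the start of its body are outside the hunk.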
|
||||
|
||||
|
|