ssh: rework cached record invalidation (#5688)

Add an additional method to the ssh.Evaluator interface for invalidating cached databroker records. Invalidating the global cache is not sufficient, because there may be sync queriers as well. Make sure to invalidate the User record (in addition to the Session record) during the login flow.
2025-08-06 10:21:05 +02:00 · 2025-07-02 12:21:39 -07:00 · 2025-07-02 12:21:39 -07:00 · 8463020e68
commit 8463020e68
parent 177677f239
3 changed files with 14 additions and 13 deletions
--- a/authorize/ssh_grpc.go
+++ b/authorize/ssh_grpc.go
@ -12,8 +12,10 @@ import (
 	extensions_ssh "github.com/pomerium/envoy-custom/api/extensions/filters/network/ssh"
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 	"github.com/pomerium/pomerium/pkg/ssh"
+	"github.com/pomerium/pomerium/pkg/storage"
 )

 func (a *Authorize) ManageStream(stream extensions_ssh.StreamManagement_ManageStreamServer) error {
@ -129,3 +131,7 @@ func (a *Authorize) EvaluateSSH(ctx context.Context, req *ssh.Request) (*evaluat

 	return res, nil
 }
+
+func (a *Authorize) InvalidateCacheForRecords(ctx context.Context, records ...*databroker.Record) {
+	storage.InvalidateCacheForDataBrokerRecords(a.withQuerierForCheckRequest(ctx), records...)
+}
--- a/pkg/ssh/auth.go
+++ b/pkg/ssh/auth.go
@ -27,12 +27,12 @@ import (
 	"github.com/pomerium/pomerium/pkg/identity"
 	"github.com/pomerium/pomerium/pkg/identity/manager"
 	"github.com/pomerium/pomerium/pkg/policy/criteria"
-	"github.com/pomerium/pomerium/pkg/storage"
 )

 type Evaluator interface {
 	EvaluateSSH(context.Context, *Request) (*evaluator.Result, error)
 	GetDataBrokerServiceClient() databroker.DataBrokerServiceClient
+	InvalidateCacheForRecords(context.Context, ...*databroker.Record)
 }

 type Request struct {
@ -271,7 +271,7 @@ func (a *Auth) DeleteSession(ctx context.Context, info StreamAuthInfo) error {
 		return err
 	}
 	err = session.Delete(ctx, a.evaluator.GetDataBrokerServiceClient(), sessionID)
-	a.invalidateCacheForRecord(ctx, &databroker.Record{
+	a.evaluator.InvalidateCacheForRecords(ctx, &databroker.Record{
 		Type: "type.googleapis.com/session.Session",
 		Id:   sessionID,
 	})
@ -313,27 +313,20 @@ func (a *Auth) saveSession(
 		}
 	}
 	u.PopulateFromClaims(claims.Claims)
-	_, err := databroker.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), u)
+	resp, err := databroker.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), u)
 	if err != nil {
 		return err
 	}
+	a.evaluator.InvalidateCacheForRecords(ctx, resp.GetRecord())

-	resp, err := session.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), sess)
+	resp, err = session.Put(ctx, a.evaluator.GetDataBrokerServiceClient(), sess)
 	if err != nil {
 		return err
 	}
-	a.invalidateCacheForRecord(ctx, resp.GetRecord())
+	a.evaluator.InvalidateCacheForRecords(ctx, resp.GetRecord())
 	return nil
 }

-func (a *Auth) invalidateCacheForRecord(ctx context.Context, record *databroker.Record) {
-	ctx = storage.WithQuerier(ctx,
-		storage.NewCachingQuerier(
-			storage.NewQuerier(a.evaluator.GetDataBrokerServiceClient()),
-			storage.GlobalCache))
-	storage.InvalidateCacheForDataBrokerRecords(ctx, record)
-}
-
 func (a *Auth) getAuthenticator(ctx context.Context, hostname string) (identity.Authenticator, error) {
 	opts := a.currentConfig.Load().Options

--- a/pkg/ssh/auth_test.go
+++ b/pkg/ssh/auth_test.go
@ -446,6 +446,8 @@ func (f fakePolicyEvaluator) GetDataBrokerServiceClient() databroker.DataBrokerS
 	return f.client
 }

+func (f fakePolicyEvaluator) InvalidateCacheForRecords(_ context.Context, _ ...*databroker.Record) {}
+
 type fakeDataBrokerServiceClient struct {
 	databroker.DataBrokerServiceClient