Invalidate auth cache on reload

yandex · Aug 1, 2023 · 66ebabb · 66ebabb
1 parent 6bf2cfa
commit 66ebabb
Show file tree

Hide file tree

Showing 12 changed files with 80 additions and 35 deletions.
diff --git a/config-examples/odyssey-dev.conf b/config-examples/odyssey-dev.conf
@@ -12,10 +12,10 @@ log_syslog no
 log_syslog_ident "odyssey"
 log_syslog_facility "daemon"
 
-log_debug yes
+log_debug no
 log_config yes
 log_session yes
-log_query yes
+log_query no
 log_stats yes
 stats_interval 60
 log_general_stats_prom yes
@@ -58,14 +58,16 @@ database default {
 	user default {
 		authentication "md5"
 
+		password "md588cb17a149f659b9a78ec4a33cbb3c7f"
+
 		storage "postgres_server"
 		pool "transaction"
 		pool_size 0
 
-		auth_query "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"
-		auth_query_db "postgres"
-		auth_query_user "reshke"
-		storage_password "reshke"
+#		auth_query "SELECT usename, passwd FROM pg_shadow WHERE usename=$1"
+#		auth_query_db "postgres"
+#		auth_query_user "reshke"
+#		storage_password "reshke"
 
 		pool_timeout 0
 

diff --git a/sources/auth.c b/sources/auth.c
@@ -1032,8 +1032,8 @@ int od_auth_backend(od_server_t *server, machine_msg_t *msg,
 		return -1;
 	}
 
-	od_debug(&instance->logger, "auth", NULL, server, 
-		"recieved msg type %u", auth_type);
+	od_debug(&instance->logger, "auth", NULL, server,
+		 "recieved msg type %u", auth_type);
 
 	msg = NULL;
 

diff --git a/sources/auth_query.c b/sources/auth_query.c
@@ -107,7 +107,7 @@ int od_auth_query(od_client_t *client, char *peer)
 	* doing any actual work
 	*/
 	/* username -> password cache */
-	od_hashmap_elt_t* value;
+	od_hashmap_elt_t *value;
 	od_hashmap_elt_t key;
 	od_auth_cache_value_t *cache_value;
 	od_hash_t keyhash;
@@ -119,24 +119,28 @@ int od_auth_query(od_client_t *client, char *peer)
 	keyhash = od_murmur_hash(key.data, key.len);
 	/* acquire hash map entry lock */
 	value = od_hashmap_lock_key(storage->acache, keyhash, &key);
-	
+
 	if (value->data == NULL) {
 		/* one-time initialize */
 		value->data = malloc(sizeof(od_auth_cache_value_t));
 		value->len = sizeof(od_auth_cache_value_t);
 	}
 
-	cache_value = (od_auth_cache_value_t *) value->data;
+	cache_value = (od_auth_cache_value_t *)value->data;
 
 	current_time = machine_time_us();
 
-	if (cache_value != NULL 
-	/* password cached for 10 sec */
-	&& current_time - cache_value->timestamp < 10 * interval_usec) {
+	if (cache_value != NULL
+	    /* password cached for 10 sec */
+	    && current_time - cache_value->timestamp < 10 * interval_usec) {
+		od_debug(&instance->logger, "auth_query", NULL, NULL,
+			 "reusing cached password for user %.*s",
+			 user->name_len, user->name);
 		/* unlock hashmap entry */
 		password->password_len = cache_value->passwd_len;
 		password->password = malloc(password->password_len + 1);
-		strncpy(password->password, cache_value->passwd, cache_value->passwd_len);
+		strncpy(password->password, cache_value->passwd,
+			cache_value->passwd_len);
 		password->password[password->password_len] = '\0';
 		od_hashmap_unlock_key(storage->acache, keyhash, &key);
 		return OK_RESPONSE;
@@ -153,6 +157,10 @@ int od_auth_query(od_client_t *client, char *peer)
 		goto error;
 	}
 
+	od_debug(&instance->logger, "auth_query", auth_client, NULL,
+		 "acquiring password for user %.*s", user->name_len,
+		 user->name);
+
 	/* set auth query route user and database */
 	kiwi_var_set(&auth_client->startup.user, KIWI_VAR_UNDEF,
 		     rule->auth_query_user, strlen(rule->auth_query_user) + 1);
@@ -241,7 +249,8 @@ int od_auth_query(od_client_t *client, char *peer)
 	}
 	cache_value->passwd_len = password->password_len;
 	cache_value->passwd = malloc(password->password_len);
-	strncpy(cache_value->passwd, password->password, cache_value->passwd_len);
+	strncpy(cache_value->passwd, password->password,
+		cache_value->passwd_len);
 
 	cache_value->timestamp = current_time;
 

diff --git a/sources/backend.c b/sources/backend.c
@@ -125,10 +125,9 @@ static inline int od_backend_startup(od_server_t *server,
 		{ NULL, 0 }
 	};
 
-
 	od_debug(&instance->logger, "startup", NULL, server,
-			"startup server connection with user %s & database %s",  route->id.user, route->id.database);
-
+		 "startup server connection with user %s & database %s",
+		 route->id.user, route->id.database);
 
 	for (size_t i = 0; i < route->rule->backend_startup_vars_sz; i++) {
 		argv[i << 1].name = route->rule->backend_startup_vars[i].name;

diff --git a/sources/hashmap.c b/sources/hashmap.c
@@ -111,6 +111,26 @@ od_retcode_t od_hashmap_free(od_hashmap_t *hm)
 	return OK_RESPONSE;
 }
 
+od_retcode_t od_hashmap_empty(od_hashmap_t *hm)
+{
+	for (size_t i = 0; i < hm->size; ++i) {
+		pthread_mutex_lock(&hm->buckets[i]->mu);
+
+		od_list_t *j, *n;
+
+		od_list_foreach_safe(&hm->buckets[i]->nodes->link, j, n)
+		{
+			od_hashmap_list_item_t *it;
+			it = od_container_of(j, od_hashmap_list_item_t, link);
+			od_hashmap_list_item_free(it);
+		}
+
+		pthread_mutex_unlock(&hm->buckets[i]->mu);
+	}
+
+	return OK_RESPONSE;
+}
+
 static inline od_hashmap_elt_t *od_bucket_search(od_hashmap_bucket_t *b,
 						 void *value, size_t value_len)
 {
@@ -193,10 +213,9 @@ od_hashmap_elt_t *od_hashmap_find(od_hashmap_t *hm, od_hash_t keyhash,
 	return ptr;
 }
 
-
-od_hashmap_elt_t *
-od_hashmap_lock_key(od_hashmap_t *hm, od_hash_t keyhash,
-				  od_hashmap_elt_t *key) {
+od_hashmap_elt_t *od_hashmap_lock_key(od_hashmap_t *hm, od_hash_t keyhash,
+				      od_hashmap_elt_t *key)
+{
 	size_t bucket_index = keyhash % hm->size;
 	pthread_mutex_lock(&hm->buckets[bucket_index]->mu);
 
@@ -221,9 +240,9 @@ od_hashmap_lock_key(od_hashmap_t *hm, od_hash_t keyhash,
 }
 
 int od_hashmap_unlock_key(od_hashmap_t *hm, od_hash_t keyhash,
-				  od_hashmap_elt_t *key) {
-
+			  od_hashmap_elt_t *key)
+{
 	size_t bucket_index = keyhash % hm->size;
 	pthread_mutex_unlock(&hm->buckets[bucket_index]->mu);
-	return 0/* OK */;
+	return 0 /* OK */;
 }
diff --git a/sources/hashmap.h b/sources/hashmap.h
@@ -51,15 +51,17 @@ od_hashmap_elt_t *od_hashmap_find(od_hashmap_t *hm, od_hash_t keyhash,
 int od_hashmap_insert(od_hashmap_t *hm, od_hash_t keyhash,
 		      od_hashmap_elt_t *key, od_hashmap_elt_t **value);
 
-
 /* LOCK-UNLOCK API */
 /* given key and its 
 * keyhash (murmurhash etc) return poitner 
 * to hashmap mutex-locked value pointer  */
 od_hashmap_elt_t *od_hashmap_lock_key(od_hashmap_t *hm, od_hash_t keyhash,
-				  od_hashmap_elt_t *key);
+				      od_hashmap_elt_t *key);
 
 int od_hashmap_unlock_key(od_hashmap_t *hm, od_hash_t keyhash,
-				  od_hashmap_elt_t *key);
+			  od_hashmap_elt_t *key);
+
+/* clear hashmap */
+od_retcode_t od_hashmap_empty(od_hashmap_t *hm);
 
 #endif /* OD_HASHMAP_H */
diff --git a/sources/ldap.c b/sources/ldap.c
@@ -195,7 +195,8 @@ od_retcode_t od_ldap_server_prepare(od_logger_t *logger, od_ldap_server_t *serv,
 				   &search_message);
 
 		od_debug(logger, "auth_ldap", client, NULL,
-				 "basedn search entries with filter: %s and attrib %s ", filter, attributes[0]);
+			 "basedn search entries with filter: %s and attrib %s ",
+			 filter, attributes[0]);
 
 		if (rc != LDAP_SUCCESS) {
 			od_error(logger, "auth_ldap", client, NULL,

diff --git a/sources/router.c b/sources/router.c
@@ -367,9 +367,9 @@ od_router_status_t od_router_route(od_router_t *router, od_client_t *client)
 		 "matching rule: %s %s with %s routing type to %s client",
 		 rule->db_name, rule->user_name,
 		 rule->pool->routing_type == NULL ? "client visible" :
-						    rule->pool->routing_type,
+							  rule->pool->routing_type,
 		 client->type == OD_POOL_CLIENT_INTERNAL ? "internal" :
-							   "external");
+								 "external");
 	if (!od_rule_matches_client(rule->pool, client->type)) {
 		// emulate not found error
 		od_router_unlock(router);

diff --git a/sources/rules.c b/sources/rules.c
@@ -584,6 +584,8 @@ __attribute__((hot)) int od_rules_merge(od_rules_t *rules, od_rules_t *src,
 		rule = od_container_of(i, od_rule_t, link);
 		rule->mark = 1;
 		count_mark++;
+
+		od_hashmap_empty(rule->storage->acache);
 	}
 
 	/* select dropped rules */

diff --git a/sources/storage.c b/sources/storage.c
@@ -184,6 +184,8 @@ od_rule_storage_t *od_rules_storage_copy(od_rule_storage_t *storage)
 		}
 	}
 
+	/* storage auth cache not copied */
+
 	copy->target_session_attrs = storage->target_session_attrs;
 
 	return copy;

diff --git a/sources/storage.h b/sources/storage.h
@@ -51,11 +51,10 @@ typedef enum {
 	OD_TARGET_SESSION_ATTRS_ANY,
 } od_target_session_attrs_t;
 
-
 typedef struct od_auth_cache_value od_auth_cache_value_t;
 struct od_auth_cache_value {
 	uint64_t timestamp;
-	char * passwd;
+	char *passwd;
 	uint32_t passwd_len;
 };
 

diff --git a/sources/system.c b/sources/system.c
@@ -389,6 +389,7 @@ void od_system_config_reload(od_system_t *system)
 	od_router_t *router = system->global->router;
 	od_extention_t *extentions = system->global->extentions;
 	od_hba_t *hba = system->global->hba;
+	od_list_t *i;
 
 	od_log(&instance->logger, "config", NULL, NULL,
 	       "importing changes from '%s'", instance->config_file);
@@ -440,10 +441,19 @@ void od_system_config_reload(od_system_t *system)
 	od_config_reload(&instance->config, &config);
 	od_hba_reload(hba, &hba_rules);
 
+	/* auto-generate default rule for auth_query if none specified */
+	rc = od_rules_autogenerate_defaults(&rules, &instance->logger);
+
+	if (rc == -1) {
+		pthread_mutex_unlock(&router->rules.mu);
+		od_config_free(&config);
+		od_rules_free(&rules);
+		return;
+	}
+
 	pthread_mutex_unlock(&router->rules.mu);
 
 	/* Reload TLS certificates */
-	od_list_t *i;
 	od_list_foreach(&router->servers, i)
 	{
 		od_system_server_t *server;