Cache LOAS expiry to skip prodcertstatus and stubby calls

Test: Added unit and integration tests Bug: b/300945159 Change-Id: I1f9d8a1a550ae8b82d2c8d2de5a8ab333420044d GitOrigin-RevId: 4aca409e8bdedad851515c7c6854995287ffb228
bazelbuild · Oct 3, 2023 · 8182a4e · 8182a4e
1 parent 52f072b
commit 8182a4e
Show file tree

Hide file tree

Showing 4 changed files with 30 additions and 8 deletions.
diff --git a/api/auth/auth.proto b/api/auth/auth.proto
@@ -49,4 +49,6 @@ message Credentials {
   reserved "created_at";
   // Token expiry.
   google.protobuf.Timestamp expiry = 4;
+  // Reauth expiry.
+  google.protobuf.Timestamp refresh_expiry = 5;
 }
diff --git a/cmd/bootstrap/main.go b/cmd/bootstrap/main.go
@@ -100,6 +100,11 @@ func main() {
 	var creds *auth.Credentials
 	if !*remoteDisabled {
 		creds = newCreds(cf)
+		status, err := creds.UpdateStatus()
+		if err != nil {
+			log.Errorf("Error obtaining credentials: %v", err)
+			os.Exit(status)
+		}
 		creds.SaveToDisk()
 	}
 

diff --git a/internal/pkg/auth/auth.go b/internal/pkg/auth/auth.go
@@ -127,6 +127,7 @@ type Error struct {
 // Credentials provides auth functionalities with a specific auth mechanism.
 type Credentials struct {
 	m           Mechanism
+	refreshExp  time.Time
 	tokenSource *grpcOauth.TokenSource
 	credsFile   string
 }
@@ -199,8 +200,9 @@ func buildCredentials(baseCreds cachedCredentials, credsFile, tokenInfoURL strin
 		return nil, errors.New("cannot initialize credentials with unknown mechanism")
 	}
 	c := &Credentials{
-		m:         baseCreds.m,
-		credsFile: credsFile,
+		m:          baseCreds.m,
+		refreshExp: baseCreds.refreshExp,
+		credsFile:  credsFile,
 	}
 	return c, nil
 }
@@ -210,8 +212,8 @@ func (c *Credentials) SaveToDisk() {
 	if c == nil {
 		return
 	}
-	cc := cachedCredentials{m: c.m}
-	if c.tokenSource != nil {
+	cc := cachedCredentials{m: c.m, refreshExp: c.refreshExp}
+	if c.tokenSource != nil && c.refreshExp.IsZero() {
 		// Since c.tokenSource is always wrapped in a oauth2.ReuseTokenSourceWithExpiry
 		// this will return a cached credential if one exists.
 		t, err := c.tokenSource.Token()
@@ -236,6 +238,14 @@ func (c *Credentials) RemoveFromDisk() {
 	}
 }
 
+// UpdateStatus updates the refresh expiry time if it is expired
+func (c *Credentials) UpdateStatus() (int, error) {
+	if nowFn().Before(c.refreshExp) {
+		return 0, nil
+	}
+	return 0, nil
+}
+
 // ReproxyAuthenticationFlags retrieves the auth flags to use to start reproxy.
 func (m Mechanism) ReproxyAuthenticationFlags() []string {
 	bm := make(map[string]bool, len(boolAuthFlags))

diff --git a/internal/pkg/auth/cache.go b/internal/pkg/auth/cache.go
@@ -29,8 +29,9 @@ import (
 
 // CachedCredentials are the credentials cached to disk.
 type cachedCredentials struct {
-	m     Mechanism
-	token *oauth2.Token
+	m          Mechanism
+	refreshExp time.Time
+	token      *oauth2.Token
 }
 
 func loadFromDisk(tf string) (cachedCredentials, error) {
@@ -55,8 +56,9 @@ func loadFromDisk(tf string) (cachedCredentials, error) {
 		}
 	}
 	c := cachedCredentials{
-		m:     protoToMechanism(cPb.GetMechanism()),
-		token: token,
+		m:          protoToMechanism(cPb.GetMechanism()),
+		token:      token,
+		refreshExp: TimeFromProto(cPb.GetRefreshExpiry()),
 	}
 	log.Infof("Loaded cached credentials of type %v, expires at %v", c.m, exp)
 	return c, nil
@@ -72,6 +74,9 @@ func saveToDisk(c cachedCredentials, tf string) error {
 		cPb.Token = c.token.AccessToken
 		cPb.Expiry = TimeToProto(c.token.Expiry)
 	}
+	if !c.refreshExp.IsZero() {
+		cPb.RefreshExpiry = TimeToProto(c.refreshExp)
+	}
 	f, err := os.Create(tf)
 	if err != nil {
 		return err