Unify file watching strategy in TLS config pool (#297)

Signed-off-by: Ignasi Barrera <[email protected]>

Author: nacx

cmd/main.go

@@ -24,19 +24,21 @@ import (
 	"github.com/tetratelabs/telemetry"
 
 	"github.com/istio-ecosystem/authservice/internal"
+	"github.com/istio-ecosystem/authservice/internal/http"
 	"github.com/istio-ecosystem/authservice/internal/k8s"
 	"github.com/istio-ecosystem/authservice/internal/oidc"
 	"github.com/istio-ecosystem/authservice/internal/server"
+	"github.com/istio-ecosystem/authservice/internal/watch"
 )
 
 func main() {
 	var (
-		lifecycle   = run.NewLifecycle()
 		configFile  = &internal.LocalConfigFile{}
 		logging     = internal.NewLogSystem(log.New(), &configFile.Config)
-		tlsPool     = internal.NewTLSConfigPool(lifecycle.Context())
+		fileWatcher = &watch.FileWatcherService{}
+		tlsPool     = http.NewTLSConfigPool(fileWatcher)
 		jwks        = oidc.NewJWKSProvider(&configFile.Config, tlsPool)
-		sessions    = oidc.NewSessionStoreFactory(&configFile.Config)
+		sessions    = oidc.NewSessionStoreFactory(&configFile.Config, fileWatcher)
 		envoyAuthz  = server.NewExtAuthZFilter(&configFile.Config, tlsPool, jwks, sessions)
 		authzServer = server.New(&configFile.Config, envoyAuthz.Register)
 		healthz     = server.NewHealthServer(&configFile.Config)
@@ -58,9 +60,9 @@ func main() {
 	g := run.Group{Logger: internal.Logger(internal.Default)}
 
 	g.Register(
-		lifecycle,         // manage the lifecycle of the run.Services
 		configFile,        // load the configuration
 		logging,           // Set up the logging system
+		fileWatcher,       // watch for file changes
 		secretCtrl,        // watch for secret updates and update the configuration
 		configLog,         // log the configuration
 		fipsLog,           // log whether FIPS is enabled

config/README.md

@@ -87,7 +87,7 @@ via the standard authorization code grant flow from an OIDC Provider.
 | idle_session_timeout | [uint32](#uint32) |  | The Authservice associates obtained OIDC tokens with a session ID in a session store. It also stores some temporary information during the login process into the session store, which will be removed when the user finishes the login. This configuration option sets the number of seconds since the most recent incoming request from that user until the user's session with the Authservice should expire. When configured to `0`, which is the default value, session expiration will not consider idle time, but can still consider timeout based on maximum absolute time since added. When both `absolute_session_timeout` and `idle_session_timeout` are zero, then sessions will never expire. These settings do not affect how quickly the OIDC tokens contained inside the user's session expire. Optional. |
 | trusted_certificate_authority | [string](#string) |  | String PEM-encoded certificate authority to trust when performing HTTPS calls to the OIDC Identity Provider. Optional. |
 | trusted_certificate_authority_file | [string](#string) |  | The file path to the PEM-encoded certificate authority to trust when performing HTTPS calls to the OIDC Identity Provider. Optional. |
-| trusted_certificate_authority_refresh_interval | [google.protobuf.Duration](#google-protobuf-Duration) |  | The duration between refreshes of the trusted certificate authority if `trusted_certificate_authority_file` is set. Unset or 0 (the default) disables the refresh, useful is no rotation is expected. Is a String that ends in `s` to indicate seconds and is preceded by the number of seconds, e.g. `120s` (represents 2 minutes). Optional. |
+| trusted_certificate_authority_refresh_interval | [google.protobuf.Duration](#google-protobuf-Duration) |  | The duration between refreshes of the trusted certificate authority if `trusted_certificate_authority_file` is set. Unset or 0 (the default) disables the refresh, useful is no rotation is expected. Is a String that ends in `s` to indicate seconds and is preceded by the number of seconds, e.g. `120s` (represents 2 minutes). Optional. Deprecated. The file will be automatically reloaded when it changes. |
 | proxy_uri | [string](#string) |  | The Authservice makes two kinds of direct network connections directly to the OIDC Provider. Both are POST requests to the configured `token_uri` of the OIDC Provider. The first is to exchange the authorization code for tokens, and the other is to use the refresh token to obtain new tokens. Configure the `proxy_uri` when both of these requests should be made through a web proxy. The format of `proxy_uri` is `http://proxyserver.example.com:8080`, where `:<port_number>` is optional. Userinfo (usernames and passwords) in the `proxy_uri` setting are not yet supported. The `proxy_uri` should always start with `http://`. The Authservice will upgrade the connection to the OIDC provider to HTTPS using an HTTP CONNECT request to the proxy server. The proxy server will see the hostname and port number of the OIDC provider in plain text in the CONNECT request, but all other communication will occur over an encrypted HTTPS connection negotiated directly between the Authservice and the OIDC provider. See also the related `trusted_certificate_authority` configuration option. Optional. |
 | redis_session_store_config | [RedisConfig](#authservice-config-v1-oidc-RedisConfig) |  | When specified, the Authservice will use the configured Redis server to store session data. Optional. |
 | skip_verify_peer_cert | [google.protobuf.Value](#google-protobuf-Value) |  | If set to true, the verification of the destination certificate will be skipped when making a request to the Token Endpoint. This option is useful when you want to use a self-signed certificate for testing purposes, but basically should not be set to true in any other cases. Optional. keep this field out from the trusted_ca_config one of for backward compatibility. |

config/gen/go/v1/oidc/config.pb.go

@@ -338,6 +338,7 @@ message OIDCConfig {
   // Unset or 0 (the default) disables the refresh, useful is no rotation is expected.
   // Is a String that ends in `s` to indicate seconds and is preceded by the number of seconds, e.g. `120s` (represents 2 minutes).
   // Optional.
+  // Deprecated. The file will be automatically reloaded when it changes.
   google.protobuf.Duration trusted_certificate_authority_refresh_interval = 22;
 
   // The Authservice makes two kinds of direct network connections directly to the OIDC Provider.

config/v1/oidc/config.proto

@@ -15,7 +15,6 @@
 package istio
 
 import (
-	"context"
 	"fmt"
 	"os"
 	"os/exec"
@@ -82,7 +81,7 @@ func (i *IstioSuite) SetupSuite() {
 
 	i.T().Log("deploying the test services...")
 	for _, f := range testManifests {
-		i.MustApply(context.Background(), manifestsDir+"/"+f)
+		i.MustApply(i.T().Context(), manifestsDir+"/"+f)
 	}
 	i.WaitForPods(client, "keycloak", "job-name=setup-keycloak", corev1.PodSucceeded, e2e.PodInitialized)
 	i.WaitForPods(client, "redis", "", corev1.PodRunning, e2e.PodReady)
@@ -113,7 +112,7 @@ func (i *IstioSuite) installIstio() {
 }
 
 func (i *IstioSuite) istioInstalled(client kubernetes.Interface) bool {
-	_, err := client.CoreV1().Services("istio-system").Get(context.Background(), "istiod", metav1.GetOptions{})
+	_, err := client.CoreV1().Services("istio-system").Get(i.T().Context(), "istiod", metav1.GetOptions{})
 	return err == nil
 }
 

e2e/istio/suite_test.go

@@ -177,7 +177,7 @@ func (k *K8sSuite) WaitForPods(client kubernetes.Interface, namespace, selector
 		opts := metav1.ListOptions{
 			LabelSelector: selector,
 		}
-		pods, err := client.CoreV1().Pods(namespace).List(context.Background(), opts)
+		pods, err := client.CoreV1().Pods(namespace).List(k.T().Context(), opts)
 		if err != nil || len(pods.Items) == 0 {
 			return false
 		}

e2e/k8s_suite.go

@@ -15,7 +15,6 @@
 package mock
 
 import (
-	"context"
 	"os"
 	"testing"
 	"time"
@@ -66,7 +65,7 @@ func TestRedisTokenResponse(t *testing.T) {
 	store, err := oidc.NewRedisStore(&oidc.Clock{}, client, 0, 1*time.Minute)
 	require.NoError(t, err)
 
-	ctx := context.Background()
+	ctx := t.Context()
 
 	tr, err := store.GetTokenResponse(ctx, "s1")
 	require.NoError(t, err)
@@ -102,7 +101,7 @@ func TestRedisAuthorizationState(t *testing.T) {
 	store, err := oidc.NewRedisStore(&oidc.Clock{}, client, 0, 1*time.Minute)
 	require.NoError(t, err)
 
-	ctx := context.Background()
+	ctx := t.Context()
 
 	as, err := store.GetAuthorizationState(ctx, "s1")
 	require.NoError(t, err)
@@ -134,7 +133,7 @@ func TestSessionExpiration(t *testing.T) {
 	store, err := oidc.NewRedisStore(&oidc.Clock{}, client, 2*time.Second, 0)
 	require.NoError(t, err)
 
-	ctx := context.Background()
+	ctx := t.Context()
 
 	t.Run("expire-token", func(t *testing.T) {
 		tr := &oidc.TokenResponse{

e2e/redis/store_test.go

@@ -15,7 +15,6 @@
 package authz
 
 import (
-	"context"
 	"testing"
 
 	envoy "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
@@ -42,7 +41,7 @@ func TestProcessMock(t *testing.T) {
 				req  = &envoy.CheckRequest{}
 				resp = &envoy.CheckResponse{}
 			)
-			err := m.Process(context.Background(), req, resp)
+			err := m.Process(t.Context(), req, resp)
 			require.NoError(t, err)
 			require.Equal(t, int32(tt.want), resp.Status.Code)
 		})

internal/authz/mock_test.go

@@ -65,7 +65,7 @@ var (
 type oidcHandler struct {
 	log        telemetry.Logger
 	config     *oidcv1.OIDCConfig
-	tlsPool    internal.TLSConfigPool
+	tlsPool    inthttp.TLSConfigPool
 	jwks       oidc.JWKSProvider
 	sessions   oidc.SessionStoreFactory
 	sessionGen oidc.SessionGenerator
@@ -74,7 +74,7 @@ type oidcHandler struct {
 }
 
 // NewOIDCHandler creates a new OIDC implementation of the Handler interface.
-func NewOIDCHandler(cfg *oidcv1.OIDCConfig, tlsPool internal.TLSConfigPool, jwks oidc.JWKSProvider,
+func NewOIDCHandler(cfg *oidcv1.OIDCConfig, tlsPool inthttp.TLSConfigPool, jwks oidc.JWKSProvider,
 	sessions oidc.SessionStoreFactory, clock oidc.Clock, sessionGen oidc.SessionGenerator) (Handler, error) {
 
 	client, err := inthttp.NewHTTPClient(cfg, tlsPool, internal.Logger(internal.IDP))
@@ -599,7 +599,7 @@ func (o *oidcHandler) refreshToken(ctx context.Context, log telemetry.Logger, ex
 	}
 
 	// validate the id token
-	if ok, _ := o.isValidIDToken(context.Background(), log, newTokenResponse.IDToken, expectedNonce, false); !ok {
+	if ok, _ := o.isValidIDToken(ctx, log, newTokenResponse.IDToken, expectedNonce, false); !ok {
 		return nil
 	}