fix: reduce db lookups in whoami for aal check (#3372)
Significantly improves performance by reducing the number of queries we need to run when checking the different AAL levels.
Showing
19 changed files
with
371 additions
and
60 deletions.
@@ -9,6 +9,8 @@ import ( | |
"testing" | ||
"time" | ||
|
||
"github.com/gofrs/uuid" | ||
|
||
"github.com/ory/x/sqlxx" | ||
|
||
"github.com/ory/kratos/internal/testhelpers" | ||
|
@@ -65,10 +67,82 @@ func TestManager(t *testing.T) { | |
|
||
t.Run("method=Create", func(t *testing.T) { | ||
t.Run("case=should create identity and track extension fields", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits("[email protected]", "") | ||
original.Traits = newTraits(email, "") | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
checkExtensionFieldsForIdentities(t, "[email protected]", original) | ||
checkExtensionFieldsForIdentities(t, email, original) | ||
got, ok := original.AvailableAAL.ToAAL() | ||
require.True(t, ok) | ||
assert.Equal(t, identity.NoAuthenticatorAssuranceLevel, got) | ||
}) | ||
|
||
t.Run("case=correctly set AAL", func(t *testing.T) { | ||
t.Run("case=should set AAL to 0 if no credentials are available", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits(email, "") | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
got, ok := original.AvailableAAL.ToAAL() | ||
require.True(t, ok) | ||
assert.Equal(t, identity.NoAuthenticatorAssuranceLevel, got) | ||
}) | ||
|
||
t.Run("case=should set AAL to 1 if password is set", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits(email, "") | ||
original.Credentials = map[identity.CredentialsType]identity.Credentials{ | ||
identity.CredentialsTypePassword: { | ||
Type: identity.CredentialsTypePassword, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"hashed_password":"$2a$08$.cOYmAd.vCpDOoiVJrO5B.hjTLKQQ6cAK40u8uB.FnZDyPvVvQ9Q."}`), | ||
}, | ||
} | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
got, ok := original.AvailableAAL.ToAAL() | ||
require.True(t, ok) | ||
assert.Equal(t, identity.AuthenticatorAssuranceLevel1, got) | ||
}) | ||
|
||
t.Run("case=should set AAL to 2 if password and TOTP is set", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits(email, "") | ||
original.Credentials = map[identity.CredentialsType]identity.Credentials{ | ||
identity.CredentialsTypePassword: { | ||
Type: identity.CredentialsTypePassword, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"hashed_password":"$2a$08$.cOYmAd.vCpDOoiVJrO5B.hjTLKQQ6cAK40u8uB.FnZDyPvVvQ9Q."}`), | ||
}, | ||
identity.CredentialsTypeTOTP: { | ||
Type: identity.CredentialsTypeTOTP, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"totp_url":"otpauth://totp/test"}`), | ||
}, | ||
} | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
got, ok := original.AvailableAAL.ToAAL() | ||
require.True(t, ok) | ||
assert.Equal(t, identity.AuthenticatorAssuranceLevel2, got) | ||
}) | ||
|
||
t.Run("case=should set AAL to 0 if only TOTP is set", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits(email, "") | ||
original.Credentials = map[identity.CredentialsType]identity.Credentials{ | ||
identity.CredentialsTypeTOTP: { | ||
Type: identity.CredentialsTypeTOTP, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"totp_url":"otpauth://totp/test"}`), | ||
}, | ||
} | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
got, ok := original.AvailableAAL.ToAAL() | ||
require.True(t, ok) | ||
assert.Equal(t, identity.NoAuthenticatorAssuranceLevel, got) | ||
}) | ||
}) | ||
|
||
t.Run("case=should expose validation errors with option", func(t *testing.T) { | ||
|
@@ -100,6 +174,63 @@ func TestManager(t *testing.T) { | |
checkExtensionFieldsForIdentities(t, "[email protected]", original) | ||
}) | ||
|
||
t.Run("case=should set AAL to 1 if password is set", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits(email, "") | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
original.Credentials = map[identity.CredentialsType]identity.Credentials{ | ||
identity.CredentialsTypePassword: { | ||
Type: identity.CredentialsTypePassword, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"hashed_password":"$2a$08$.cOYmAd.vCpDOoiVJrO5B.hjTLKQQ6cAK40u8uB.FnZDyPvVvQ9Q."}`), | ||
}, | ||
} | ||
require.NoError(t, reg.IdentityManager().Update(context.Background(), original, identity.ManagerAllowWriteProtectedTraits)) | ||
assert.EqualValues(t, identity.AuthenticatorAssuranceLevel1, original.AvailableAAL.String) | ||
}) | ||
|
||
t.Run("case=should set AAL to 2 if password and TOTP is set", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits(email, "") | ||
original.Credentials = map[identity.CredentialsType]identity.Credentials{ | ||
identity.CredentialsTypePassword: { | ||
Type: identity.CredentialsTypePassword, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"hashed_password":"$2a$08$.cOYmAd.vCpDOoiVJrO5B.hjTLKQQ6cAK40u8uB.FnZDyPvVvQ9Q."}`), | ||
}, | ||
} | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
assert.EqualValues(t, identity.AuthenticatorAssuranceLevel1, original.AvailableAAL.String) | ||
require.NoError(t, reg.IdentityManager().Update(context.Background(), original, identity.ManagerAllowWriteProtectedTraits)) | ||
assert.EqualValues(t, identity.AuthenticatorAssuranceLevel1, original.AvailableAAL.String, "Updating without changes should not change AAL") | ||
original.Credentials[identity.CredentialsTypeTOTP] = identity.Credentials{ | ||
Type: identity.CredentialsTypeTOTP, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"totp_url":"otpauth://totp/test"}`), | ||
} | ||
require.NoError(t, reg.IdentityManager().Update(context.Background(), original, identity.ManagerAllowWriteProtectedTraits)) | ||
assert.EqualValues(t, identity.AuthenticatorAssuranceLevel2, original.AvailableAAL.String) | ||
}) | ||
|
||
t.Run("case=should set AAL to 0 if only TOTP is set", func(t *testing.T) { | ||
email := uuid.Must(uuid.NewV4()).String() + "@ory.sh" | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits(email, "") | ||
require.NoError(t, reg.IdentityManager().Create(context.Background(), original)) | ||
original.Credentials = map[identity.CredentialsType]identity.Credentials{ | ||
identity.CredentialsTypeTOTP: { | ||
Type: identity.CredentialsTypeTOTP, | ||
Identifiers: []string{email}, | ||
Config: sqlxx.JSONRawMessage(`{"totp_url":"otpauth://totp/test"}`), | ||
}, | ||
} | ||
require.NoError(t, reg.IdentityManager().Update(context.Background(), original, identity.ManagerAllowWriteProtectedTraits)) | ||
assert.True(t, original.AvailableAAL.Valid) | ||
assert.EqualValues(t, identity.NoAuthenticatorAssuranceLevel, original.AvailableAAL.String) | ||
}) | ||
|
||
t.Run("case=should not update protected traits without option", func(t *testing.T) { | ||
original := identity.NewIdentity(config.DefaultIdentityTraitsSchemaID) | ||
original.Traits = newTraits("[email protected]", "") | ||
|
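--- a/persistence/sql/migratest/fixtures/identity/0149ce5f-76a8-4efe-b2e3-431b8c6cceb6.json
+++ b/persistence/sql/migratest/fixtures/identity/0149ce5f-76a8-4efe-b2e3-431b8c6cceb6.json
@@ -0,0 +1,17 @@
+{
+"id": "0149ce5f-76a8-4efe-b2e3-431b8c6cceb6",
+"schema_id": "default",
+"schema_url": "https://www.ory.sh/schemas/ZGVmYXVsdA",
+"state": "active",
+"traits": {
+"email": "[email protected]"
+},
+"metadata_public": {
+"foo": "bar"
+},
+"metadata_admin": {
+"baz": "bar"
+},
+"created_at": "2013-10-07T08:23:19Z",
+"updated_at": "2013-10-07T08:23:19Z"
+}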
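--- a/persistence/sql/migratest/fixtures/identity/0149ce5f-76a8-4efe-b2e3-431b8c6cceb7.json
+++ b/persistence/sql/migratest/fixtures/identity/0149ce5f-76a8-4efe-b2e3-431b8c6cceb7.json
@@ -0,0 +1,17 @@
+{
+"id": "0149ce5f-76a8-4efe-b2e3-431b8c6cceb7",
+"schema_id": "default",
+"schema_url": "https://www.ory.sh/schemas/ZGVmYXVsdA",
+"state": "active",
+"traits": {
+"email": "[email protected]"
+},
+"metadata_public": {
+"foo": "bar"
+},
+"metadata_admin": {
+"baz": "bar"
+},
+"created_at": "2013-10-07T08:23:19Z",
+"updated_at": "2013-10-07T08:23:19Z"
+}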
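--- a/persistence/sql/migratest/testdata/20230706000000_testdata.sql
+++ b/persistence/sql/migratest/testdata/20230706000000_testdata.sql
@@ -0,0 +1,11 @@
+INSERT INTO identities (id, nid, schema_id, traits, created_at, updated_at, metadata_public, metadata_admin,
+available_aal)
+VALUES ('0149ce5f-76a8-4efe-b2e3-431b8c6cceb6', '884f556e-eb3a-4b9f-bee3-11345642c6c0', 'default',
+'{"email":"[email protected]"}', '2013-10-07 08:23:19', '2013-10-07 08:23:19', '{"foo":"bar"}', '{"baz":"bar"}',
+'aal1');
+
+INSERT INTO identities (id, nid, schema_id, traits, created_at, updated_at, metadata_public, metadata_admin,
+available_aal)
+VALUES ('0149ce5f-76a8-4efe-b2e3-431b8c6cceb7', '884f556e-eb3a-4b9f-bee3-11345642c6c0', 'default',
+'{"email":"[email protected]"}', '2013-10-07 08:23:19', '2013-10-07 08:23:19', '{"foo":"bar"}', '{"baz":"bar"}',
+NULL);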
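Review bot: The first row seeds identity 0149ce5f-76a8-4efe-b2e3-431b8c6cceb6 with available_aal 'aal1', but the fixture JSON for that identity added in this commit carries no corresponding field, so as written the migration test does not appear to check that the new column is read back at all; if the identity's JSON output exposes the available AAL, the fixture should assert it with `"available_aal": "aal1"`. Whether that field is part of the JSON output is not visible on this page. The second row seeds NULL, presumably standing in for identities that existed before the column was added; a one-line comment above each INSERT naming the case it exercises, e.g. `-- pre-migration identity: available_aal not yet computed`, would make that intent explicit.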
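--- a/persistence/sql/migrations/sql/20230706000000000001_available_aal.down.sql
+++ b/persistence/sql/migrations/sql/20230706000000000001_available_aal.down.sql
@@ -0,0 +1 @@
+ALTER TABLE identities DROP COLUMN available_aal;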
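--- a/persistence/sql/migrations/sql/20230706000000000001_available_aal.up.sql
+++ b/persistence/sql/migrations/sql/20230706000000000001_available_aal.up.sql
@@ -0,0 +1 @@
+ALTER TABLE identities ADD COLUMN available_aal VARCHAR(4) NULL;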
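Review bot: This column caches a value derived from the identity's credentials (the manager tests in this commit recompute it on Create and Update), so any credential write path that bypasses that recomputation leaves a stale AAL that session checks would then trust; the migration should state that contract in a comment, e.g. `-- cached highest AAL reachable with the identity's current credentials; NULL = not yet computed; must be refreshed whenever credentials change`. The column is nullable with no default and no constraint on its values, so nothing in the schema pins it to the AAL strings; if every supported dialect accepts it, a `CHECK (available_aal IN (...))` over the AAL values the Go constants serialize to would reject stray writes, and the four-character width suggests that set is the intended one. Which other credential write paths exist is not visible on this page.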