This repository has been archived by the owner on Apr 5, 2024. It is now read-only.
/
fetch.go
232 lines (201 loc) · 5.29 KB
/
fetch.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
package main
import (
"context"
"errors"
"fmt"
"net/http"
"net/url"
"path"
"sync"
"time"
"github.com/basemachina/bridge"
"github.com/basemachina/bridge/internal/auth"
"github.com/go-logr/logr"
"github.com/lestrrat-go/jwx/jwk"
)
var _ auth.PublicKeyGetter = (*FetchWorker)(nil)
type FetchWorker struct {
sync.RWMutex
// config
apiURL *url.URL
interval time.Duration
timeout time.Duration
// store
publicKey jwk.Set
readyOnce sync.Once
// Once a public-key is obtained, it becomes ready.
readyCh chan struct{}
// Emits if it encounters an error that cannot be made ready.
readyErrCh chan error
// canceller
ctx context.Context
logger logr.Logger
}
// NewFetchWorker creates a new worker to fetch (or update) public-key.
func NewFetchWorker(env *bridge.Env, l logr.Logger) (*FetchWorker, func(), error) {
u, err := url.Parse(env.APIURL)
if err != nil {
return nil, nil, fmt.Errorf("failed to parse %q: %w", env.APIURL, err)
}
ctx, cancel := context.WithCancel(context.Background())
f := &FetchWorker{
apiURL: u,
interval: env.FetchInterval,
timeout: env.FetchTimeout,
ctx: ctx,
readyCh: make(chan struct{}),
readyErrCh: make(chan error, 1),
logger: l,
}
return f, cancel, nil
}
// - If the public key has never been obtained
// - If status code is kind of 400, I want the process to die.
// - If the error is retriable, keep retrying until it can be obtained
// - Wait for serve until public key can be obtained
// - If you have already obtained the public key
// - If it is a retriable error, keep retrying until it can be obtained.
// - Even if status code is kind of 400, the process continues to use the previously
// acquired public key without dying, and retries to acquire a new key.
func (f *FetchWorker) StartWorker() {
go func() {
ctrler := newWorkController(f.interval)
defer ctrler.Stop()
defer f.logger.Info("finished running worker")
for ctrler.Next(f.ctx) {
publicKey, err := f.fetchPublicKey()
if err != nil {
if errors.Is(err, ErrRetryable) {
ctrler.Retry()
time.Sleep(3 * time.Second)
continue
}
select {
// If you have already obtained the public-key
// Wait for the next ticker to emit
case <-f.readyCh:
f.logger.Error(err, "failed to refresh public-key",
"retry after", f.interval,
)
continue
default:
}
// If the public-key has never been obtained, the
// return error and immediately finish the process
f.readyErrCh <- err
return
}
f.RWMutex.Lock()
f.publicKey = publicKey
f.readyOnce.Do(func() { close(f.readyCh) })
f.RWMutex.Unlock()
}
}()
}
func (f *FetchWorker) WaitForReady(ctx context.Context) error {
select {
case <-ctx.Done():
return ctx.Err()
case <-f.ctx.Done():
return f.ctx.Err()
case err := <-f.readyErrCh:
return err
case <-f.readyCh:
return nil
}
}
type workController struct {
retryCh chan struct{}
ticker *time.Ticker
}
func newWorkController(interval time.Duration) *workController {
retryCh := make(chan struct{}, 1)
retryCh <- struct{}{} // to invoke immediately
return &workController{
retryCh: retryCh,
ticker: time.NewTicker(interval),
}
}
func (w *workController) Retry() {
w.retryCh <- struct{}{}
}
func (w *workController) Stop() {
w.ticker.Stop()
}
func (w *workController) Next(ctx context.Context) bool {
// In select, there is no order guarantee for channel processing.
// If the context is cancelled and this method is called again
// Always return false when called.
select {
case <-ctx.Done():
return false
default:
}
// no order guarantee, but while retryCh, ticker's channel is not sent
// returns false if context is cancelled
select {
case <-ctx.Done():
return false
case <-w.retryCh:
case <-w.ticker.C:
}
return true
}
func (f *FetchWorker) GetPublicKey() jwk.Set {
f.RWMutex.RLock()
publicKey := f.publicKey
f.RWMutex.RUnlock()
return publicKey
}
const publicKeyTargetPath = "/v1/bridge_authn_pubkey"
var ErrRetryable = errors.New("retry")
func (f *FetchWorker) fetchPublicKey() (jwk.Set, error) {
url := f.buildURL(publicKeyTargetPath)
ctx, cancel := context.WithTimeout(f.ctx, f.timeout)
defer cancel()
req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
if err != nil {
return nil, fmt.Errorf("failed to create a new request: %w", err)
}
req.Header.Add("User-Agent", serviceName+"/"+version)
resp, err := http.DefaultClient.Do(req)
if err != nil {
select {
case <-ctx.Done(): // check timeout or not
// retry
return nil, ErrRetryable
default:
}
return nil, fmt.Errorf("failed to send request %q: %w", url, err)
}
defer resp.Body.Close()
if resp.StatusCode != 200 {
// retry
if 500 <= resp.StatusCode && resp.StatusCode <= 599 {
return nil, ErrRetryable
}
return nil, fmt.Errorf("unexpected status code %d", resp.StatusCode)
}
key, err := jwk.ParseReader(resp.Body)
if err != nil {
return nil, fmt.Errorf("failed to parse response body: %w", err)
}
return key, nil
}
func (f *FetchWorker) buildURL(endpoint string) string {
u := cloneURL(f.apiURL)
u.Path = path.Join(u.Path, endpoint)
return u.String()
}
func cloneURL(u *url.URL) *url.URL {
if u == nil {
return nil
}
u2 := new(url.URL)
*u2 = *u
// if u.User != nil {
// u2.User = new(url.Userinfo)
// *u2.User = *u.User
// }
return u2
}