// Copyright 2023 The Cockroach Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// SPDX-License-Identifier: Apache-2.0
package jwt
import (
"fmt"
"os"
"os/signal"
"syscall"
"time"
"github.com/cockroachdb/field-eng-powertools/stopper"
"github.com/cockroachdb/replicator/internal/types"
"github.com/cockroachdb/replicator/internal/util/ident"
"github.com/google/wire"
"github.com/pkg/errors"
log "github.com/sirupsen/logrus"
)
// Set is used by Wire. It exposes ProvideAuth so that a Wire-generated
// injector can construct the JWT-based authenticator.
var Set = wire.NewSet(ProvideAuth)
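// ProvideAuth is called by Wire to construct a JWT-based authenticator.
//
// It ensures that the public-key and revoked-id tables exist in the
// staging schema, performs an initial load of their contents, and, when
// *RefreshDelay is positive, starts a background goroutine on ctx that
// reloads the data every *RefreshDelay and whenever the process receives
// SIGHUP.
//
// Parameters:
//   - ctx: the stopper context that owns the refresh goroutine; the
//     goroutine exits once ctx.Stopping() is closed.
//   - db: used to create the tables and to load their contents.
//   - stagingDB: the schema in which PublicKeysTable and RevokedIdsTable
//     are created.
//
// It returns the authenticator, or an error (stack attached for the
// table-creation failures) if the tables could not be created or the
// initial load failed.
//
// NOTE(review): a failed background refresh is only logged at Warn level;
// the authenticator presumably keeps serving whatever it last loaded, so
// a key revoked after a persistent refresh failure would not take effect
// until a refresh succeeds. That warning is worth alerting on.
func ProvideAuth(
	ctx *stopper.Context, db types.StagingQuerier, stagingDB ident.StagingSchema,
) (auth types.Authenticator, err error) {
	keyTable := ident.NewTable(stagingDB.Schema(), PublicKeysTable)
	revokedTable := ident.NewTable(stagingDB.Schema(), RevokedIdsTable)

	// Bootstrap the schema. The table names are ident values derived from
	// the configured staging schema, not request input; the templates rely
	// on ident's formatting to emit properly quoted identifiers — confirm
	// that ident.Table quotes when touching the templates.
	if _, err = db.Exec(ctx, fmt.Sprintf(ensureKeysTemplate, keyTable)); err != nil {
		return nil, errors.WithStack(err)
	}
	if _, err = db.Exec(ctx, fmt.Sprintf(ensureRevokedTemplate, revokedTable)); err != nil {
		return nil, errors.WithStack(err)
	}

	impl := &authenticator{}
	impl.sql.selectKeys = fmt.Sprintf(selectKeysTemplate, keyTable)
	impl.sql.selectRevoked = fmt.Sprintf(selectRevokedTemplate, revokedTable)

	// Initial data load also sets up fields in the mu struct.
	if err = impl.refresh(ctx, db); err != nil {
		return nil, err
	}

	// Start a refresh loop that will also listen for HUP signals.
	if *RefreshDelay > 0 {
		ch := make(chan os.Signal, 1)
		signal.Notify(ch, syscall.SIGHUP)
		ctx.Go(func(ctx *stopper.Context) error {
			// Deferred calls run LIFO: Stop detaches ch from the
			// signal package before close runs, so close cannot
			// race with a late delivery.
			defer close(ch)
			defer signal.Stop(ch)

			// One timer reused across iterations rather than a fresh
			// time.After per loop: before Go 1.23 an unfired
			// time.After timer is not collected until it expires, so
			// every SIGHUP-driven iteration would leave one pending.
			timer := time.NewTimer(*RefreshDelay)
			defer timer.Stop()

			for {
				select {
				case <-ctx.Stopping():
					return nil
				case <-ch:
					log.Debug("reloading JWT data due to SIGHUP")
				case <-timer.C:
				}

				if err := impl.refresh(ctx, db); err != nil {
					log.WithError(err).Warn("could not refresh JWT data")
				}

				// Re-arm the timer for the next full period (matching
				// the original time.After-per-iteration timing). Drain
				// it first in case it fired while a SIGHUP reload was
				// in progress; otherwise Reset would leave a stale tick
				// in timer.C and trigger an immediate extra refresh.
				if !timer.Stop() {
					select {
					case <-timer.C:
					default:
					}
				}
				timer.Reset(*RefreshDelay)
			}
		})
	}

	return impl, nil
}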