fixup! use singleflight.Group and fix data race

Signed-off-by: Bryce Palmer <bpalmer@redhat.com>

Author: everettraven

openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"time"
 
+	"golang.org/x/sync/singleflight"
 	"k8s.io/apimachinery/pkg/api/validation"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
@@ -33,7 +34,7 @@ func Register(plugins *admission.Plugins) {
 				configv1.GroupVersion.WithKind("Authentication"): authenticationV1{
 					cel: &celStore{
 						compiledStore:  lru.New(100),
-						compilingStore: lru.New(100),
+						compilingGroup: new(singleflight.Group),
 						compiler:       authenticationcel.NewDefaultCompiler(),
 					},
 				},
@@ -58,7 +59,7 @@ func toAuthenticationV1(uncastObj runtime.Object) (*configv1.Authentication, fie
 }
 
 type celStore struct {
-	compilingStore *lru.Cache
+	compilingGroup *singleflight.Group
 	compiledStore  *lru.Cache
 	compiler       authenticationcel.Compiler
 }
@@ -266,69 +267,66 @@ func validateCELExpression(ctx context.Context, cel *celStore, accessor authenti
 		return err, ""
 	}
 
-	// expression is currently being compiled
-	if val, ok := cel.compilingStore.Get(accessor.GetExpression()); ok {
-		// we use a channel to determine if it has finished compiling
-		select {
-		case res := <-val.(chan compileResult):
-			// done compiling
-			return res.err, res.warn
-		case <-ctx.Done(): // handle the case of context cancelling while waiting
-			return ctx.Err(), ""
-		}
-	}
+	result, err, _ := cel.compilingGroup.Do(accessor.GetExpression(), func() (interface{}, error) {
+		// if the expression is not currently being compiled, it might have already been compiled
+		if val, ok := cel.compiledStore.Get(accessor.GetExpression()); ok {
+			if val != nil {
+				res := val.(compileResult)
+				return res, nil
+			}
 
-	// if the expression is not currently being compiled, it might have already been compiled
-	// either successfully or unsucessfully
-	if val, ok := cel.compiledStore.Get(accessor.GetExpression()); ok {
-		if val != nil {
-			res := val.(compileResult)
-			return res.err, res.warn
+			return nil, nil
 		}
 
-		return nil, ""
-	}
-
-	// expression is not currently being compiled, and has not been compiled before (or has been long enough since it was last compiled that we dropped it).
-	// Let's compile it.
-	warningString := ""
-	compiled := make(chan error)
-	defer close(compiled)
+		// expression is not currently being compiled, and has not been compiled before (or has been long enough since it was last compiled that we dropped it).
+		// Let's compile it.
+		warningString := ""
+		compiled := make(chan error)
+		defer close(compiled)
 
-	compiling := make(chan compileResult, 1)
-	defer close(compiling)
+		go func() {
+			defer func() {
+				if r := recover(); r != nil {
+					// convert the panic into an error state for the expression
+					compiled <- fmt.Errorf("recovered from a panic while compiling expression %q: %v", accessor.GetExpression(), r)
+				}
+			}()
 
-	cel.compilingStore.Add(accessor.GetExpression(), compiling)
-	defer cel.compilingStore.Remove(accessor.GetExpression())
+			_, err := cel.compiler.CompileClaimsExpression(accessor)
 
-	go func() {
-		defer func() {
-			if r := recover(); r != nil {
-				// convert the panic into an error state for the expression
-				compiled <- fmt.Errorf("recovered from a panic while compiling expression %q: %v", accessor.GetExpression(), r)
-			}
+			compiled <- err
 		}()
 
-		_, err := cel.compiler.CompileClaimsExpression(accessor)
+		warning := make(chan string, 1)
+		timer := time.AfterFunc(time.Second, func() {
+			defer close(warning)
+			warning <- fmt.Sprintf("cel expression %q took more than 1 second to compile", accessor.GetExpression())
+		})
 
-		compiled <- err
-	}()
+		err := <-compiled
 
-	timer := time.AfterFunc(time.Second, func() {
-		warningString = fmt.Sprintf("cel expression %q took more than 1 second to compile", accessor.GetExpression())
-	})
+		timer.Stop()
 
-	err := <-compiled
-
-	timer.Stop()
+		// check if we received a warning. If not, continue
+		select {
+		case warn := <-warning:
+			warningString = warn
+		default:
+			break
+		}
 
-	compilationResult := compileResult{
-		err, warningString,
-	}
+		compilationResult := compileResult{
+			err, warningString,
+		}
 
-	cel.compiledStore.Add(accessor.GetExpression(), compilationResult)
+		cel.compiledStore.Add(accessor.GetExpression(), compilationResult)
 
-	compiling <- compilationResult
+		return compilationResult, nil
+	})
+	if err != nil {
+		return fmt.Errorf("running compilation of expression %q: %v", accessor.GetExpression(), err), ""
+	}
 
-	return compilationResult.err, compilationResult.warn
+	compileRes := result.(compileResult)
+	return compileRes.err, compileRes.warn
 }

openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication_test.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	configv1 "github.com/openshift/api/config/v1"
+	"golang.org/x/sync/singleflight"
 	"k8s.io/apimachinery/pkg/util/rand"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	authenticationcel "k8s.io/apiserver/pkg/authentication/cel"
@@ -97,7 +98,7 @@ func TestFailValidateAuthenticationSpec(t *testing.T) {
 	for tcName, tc := range errorCases {
 		errs, _ := validateAuthenticationSpec(context.TODO(), tc.spec, &celStore{
 			compiler:       authenticationcel.NewDefaultCompiler(),
-			compilingStore: lru.New(100),
+			compilingGroup: new(singleflight.Group),
 			compiledStore:  lru.New(100),
 		})
 		if (len(errs) > 0) != (len(tc.errorType) != 0) {
@@ -188,7 +189,7 @@ func TestSucceedValidateAuthenticationSpec(t *testing.T) {
 	for tcName, s := range successCases {
 		errs, _ := validateAuthenticationSpec(context.TODO(), s, &celStore{
 			compiler:       authenticationcel.NewDefaultCompiler(),
-			compilingStore: lru.New(100),
+			compilingGroup: new(singleflight.Group),
 			compiledStore:  lru.New(100),
 		})
 		if len(errs) != 0 {
@@ -277,7 +278,7 @@ func TestValidateCELExpression(t *testing.T) {
 						delay: 200 * time.Millisecond,
 						err:   nil,
 					},
-					compilingStore: lru.New(1),
+					compilingGroup: new(singleflight.Group),
 					compiledStore:  lru.New(1),
 				}
 			},
@@ -291,7 +292,7 @@ func TestValidateCELExpression(t *testing.T) {
 						delay: 1500 * time.Millisecond,
 						err:   nil,
 					},
-					compilingStore: lru.New(1),
+					compilingGroup: new(singleflight.Group),
 					compiledStore:  lru.New(1),
 				}
 			},
@@ -306,7 +307,7 @@ func TestValidateCELExpression(t *testing.T) {
 						delay: 1500 * time.Millisecond,
 						err:   errors.New("boom"),
 					},
-					compilingStore: lru.New(1),
+					compilingGroup: new(singleflight.Group),
 					compiledStore:  lru.New(1),
 				}
 			},
@@ -322,7 +323,7 @@ func TestValidateCELExpression(t *testing.T) {
 						delay: 1500 * time.Millisecond,
 						err:   nil,
 					},
-					compilingStore: lru.New(1),
+					compilingGroup: new(singleflight.Group),
 					compiledStore:  lru.New(1),
 				}
 			},
@@ -336,45 +337,28 @@ func TestValidateCELExpression(t *testing.T) {
 		{
 			name: "waits for already compiling expression to finish compiling and returns its results",
 			cel: func() *celStore {
-				compilingLRU := lru.New(1)
-				compiled := make(chan compileResult)
-				compilingLRU.Add(expression.Expression, compiled)
-				time.AfterFunc(time.Second, func() { compiled <- compileResult{err: errors.New("boom"), warn: "warning"} })
+				compGroup := new(singleflight.Group)
+
+				_ = compGroup.DoChan(expression.Expression, func() (interface{}, error) {
+					// Hog the group for a bit
+					time.Sleep(time.Second)
+
+					return compileResult{
+						err:  errors.New("boom"),
+						warn: "warning",
+					}, nil
+				})
 
 				return &celStore{
 					compiler:       nil, // should never end up calling this
-					compilingStore: compilingLRU,
+					compilingGroup: compGroup,
 					compiledStore:  lru.New(1),
 				}
 			},
 			ctx:        func() context.Context { return context.TODO() },
 			shouldErr:  true,
 			shouldWarn: true,
 		},
-		{
-			name: "stops waiting for already compiling expression if context is canceled",
-			cel: func() *celStore {
-				compilingLRU := lru.New(1)
-				compiled := make(chan compileResult)
-				compilingLRU.Add(expression.Expression, compiled)
-				time.AfterFunc(time.Second, func() { close(compiled) })
-
-				return &celStore{
-					compiler:       nil, // should never end up calling this
-					compilingStore: compilingLRU,
-					compiledStore:  lru.New(1),
-				}
-			},
-			ctx: func() context.Context {
-				ctx, cancel := context.WithCancel(context.TODO())
-				time.AfterFunc(500*time.Millisecond, func() {
-					cancel()
-				})
-
-				return ctx
-			},
-			shouldErr: true,
-		},
 		{
 			name: "returns already compiled expression results if the expression has been compiled before",
 			cel: func() *celStore {
@@ -387,7 +371,7 @@ func TestValidateCELExpression(t *testing.T) {
 
 				return &celStore{
 					compiler:       nil, // should never end up calling this
-					compilingStore: lru.New(1),
+					compilingGroup: new(singleflight.Group),
 					compiledStore:  compiledLRU,
 				}
 			},
@@ -399,8 +383,8 @@ func TestValidateCELExpression(t *testing.T) {
 			name: "handles panic in compilation goroutine",
 			cel: func() *celStore {
 				return &celStore{
-					compiler:       nil, // should never end up calling this
-					compilingStore: lru.New(1),
+					compiler:       nil, // causes panic
+					compilingGroup: new(singleflight.Group),
 					compiledStore:  lru.New(1),
 				}
 			},
@@ -459,7 +443,7 @@ func BenchmarkValidateClaimMappingsAllSameMaxed(b *testing.B) {
 
 	celStore := &celStore{
 		compiler:       authenticationcel.NewDefaultCompiler(),
-		compilingStore: lru.New(100),
+		compilingGroup: new(singleflight.Group),
 		compiledStore:  lru.New(100),
 	}
 	for b.Loop() {
@@ -486,7 +470,7 @@ func BenchmarkValidateClaimMappingsAllDifferentMaxed(b *testing.B) {
 
 	celStore := &celStore{
 		compiler:       authenticationcel.NewDefaultCompiler(),
-		compilingStore: lru.New(100),
+		compilingGroup: new(singleflight.Group),
 		compiledStore:  lru.New(100),
 	}
 	for b.Loop() {