X on auth info refresh ...

d528e25c · Kirill Smelkov · b8c0fedd · d528e25c
Commit d528e25c authored Nov 26, 2015 by Kirill Smelkov
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 14 deletions

blob.go blob.go +50 -14

No files found.
--- a/blob.go
+++ b/blob.go
@@ -33,25 +33,40 @@ func blobPreAuthorizeHandler(handleFunc serviceHandleFunc) serviceHandleFunc {
 type authInfo struct {
 	authResponse	authorizationResponse
-	timestamp	int64	// in seconds
+	Tauth		int64	// in seconds
+	Naccess		int64
 }
 // project -> authInfo
 // FIXME it have to be not only project (privateToken etc...)
 var authCache = make(map[string]authInfo)
-// verify that download access is authorized by auth backend
+const authCacheRefresh	= 30	// in seconds
-func verifyDownloadAccess(w http.ResponseWriter, r *gitRequest, project string) bool {
-	// XXX do we need mutex to lock authCache ?
+// refresh cache entry periodically while it is used
-	auth, ok := authCache[project]
+// if the entry is detected to be not used - remove it from cache and stop rereshing
-	if ok {
+func authRefresh(u *upstream, project string) {
-		log.Printf("downloadOk cached %v ago: %v",
+	for ;; {
-				time.Since(time.Unix(auth.timestamp, 0)),
+		time.Sleep(authCacheRefresh)
-				auth.authResponse)
-		r.authorizationResponse = auth.authResponse
+		// XXX lock?
-		return (auth.authResponse.RepoPath != "")	// XXX ok?
+		auth, ok := authCache[project]
+		if !ok {	// someone removed the entry from cache - no
+			break	// need to further refresh	XXX ok?
+		}
+		if auth.Naccess == 0 {	// not used - we can remove and stop refreshing
+			delete(authCache, project)
+			break
+		}
+		askAuthBackend(u, project)
 	}
+}
+// ask auth backend whether download is ok for project
+func askAuthBackend(u *upstream, project string) authorizationResponse {
 	// request to verify whether download is possible via asking as git fetch would do
 	// XXX privateToken not propagated, etc ...
 	reqDownloadAccess, err := http.NewRequest("GET", project + ".git/info/refs?service=git-upload-pack", nil)
@@ -62,16 +77,37 @@ func verifyDownloadAccess(w http.ResponseWriter, r *gitRequest, project string)
 	// swap original request to 'verify-download' one
 	//requestBlob := r.Request
-	r.Request = reqDownloadAccess
+	r := &gitRequest{
+		Request: reqDownloadAccess,
+		u:	 u,
+	}
-	downloadOk := false
+	// downloadOk := false
 	preAuthorizeHandler(
 		func(w http.ResponseWriter, r *gitRequest) {
 			// if we ever get to this point - auth handler approved
 			// access and thus it is ok to download
-			downloadOk = true
+			// downloadOk = true
 		}, "") (w, r)
+	return r.authorizationResponse
+}
+// verify that download access is authorized by auth backend
+func verifyDownloadAccess(w http.ResponseWriter, r *gitRequest, project string) bool {
+	// XXX do we need mutex to lock authCache ?
+	auth, ok := authCache[project]
+	if ok {
+		log.Printf("downloadOk cached %v ago: %v",
+				time.Since(time.Unix(auth.Tauth, 0)),
+				auth.authResponse)
+		r.authorizationResponse = auth.authResponse
+		return (auth.authResponse.RepoPath != "")	// XXX ok?
+	}
+	r.authorizationResponse = askAuthBackend(r.u, project)
 	// XXX do we need to lock authCache ?
 	authCache[project] = authInfo{r.authorizationResponse, time.Now().Unix()}
 	return downloadOk