adding reauth support for both pubsub and shardedpubsub

Author: atakavci

src/main/java/redis/clients/jedis/Connection.java

@@ -46,9 +46,8 @@ public class Connection implements Closeable {
   private String strVal;
   protected String server;
   protected String version;
-  protected AtomicReference<RedisCredentials> currentCredentials = new AtomicReference<RedisCredentials>(
-      null);
-  private boolean isTokenBasedAuthenticationEnabled = false;
+  private AtomicReference<RedisCredentials> currentCredentials = new AtomicReference<>(null);
+  private AuthXManager authXManager;
 
   public Connection() {
     this(Protocol.DEFAULT_HOST, Protocol.DEFAULT_PORT);
@@ -68,6 +67,7 @@ public Connection(final HostAndPort hostAndPort, final JedisClientConfig clientC
 
   public Connection(final JedisSocketFactory socketFactory) {
     this.socketFactory = socketFactory;
+    this.authXManager = null;
   }
 
   public Connection(final JedisSocketFactory socketFactory, JedisClientConfig clientConfig) {
@@ -458,9 +458,8 @@ protected void initializeFromClientConfig(final JedisClientConfig config) {
 
       Supplier<RedisCredentials> credentialsProvider = config.getCredentialsProvider();
 
-      AuthXManager authXManager = config.getAuthXManager();
+      authXManager = config.getAuthXManager();
       if (authXManager != null) {
-        isTokenBasedAuthenticationEnabled = true;
         credentialsProvider = authXManager;
       }
 
@@ -608,7 +607,11 @@ public boolean ping() {
     return true;
   }
 
-  public boolean isTokenBasedAuthenticationEnabled() {
-    return isTokenBasedAuthenticationEnabled;
+  protected boolean isTokenBasedAuthenticationEnabled() {
+    return authXManager != null;
+  }
+
+  protected AuthXManager getAuthXManager() {
+    return authXManager;
   }
 }

src/main/java/redis/clients/jedis/JedisPubSubBase.java

@@ -4,6 +4,7 @@
 
 import java.util.Arrays;
 import java.util.List;
+import java.util.function.Consumer;
 
 import redis.clients.jedis.Protocol.Command;
 import redis.clients.jedis.exceptions.JedisException;
@@ -12,7 +13,8 @@
 public abstract class JedisPubSubBase<T> {
 
   private int subscribedChannels = 0;
-  private volatile Connection client;
+  private final JedisSafeAuthenticator authenticator = new JedisSafeAuthenticator();
+  private final Consumer<Object> pingResultHandler = this::processPingReply;
 
   public void onMessage(T channel, T message) {
   }
@@ -36,12 +38,7 @@ public void onPong(T pattern) {
   }
 
   private void sendAndFlushCommand(Command command, T... args) {
-    if (client == null) {
-      throw new JedisException(getClass() + " is not connected to a Connection.");
-    }
-    CommandArguments cargs = new CommandArguments(command).addObjects(args);
-    client.sendCommand(cargs);
-    client.flush();
+    authenticator.sendAndFlushCommand(command, args);
   }
 
   public final void unsubscribe() {
@@ -63,7 +60,8 @@ public final void psubscribe(T... patterns) {
   }
 
   private void checkConnectionSuitableForPubSub() {
-    if (client.protocol == RedisProtocol.RESP2 && client.isTokenBasedAuthenticationEnabled()) {
+    if (authenticator.client.protocol != RedisProtocol.RESP3
+        && authenticator.client.isTokenBasedAuthenticationEnabled()) {
       throw new JedisException(
           "Blocking pub/sub operations are not supported on token-based authentication enabled connections with RESP2 protocol!");
     }
@@ -78,7 +76,13 @@ public final void punsubscribe(T... patterns) {
   }
 
   public final void ping() {
-    sendAndFlushCommand(Command.PING);
+    authenticator.commandSync.lock();
+    try {
+      sendAndFlushCommand(Command.PING);
+      authenticator.resultHandler.add(pingResultHandler);
+    } finally {
+      authenticator.commandSync.unlock();
+    }
   }
 
   public final void ping(T argument) {
@@ -94,24 +98,24 @@ public final int getSubscribedChannels() {
   }
 
   public final void proceed(Connection client, T... channels) {
-    this.client = client;
-    this.client.setTimeoutInfinite();
+    authenticator.registerForAuthentication(client);
+    authenticator.client.setTimeoutInfinite();
     try {
       subscribe(channels);
       process();
     } finally {
-      this.client.rollbackTimeout();
+      authenticator.client.rollbackTimeout();
     }
   }
 
   public final void proceedWithPatterns(Connection client, T... patterns) {
-    this.client = client;
-    this.client.setTimeoutInfinite();
+    authenticator.registerForAuthentication(client);
+    authenticator.client.setTimeoutInfinite();
     try {
       psubscribe(patterns);
       process();
     } finally {
-      this.client.rollbackTimeout();
+      authenticator.client.rollbackTimeout();
     }
   }
 
@@ -121,7 +125,7 @@ public final void proceedWithPatterns(Connection client, T... patterns) {
   private void process() {
 
     do {
-      Object reply = client.getUnflushedObject();
+      Object reply = authenticator.client.getUnflushedObject();
 
       if (reply instanceof List) {
         List<Object> listReply = (List<Object>) reply;
@@ -175,12 +179,8 @@ private void process() {
           throw new JedisException("Unknown message type: " + firstObj);
         }
       } else if (reply instanceof byte[]) {
-        byte[] resp = (byte[]) reply;
-        if ("PONG".equals(SafeEncoder.encode(resp))) {
-          onPong(null);
-        } else {
-          onPong(encode(resp));
-        }
+        Consumer<Object> resultHandler = authenticator.resultHandler.remove();
+        resultHandler.accept(reply);
       } else {
         throw new JedisException("Unknown message type: " + reply);
       }
@@ -189,4 +189,13 @@ private void process() {
     //    /* Invalidate instance since this thread is no longer listening */
     //    this.client = null;
   }
+
+  private void processPingReply(Object reply) {
+    byte[] resp = (byte[]) reply;
+    if ("PONG".equals(SafeEncoder.encode(resp))) {
+      onPong(null);
+    } else {
+      onPong(encode(resp));
+    }
+  }
 }

src/main/java/redis/clients/jedis/JedisSafeAuthenticator.java

@@ -0,0 +1,105 @@
+package redis.clients.jedis;
+
+import java.util.Queue;
+import java.util.concurrent.ConcurrentLinkedQueue;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.function.Consumer;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import redis.clients.authentication.core.SimpleToken;
+import redis.clients.authentication.core.Token;
+import redis.clients.jedis.Protocol.Command;
+import redis.clients.jedis.authentication.JedisAuthenticationException;
+import redis.clients.jedis.exceptions.JedisException;
+import redis.clients.jedis.util.SafeEncoder;
+
+public class JedisSafeAuthenticator {
+
+  private static final Token PLACEHOLDER_TOKEN = new SimpleToken(null, null, 0, 0, null);
+  private static final Logger logger = LoggerFactory.getLogger(JedisSafeAuthenticator.class);
+
+  protected volatile Connection client;
+  protected final Consumer<Object> authResultHandler = this::processAuthReply;
+  protected final Consumer<Token> authenticationHandler = this::safeReAuthenticate;
+
+  protected final AtomicReference<Token> pendingTokenRef = new AtomicReference<Token>(null);
+  protected final ReentrantLock commandSync = new ReentrantLock();
+  protected final Queue<Consumer<Object>> resultHandler = new ConcurrentLinkedQueue<Consumer<Object>>();
+
+  protected void sendAndFlushCommand(Command command, Object... args) {
+    if (client == null) {
+      throw new JedisException(getClass() + " is not connected to a Connection.");
+    }
+    CommandArguments cargs = new CommandArguments(command).addObjects(args);
+
+    Token newToken = pendingTokenRef.getAndSet(PLACEHOLDER_TOKEN);
+
+    // lets send the command without locking !!IF!! we know that pendingTokenRef is null replaced with PLACEHOLDER_TOKEN and no re-auth will go into action
+    // !!ELSE!! we are locking since we already know a re-auth is still in progress in another thread and we need to wait for it to complete, we do nothing but wait on it!
+    if (newToken != null) {
+      commandSync.lock();
+    }
+    try {
+      System.out.println("Sending command: " + command.toString());
+      client.sendCommand(cargs);
+      client.flush();
+    } finally {
+      Token newerToken = pendingTokenRef.getAndSet(null);
+      // lets check if a newer token received since the beginning of this sendAndFlushCommand call
+      if (newerToken != null && newerToken != PLACEHOLDER_TOKEN) {
+        safeReAuthenticate(newerToken);
+      }
+      if (newToken != null) {
+        commandSync.unlock();
+      }
+    }
+  }
+
+  protected void registerForAuthentication(Connection newClient) {
+    Connection oldClient = this.client;
+    if (oldClient == newClient) return;
+    if (oldClient != null && oldClient.getAuthXManager() != null) {
+      oldClient.getAuthXManager().removePostAuthenticationHook(authenticationHandler);
+    }
+    if (newClient != null && newClient.getAuthXManager() != null) {
+      newClient.getAuthXManager().addPostAuthenticationHook(authenticationHandler);
+    }
+    this.client = newClient;
+  }
+
+  private void safeReAuthenticate(Token token) {
+    try {
+      byte[] rawPass = client.encodeToBytes(token.getValue().toCharArray());
+      byte[] rawUser = client.encodeToBytes(token.getUser().toCharArray());
+
+      Token newToken = pendingTokenRef.getAndSet(token);
+      if (newToken == null) {
+        commandSync.lock();
+        try {
+          sendAndFlushCommand(Command.AUTH, rawUser, rawPass);
+          resultHandler.add(this.authResultHandler);
+        } finally {
+          pendingTokenRef.set(null);
+          commandSync.unlock();
+        }
+      }
+    } catch (Exception e) {
+      logger.error("Error while re-authenticating connection", e);
+      client.getAuthXManager().getListener().onConnectionAuthenticationError(e);
+    }
+  }
+
+  protected void processAuthReply(Object reply) {
+    byte[] resp = (byte[]) reply;
+    String response = SafeEncoder.encode(resp);
+    if (!"OK".equals(response)) {
+      String msg = "Re-authentication failed with server response: " + response;
+      Exception failedAuth = new JedisAuthenticationException(msg);
+      logger.error(failedAuth.getMessage(), failedAuth);
+      client.getAuthXManager().getListener().onConnectionAuthenticationError(failedAuth);
+    }
+  }
+}

src/main/java/redis/clients/jedis/JedisShardedPubSubBase.java

@@ -4,14 +4,15 @@
 
 import java.util.Arrays;
 import java.util.List;
+import java.util.function.Consumer;
 
 import redis.clients.jedis.Protocol.Command;
 import redis.clients.jedis.exceptions.JedisException;
 
 public abstract class JedisShardedPubSubBase<T> {
 
   private int subscribedChannels = 0;
-  private volatile Connection client;
+  private final JedisSafeAuthenticator authenticator = new JedisSafeAuthenticator();
 
   public void onSMessage(T channel, T message) {
   }
@@ -23,12 +24,7 @@ public void onSUnsubscribe(T channel, int subscribedChannels) {
   }
 
   private void sendAndFlushCommand(Command command, T... args) {
-    if (client == null) {
-      throw new JedisException(getClass() + " is not connected to a Connection.");
-    }
-    CommandArguments cargs = new CommandArguments(command).addObjects(args);
-    client.sendCommand(cargs);
-    client.flush();
+    authenticator.sendAndFlushCommand(command, args);
   }
 
   public final void sunsubscribe() {
@@ -40,9 +36,18 @@ public final void sunsubscribe(T... channels) {
   }
 
   public final void ssubscribe(T... channels) {
+    checkConnectionSuitableForPubSub();
     sendAndFlushCommand(Command.SSUBSCRIBE, channels);
   }
 
+  private void checkConnectionSuitableForPubSub() {
+    if (authenticator.client.protocol != RedisProtocol.RESP3
+        && authenticator.client.isTokenBasedAuthenticationEnabled()) {
+      throw new JedisException(
+          "Blocking pub/sub operations are not supported on token-based authentication enabled connections with RESP2 protocol!");
+    }
+  }
+
   public final boolean isSubscribed() {
     return subscribedChannels > 0;
   }
@@ -52,23 +57,22 @@ public final int getSubscribedChannels() {
   }
 
   public final void proceed(Connection client, T... channels) {
-    this.client = client;
-    this.client.setTimeoutInfinite();
+    authenticator.registerForAuthentication(client);
+    authenticator.client.setTimeoutInfinite();
     try {
       ssubscribe(channels);
       process();
     } finally {
-      this.client.rollbackTimeout();
+      authenticator.client.rollbackTimeout();
     }
   }
 
   protected abstract T encode(byte[] raw);
 
-//  private void process(Client client) {
   private void process() {
 
     do {
-      Object reply = client.getUnflushedObject();
+      Object reply = authenticator.client.getUnflushedObject();
 
       if (reply instanceof List) {
         List<Object> listReply = (List<Object>) reply;
@@ -96,6 +100,9 @@ private void process() {
         } else {
           throw new JedisException("Unknown message type: " + firstObj);
         }
+      } else if (reply instanceof byte[]) {
+        Consumer<Object> resultHandler = authenticator.resultHandler.remove();
+        resultHandler.accept(reply);
       } else {
         throw new JedisException("Unknown message type: " + reply);
       }

src/test/java/redis/clients/jedis/authentication/RedisEntraIDIntegrationTests.java

@@ -270,13 +270,6 @@ public void allConnectionsReauthTest() throws InterruptedException, ExecutionExc
     }
   }
 
-  // T.3.2
-  // Test system behavior when some connections fail to re-authenticate during bulk authentication. e.g when a network partition occurs for 1 or more of them
-  @Test
-  public void partialReauthFailureTest() {
-
-  }
-
   // T.3.3
   // Verify behavior when attempting to authenticate a single connection with an expired token.
   @Test