Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix authenticators bug: stop allowing usage when validation fails #2013

Merged
merged 2 commits into from
Jul 17, 2024
Merged

fix authenticators bug: stop allowing usage when validation fails #2013

merged 2 commits into from
Jul 17, 2024

Conversation

cfryanr
Copy link
Member

@cfryanr cfryanr commented Jul 12, 2024
edited
Loading

When the spec of a JWTAuthenticator or WebhookAuthenticator changes, and if the resource goes from being valid to being invalid, then that authenticator should not be used anymore. This PR removes it from the in-memory cache so it cannot be used during auth anymore.

This PR also reduces how often the WebhookAuthenticators are revalidated. When the spec has not changed since it was previously validated, then skip performing validations and leave it in the in-memory cache for usage during auth.

These changes also have the side benefit of making the code for controller for WebhookAuthenticators and the controller for JWTAuthenticator more similar/consistent.

Release note:

WebhookAuthenticators and JWTAuthenticators which were previously validated,
and then become invalid due to a spec change, are not considered usable for
authentication anymore. WebhookAuthenticators that are already validated by
a Concierge pod will not be validated again by that same pod unless the spec
changes or the pod restarts, to reduce the number of TCP dials to the remote
webhook server.

@cfryanr cfryanr marked this pull request as draft July 12, 2024 22:07
@codecov Codecov
Copy link

codecov bot commented Jul 12, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 98.82353% with 1 line in your changes missing coverage. Please review.

Project coverage is 30.73%. Comparing base (6b722a1) to head (a2be4b7).

Files Patch % Lines
...ler/authenticator/jwtcachefiller/jwtcachefiller.go 97.36% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2013      +/-   ##
==========================================
+ Coverage   30.68%   30.73%   +0.04%     
==========================================
  Files         365      365              
  Lines       60594    60644      +50     
==========================================
+ Hits        18591    18636      +45     
- Misses      41468    41472       +4     
- Partials      535      536       +1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cfryanr cfryanr marked this pull request as ready for review July 16, 2024 17:01
@cfryanr cfryanr changed the title WIP: fix authenticators bug, stop allowing usage when validation fails fix authenticators bug, stop allowing usage when validation fails Jul 16, 2024
@cfryanr cfryanr changed the title fix authenticators bug, stop allowing usage when validation fails fix authenticators bug: stop allowing usage when validation fails Jul 16, 2024
@cfryanr cfryanr enabled auto-merge July 17, 2024 17:57
@cfryanr cfryanr merged commit 00301e3 into main Jul 17, 2024
43 checks passed
@cfryanr cfryanr deleted the authenticators_bugfix branch July 17, 2024 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuatcasey joshuatcasey joshuatcasey approved these changes

Assignees
No one assigned
Labels
cla-not-required
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cfryanr @joshuatcasey @vmwclabot