JointCloud
/
JCS-pub
Not watched
1
0
Fork 0
Code
Releases 0 Wiki evaluate Activity
Issues 0 Pull Requests 0 Datasets Model Cloudbrain HPC
You can not select more than 25 topics Topics must start with a chinese character,a letter or number, can include dashes ('-') and can be up to 35 characters long.
Tree: 3d2499ebad
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3d2499ebad'
${ noResults }
JCS-pub/common/pkgs/accesstoken/accesstoken.go

234 lines
5.4 kB
Raw Blame History 

  1. package accesstoken

  2. 

  3. import (

  4. 	"crypto/ed25519"

  5. 	"encoding/hex"

  6. 	"fmt"

  7. 	"sync"

  8. 	"time"

  9. 

  10. 	"gitlink.org.cn/cloudream/common/pkgs/async"

  11. 	"gitlink.org.cn/cloudream/common/pkgs/logger"

  12. 	"gitlink.org.cn/cloudream/jcs-pub/common/pkgs/rpc"

  13. 	cortypes "gitlink.org.cn/cloudream/jcs-pub/coordinator/types"

  14. )

  15. 

  16. type CacheEvent interface {

  17. 	IsAccessTokenCacheEvent() bool

  18. }

  19. 

  20. type ExitEvent struct {

  21. 	CacheEvent

  22. 	Err error

  23. }

  24. 

  25. type CacheKey struct {

  26. 	UserID  cortypes.UserID

  27. 	TokenID cortypes.AccessTokenID

  28. }

  29. 

  30. var ErrTokenNotFound = fmt.Errorf("token not found")

  31. 

  32. type AccessTokenLoader func(key CacheKey) (cortypes.UserAccessToken, error)

  33. 

  34. type CacheEntry struct {

  35. 	IsTokenValid bool

  36. 	Token        cortypes.UserAccessToken

  37. 	PublicKey    ed25519.PublicKey

  38. 	LoadedAt     time.Time

  39. 	LastUsedAt   time.Time

  40. }

  41. 

  42. type Cache struct {

  43. 	lock   sync.Mutex

  44. 	cache  map[CacheKey]*CacheEntry

  45. 	done   chan any

  46. 	loader AccessTokenLoader

  47. }

  48. 

  49. func New(loader AccessTokenLoader) *Cache {

  50. 	return &Cache{

  51. 		cache:  make(map[CacheKey]*CacheEntry),

  52. 		done:   make(chan any, 1),

  53. 		loader: loader,

  54. 	}

  55. }

  56. 

  57. func (nc *Cache) Start() *async.UnboundChannel[CacheEvent] {

  58. 	log := logger.WithField("Mod", "AccessTokenCache")

  59. 

  60. 	ch := async.NewUnboundChannel[CacheEvent]()

  61. 	go func() {

  62. 		ticker := time.NewTicker(time.Second * 10)

  63. 		defer ticker.Stop()

  64. 

  65. 	loop:

  66. 		for {

  67. 			select {

  68. 			case <-nc.done:

  69. 				break loop

  70. 

  71. 			case <-ticker.C:

  72. 				nc.lock.Lock()

  73. 				for key, entry := range nc.cache {

  74. 					if !entry.IsTokenValid {

  75. 						// 无效Token的记录5分钟后删除

  76. 						if time.Since(entry.LoadedAt) > time.Minute*5 {

  77. 							log.WithField("UserID", key.UserID).WithField("TokenID", key.TokenID).Infof("delete expired invalid token")

  78. 							delete(nc.cache, key)

  79. 							continue

  80. 						}

  81. 					} else {

  82. 						// 5分钟没有使用的Token则删除

  83. 						if time.Since(entry.LastUsedAt) > time.Minute*5 {

  84. 							log.WithField("UserID", key.UserID).WithField("TokenID", key.TokenID).Infof("delete unused token")

  85. 							delete(nc.cache, key)

  86. 							continue

  87. 						}

  88. 

  89. 						// 过期Token标记为无效

  90. 						if time.Now().After(entry.Token.ExpiresAt) {

  91. 							entry.IsTokenValid = false

  92. 							entry.LastUsedAt = time.Now()

  93. 							log.WithField("UserID", key.UserID).WithField("TokenID", key.TokenID).Infof("token expired")

  94. 

  95. 						} else if time.Since(entry.LoadedAt) > time.Minute*5 {

  96. 							// 依然有效的Token,则5分钟检查一次有效性

  97. 							go nc.load(key)

  98. 						}

  99. 					}

  100. 				}

  101. 				nc.lock.Unlock()

  102. 			}

  103. 		}

  104. 

  105. 		ch.Send(&ExitEvent{})

  106. 	}()

  107. 	return ch

  108. }

  109. 

  110. func (mc *Cache) Stop() {

  111. 	select {

  112. 	case mc.done <- true:

  113. 	default:

  114. 	}

  115. }

  116. 

  117. func (mc *Cache) Get(key CacheKey) (*CacheEntry, bool) {

  118. 	var ret *CacheEntry

  119. 	var ok bool

  120. 

  121. 	for i := 0; i < 2; i++ {

  122. 		mc.lock.Lock()

  123. 		entry, getOk := mc.cache[key]

  124. 

  125. 		if getOk {

  126. 			ret = entry

  127. 			ok = true

  128. 			ret.LastUsedAt = time.Now()

  129. 

  130. 			// 如果Token已经过期,则直接设置为无效Token。因为Token是随机生成的,几乎不可能把一个过期的Token再用上

  131. 			if entry.IsTokenValid && time.Now().After(entry.Token.ExpiresAt) {

  132. 				entry.IsTokenValid = false

  133. 				entry.LastUsedAt = time.Now()

  134. 			}

  135. 		}

  136. 

  137. 		mc.lock.Unlock()

  138. 

  139. 		if ok {

  140. 			break

  141. 		}

  142. 

  143. 		mc.load(key)

  144. 	}

  145. 

  146. 	return ret, ok

  147. }

  148. 

  149. func (mc *Cache) NotifyTokenInvalid(key CacheKey) {

  150. 	log := logger.WithField("Mod", "AccessTokenCache")

  151. 

  152. 	mc.lock.Lock()

  153. 	defer mc.lock.Unlock()

  154. 

  155. 	entry, ok := mc.cache[key]

  156. 	if !ok {

  157. 		entry = &CacheEntry{

  158. 			IsTokenValid: false,

  159. 			LoadedAt:     time.Now(),

  160. 			LastUsedAt:   time.Now(),

  161. 		}

  162. 		mc.cache[key] = entry

  163. 		return

  164. 	}

  165. 

  166. 	entry.IsTokenValid = false

  167. 	entry.LastUsedAt = time.Now()

  168. 

  169. 	log.WithField("UserID", key.UserID).WithField("TokenID", key.TokenID).Infof("notify token invalid")

  170. }

  171. 

  172. func (mc *Cache) load(key CacheKey) {

  173. 	log := logger.WithField("Mod", "AccessTokenCache")

  174. 

  175. 	loadToken, cerr := mc.loader(key)

  176. 

  177. 	mc.lock.Lock()

  178. 	defer mc.lock.Unlock()

  179. 

  180. 	if cerr != nil {

  181. 		log.WithField("UserID", key.UserID).WithField("TokenID", key.TokenID).Warnf("load token: %v", cerr)

  182. 

  183. 		// 明确是无效的Token的也缓存一下,用于快速拒绝请求

  184. 		if cerr == ErrTokenNotFound {

  185. 			mc.cache[key] = &CacheEntry{

  186. 				IsTokenValid: false,

  187. 				LoadedAt:     time.Now(),

  188. 				LastUsedAt:   time.Now(),

  189. 			}

  190. 		}

  191. 		return

  192. 	}

  193. 

  194. 	pubKey, err := hex.DecodeString(loadToken.PublicKey)

  195. 	if err != nil {

  196. 		log.WithField("UserID", key.UserID).WithField("TokenID", key.TokenID).Warnf("invalid public key: %v", err)

  197. 		return

  198. 	}

  199. 

  200. 	mc.cache[key] = &CacheEntry{

  201. 		IsTokenValid: true,

  202. 		Token:        loadToken,

  203. 		PublicKey:    pubKey,

  204. 		LoadedAt:     time.Now(),

  205. 		LastUsedAt:   time.Now(),

  206. 	}

  207. 

  208. 	log.WithField("UserID", key.UserID).WithField("TokenID", key.TokenID).Infof("load token success, expires at: %v", loadToken.ExpiresAt)

  209. }

  210. 

  211. func (mc *Cache) Verify(authInfo rpc.AccessTokenAuthInfo) bool {

  212. 	token, ok := mc.Get(CacheKey{

  213. 		UserID:  authInfo.UserID,

  214. 		TokenID: authInfo.AccessTokenID,

  215. 	})

  216. 	if !ok {

  217. 		return false

  218. 	}

  219. 	if !token.IsTokenValid {

  220. 		return false

  221. 	}

  222. 

  223. 	sig, err := hex.DecodeString(authInfo.Signature)

  224. 	if err != nil {

  225. 		return false

  226. 	}

  227. 

  228. 	return ed25519.Verify(token.PublicKey, []byte(MakeStringToSign(authInfo.UserID, authInfo.AccessTokenID, authInfo.Nonce)), []byte(sig))

  229. }

  230. 

  231. func MakeStringToSign(userID cortypes.UserID, tokenID cortypes.AccessTokenID, nonce string) string {

  232. 	return fmt.Sprintf("%v.%v.%v", userID, tokenID, nonce)

  233. }