123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242 |
- package qlight
- import (
- "context"
- "encoding/base64"
- "encoding/json"
- "fmt"
- "strings"
- "sync"
- "time"
- "github.com/ethereum/go-ethereum/log"
- "github.com/ethereum/go-ethereum/plugin"
- qlightplugin "github.com/ethereum/go-ethereum/plugin/qlight"
- )
- type TokenHolder struct {
- token string
- psi string
- refreshAnticipation int32
- plugin qlightplugin.PluginTokenManager
- pluginManager *plugin.PluginManager
- peerUpdater RunningPeerAuthUpdater
- timer *time.Timer
- eta time.Time
- lock sync.Mutex
- }
- func NewTokenHolder(psi string, pluginManager *plugin.PluginManager) (*TokenHolder, error) {
- plugin, err := getPlugin(pluginManager, new(plugin.QLightTokenManagerPluginTemplate))
- if err != nil {
- return nil, fmt.Errorf("get plugin: %w", err)
- }
- var refreshAnticipation int32
- if plugin != nil {
- refreshAnticipation, err = plugin.PluginTokenManager(context.Background())
- if err != nil {
- return nil, fmt.Errorf("fetch refresh anticipation value: %w", err)
- }
- }
- return NewTokenHolderWithPlugin(psi, refreshAnticipation, plugin, pluginManager), nil
- }
- func getPlugin(pluginManager plugin.PluginManagerInterface, pluginTemplate plugin.QLightTokenManagerPluginTemplateInterface) (plugin qlightplugin.PluginTokenManager, err error) {
- pluginTemplate, err = tokenManager(pluginManager, pluginTemplate)
- if err != nil {
- return
- }
- if pluginTemplate != nil {
- err = pluginTemplate.Start()
- if err != nil {
- return
- }
- plugin, err = pluginTemplate.Get()
- }
- return
- }
- func NewTokenHolderWithPlugin(psi string, refreshAnticipation int32, plugin qlightplugin.PluginTokenManager, pluginManager *plugin.PluginManager) *TokenHolder {
- return &TokenHolder{
- psi: psi,
- plugin: plugin,
- pluginManager: pluginManager,
- refreshAnticipation: refreshAnticipation,
- }
- }
- func (h *TokenHolder) SetPeerUpdater(peerUpdater RunningPeerAuthUpdater) {
- if h == nil || peerUpdater == nil {
- return
- }
- h.peerUpdater = peerUpdater
- }
- func (h *TokenHolder) RefreshPlugin(pluginManager plugin.PluginManagerInterface) error {
- return h.refreshPlugin(pluginManager, new(plugin.QLightTokenManagerPluginTemplate))
- }
- func (h *TokenHolder) refreshPlugin(pluginManager plugin.PluginManagerInterface, template plugin.QLightTokenManagerPluginTemplateInterface) (err error) {
- h.plugin, err = getPlugin(pluginManager, template)
- if err != nil {
- return
- }
- var refreshAnticipation int32
- if h.plugin != nil {
- refreshAnticipation, err = h.plugin.PluginTokenManager(context.Background())
- if err != nil {
- return
- }
- }
- h.refreshAnticipation = refreshAnticipation
- err = h.updateTimer()
- return
- }
- func (h *TokenHolder) HttpCredentialsProvider(ctx context.Context) (string, error) {
- return h.CurrentToken(), nil
- }
- func (h *TokenHolder) ReloadPlugin() error {
- plugin, err := getPlugin(h.pluginManager, new(plugin.QLightTokenManagerPluginTemplate))
- if err != nil {
- return err
- }
- refreshAnticipation, err := plugin.PluginTokenManager(context.Background())
- if err != nil {
- return fmt.Errorf("fetch refresh anticipation value: %w", err)
- }
- h.plugin = plugin
- h.refreshAnticipation = refreshAnticipation
- return h.updateTimer()
- }
- func (h *TokenHolder) CurrentToken() string {
- if h == nil {
- log.Warn("token holder nil, returning empty token")
- return ""
- }
- if h.plugin == nil {
- log.Warn("token plugin is missing, no update possible")
- return h.token
- }
- expired, err := h.tokenExpired()
- if err != nil {
- log.Warn("error while checking if token is expired", "err", err)
- }
- if !expired {
- return h.token
- }
- h.lock.Lock()
- defer h.lock.Unlock()
- returnedToken, err := h.plugin.TokenRefresh(context.Background(), h.token, h.psi)
- if err != nil {
- log.Error("get token from plugin", "err", err)
- } else {
- if h.token != returnedToken {
- log.Debug("new token from plugin")
- err = h.peerUpdater.UpdateTokenForRunningQPeers(returnedToken)
- if err != nil {
- log.Warn("update token to QPeers", "err", err)
- }
- }
- h.token = returnedToken
- err = h.updateTimer()
- if err != nil {
- log.Warn("update token timer", "err", err)
- }
- }
- return h.token
- }
- // updateTimer updates the expiration timer that will trigger automatically a token refreshment
- func (h *TokenHolder) updateTimer() error {
- if h == nil && h.plugin == nil {
- return nil
- }
- expireIn, err := h.tokenExpirationDelay()
- if err != nil {
- return err
- }
- if h.timer != nil && time.Now().Add(expireIn).After(h.eta) {
- if !h.timer.Stop() {
- log.Debug("token updateTimer read timer.C", "expire in", expireIn)
- <-h.timer.C
- }
- h.timer = nil
- }
- if h.timer == nil {
- if expireIn <= 0 { // automatic refresh one second after if already expired
- expireIn = time.Second
- } else {
- expireIn = expireIn - time.Duration(h.refreshAnticipation)*time.Millisecond
- }
- h.eta = time.Now().Add(expireIn)
- log.Debug("token updateTimer new", "expire in", expireIn, "eta", h.eta)
- h.timer = time.AfterFunc(expireIn, func() {
- log.Debug("token updateTimer triggered", "expire in", expireIn, "eta", h.eta)
- h.timer = nil
- h.eta = time.Now()
- h.CurrentToken()
- })
- }
- return nil
- }
- type JWT struct {
- ExpireAt int64 `json:"exp"`
- }
- func (h *TokenHolder) tokenExpirationDelay() (time.Duration, error) {
- if len(h.token) == 0 {
- return 0, nil
- }
- token := h.token
- idx := strings.Index(token, " ")
- if idx >= 0 {
- token = token[idx+1:]
- }
- split := strings.Split(token, ".")
- if len(split) <= 1 {
- return 0, nil
- }
- data, err := base64.RawStdEncoding.DecodeString(split[1])
- if err != nil {
- return 0, fmt.Errorf("decode Base64: %w", err)
- }
- jwt := &JWT{}
- err = json.Unmarshal(data, jwt)
- if err != nil {
- return 0, fmt.Errorf("unmarshal JSON: %w", err)
- }
- expireAt := time.Unix(jwt.ExpireAt, 0)
- return -time.Since(expireAt), nil // transform negative value to positive as expiration date is in future and time.Since measure in the past
- }
- func (h *TokenHolder) tokenExpired() (bool, error) {
- expireIn, err := h.tokenExpirationDelay()
- if err != nil {
- return true, err
- }
- return expireIn < time.Duration(h.refreshAnticipation)*time.Millisecond, nil
- }
- func (h *TokenHolder) SetCurrentToken(v string) {
- h.token = v
- }
- func (h *TokenHolder) SetExpirationAnticipation(v int32) {
- h.refreshAnticipation = v
- }
- func tokenManager(pluginManager plugin.PluginManagerInterface, template plugin.QLightTokenManagerPluginTemplateInterface) (plugin.QLightTokenManagerPluginTemplateInterface, error) {
- name := plugin.QLightTokenManagerPluginInterfaceName
- if pluginManager.IsEnabled(name) {
- managedPlugin := template.ManagedPlugin()
- log.Warn("template plugin", "tmp", template, "managed", managedPlugin)
- err := pluginManager.GetPluginTemplate(name, managedPlugin)
- return template, err
- }
- log.Info("Token Manager Plugin is not enabled")
- return nil, nil
- }
|