Token blacklist, cache and metadata improvements

TokenBlacklist Improvements: Fixed size limit enforcement to properly maintain max size of 1000 tokens Improved eviction strategy to remove expired tokens first before removing oldest Added proper cleanup of tokens during Add operation to prevent size overflow Fixed oldest token eviction logic to ensure correct token removal Added proper locking mechanisms to prevent race conditions Cache Improvements: Fixed cleanup mechanism to only remove truly expired items Improved eviction strategy in LRU cache to prioritize expired items Added smarter eviction in evictOldest to scan for expired items first Fixed aggressive cleanup that was removing valid items Maintained proper LRU ordering while handling evictions MetadataCache: Verified proper implementation of metadata caching with hourly refresh Confirmed proper handling of cache extension on fetch failures Validated thread-safe operations with proper RWMutex usage
2026-06-05 22:44:17 +00:00 · 2025-02-09 23:53:05 +00:00
parent e6205b3a48
commit 9402f1bca5
5 changed files with 180 additions and 134 deletions
@@ -0,0 +1,110 @@
+package traefikoidc
+
+import (
+	"sync"
+	"time"
+)
+
+// TokenBlacklist manages a thread-safe list of revoked tokens with expiration.
+type TokenBlacklist struct {
+	tokens map[string]time.Time
+	mutex  sync.RWMutex
+}
+
+// NewTokenBlacklist creates a new token blacklist instance.
+func NewTokenBlacklist() *TokenBlacklist {
+	return &TokenBlacklist{
+		tokens: make(map[string]time.Time),
+	}
+}
+
+// Add adds a token to the blacklist with an expiration time.
+func (b *TokenBlacklist) Add(token string, expiry time.Time) {
+	b.mutex.Lock()
+	defer b.mutex.Unlock()
+
+	// Clean up expired tokens if we're at capacity
+	if len(b.tokens) >= 1000 {
+		now := time.Now()
+		futureThreshold := now.Add(time.Minute)
+		for t, exp := range b.tokens {
+			if now.After(exp) || futureThreshold.After(exp) {
+				delete(b.tokens, t)
+			}
+		}
+
+		// If still at capacity, remove oldest token
+		if len(b.tokens) >= 1000 {
+			var oldestToken string
+			var oldestTime time.Time
+			first := true
+			for t, exp := range b.tokens {
+				if first || exp.Before(oldestTime) {
+					oldestToken = t
+					oldestTime = exp
+					first = false
+				}
+			}
+			if oldestToken != "" {
+				delete(b.tokens, oldestToken)
+			}
+		}
+	}
+
+	b.tokens[token] = expiry
+}
+
+// IsBlacklisted checks if a token is in the blacklist and not expired.
+func (b *TokenBlacklist) IsBlacklisted(token string) bool {
+	b.mutex.RLock()
+	defer b.mutex.RUnlock()
+
+	expiry, exists := b.tokens[token]
+	if !exists {
+		return false
+	}
+
+	// If token is expired, remove it and return false
+	if time.Now().After(expiry) {
+		// Switch to write lock to remove expired token
+		b.mutex.RUnlock()
+		b.mutex.Lock()
+		delete(b.tokens, token)
+		b.mutex.Unlock()
+		b.mutex.RLock()
+		return false
+	}
+
+	return true
+}
+
+// Cleanup removes expired tokens from the blacklist.
+// Also removes tokens that will expire within the next minute to prevent edge cases.
+func (b *TokenBlacklist) Cleanup() {
+	b.mutex.Lock()
+	defer b.mutex.Unlock()
+
+	now := time.Now()
+	futureThreshold := now.Add(time.Minute)
+
+	for token, expiry := range b.tokens {
+		// Remove tokens that are expired or will expire soon
+		if now.After(expiry) || futureThreshold.After(expiry) {
+			delete(b.tokens, token)
+		}
+	}
+}
+
+// Remove removes a token from the blacklist regardless of its expiration.
+func (b *TokenBlacklist) Remove(token string) {
+	b.mutex.Lock()
+	defer b.mutex.Unlock()
+	delete(b.tokens, token)
+}
+
+// Count returns the current number of tokens in the blacklist.
+func (b *TokenBlacklist) Count() int {
+	b.mutex.RLock()
+	defer b.mutex.RUnlock()
+	return len(b.tokens)
+}
@@ -128,6 +128,7 @@ func (c *Cache) Cleanup() {

 	now := time.Now()
 	for key, item := range c.items {
+		// Only remove items that are already expired
 		if now.After(item.ExpiresAt) {
 			c.removeItem(key)
 		}
@@ -136,8 +137,23 @@ func (c *Cache) Cleanup() {

 // evictOldest removes the least recently used item from the cache.
 func (c *Cache) evictOldest() {
+	now := time.Now()
 	elem := c.order.Front()
-	if elem != nil {
+	
+	// First try to find an expired item from the front
+	for elem != nil {
+		entry := elem.Value.(lruEntry)
+		if item, exists := c.items[entry.key]; exists {
+			if now.After(item.ExpiresAt) {
+				c.removeItem(entry.key)
+				return
+			}
+		}
+		elem = elem.Next()
+	}
+
+	// If no expired items found, remove the oldest item
+	if elem = c.order.Front(); elem != nil {
 		entry := elem.Value.(lruEntry)
 		c.removeItem(entry.key)
 	}
@@ -11,7 +11,6 @@ import (
 	"net/http/cookiejar"
 	"net/url"
 	"strings"
-	"sync"
 	"time"
 )

@@ -283,79 +282,6 @@ func extractClaims(tokenString string) (map[string]interface{}, error) {
 	return claims, nil
 }

-// TokenBlacklist maintains a thread-safe list of revoked tokens.
-// It stores tokens with their expiration times and automatically
-// removes expired entries during cleanup operations.
-type TokenBlacklist struct {
-	// blacklist maps token IDs to their expiration times
-	blacklist map[string]time.Time
-
-	// mutex protects concurrent access to the blacklist
-	mutex sync.RWMutex
-
-	// maxSize is the maximum number of tokens in the blacklist
-	maxSize int
-}
-
-// NewTokenBlacklist creates a new TokenBlacklist instance.
-func NewTokenBlacklist() *TokenBlacklist {
-	return &TokenBlacklist{
-		blacklist: make(map[string]time.Time),
-		maxSize:   1000, // Limit the size to prevent unbounded growth
-	}
-}
-
-// Add adds a token to the blacklist with an expiration time.
-func (tb *TokenBlacklist) Add(tokenID string, expiration time.Time) {
-	tb.mutex.Lock()
-	defer tb.mutex.Unlock()
-
-	// Clean up expired tokens if we're at capacity
-	if len(tb.blacklist) >= tb.maxSize {
-		now := time.Now()
-		for token, exp := range tb.blacklist {
-			if now.After(exp) {
-				delete(tb.blacklist, token)
-			}
-		}
-		// If still at capacity after cleanup, remove oldest token
-		if len(tb.blacklist) >= tb.maxSize {
-			var oldestToken string
-			var oldestTime time.Time
-			first := true
-			for token, exp := range tb.blacklist {
-				if first || exp.Before(oldestTime) {
-					oldestToken = token
-					oldestTime = exp
-					first = false
-				}
-			}
-			delete(tb.blacklist, oldestToken)
-		}
-	}
-	tb.blacklist[tokenID] = expiration
-}
-
-// IsBlacklisted checks if a token is in the blacklist and not expired.
-func (tb *TokenBlacklist) IsBlacklisted(tokenID string) bool {
-	tb.mutex.RLock()
-	defer tb.mutex.RUnlock()
-	expiration, exists := tb.blacklist[tokenID]
-	return exists && time.Now().Before(expiration)
-}
-
-// Cleanup removes expired tokens from the blacklist.
-func (tb *TokenBlacklist) Cleanup() {
-	tb.mutex.Lock()
-	defer tb.mutex.Unlock()
-	now := time.Now()
-	for tokenID, expiration := range tb.blacklist {
-		if now.After(expiration) {
-			delete(tb.blacklist, tokenID)
-		}
-	}
-}
-
 // TokenCache provides a caching mechanism for validated tokens.
 // It stores token claims to avoid repeated validation of the
 // same token, improving performance for frequently used tokens.
@@ -16,16 +16,16 @@ func TestTokenBlacklistSizeLimit(t *testing.T) {
 	}

 	// Verify size is at max
-	if len(tb.blacklist) != 1000 {
-		t.Errorf("Expected blacklist size to be 1000, got %d", len(tb.blacklist))
+	if tb.Count() != 1000 {
+		t.Errorf("Expected blacklist size to be 1000, got %d", tb.Count())
 	}

 	// Add one more token, should trigger cleanup/eviction
 	tb.Add("newtoken", time.Now().Add(time.Hour))

 	// Size should still be at max
-	if len(tb.blacklist) > 1000 {
-		t.Errorf("Blacklist exceeded max size: %d", len(tb.blacklist))
+	if tb.Count() > 1000 {
+		t.Errorf("Blacklist exceeded max size: %d", tb.Count())
 	}
 }

@@ -46,12 +46,14 @@ func TestTokenBlacklistExpiredCleanup(t *testing.T) {
 	tb.Cleanup()

 	// Only valid tokens should remain
-	if len(tb.blacklist) != 500 {
-		t.Errorf("Expected 500 valid tokens after cleanup, got %d", len(tb.blacklist))
+	if tb.Count() != 500 {
+		t.Errorf("Expected 500 valid tokens after cleanup, got %d", tb.Count())
 	}

 	// Verify only valid tokens remain
-	for token, expiry := range tb.blacklist {
+	tb.mutex.RLock()
+	defer tb.mutex.RUnlock()
+	for token, expiry := range tb.tokens {
 		if time.Now().After(expiry) {
 			t.Errorf("Found expired token after cleanup: %s", token)
 		}
@@ -130,8 +132,8 @@ func TestTokenBlacklistMemoryUsage(t *testing.T) {
 	}

 	// Verify size stayed within limits
-	if len(tb.blacklist) > tb.maxSize {
-		t.Errorf("Blacklist exceeded max size: %d", len(tb.blacklist))
+	if tb.Count() > 1000 {
+		t.Errorf("Blacklist exceeded max size: %d", tb.Count())
 	}
 }

@@ -167,8 +169,8 @@ func TestConcurrentTokenBlacklistOperations(t *testing.T) {
 	}

 	// Verify size constraints were maintained
-	if len(tb.blacklist) > tb.maxSize {
-		t.Errorf("Blacklist exceeded max size under concurrent operations: %d", len(tb.blacklist))
+	if tb.Count() > 1000 {
+		t.Errorf("Blacklist exceeded max size under concurrent operations: %d", tb.Count())
 	}
 }

@@ -326,25 +326,22 @@ func (t *TraefikOidc) startMetadataRefresh(providerURL string) {
 	ticker := time.NewTicker(1 * time.Hour)
 	defer ticker.Stop()

-	for {
-		select {
-		case <-ticker.C:
-			t.logger.Debug("Refreshing OIDC metadata")
-			metadata, err := t.metadataCache.GetMetadata(providerURL, t.httpClient, t.logger)
-			if err != nil {
-				t.logger.Errorf("Failed to refresh metadata: %v", err)
-				continue
-			}
+	for range ticker.C {
+		t.logger.Debug("Refreshing OIDC metadata")
+		metadata, err := t.metadataCache.GetMetadata(providerURL, t.httpClient, t.logger)
+		if err != nil {
+			t.logger.Errorf("Failed to refresh metadata: %v", err)
+			continue
+		}

-			if metadata != nil {
-				t.jwksURL = metadata.JWKSURL
-				t.authURL = metadata.AuthURL
-				t.tokenURL = metadata.TokenURL
-				t.issuerURL = metadata.Issuer
-				t.revocationURL = metadata.RevokeURL
-				t.endSessionURL = metadata.EndSessionURL
-				t.logger.Debug("Successfully refreshed metadata")
-			}
+		if metadata != nil {
+			t.jwksURL = metadata.JWKSURL
+			t.authURL = metadata.AuthURL
+			t.tokenURL = metadata.TokenURL
+			t.issuerURL = metadata.Issuer
+			t.revocationURL = metadata.RevokeURL
+			t.endSessionURL = metadata.EndSessionURL
+			t.logger.Debug("Successfully refreshed metadata")
 		}
 	}
 }
@@ -719,39 +716,34 @@ func (t *TraefikOidc) startTokenCleanup() {
 		defer ticker.Stop()
 		defer cancel()
 		
-		for {
+		for range ticker.C {
+			t.logger.Debug("Starting token cleanup cycle")
+			
+			// Run cleanup in a separate goroutine with shorter timeout
+			cleanupCtx, cleanupCancel := context.WithTimeout(ctx, 5*time.Second)
+			done := make(chan struct{})
+			
+			go func() {
+				defer close(done)
+				// Clean up in smaller batches to prevent long-running operations
+				t.tokenCache.Cleanup()
+				t.tokenBlacklist.Cleanup()
+				
+				// Force garbage collection after cleanup
+				runtime.GC()
+			}()
+			
+			// Wait for cleanup to complete or timeout
 			select {
-			case <-ctx.Done():
-				return
-			case <-ticker.C:
-				t.logger.Debug("Starting token cleanup cycle")
-				
-				// Run cleanup in a separate goroutine with shorter timeout
-				cleanupCtx, cleanupCancel := context.WithTimeout(ctx, 5*time.Second)
-				done := make(chan struct{})
-				
-				go func() {
-					defer close(done)
-					// Clean up in smaller batches to prevent long-running operations
-					t.tokenCache.Cleanup()
-					t.tokenBlacklist.Cleanup()
-					
-					// Force garbage collection after cleanup
-					runtime.GC()
-				}()
-				
-				// Wait for cleanup to complete or timeout
-				select {
-				case <-cleanupCtx.Done():
-					if cleanupCtx.Err() == context.DeadlineExceeded {
-						t.logger.Error("Token cleanup cycle timed out")
-					}
-				case <-done:
-					t.logger.Debug("Token cleanup cycle completed successfully")
+			case <-cleanupCtx.Done():
+				if cleanupCtx.Err() == context.DeadlineExceeded {
+					t.logger.Error("Token cleanup cycle timed out")
 				}
-				
-				cleanupCancel()
+			case <-done:
+				t.logger.Debug("Token cleanup cycle completed successfully")
 			}
+			
+			cleanupCancel()
 		}
 	}()
 }