mirror of
https://github.com/lukaszraczylo/traefikoidc.git
synced 2026-06-05 22:44:17 +00:00
lukaszraczylo
1b49e133da
* Fix bug affecting Azure OIDC authentication ( and most likely others ) * Fixes issue #51 * Ensure that appended roles are unique. Update the documentation. * Improvements targetting possible memory usage spikes. * Additional fixes and cleanup * Refactoring code to fix the issues identified by the users. * Modernize run * Fieldalignment * Multiple changes to improve performance and reduce complexity. - Optimise the errors and recovery. - Deduplicate code in metadata cache. - Remove unused performance monitoring code. - Simplify session management and settings handling. * Fix claims issue. * Add ability to overwrite the default scopes in the settings file * Well.. that escalated quickly. Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ). * Bugfix #51: Ensures that user provided scopes overrides work. * fixup! Bugfix #51: Ensures that user provided scopes overrides work. * fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work. * Abstract the provider logic into a separate package. * Additional micro fixes and cleanups. * Simplify all the things. * fixup! Simplify all the things. * fixup! fixup! Simplify all the things. * fixup! fixup! fixup! Simplify all the things. * fixup! fixup! fixup! fixup! Simplify all the things. * ... * Cleanup tests. * fixup! Cleanup tests. * fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! fixup! Cleanup tests. * Issue #53: Fix CSRF token handling in reverse proxy 1. ✅ HTTPS Detection Fixed (session.go:723) - Now uses X-Forwarded-Proto header instead of r.URL.Scheme - Properly detects HTTPS in reverse proxy environments 2. ✅ SameSite Cookie Attribute Fixed - Removed automatic SameSiteStrictMode for HTTPS (would break OAuth) - Keeps SameSiteLaxMode to allow OAuth callbacks from external domains - Only uses Strict for AJAX requests which don't involve OAuth redirects 3. ✅ Cookie Domain Handling Fixed - Now respects X-Forwarded-Host header for cookie domain - Ensures cookies are set for the public domain, not internal proxy domain 4. ✅ EnhanceSessionSecurity Properly Integrated - Function is now actually called during session save - Applies security enhancements without breaking OAuth flow Why Issue #53 Failed Before: 1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back) 2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail 3. Cookie domain might have been wrong (internal vs public domain) Why It Works Now: 1. Cookies are properly marked Secure for HTTPS 2. Uses SameSite=Lax to allow OAuth provider callbacks 3. Cookie domain uses public domain from X-Forwarded-Host 4. CSRF token persists through the entire OAuth flow * Next set of enhancements together with memory usage improvements. * Memory leak fixes and optimisations. * CSRF and Cookie Domain fixes * fixup! CSRF and Cookie Domain fixes * Metadata cache leak fix + profiling * fixup! Metadata cache leak fix + profiling * Memory leaks hunting, part 1337. * Further pursue of perfection. * fixup! Further pursue of perfection. * fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * Clear race conditions * fixup! Clear race conditions * Weekend fun with memory leaks * Splitting code into multiple files with reasonable testing coverage. ``` ok github.com/lukaszraczylo/traefikoidc 117.017s coverage: 72.6% of statements ok github.com/lukaszraczylo/traefikoidc/auth 0.505s coverage: 87.1% of statements ok github.com/lukaszraczylo/traefikoidc/circuit_breaker 0.283s coverage: 99.0% of statements github.com/lukaszraczylo/traefikoidc/config coverage: 0.0% of statements ok github.com/lukaszraczylo/traefikoidc/handlers 0.349s coverage: 98.2% of statements ok github.com/lukaszraczylo/traefikoidc/internal/providers (cached) coverage: 94.3% of statements ok github.com/lukaszraczylo/traefikoidc/middleware 0.808s coverage: 78.0% of statements ok github.com/lukaszraczylo/traefikoidc/recovery 0.653s coverage: 100.0% of statements ok github.com/lukaszraczylo/traefikoidc/session/chunking (cached) coverage: 87.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/core (cached) coverage: 85.6% of statements ok github.com/lukaszraczylo/traefikoidc/session/crypto (cached) coverage: 81.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/storage (cached) coverage: 93.5% of statements ok github.com/lukaszraczylo/traefikoidc/session/validators (cached) coverage: 98.8% of statements ```` * fixup! Splitting code into multiple files with reasonable testing coverage. * fixup! fixup! Splitting code into multiple files with reasonable testing coverage. * Weekend fun with further optimisations. * fixup! Weekend fun with further optimisations. * fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * Pre-release cleanup. * Enhance test coverage. * fixup! Enhance test coverage. * fixup! fixup! Enhance test coverage. * fixup! fixup! fixup! Enhance test coverage.
395 lines
9.0 KiB
Go
395 lines
9.0 KiB
Go
// Package singleton provides a centralized, thread-safe singleton management system
|
|
// that consolidates all singleton patterns used throughout the application.
|
|
// It ensures proper initialization, lifecycle management, and graceful shutdown.
|
|
package singleton
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"sync"
|
|
"sync/atomic"
|
|
)
|
|
|
|
// Registry is the centralized singleton registry that manages all singleton instances
|
|
// in the application. It provides thread-safe initialization, access, and cleanup.
|
|
type Registry struct {
|
|
mu sync.RWMutex
|
|
instances map[string]*Instance
|
|
groups map[string]*Group
|
|
shutdown int32
|
|
wg sync.WaitGroup
|
|
}
|
|
|
|
// Instance represents a singleton instance with lifecycle management
|
|
type Instance struct {
|
|
name string
|
|
value interface{}
|
|
initializer func() interface{}
|
|
finalizer func(interface{})
|
|
once sync.Once
|
|
refCount int32
|
|
}
|
|
|
|
// Group represents a group of related singletons
|
|
type Group struct {
|
|
name string
|
|
instances map[string]*Instance
|
|
mu sync.RWMutex
|
|
}
|
|
|
|
var (
|
|
// globalRegistry is the singleton registry instance
|
|
globalRegistry *Registry
|
|
// registryOnce ensures single initialization
|
|
registryOnce sync.Once
|
|
)
|
|
|
|
// Get returns the global singleton registry
|
|
func Get() *Registry {
|
|
registryOnce.Do(func() {
|
|
globalRegistry = &Registry{
|
|
instances: make(map[string]*Instance),
|
|
groups: make(map[string]*Group),
|
|
}
|
|
})
|
|
return globalRegistry
|
|
}
|
|
|
|
// Register registers a new singleton with its initializer and optional finalizer
|
|
func (r *Registry) Register(name string, initializer func() interface{}, finalizer func(interface{})) error {
|
|
if atomic.LoadInt32(&r.shutdown) == 1 {
|
|
return fmt.Errorf("registry is shutting down")
|
|
}
|
|
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
if _, exists := r.instances[name]; exists {
|
|
return fmt.Errorf("singleton %s already registered", name)
|
|
}
|
|
|
|
r.instances[name] = &Instance{
|
|
name: name,
|
|
initializer: initializer,
|
|
finalizer: finalizer,
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetInstance retrieves or initializes a singleton instance
|
|
func (r *Registry) GetInstance(name string) (interface{}, error) {
|
|
if atomic.LoadInt32(&r.shutdown) == 1 {
|
|
return nil, fmt.Errorf("registry is shutting down")
|
|
}
|
|
|
|
r.mu.RLock()
|
|
instance, exists := r.instances[name]
|
|
r.mu.RUnlock()
|
|
|
|
if !exists {
|
|
return nil, fmt.Errorf("singleton %s not registered", name)
|
|
}
|
|
|
|
// Initialize the singleton if needed
|
|
instance.once.Do(func() {
|
|
if instance.initializer != nil {
|
|
instance.value = instance.initializer()
|
|
atomic.AddInt32(&instance.refCount, 1)
|
|
}
|
|
})
|
|
|
|
return instance.value, nil
|
|
}
|
|
|
|
// MustGet retrieves a singleton instance, panicking if not found
|
|
func (r *Registry) MustGet(name string) interface{} {
|
|
val, err := r.GetInstance(name)
|
|
if err != nil {
|
|
panic(fmt.Sprintf("singleton %s: %v", name, err))
|
|
}
|
|
return val
|
|
}
|
|
|
|
// RegisterGroup creates a new singleton group
|
|
func (r *Registry) RegisterGroup(name string) error {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
if _, exists := r.groups[name]; exists {
|
|
return fmt.Errorf("group %s already exists", name)
|
|
}
|
|
|
|
r.groups[name] = &Group{
|
|
name: name,
|
|
instances: make(map[string]*Instance),
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// AddToGroup adds a singleton to a group
|
|
func (r *Registry) AddToGroup(groupName, singletonName string) error {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
group, groupExists := r.groups[groupName]
|
|
if !groupExists {
|
|
return fmt.Errorf("group %s does not exist", groupName)
|
|
}
|
|
|
|
instance, instanceExists := r.instances[singletonName]
|
|
if !instanceExists {
|
|
return fmt.Errorf("singleton %s not registered", singletonName)
|
|
}
|
|
|
|
group.mu.Lock()
|
|
defer group.mu.Unlock()
|
|
|
|
group.instances[singletonName] = instance
|
|
return nil
|
|
}
|
|
|
|
// GetGroup retrieves all singletons in a group
|
|
func (r *Registry) GetGroup(name string) (map[string]interface{}, error) {
|
|
r.mu.RLock()
|
|
group, exists := r.groups[name]
|
|
r.mu.RUnlock()
|
|
|
|
if !exists {
|
|
return nil, fmt.Errorf("group %s does not exist", name)
|
|
}
|
|
|
|
group.mu.RLock()
|
|
defer group.mu.RUnlock()
|
|
|
|
result := make(map[string]interface{})
|
|
for name, instance := range group.instances {
|
|
if instance.value != nil {
|
|
result[name] = instance.value
|
|
}
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
// AddReference increments the reference count for a singleton
|
|
func (r *Registry) AddReference(name string) error {
|
|
r.mu.RLock()
|
|
instance, exists := r.instances[name]
|
|
r.mu.RUnlock()
|
|
|
|
if !exists {
|
|
return fmt.Errorf("singleton %s not registered", name)
|
|
}
|
|
|
|
atomic.AddInt32(&instance.refCount, 1)
|
|
return nil
|
|
}
|
|
|
|
// ReleaseReference decrements the reference count for a singleton
|
|
func (r *Registry) ReleaseReference(name string) error {
|
|
r.mu.RLock()
|
|
instance, exists := r.instances[name]
|
|
r.mu.RUnlock()
|
|
|
|
if !exists {
|
|
return fmt.Errorf("singleton %s not registered", name)
|
|
}
|
|
|
|
count := atomic.AddInt32(&instance.refCount, -1)
|
|
if count == 0 && instance.finalizer != nil && instance.value != nil {
|
|
// Run finalizer when last reference is released
|
|
go instance.finalizer(instance.value)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// GetReferenceCount returns the reference count for a singleton
|
|
func (r *Registry) GetReferenceCount(name string) (int32, error) {
|
|
r.mu.RLock()
|
|
instance, exists := r.instances[name]
|
|
r.mu.RUnlock()
|
|
|
|
if !exists {
|
|
return 0, fmt.Errorf("singleton %s not registered", name)
|
|
}
|
|
|
|
return atomic.LoadInt32(&instance.refCount), nil
|
|
}
|
|
|
|
// Shutdown gracefully shuts down all singletons
|
|
func (r *Registry) Shutdown(ctx context.Context) error {
|
|
if !atomic.CompareAndSwapInt32(&r.shutdown, 0, 1) {
|
|
return fmt.Errorf("registry already shutting down")
|
|
}
|
|
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
// Create error channel for collecting shutdown errors
|
|
errChan := make(chan error, len(r.instances))
|
|
|
|
// Run finalizers for all initialized singletons
|
|
for name, instance := range r.instances {
|
|
if instance.value != nil && instance.finalizer != nil {
|
|
r.wg.Add(1)
|
|
go func(n string, i *Instance) {
|
|
defer r.wg.Done()
|
|
|
|
// Run finalizer with panic recovery
|
|
func() {
|
|
defer func() {
|
|
if r := recover(); r != nil {
|
|
errChan <- fmt.Errorf("finalizer for %s panicked: %v", n, r)
|
|
}
|
|
}()
|
|
i.finalizer(i.value)
|
|
}()
|
|
}(name, instance)
|
|
}
|
|
}
|
|
|
|
// Wait for all finalizers to complete or timeout
|
|
done := make(chan struct{})
|
|
go func() {
|
|
r.wg.Wait()
|
|
close(done)
|
|
}()
|
|
|
|
select {
|
|
case <-done:
|
|
// All finalizers completed
|
|
case <-ctx.Done():
|
|
return fmt.Errorf("shutdown timeout: %w", ctx.Err())
|
|
}
|
|
|
|
// Collect any errors
|
|
close(errChan)
|
|
var errs []error
|
|
for err := range errChan {
|
|
if err != nil {
|
|
errs = append(errs, err)
|
|
}
|
|
}
|
|
|
|
// Clear all instances
|
|
r.instances = make(map[string]*Instance)
|
|
r.groups = make(map[string]*Group)
|
|
|
|
if len(errs) > 0 {
|
|
return fmt.Errorf("shutdown errors: %v", errs)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Reset resets the registry (mainly for testing)
|
|
func (r *Registry) Reset() {
|
|
r.mu.Lock()
|
|
defer r.mu.Unlock()
|
|
|
|
r.instances = make(map[string]*Instance)
|
|
r.groups = make(map[string]*Group)
|
|
atomic.StoreInt32(&r.shutdown, 0)
|
|
}
|
|
|
|
// Stats returns statistics about the registry
|
|
type Stats struct {
|
|
TotalRegistered int
|
|
TotalInitialized int
|
|
TotalGroups int
|
|
TotalReferences int32
|
|
}
|
|
|
|
// GetStats returns current registry statistics
|
|
func (r *Registry) GetStats() Stats {
|
|
r.mu.RLock()
|
|
defer r.mu.RUnlock()
|
|
|
|
stats := Stats{
|
|
TotalRegistered: len(r.instances),
|
|
TotalGroups: len(r.groups),
|
|
}
|
|
|
|
for _, instance := range r.instances {
|
|
if instance.value != nil {
|
|
stats.TotalInitialized++
|
|
}
|
|
stats.TotalReferences += atomic.LoadInt32(&instance.refCount)
|
|
}
|
|
|
|
return stats
|
|
}
|
|
|
|
// Builder provides a fluent interface for registering singletons
|
|
type Builder struct {
|
|
registry *Registry
|
|
name string
|
|
initializer func() interface{}
|
|
finalizer func(interface{})
|
|
group string
|
|
}
|
|
|
|
// NewBuilder creates a new singleton builder
|
|
func NewBuilder(name string) *Builder {
|
|
return &Builder{
|
|
registry: Get(),
|
|
name: name,
|
|
}
|
|
}
|
|
|
|
// WithInitializer sets the initializer function
|
|
func (b *Builder) WithInitializer(init func() interface{}) *Builder {
|
|
b.initializer = init
|
|
return b
|
|
}
|
|
|
|
// WithFinalizer sets the finalizer function
|
|
func (b *Builder) WithFinalizer(final func(interface{})) *Builder {
|
|
b.finalizer = final
|
|
return b
|
|
}
|
|
|
|
// InGroup adds the singleton to a group
|
|
func (b *Builder) InGroup(group string) *Builder {
|
|
b.group = group
|
|
return b
|
|
}
|
|
|
|
// Register registers the singleton with the configured options
|
|
func (b *Builder) Register() error {
|
|
if err := b.registry.Register(b.name, b.initializer, b.finalizer); err != nil {
|
|
return err
|
|
}
|
|
|
|
if b.group != "" {
|
|
// Ensure group exists
|
|
if err := b.registry.RegisterGroup(b.group); err != nil {
|
|
// Group might already exist, which is ok
|
|
if !contains(err.Error(), "already exists") {
|
|
return err
|
|
}
|
|
}
|
|
|
|
return b.registry.AddToGroup(b.group, b.name)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Helper function to check if string contains substring
|
|
func contains(s, substr string) bool {
|
|
return len(s) >= len(substr) && (s == substr || len(s) > len(substr) && containsHelper(s, substr))
|
|
}
|
|
|
|
func containsHelper(s, substr string) bool {
|
|
for i := 0; i <= len(s)-len(substr); i++ {
|
|
if s[i:i+len(substr)] == substr {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
}
|