Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

With IAM Authentication enabled, Connector does duplicate refresh #771

Closed
enocom opened this issue Apr 15, 2024 · 2 comments · Fixed by #806 or #808
Closed

With IAM Authentication enabled, Connector does duplicate refresh #771

enocom opened this issue Apr 15, 2024 · 2 comments · Fixed by #806 or #808
Assignees
@enocom
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.

Comments

@enocom
Copy link
Member

enocom commented Apr 15, 2024
edited
Loading

Using the Cloud SQL Proxy with debug logging enabled, you can see that the Go Connector makes two refresh operations for one connection attempt:

$ ./cloud-sql-proxy enocom-experiments-304623:us-central1:pg2 --debug-logs --auto-iam-authn
2024/04/15 10:26:49 Authorizing with Application Default Credentials
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info added to cache
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation started
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation complete
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Current certificate expiration = 2024-04-15T17:26:49Z
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation scheduled at 2024-04-15T17:22:49Z (now + 56m0s)
2024/04/15 10:26:49 [enocom-experiments-304623:us-central1:pg2] Listening on 127.0.0.1:5432
2024/04/15 10:26:49 The proxy has started successfully and is ready for new connections!


2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Accepted connection from 127.0.0.1:47630
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation started
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation complete
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Current certificate expiration = 2024-04-15T17:26:57Z
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Connection info refresh operation scheduled at 2024-04-15T17:22:57Z (now + 56m0s)
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Now = 2024-04-15T16:26:58Z, Current cert expiration = 2024-04-15T17:26:57Z
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Cert is valid = true
2024/04/15 10:26:58 [enocom-experiments-304623:us-central1:pg2] Dialing 35.238.106.212:3307

This is happening because the Proxy calls EngineVersion to warm the cache, but EngineVersion doesn't support a way to specify if IAM Authn is used or not, and so assumes it's not in use (the nil argument).

When the call to connection info occurs, it enables IAM auth, and causes the existing refresh to be canceled.
@enocom enocom added type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns. priority: p2 Moderately-important priority. Fix may not be included in next release. labels Apr 15, 2024
@enocom
Copy link
Member Author

enocom commented Apr 15, 2024

This will be fixed with #731 most likely.

This was referenced May 16, 2024
Closed
Closed
enocom added a commit that referenced this issue May 20, 2024
@enocom
fix: remove duplicate refresh operations
9a2a142 
Fixes #771
@enocom
Copy link
Member Author

enocom commented May 20, 2024

This bug has a few different manifestations.

@enocom enocom mentioned this issue May 20, 2024
Merged
enocom added a commit that referenced this issue May 20, 2024
@enocom
fix: remove duplicate refresh operations
a4ebd12 
Fixes #771
enocom added a commit that referenced this issue May 20, 2024
@enocom
fix: remove duplicate refresh operations
229b98c 
Fixes #771
enocom added a commit that referenced this issue May 20, 2024
@enocom
fix: remove duplicate refresh operations
2df4151 
Fixes #771
enocom added a commit that referenced this issue May 20, 2024
@enocom
fix: remove duplicate refresh operations
acd9a94 
Fixes #771
enocom added a commit that referenced this issue May 20, 2024
@enocom
fix: remove duplicate refresh operations
155cf30 
When callers (like the Cloud SQL Proxy) warmup the background refresh
with EngineVersion, the initial refresh operation starts with IAM Authn
disabled. Then when a caller connects with IAM authentication, the
existing refresh is invalidated (because it doesn't include the client's
OAuth2 token). In effect, two refresh operations are completed when the
dialer could have just run one initially.

This commit ensures calls to EngineVersion respect the dialer's global
IAM authentication setting. If IAM authentication is enabled at the
dialer level, then EngineVersion will ensure the refresh operation uses
IAM authentication. And only one refresh operation occurs between warmup
and first connection.

In cases where a dialer is initialized without IAM authentication, but
then a call to dial requests IAM authentication, a second refresh is
unavoidable. This seems to be an uncommon enough use case that it is an
acceptable tradeoff given how IAM authentication is tightly coupled with
the client certificate refresh.

Separately, when Cloud SQL Proxy invocations start the Proxy with the
--token flag in combination with IAM authentication, the underlying
token does not have a corresponding refresh token and so cannot be
refreshed. As a result, when the double calls occur (as described
above), there is a third refresh attempt started because the token has a
missing expiration field (there is only AccessToken, no RefreshToken, or
Expiry).

The dialer sees the missing expiration as an expired client certificate
and immediately starts a new refresh. But because the dialer has already
consumed two attempts, the rate limiter (2 initial attempts, then
30s/attempt) forces the client to wait 30s before connecting.

This commit ensures that situation will not happen by using the correct
client correct expiration and not the invalid token expiration. For
cases where the Cloud SQL Proxy configures the dialer with the --token
flag (and no refresh token), the dialer will always default to using the
client certificate's expiration. This means the refresh cycle will fail
once the token expires.

Fixes #771
enocom added a commit that referenced this issue May 20, 2024
@enocom
fix: remove duplicate refresh operations
06cc954 
When callers (like the Cloud SQL Proxy) warmup the background refresh
with EngineVersion, the initial refresh operation starts with IAM Authn
disabled. Then when a caller connects with IAM authentication, the
existing refresh is invalidated (because it doesn't include the client's
OAuth2 token). In effect, two refresh operations are completed when the
dialer could have just run one initially.

This commit ensures calls to EngineVersion respect the dialer's global
IAM authentication setting. If IAM authentication is enabled at the
dialer level, then EngineVersion will ensure the refresh operation uses
IAM authentication. And only one refresh operation occurs between warmup
and first connection.

In cases where a dialer is initialized without IAM authentication, but
then a call to dial requests IAM authentication, a second refresh is
unavoidable. This seems to be an uncommon enough use case that it is an
acceptable tradeoff given how IAM authentication is tightly coupled with
the client certificate refresh.

Separately, when Cloud SQL Proxy invocations start the Proxy with the
--token flag in combination with IAM authentication, the underlying
token does not have a corresponding refresh token and so cannot be
refreshed. As a result, when the double calls occur (as described
above), there is a third refresh attempt started because the token has a
missing expiration field (there is only AccessToken, no RefreshToken, or
Expiry).

The dialer sees the missing expiration as an expired client certificate
and immediately starts a new refresh. But because the dialer has already
consumed two attempts, the rate limiter (2 initial attempts, then
30s/attempt) forces the client to wait 30s before connecting.

This commit ensures that situation will not happen by using the correct
client certificate expiration and not the invalid token expiration. For
cases where the Cloud SQL Proxy configures the dialer with the --token
flag (and no refresh token), the dialer will always default to using the
client certificate's expiration. This means the refresh cycle will fail
once the token expires.

Fixes #771
@enocom enocom assigned enocom and unassigned jackwotherspoon May 20, 2024
enocom added a commit that referenced this issue May 21, 2024
@enocom
fix: remove duplicate refresh operations (#806)
beb3605 
When callers (like the Cloud SQL Proxy) warmup the background refresh
with EngineVersion, the initial refresh operation starts with IAM Authn
disabled. Then when a caller connects with IAM authentication, the
existing refresh is invalidated (because it doesn't include the client's
OAuth2 token). In effect, two refresh operations are completed when the
dialer could have just run one initially.

This commit ensures calls to EngineVersion respect the dialer's global
IAM authentication setting. If IAM authentication is enabled at the
dialer level, then EngineVersion will ensure the refresh operation uses
IAM authentication. And only one refresh operation occurs between warmup
and first connection.

In cases where a dialer is initialized without IAM authentication, but
then a call to dial requests IAM authentication, a second refresh is
unavoidable. This seems to be an uncommon enough use case that it is an
acceptable tradeoff given how IAM authentication is tightly coupled with
the client certificate refresh.

Separately, when Cloud SQL Proxy invocations start the Proxy with the
--token flag in combination with IAM authentication, the underlying
token does not have a corresponding refresh token and so cannot be
refreshed. As a result, when the double calls occur (as described
above), there is a third refresh attempt started because the token has a
missing expiration field (there is only AccessToken, no RefreshToken, or
Expiry).

The dialer sees the missing expiration as an expired client certificate
and immediately starts a new refresh. But because the dialer has already
consumed two attempts, the rate limiter (2 initial attempts, then
30s/attempt) forces the client to wait 30s before connecting.

This commit ensures that situation will not happen by using the correct
client certificate expiration and not the invalid token expiration. For
cases where the Cloud SQL Proxy configures the dialer with the --token
flag (and no refresh token), the dialer will always default to using the
client certificate's expiration. This means the refresh cycle will fail
once the token expires.

Fixes #771
@release-please release-please bot mentioned this issue May 21, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@enocom enocom

Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: bug Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Projects
None yet
Milestone
No milestone
2 participants
@enocom @jackwotherspoon