Merge pull request #1025 from uc-cdis/fix/gs-cache
fix(gs): ensure inmem cache exp gets checked
BinamB authored Jun 28, 2022
2 parents c523375 + a96c5f3 commit e38eb3d
Showing 4 changed files with 235 additions and 106 deletions.
38 changes: 28 additions & 10 deletions fence/blueprints/data/indexd.py
@@ -1188,13 +1188,22 @@ def _generate_google_storage_signed_url(
user_id=user_id, username=username
)
expiration_time = int(time.time()) + expires_in

is_cached = False

if proxy_group_id in self._assume_role_cache_gs:
private_key, key_db_entry = self._assume_role_cache_gs.get(proxy_group_id)
is_cached = True
elif hasattr(flask.current_app, "db"):
(
raw_private_key,
raw_key_db_entry,
expires_at,
) = self._assume_role_cache_gs.get(proxy_group_id, (None, None, None))
if raw_key_db_entry and raw_key_db_entry.expires > expiration_time:
is_cached = True
private_key = raw_private_key
key_db_entry = raw_key_db_entry
else:
del self._assume_role_cache_gs[proxy_group_id]

if not is_cached and hasattr(flask.current_app, "db"):
with flask.current_app.db.session as session:
cache = (
session.query(AssumeRoleCacheGCP)
@@ -1205,10 +1214,15 @@ def _generate_google_storage_signed_url(
rv = (
json.loads(cache.gcp_private_key),
json.loads(cache.gcp_key_db_entry),
cache.expires_at,
)
self._assume_role_cache_gs[proxy_group_id] = rv
private_key, key_db_entry = self._assume_role_cache_gs.get(
proxy_group_id
(
private_key,
key_db_entry,
expires_at,
) = self._assume_role_cache_gs.get(
proxy_group_id, (None, None, None)
)
is_cached = True

@@ -1228,17 +1242,21 @@ def _generate_google_storage_signed_url(
# If our scheduled maintainence script removes the url-signing key
# before the expiration of the url then the url will NOT work
# (even though the url itself isn't expired)
if key_db_entry and key_db_entry.expires < expiration_time:
if key_db_entry.expires < expiration_time:
private_key = create_primary_service_account_key(
user_id=user_id, username=username, proxy_group_id=proxy_group_id
)
self._assume_role_cache_gs[proxy_group_id] = (private_key, key_db_entry)
self._assume_role_cache_gs[proxy_group_id] = (
private_key,
key_db_entry,
key_db_entry.expires,
)

db_entry = {}
db_entry["gcp_proxy_group_id"] = proxy_group_id
db_entry["gcp_private_key"] = str(private_key)
db_entry["gcp_private_key"] = json.dumps(str(private_key))
db_entry["gcp_key_db_entry"] = str(key_db_entry)
db_entry["expires_at"] = expiration_time
db_entry["expires_at"] = key_db_entry.expires

if hasattr(flask.current_app, "db"): # we don't have db in startup
with flask.current_app.db.session as session:
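Review bot: The in-memory expiry check `if raw_key_db_entry and raw_key_db_entry.expires > expiration_time:` reads `.expires` from the cached entry and never uses the `expires_at` value this commit adds to the tuple. Entries written by the database branch are the result of `json.loads(cache.gcp_key_db_entry)`, which has no `.expires` attribute, so a later in-memory hit on such an entry would raise AttributeError instead of expiring the cached signing key; comparing the stored value, `if expires_at and expires_at > expiration_time:`, avoids that. In the last hunk, `create_primary_service_account_key(...)` replaces `private_key` but `key_db_entry` is not refreshed, so the new key is cached and persisted with the old entry's `expires`, which is already below `expiration_time`; re-read the entry before building the tuple and `db_entry`. The body of `_generate_google_storage_signed_url` extends outside the visible hunks, so the branch conditions between them are inferred.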
3 changes: 3 additions & 0 deletions fence/resources/google/utils.py
@@ -82,6 +82,9 @@ def get_or_create_primary_service_account_key(
sa_private_key = create_primary_service_account_key(
user_id, username, proxy_group_id, expires
)
user_service_account_key = _get_primary_service_account_key(
user_id, username, proxy_group_id
)

return sa_private_key, user_service_account_key
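Review bot: The re-read `user_service_account_key` is returned without checking that the lookup found a row. Whether `_get_primary_service_account_key` can come back empty right after `create_primary_service_account_key` is not visible here, but the same commit drops the `key_db_entry and` guard in `_generate_google_storage_signed_url`, so an empty result would surface as an AttributeError on `key_db_entry.expires` during URL signing rather than as a clear error. Consider failing explicitly here with `if not user_service_account_key:` followed by raising the project's existing internal-error exception, and add a comment such as `# re-read the row so the returned entry describes the key just created`. The enclosing function starts outside the hunk.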
