Add concept of a key cache to the SciTokens verifier.

With this, we can bypass the remote lookup for frequently-used
issuers.

Author: bbockelm

CMakeLists.txt

@@ -20,12 +20,12 @@ set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} -g")
 
 include (FindPkgConfig)
 pkg_check_modules(LIBCRYPTO REQUIRED libcrypto)
-set (INCLUDE_DIRECTORIES ${INCLUDE_DIRECTORIES} ${LIBCRYPTO_INCLUDE_DIRS})
+pkg_check_modules(SQLITE REQUIRED sqlite3)
 
-include_directories( "${PROJECT_SOURCE_DIR}" ${JWT_CPP_INCLUDES} ${CURL_INCLUDES})
+include_directories( "${PROJECT_SOURCE_DIR}" ${JWT_CPP_INCLUDES} ${CURL_INCLUDES} ${LIBCRYPTO_INCLUDE_DIRS} ${SQLITE_INCLUDE_DIRS})
 
-add_library(SciTokens SHARED src/scitokens.cpp src/scitokens_internal.cpp)
-target_link_libraries(SciTokens ${LIBCRYPTO_LIBRARIES} ${CURL_LIBRARIES})
+add_library(SciTokens SHARED src/scitokens.cpp src/scitokens_internal.cpp src/scitokens_cache.cpp)
+target_link_libraries(SciTokens ${LIBCRYPTO_LIBRARIES} ${CURL_LIBRARIES} ${SQLITE_LIBRARIES})
 set_target_properties(SciTokens PROPERTIES LINK_FLAGS "-Wl,--version-script=${PROJECT_SOURCE_DIR}/configs/export-symbols")
 
 add_executable(scitokens-test src/test.cpp)

src/scitokens_cache.cpp

@@ -0,0 +1,258 @@
+
+#include <cstdint>
+#include <string>
+#include <vector>
+
+#include <pwd.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/stat.h>
+
+#ifndef PICOJSON_USE_INT64
+#define PICOJSON_USE_INT64
+#endif
+#include <jwt-cpp/picojson.h>
+#include <sqlite3.h>
+
+#include "scitokens_internal.h"
+
+namespace {
+
+void
+initialize_cachedb(const std::string &keycache_file) {
+
+    sqlite3 *db;
+    int rc = sqlite3_open(keycache_file.c_str(), &db);
+    if (rc != SQLITE_OK) {
+        std::cerr << "SQLite key cache creation failed." << std::endl;
+        sqlite3_close(db);
+        return;
+    }
+    char *err_msg = nullptr;
+    rc = sqlite3_exec(db, "CREATE TABLE IF NOT EXISTS keycache ("
+                          "issuer text UNIQUE PRIMARY KEY NOT NULL,"
+                          "keys text NOT NULL)",
+                      NULL, 0, &err_msg);
+    if (rc) {
+        std::cerr << "Sqlite table creation failed: " << err_msg << std::endl;
+        sqlite3_free(err_msg);
+    }
+    sqlite3_close(db);
+}
+
+/**
+ * Get the Cache file location
+ *
+ *  1. $XDG_CACHE_HOME
+ *  2. .cache subdirectory of home directory as returned by the password database
+ */
+std::string
+get_cache_file() {
+
+    const char *xdg_cache_home = getenv("XDG_CACHE_HOME");
+
+    auto bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
+    bufsize = (bufsize == -1) ? 16384 : bufsize;
+
+    std::vector<char> buf;
+    buf.reserve(bufsize);
+
+    std::string home_dir;
+    struct passwd pwd, *result = NULL;
+    getpwuid_r(geteuid(), &pwd, &buf[0], bufsize, &result);
+    if (result && result->pw_dir) {
+        home_dir = result->pw_dir;
+        home_dir += "/.cache";
+    }
+
+    std::string cache_dir(xdg_cache_home ? xdg_cache_home : home_dir.c_str());
+    if (cache_dir.size() == 0) {
+        return "";
+    }
+
+    struct stat cache_dir_stat;
+    if (-1 == stat(cache_dir.c_str(), &cache_dir_stat)) {
+        if (errno == ENOENT) {
+            if (-1 == mkdir(cache_dir.c_str(), 0700)) return "";
+        }
+    }
+
+    std::string keycache_dir = cache_dir + "/scitokens";
+    if (-1 == stat(keycache_dir.c_str(), &cache_dir_stat)) {
+        if (errno == ENOENT) {
+            if (-1 == mkdir(keycache_dir.c_str(), 0700)) return "";
+        }
+    }
+
+    std::string keycache_file = keycache_dir + "/scitokens_cpp.sqllite";
+    initialize_cachedb(keycache_file);
+
+    return keycache_file;
+}
+
+
+void
+remove_issuer_entry(sqlite3 *db, const std::string &issuer, bool new_transaction) {
+
+    if (new_transaction) sqlite3_exec(db, "BEGIN", 0, 0 , 0);
+
+    sqlite3_stmt *stmt;
+    int rc = sqlite3_prepare_v2(db, "DELETE FROM keycache WHERE issuer = ?", -1, &stmt, NULL);
+    if (rc != SQLITE_OK) {
+        sqlite3_close(db);
+        return;
+    }
+
+    if (sqlite3_bind_text(stmt, 1, issuer.c_str(), issuer.size(), SQLITE_STATIC) != SQLITE_OK) {
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return;
+    }
+
+    rc = sqlite3_step(stmt);
+    if (rc != SQLITE_DONE) {
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return;
+    }
+
+    sqlite3_finalize(stmt);
+
+    if (new_transaction) sqlite3_exec(db, "COMMIT", 0, 0 , 0);
+}
+
+}
+
+
+bool
+scitokens::Validator::get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update) {
+    auto cache_fname = get_cache_file();
+    if (cache_fname.size() == 0) {return false;}
+
+    sqlite3 *db;
+    int rc = sqlite3_open(cache_fname.c_str(), &db);
+    if (rc) {
+        sqlite3_close(db);
+        return false;
+    }
+
+    sqlite3_stmt *stmt;
+    rc = sqlite3_prepare_v2(db, "SELECT keys from keycache where issuer = ?", -1, &stmt, NULL);
+    if (rc != SQLITE_OK) {
+        sqlite3_close(db);
+        return false;
+    }
+
+    if (sqlite3_bind_text(stmt, 1, issuer.c_str(), issuer.size(), SQLITE_STATIC) != SQLITE_OK) {
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return false;
+    }
+
+    rc = sqlite3_step(stmt);
+    if (rc == SQLITE_ROW) {
+        const unsigned char * data = sqlite3_column_text(stmt, 0);
+        std::string metadata(reinterpret_cast<const char *>(data));
+        sqlite3_finalize(stmt);
+        picojson::value json_obj;
+        auto err = picojson::parse(json_obj, metadata);
+        if (!err.empty() || !json_obj.is<picojson::object>()) {
+            remove_issuer_entry(db, issuer, true);
+            sqlite3_close(db);
+            return false;
+        }
+        auto top_obj = json_obj.get<picojson::object>();
+        auto iter = top_obj.find("jwks");
+        if (iter == top_obj.end() || !iter->second.is<picojson::object>()) {
+            remove_issuer_entry(db, issuer, true);
+            sqlite3_close(db);
+            return false;
+        }
+        auto keys_local = iter->second;
+        iter = top_obj.find("expires");
+        if (iter == top_obj.end() || !iter->second.is<int64_t>()) {
+            remove_issuer_entry(db, issuer, true);
+            sqlite3_close(db);
+            return false;
+        }
+        auto expiry = iter->second.get<int64_t>();
+        if (now > expiry) {
+            remove_issuer_entry(db, issuer, true);
+            sqlite3_close(db);
+            return false;
+        }
+        sqlite3_close(db);
+        iter = top_obj.find("next_update");
+        if (iter == top_obj.end() || !iter->second.is<int64_t>()) {
+            next_update = expiry - 4*3600;
+        } else {
+            next_update = iter->second.get<int64_t>();
+        }
+        keys = keys_local;
+        return true;
+    } else if (rc == SQLITE_DONE) {
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return false;
+    } else {
+        // TODO: log error?
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return false;
+    }
+}
+
+
+bool
+scitokens::Validator::store_public_keys(const std::string &issuer, const picojson::value &keys, int64_t next_update, int64_t expires) {
+    picojson::object top_obj;
+    top_obj["jwks"] = keys;
+    top_obj["next_update"] = picojson::value(next_update);
+    top_obj["expires"] = picojson::value(expires);
+    picojson::value db_value(top_obj);
+    std::string db_str = db_value.serialize();
+
+    auto cache_fname = get_cache_file();
+    if (cache_fname.size() == 0) {return false;}
+        
+    sqlite3 *db;
+    int rc = sqlite3_open(cache_fname.c_str(), &db);
+    if (rc) {
+        sqlite3_close(db);
+        return false;
+    }   
+
+    sqlite3_exec(db, "BEGIN", 0, 0 , 0);
+
+    remove_issuer_entry(db, issuer, false);
+
+    sqlite3_stmt *stmt;
+    rc = sqlite3_prepare_v2(db, "INSERT INTO keycache VALUES (?, ?)", -1, &stmt, NULL);
+    if (rc != SQLITE_OK) {
+        sqlite3_close(db);
+        return false;
+    }
+
+    if (sqlite3_bind_text(stmt, 1, issuer.c_str(), issuer.size(), SQLITE_STATIC) != SQLITE_OK) {
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return false;
+    }
+
+    if (sqlite3_bind_text(stmt, 2, db_str.c_str(), db_str.size(), SQLITE_STATIC) != SQLITE_OK) {
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return false;
+    }
+
+    rc = sqlite3_step(stmt);
+    if (rc != SQLITE_DONE) {
+        sqlite3_finalize(stmt);
+        sqlite3_close(db);
+        return false;
+    }
+
+    sqlite3_exec(db, "COMMIT", 0, 0 , 0);
+
+    return true;
+}

src/scitokens_internal.cpp

@@ -271,7 +271,7 @@ SciToken::deserialize(const std::string &data) {
 
 
 void
-Validator::get_public_key_pem(const std::string &issuer, const std::string &kid, std::string &public_pem, std::string &algorithm)
+Validator::get_public_keys_from_web(const std::string &issuer, picojson::value &keys, int64_t &next_update, int64_t &expires)
 {
     std::string openid_metadata, oauth_metadata;
     get_metadata_endpoint(issuer, openid_metadata, oauth_metadata);
@@ -316,45 +316,75 @@ Validator::get_public_key_pem(const std::string &issuer, const std::string &kid,
         throw JsonException(err);
     }
 
-    auto key_obj = find_key_id(json_obj, kid);
+    auto now = std::time(NULL);
+    // TODO: take expiration time from the cache-control header in the response.
 
-    iter = key_obj.find("alg");
+    keys = json_obj;
+
+    next_update = now + 600;
+    expires = now + 4*3600;
+}
+
+void
+Validator::get_public_key_pem(const std::string &issuer, const std::string &kid, std::string &public_pem, std::string &algorithm) {
+
+    picojson::value keys;
+    int64_t next_update, expires;
+    auto now = std::time(NULL);
+    if (get_public_keys_from_db(issuer, now, keys, next_update)) {
+        if (now > next_update) {
+            try {
+                get_public_keys_from_web(issuer, keys, next_update, expires);
+                store_public_keys(issuer, keys, next_update, expires);
+            } catch (std::runtime_error &) {
+                // ignore the exception: we have a valid set of keys already/
+            }
+        }
+    } else {
+        get_public_keys_from_web(issuer, keys, next_update, expires);
+        store_public_keys(issuer, keys, next_update, expires);
+    }
+
+    auto key_obj = find_key_id(keys, kid);
+    
+    auto iter = key_obj.find("alg");
     if (iter == key_obj.end() || (!iter->second.is<std::string>())) {
         throw JsonException("Key is missing algorithm name");
-    }
+    }   
     auto alg = iter->second.get<std::string>();
     if (alg != "RS256" and alg != "ES256") {
         throw UnsupportedKeyException("Issuer is using an unsupported algorithm");
-    }
+    }   
     std::string pem;
 
     if (alg == "ES256")
     {
         iter = key_obj.find("x");
         if (iter == key_obj.end() || (!iter->second.is<std::string>())) {
             throw JsonException("Elliptic curve is missing x-coordinate");
-        }
+        }   
         auto x = iter->second.get<std::string>();
         iter = key_obj.find("y");
         if (iter == key_obj.end() || (!iter->second.is<std::string>())) {
             throw JsonException("Elliptic curve is missing y-coordinate");
-        }
+        }   
         auto y = iter->second.get<std::string>();
         pem = es256_from_coords(x, y);
     } else {
         iter = key_obj.find("e");
         if (iter == key_obj.end() || (!iter->second.is<std::string>())) {
             throw JsonException("Public key is missing exponent");
-        }
+        }   
         auto e = iter->second.get<std::string>();
         iter = key_obj.find("n");
         if (iter == key_obj.end() || (!iter->second.is<std::string>())) {
             throw JsonException("Public key is missing n-value");
-        }
+        }   
         auto n = iter->second.get<std::string>();
         pem = rs256_from_coords(e, n);
-    }
-
+    }   
+    
     public_pem = pem;
     algorithm = alg;
 }
+

src/scitokens_internal.h

@@ -176,6 +176,9 @@ class Validator {
 
 private:
     void get_public_key_pem(const std::string &issuer, const std::string &kid, std::string &public_pem, std::string &algorithm);
+    void get_public_keys_from_web(const std::string &issuer, picojson::value &keys, int64_t &next_update, int64_t &expires);
+    bool get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update);
+    bool store_public_keys(const std::string &issuer, const picojson::value &keys, int64_t next_update, int64_t expires);
 };
 
 }