up
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
Some checks failed
Docs CI / lint-and-preview (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
Concelier Attestation Tests / attestation-tests (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Notify Smoke Test / Notify Unit Tests (push) Has been cancelled
Notify Smoke Test / Notifier Service Tests (push) Has been cancelled
Notify Smoke Test / Notification Smoke Test (push) Has been cancelled
Policy Lint & Smoke / policy-lint (push) Has been cancelled
Scanner Analyzers / Discover Analyzers (push) Has been cancelled
Scanner Analyzers / Build Analyzers (push) Has been cancelled
Scanner Analyzers / Test Language Analyzers (push) Has been cancelled
Scanner Analyzers / Validate Test Fixtures (push) Has been cancelled
Scanner Analyzers / Verify Deterministic Output (push) Has been cancelled
Signals CI & Image / signals-ci (push) Has been cancelled
Signals Reachability Scoring & Events / reachability-smoke (push) Has been cancelled
Signals Reachability Scoring & Events / sign-and-upload (push) Has been cancelled
This commit is contained in:
StellaOps Bot
@@ -1,123 +1,123 @@
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Net.Http;
|
||||
using System.Threading;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Auth.Client;
|
||||
using StellaOps.Policy.Gateway.Options;
|
||||
|
||||
namespace StellaOps.Policy.Gateway.Services;
|
||||
|
||||
internal sealed class PolicyEngineTokenProvider
|
||||
{
|
||||
private readonly IStellaOpsTokenClient tokenClient;
|
||||
private readonly IOptionsMonitor<PolicyGatewayOptions> optionsMonitor;
|
||||
private readonly PolicyGatewayDpopProofGenerator dpopGenerator;
|
||||
private readonly TimeProvider timeProvider;
|
||||
private readonly ILogger<PolicyEngineTokenProvider> logger;
|
||||
private readonly SemaphoreSlim mutex = new(1, 1);
|
||||
private CachedToken? cachedToken;
|
||||
|
||||
public PolicyEngineTokenProvider(
|
||||
IStellaOpsTokenClient tokenClient,
|
||||
IOptionsMonitor<PolicyGatewayOptions> optionsMonitor,
|
||||
PolicyGatewayDpopProofGenerator dpopGenerator,
|
||||
TimeProvider timeProvider,
|
||||
ILogger<PolicyEngineTokenProvider> logger)
|
||||
{
|
||||
this.tokenClient = tokenClient ?? throw new ArgumentNullException(nameof(tokenClient));
|
||||
this.optionsMonitor = optionsMonitor ?? throw new ArgumentNullException(nameof(optionsMonitor));
|
||||
this.dpopGenerator = dpopGenerator ?? throw new ArgumentNullException(nameof(dpopGenerator));
|
||||
this.timeProvider = timeProvider ?? TimeProvider.System;
|
||||
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
|
||||
}
|
||||
|
||||
public bool IsEnabled => optionsMonitor.CurrentValue.PolicyEngine.ClientCredentials.Enabled;
|
||||
|
||||
public async ValueTask<PolicyGatewayAuthorization?> GetAuthorizationAsync(HttpMethod method, Uri targetUri, CancellationToken cancellationToken)
|
||||
{
|
||||
if (!IsEnabled)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var tokenResult = await GetTokenAsync(cancellationToken).ConfigureAwait(false);
|
||||
if (tokenResult is null)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var token = tokenResult.Value;
|
||||
string? proof = null;
|
||||
if (dpopGenerator.Enabled)
|
||||
{
|
||||
proof = dpopGenerator.CreateProof(method, targetUri, token.AccessToken);
|
||||
}
|
||||
|
||||
var scheme = string.Equals(token.TokenType, "dpop", StringComparison.OrdinalIgnoreCase)
|
||||
? "DPoP"
|
||||
: token.TokenType;
|
||||
|
||||
var authorization = $"{scheme} {token.AccessToken}";
|
||||
return new PolicyGatewayAuthorization(authorization, proof, "service");
|
||||
}
|
||||
|
||||
private async ValueTask<CachedToken?> GetTokenAsync(CancellationToken cancellationToken)
|
||||
{
|
||||
var options = optionsMonitor.CurrentValue.PolicyEngine;
|
||||
if (!options.ClientCredentials.Enabled)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var now = timeProvider.GetUtcNow();
|
||||
if (cachedToken is { } existing && existing.ExpiresAt > now + TimeSpan.FromSeconds(30))
|
||||
{
|
||||
return existing;
|
||||
}
|
||||
|
||||
await mutex.WaitAsync(cancellationToken).ConfigureAwait(false);
|
||||
try
|
||||
{
|
||||
if (cachedToken is { } cached && cached.ExpiresAt > now + TimeSpan.FromSeconds(30))
|
||||
{
|
||||
return cached;
|
||||
}
|
||||
|
||||
var scopeString = BuildScopeClaim(options);
|
||||
var result = await tokenClient.RequestClientCredentialsTokenAsync(scopeString, null, cancellationToken).ConfigureAwait(false);
|
||||
var expiresAt = result.ExpiresAtUtc;
|
||||
cachedToken = new CachedToken(result.AccessToken, string.IsNullOrWhiteSpace(result.TokenType) ? "Bearer" : result.TokenType, expiresAt);
|
||||
logger.LogInformation("Issued Policy Engine client credentials token; expires at {ExpiresAt:o}.", expiresAt);
|
||||
return cachedToken;
|
||||
}
|
||||
finally
|
||||
{
|
||||
mutex.Release();
|
||||
}
|
||||
}
|
||||
|
||||
private string BuildScopeClaim(PolicyGatewayPolicyEngineOptions options)
|
||||
{
|
||||
var scopeSet = new SortedSet<string>(StringComparer.Ordinal)
|
||||
{
|
||||
$"aud:{options.Audience.Trim().ToLowerInvariant()}"
|
||||
};
|
||||
|
||||
foreach (var scope in options.ClientCredentials.Scopes)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(scope))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
scopeSet.Add(scope.Trim());
|
||||
}
|
||||
|
||||
return string.Join(' ', scopeSet);
|
||||
}
|
||||
|
||||
private readonly record struct CachedToken(string AccessToken, string TokenType, DateTimeOffset ExpiresAt);
|
||||
}
|
||||
using System;
|
||||
using System.Collections.Generic;
|
||||
using System.Net.Http;
|
||||
using System.Threading;
|
||||
using System.Threading.Tasks;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
using StellaOps.Auth.Client;
|
||||
using StellaOps.Policy.Gateway.Options;
|
||||
|
||||
namespace StellaOps.Policy.Gateway.Services;
|
||||
|
||||
internal sealed class PolicyEngineTokenProvider
|
||||
{
|
||||
private readonly IStellaOpsTokenClient tokenClient;
|
||||
private readonly IOptionsMonitor<PolicyGatewayOptions> optionsMonitor;
|
||||
private readonly PolicyGatewayDpopProofGenerator dpopGenerator;
|
||||
private readonly TimeProvider timeProvider;
|
||||
private readonly ILogger<PolicyEngineTokenProvider> logger;
|
||||
private readonly SemaphoreSlim mutex = new(1, 1);
|
||||
private CachedToken? cachedToken;
|
||||
|
||||
public PolicyEngineTokenProvider(
|
||||
IStellaOpsTokenClient tokenClient,
|
||||
IOptionsMonitor<PolicyGatewayOptions> optionsMonitor,
|
||||
PolicyGatewayDpopProofGenerator dpopGenerator,
|
||||
TimeProvider timeProvider,
|
||||
ILogger<PolicyEngineTokenProvider> logger)
|
||||
{
|
||||
this.tokenClient = tokenClient ?? throw new ArgumentNullException(nameof(tokenClient));
|
||||
this.optionsMonitor = optionsMonitor ?? throw new ArgumentNullException(nameof(optionsMonitor));
|
||||
this.dpopGenerator = dpopGenerator ?? throw new ArgumentNullException(nameof(dpopGenerator));
|
||||
this.timeProvider = timeProvider ?? TimeProvider.System;
|
||||
this.logger = logger ?? throw new ArgumentNullException(nameof(logger));
|
||||
}
|
||||
|
||||
public bool IsEnabled => optionsMonitor.CurrentValue.PolicyEngine.ClientCredentials.Enabled;
|
||||
|
||||
public async ValueTask<PolicyGatewayAuthorization?> GetAuthorizationAsync(HttpMethod method, Uri targetUri, CancellationToken cancellationToken)
|
||||
{
|
||||
if (!IsEnabled)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var tokenResult = await GetTokenAsync(cancellationToken).ConfigureAwait(false);
|
||||
if (tokenResult is null)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var token = tokenResult.Value;
|
||||
string? proof = null;
|
||||
if (dpopGenerator.Enabled)
|
||||
{
|
||||
proof = dpopGenerator.CreateProof(method, targetUri, token.AccessToken);
|
||||
}
|
||||
|
||||
var scheme = string.Equals(token.TokenType, "dpop", StringComparison.OrdinalIgnoreCase)
|
||||
? "DPoP"
|
||||
: token.TokenType;
|
||||
|
||||
var authorization = $"{scheme} {token.AccessToken}";
|
||||
return new PolicyGatewayAuthorization(authorization, proof, "service");
|
||||
}
|
||||
|
||||
private async ValueTask<CachedToken?> GetTokenAsync(CancellationToken cancellationToken)
|
||||
{
|
||||
var options = optionsMonitor.CurrentValue.PolicyEngine;
|
||||
if (!options.ClientCredentials.Enabled)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
var now = timeProvider.GetUtcNow();
|
||||
if (cachedToken is { } existing && existing.ExpiresAt > now + TimeSpan.FromSeconds(30))
|
||||
{
|
||||
return existing;
|
||||
}
|
||||
|
||||
await mutex.WaitAsync(cancellationToken).ConfigureAwait(false);
|
||||
try
|
||||
{
|
||||
if (cachedToken is { } cached && cached.ExpiresAt > now + TimeSpan.FromSeconds(30))
|
||||
{
|
||||
return cached;
|
||||
}
|
||||
|
||||
var scopeString = BuildScopeClaim(options);
|
||||
var result = await tokenClient.RequestClientCredentialsTokenAsync(scopeString, null, cancellationToken).ConfigureAwait(false);
|
||||
var expiresAt = result.ExpiresAtUtc;
|
||||
cachedToken = new CachedToken(result.AccessToken, string.IsNullOrWhiteSpace(result.TokenType) ? "Bearer" : result.TokenType, expiresAt);
|
||||
logger.LogInformation("Issued Policy Engine client credentials token; expires at {ExpiresAt:o}.", expiresAt);
|
||||
return cachedToken;
|
||||
}
|
||||
finally
|
||||
{
|
||||
mutex.Release();
|
||||
}
|
||||
}
|
||||
|
||||
private string BuildScopeClaim(PolicyGatewayPolicyEngineOptions options)
|
||||
{
|
||||
var scopeSet = new SortedSet<string>(StringComparer.Ordinal)
|
||||
{
|
||||
$"aud:{options.Audience.Trim().ToLowerInvariant()}"
|
||||
};
|
||||
|
||||
foreach (var scope in options.ClientCredentials.Scopes)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(scope))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
scopeSet.Add(scope.Trim());
|
||||
}
|
||||
|
||||
return string.Join(' ', scopeSet);
|
||||
}
|
||||
|
||||
private readonly record struct CachedToken(string AccessToken, string TokenType, DateTimeOffset ExpiresAt);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user