Skip to content

Add cache for retrieved RBAC claims #25698

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Sep 9, 2020
Merged

Add cache for retrieved RBAC claims #25698

merged 5 commits into from
Sep 9, 2020

Conversation

JunTaoLuo
Copy link
Contributor

@JunTaoLuo JunTaoLuo commented Sep 8, 2020
edited
Loading

fixes #25329.

Tested manually, I have a feeling unit tests are going to be tricky.

@JunTaoLuo JunTaoLuo requested a review from Tratcher as a code owner September 8, 2020 17:30
@ghost ghost added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Sep 8, 2020
JunTaoLuo
JunTaoLuo commented Sep 8, 2020
View reviewed changes
src/Security/Authentication/Negotiate/src/LdapSettings.cs
/// </summary>
public int ClaimsCacheSize { get; set; } = 1024;

internal MemoryCache ClaimsCache { get; set; }
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is different from the certificate validation cache in that it's not stored in DI. It might be a bit odd to have the cache in LdapSettings but I'm not sure if there's any value in putting this cache in DI.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Main value of putting it in DI is if you want to make it easy for them to plug in their own cache implementation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While that's true, I'm not sure we'd want that kind of flexibility here at the moment. I don't see it as particularly useful in this scenario.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's fine, I was just pointing out what advantages putting it in DI has

@Tratcher Tratcher requested a review from HaoK September 8, 2020 20:10
@Tratcher
Copy link
Member

Tratcher commented Sep 8, 2020

You can write a test that seeds the cache and verifies those are the values returned.

JunTaoLuo
JunTaoLuo commented Sep 9, 2020
View reviewed changes
src/Security/Authentication/Negotiate/test/Negotiate.Test/NegotiateHandlerTests.cs
{
ldapSettings.Domain = "domain.NET";
ldapSettings.ClaimsCache = claimsCache;
ldapSettings.EnableLdapClaimResolution = false; // This disables binding to the LDAP connection on startup
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I expected, this is really hacky but it works.

@JunTaoLuo JunTaoLuo added the Servicing-consider Shiproom approval is required for the issue label Sep 9, 2020
@ghost
Copy link

ghost commented Sep 9, 2020

Hello human! Please make sure you've included the Shiproom Template in a comment or (preferably) the PR description. Also, make sure this PR is not marked as a draft and is ready-to-merge.

@JunTaoLuo JunTaoLuo added this to the 5.0.0-rc2 milestone Sep 9, 2020
@JunTaoLuo
Copy link
Contributor Author

cc @Pilchie for rc2 approval.

@Pilchie Pilchie added Servicing-approved Shiproom has approved the issue and removed Servicing-consider Shiproom approval is required for the issue labels Sep 9, 2020
@Pilchie
Copy link
Member

Pilchie commented Sep 9, 2020

Approved for .NET 5 RC2 pending CI completion.

@JunTaoLuo JunTaoLuo merged commit 035221d into release/5.0-rc2 Sep 9, 2020
@JunTaoLuo JunTaoLuo deleted the johluo/claim-cache branch September 9, 2020 21:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Tratcher Tratcher Tratcher approved these changes

@HaoK HaoK HaoK approved these changes

Assignees
No one assigned
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer Servicing-approved Shiproom has approved the issue
Projects
None yet
Milestone
5.0.0-rc2
Development

Successfully merging this pull request may close these issues.
4 participants
@JunTaoLuo @Tratcher @Pilchie @HaoK