open-consul/acl/cache.go

package acl

import (
	"crypto/md5"
	"fmt"

	"github.com/hashicorp/consul/sentinel"
	"github.com/hashicorp/golang-lru"
)

// FaultFunc is a function used to fault in the parent,
// rules for an ACL given its ID
type FaultFunc func(id string) (string, string, error)

// aclEntry allows us to store the ACL with it's policy ID
type aclEntry struct {
	ACL    ACL
	Parent string
	RuleID string
}

// Cache is used to implement policy and ACL caching
type Cache struct {
	faultfn     FaultFunc
	aclCache    *lru.TwoQueueCache // Cache id -> acl
	policyCache *lru.TwoQueueCache // Cache policy -> acl
	ruleCache   *lru.TwoQueueCache // Cache rules -> policy
	sentinel    sentinel.Evaluator
}

// NewCache constructs a new policy and ACL cache of a given size
func NewCache(size int, faultfn FaultFunc, sentinel sentinel.Evaluator) (*Cache, error) {
	if size <= 0 {
		return nil, fmt.Errorf("Must provide positive cache size")
	}

	rc, err := lru.New2Q(size)
	if err != nil {
		return nil, err
	}

	pc, err := lru.New2Q(size)
	if err != nil {
		return nil, err
	}

	ac, err := lru.New2Q(size)
	if err != nil {
		return nil, err
	}

	c := &Cache{
		faultfn:     faultfn,
		aclCache:    ac,
		policyCache: pc,
		ruleCache:   rc,
		sentinel:    sentinel,
	}
	return c, nil
}

// GetPolicy is used to get a potentially cached policy set.
// If not cached, it will be parsed, and then cached.
func (c *Cache) GetPolicy(rules string) (*Policy, error) {
	return c.getPolicy(RuleID(rules), rules)
}

// getPolicy is an internal method to get a cached policy,
// but it assumes a pre-computed ID
func (c *Cache) getPolicy(id, rules string) (*Policy, error) {
	raw, ok := c.ruleCache.Get(id)
	if ok {
		return raw.(*Policy), nil
	}
	policy, err := Parse(rules, c.sentinel)
	if err != nil {
		return nil, err
	}
	policy.ID = id
	c.ruleCache.Add(id, policy)
	return policy, nil

}

// RuleID is used to generate an ID for a rule
func RuleID(rules string) string {
	return fmt.Sprintf("%x", md5.Sum([]byte(rules)))
}

// policyID returns the cache ID for a policy
func (c *Cache) policyID(parent, ruleID string) string {
	return parent + ":" + ruleID
}

// GetACLPolicy is used to get the potentially cached ACL
// policy. If not cached, it will be generated and then cached.
func (c *Cache) GetACLPolicy(id string) (string, *Policy, error) {
	// Check for a cached acl
	if raw, ok := c.aclCache.Get(id); ok {
		cached := raw.(aclEntry)
		if raw, ok := c.ruleCache.Get(cached.RuleID); ok {
			return cached.Parent, raw.(*Policy), nil
		}
	}

	// Fault in the rules
	parent, rules, err := c.faultfn(id)
	if err != nil {
		return "", nil, err
	}

	// Get cached
	policy, err := c.GetPolicy(rules)
	return parent, policy, err
}

// GetACL is used to get a potentially cached ACL policy.
// If not cached, it will be generated and then cached.
func (c *Cache) GetACL(id string) (ACL, error) {
	// Look for the ACL directly
	raw, ok := c.aclCache.Get(id)
	if ok {
		return raw.(aclEntry).ACL, nil
	}

	// Get the rules
	parentID, rules, err := c.faultfn(id)
	if err != nil {
		return nil, err
	}
	ruleID := RuleID(rules)

	// Check for a compiled ACL
	policyID := c.policyID(parentID, ruleID)
	var compiled ACL
	if raw, ok := c.policyCache.Get(policyID); ok {
		compiled = raw.(ACL)
	} else {
		// Get the policy
		policy, err := c.getPolicy(ruleID, rules)
		if err != nil {
			return nil, err
		}

		// Get the parent ACL
		parent := RootACL(parentID)
		if parent == nil {
			parent, err = c.GetACL(parentID)
			if err != nil {
				return nil, err
			}
		}

		// Compile the ACL
		acl, err := New(parent, policy, c.sentinel)
		if err != nil {
			return nil, err
		}

		// Cache the compiled ACL
		c.policyCache.Add(policyID, acl)
		compiled = acl
	}

	// Cache and return the ACL
	c.aclCache.Add(id, aclEntry{compiled, parentID, ruleID})
	return compiled, nil
}

// ClearACL is used to clear the ACL cache if any
func (c *Cache) ClearACL(id string) {
	c.aclCache.Remove(id)
}

// Purge is used to clear all the ACL caches. The
// rule and policy caches are not purged, since they
// are content-hashed anyways.
func (c *Cache) Purge() {
	c.aclCache.Purge()
}
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`package acl`

			`import (`
			`"crypto/md5"`
			`"fmt"`

Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`"github.com/hashicorp/consul/sentinel"`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`"github.com/hashicorp/golang-lru"`
			`)`

acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`// FaultFunc is a function used to fault in the parent,`
Activates fallback to replicated ACLs. 2016-08-04 00:01:32 +00:00			`// rules for an ACL given its ID`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`type FaultFunc func(id string) (string, string, error)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`// aclEntry allows us to store the ACL with it's policy ID`
			`type aclEntry struct {`
acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`ACL ACL`
			`Parent string`
			`RuleID string`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`}`

acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`// Cache is used to implement policy and ACL caching`
			`type Cache struct {`
			`faultfn FaultFunc`
Switches all ACL caches to 2Q. 2016-08-09 18:00:22 +00:00			`aclCache *lru.TwoQueueCache // Cache id -> acl`
			`policyCache *lru.TwoQueueCache // Cache policy -> acl`
			`ruleCache *lru.TwoQueueCache // Cache rules -> policy`
Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`sentinel sentinel.Evaluator`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`

typofixes - https://github.com/vlajos/misspell_fixer 2014-12-04 23:25:06 +00:00			`// NewCache constructs a new policy and ACL cache of a given size`
Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`func NewCache(size int, faultfn FaultFunc, sentinel sentinel.Evaluator) (*Cache, error) {`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`if size <= 0 {`
			`return nil, fmt.Errorf("Must provide positive cache size")`
			`}`
Switches all ACL caches to 2Q. 2016-08-09 18:00:22 +00:00
			`rc, err := lru.New2Q(size)`
			`if err != nil {`
			`return nil, err`
			`}`

			`pc, err := lru.New2Q(size)`
			`if err != nil {`
			`return nil, err`
			`}`

			`ac, err := lru.New2Q(size)`
			`if err != nil {`
			`return nil, err`
			`}`

acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`c := &Cache{`
			`faultfn: faultfn,`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`aclCache: ac,`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`policyCache: pc,`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`ruleCache: rc,`
Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`sentinel: sentinel,`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`
			`return c, nil`
			`}`

			`// GetPolicy is used to get a potentially cached policy set.`
			`// If not cached, it will be parsed, and then cached.`
			`func (c Cache) GetPolicy(rules string) (Policy, error) {`
Activates fallback to replicated ACLs. 2016-08-04 00:01:32 +00:00			`return c.getPolicy(RuleID(rules), rules)`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`}`

			`// getPolicy is an internal method to get a cached policy,`
			`// but it assumes a pre-computed ID`
			`func (c Cache) getPolicy(id, rules string) (Policy, error) {`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`raw, ok := c.ruleCache.Get(id)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`if ok {`
			`return raw.(*Policy), nil`
			`}`
Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`policy, err := Parse(rules, c.sentinel)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`if err != nil {`
			`return nil, err`
			`}`
acl: Associate policy ID 2014-08-08 23:51:19 +00:00			`policy.ID = id`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`c.ruleCache.Add(id, policy)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`return policy, nil`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00
			`}`

Activates fallback to replicated ACLs. 2016-08-04 00:01:32 +00:00			`// RuleID is used to generate an ID for a rule`
			`func RuleID(rules string) string {`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`return fmt.Sprintf("%x", md5.Sum([]byte(rules)))`
			`}`

acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`// policyID returns the cache ID for a policy`
			`func (c *Cache) policyID(parent, ruleID string) string {`
			`return parent + ":" + ruleID`
			`}`

acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`// GetACLPolicy is used to get the potentially cached ACL`
			`// policy. If not cached, it will be generated and then cached.`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`func (c Cache) GetACLPolicy(id string) (string, Policy, error) {`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`// Check for a cached acl`
			`if raw, ok := c.aclCache.Get(id); ok {`
			`cached := raw.(aclEntry)`
acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`if raw, ok := c.ruleCache.Get(cached.RuleID); ok {`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`return cached.Parent, raw.(*Policy), nil`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`}`
			`}`

			`// Fault in the rules`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`parent, rules, err := c.faultfn(id)`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`if err != nil {`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`return "", nil, err`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`}`

			`// Get cached`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`policy, err := c.GetPolicy(rules)`
			`return parent, policy, err`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`

			`// GetACL is used to get a potentially cached ACL policy.`
			`// If not cached, it will be generated and then cached.`
			`func (c *Cache) GetACL(id string) (ACL, error) {`
			`// Look for the ACL directly`
			`raw, ok := c.aclCache.Get(id)`
			`if ok {`
acl: Adding cached policy fetch via ACL 2014-08-08 22:25:11 +00:00			`return raw.(aclEntry).ACL, nil`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`

			`// Get the rules`
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`parentID, rules, err := c.faultfn(id)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`if err != nil {`
			`return nil, err`
			`}`
Activates fallback to replicated ACLs. 2016-08-04 00:01:32 +00:00			`ruleID := RuleID(rules)`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`// Check for a compiled ACL`
acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`policyID := c.policyID(parentID, ruleID)`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`var compiled ACL`
acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`if raw, ok := c.policyCache.Get(policyID); ok {`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`compiled = raw.(ACL)`
			`} else {`
			`// Get the policy`
			`policy, err := c.getPolicy(ruleID, rules)`
			`if err != nil {`
			`return nil, err`
			`}`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00
acl: Simplify parent ACL, adding root policies 2014-08-12 17:35:27 +00:00			`// Get the parent ACL`
			`parent := RootACL(parentID)`
			`if parent == nil {`
			`parent, err = c.GetACL(parentID)`
			`if err != nil {`
			`return nil, err`
			`}`
			`}`

acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`// Compile the ACL`
Introduce Code Policy validation via sentinel, with a noop implementation 2017-09-14 19:31:01 +00:00			`acl, err := New(parent, policy, c.sentinel)`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`if err != nil {`
			`return nil, err`
			`}`

			`// Cache the compiled ACL`
acl: Avoid shared cache with different parents 2014-08-15 02:32:05 +00:00			`c.policyCache.Add(policyID, acl)`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`compiled = acl`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`

			`// Cache and return the ACL`
acl: Return the parent with GetACLPolicy 2014-08-12 17:45:28 +00:00			`c.aclCache.Add(id, aclEntry{compiled, parentID, ruleID})`
acl: Adding additional tier of caching 2014-08-09 00:37:13 +00:00			`return compiled, nil`
acl: Adding caching mechanism 2014-08-08 21:36:09 +00:00			`}`

			`// ClearACL is used to clear the ACL cache if any`
			`func (c *Cache) ClearACL(id string) {`
			`c.aclCache.Remove(id)`
			`}`
acl: Adding cache purging 2014-08-09 00:44:23 +00:00
			`// Purge is used to clear all the ACL caches. The`
			`// rule and policy caches are not purged, since they`
			`// are content-hashed anyways.`
			`func (c *Cache) Purge() {`
			`c.aclCache.Purge()`
			`}`