Skip to content

sso_proxy: reduce amount of group validations #267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Jusshersmith merged 1 commit into from
Nov 15, 2019
Merged

sso_proxy: reduce amount of group validations #267

Jusshersmith merged 1 commit into from
Nov 15, 2019

Conversation

@Jusshersmith
Copy link
Contributor

@Jusshersmith Jusshersmith commented Nov 12, 2019
edited
Loading

Problem

With the validator abstraction work that was recently done we inadvertently started to run group validations for each authenticated request. See 'Notes' section for specific details.

This increased volume of requests increases the potential to cause extra strain on upstream providers

Solution

We don't need to validate the groups again here. This pull request brings us closer to previous functionality where we re-validate group membership after refreshing or validating the session, and re-validate email domains and addresses upon each request.

Notes

  • Now that the group membership check is an official 'validator' within sso-proxy it's ran each time we call RunValidators().

    The problematic call in question:

    sso/internal/proxy/oauthproxy.go

    Line 784 in 9019d4f

    errors := options.RunValidators(p.Validators, session)

    Previously, we were only checking email address/domains here, with the group check being ran just above that when refreshing or validating the session:

    sso/internal/proxy/oauthproxy.go

    Line 731 in 9019d4f

    ok, err := p.provider.RefreshSession(session, allowedGroups)
    &

    sso/internal/proxy/oauthproxy.go

    Line 762 in 9019d4f

    ok := p.provider.ValidateSessionState(session, allowedGroups)

  • An alternative solution to validator pkg: control when each validator is ran #266

  • Also included in this is a change to the group validator (it's no longer used as a pointer). Largely to bring it in line with the other validators.

@Jusshersmith Jusshersmith added the bug Something isn't working label Nov 13, 2019
@Jusshersmith Jusshersmith requested a review from jphines November 13, 2019 11:26
@Jusshersmith Jusshersmith merged commit 99e69f8 into master Nov 15, 2019
@Jusshersmith Jusshersmith deleted the jusshersmith-group-validator-bug branch November 15, 2019 14:32
@Jusshersmith Jusshersmith mentioned this pull request Nov 21, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jphines jphines jphines approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Jusshersmith @jphines