Skip to content

Cache git-lfs-authenticate repsonse#2045

Closed
bozaro wants to merge 2 commits intogit-lfs:masterfrom
bozaro:git-lfs-authenticate-cache
Closed

Cache git-lfs-authenticate repsonse#2045
bozaro wants to merge 2 commits intogit-lfs:masterfrom
bozaro:git-lfs-authenticate-cache

Conversation

@bozaro
Copy link
Contributor

@bozaro bozaro commented Mar 17, 2017
edited
Loading

Changes summary:

  • lfsapi.NewRequest now returns RequestFactory instead of (*http.Request, err);
  • RequestFactory interface have two methods:
    • NewRequest() (*http.Request, error) - generate request;
    • InvalidateAuthorization() bool - invalidate cached authentication data.
  • For simple HTTP requests RequestFactory simply wraps http.Request.
  • For SSH based HTTP requests RequestFactory generate http.Request based on
    last git-lfs-authenticate response.

This change for fix issue #2018

@bozaro bozaro force-pushed the git-lfs-authenticate-cache branch 3 times, most recently from e7c509c to 7a31a3b Compare March 17, 2017 08:41
@bozaro
Cache git-lfs-authenticate repsonse
14ffccb 
Changes summary:

 * lfsapi.NewRequest now returns RequestFactory instead of (*http.Request, err);
 * RequestFactory interface have two methods:
   * NewRequest() (*http.Request, error) - generate request;
   * InvalidateAuthorization() bool - invalidate cached authentication data.
 * For simple HTTP requests RequestFactory simply wraps http.Request.
 * For SSH based HTTP requests RequestFactory generate http.Request based on
   last git-lfs-authenticate response.
@bozaro bozaro force-pushed the git-lfs-authenticate-cache branch from 7a31a3b to 14ffccb Compare March 17, 2017 08:48
@bozaro bozaro mentioned this pull request Mar 17, 2017
Closed
@technoweenie
Copy link
Contributor

technoweenie commented Mar 17, 2017

Interesting approach, but I think a better approach would be wrapping the credential and ssh code with a write-through caching layer. For example, there's already a CredentialHelper interface that's used for tests. That way, the interfaces to making HTTP requests doesn't have to change everywhere. What do you think about that?

Also, the SSH auth cache doesn't take expires_at into account. So it's possible that requests made after the expiration would be stuck using a bad token.

@bozaro
Copy link
Contributor Author

bozaro commented Mar 17, 2017

Also, the SSH auth cache doesn't take expires_at into account. So it's possible that requests made after the expiration would be stuck using a bad token.

It not a problem: expire_at is useless, because nobody guaranty time syncronization between client and lfs-server hosts.
On expired token usage, server should return 401 error and client reinvoke git-lfs-authenticate command for new token.

@bozaro
Copy link
Contributor Author

bozaro commented Mar 17, 2017

Interesting approach, but I think a better approach would be wrapping the credential and ssh code with a write-through caching layer. For example, there's already a CredentialHelper interface that's used for tests. That way, the interfaces to making HTTP requests doesn't have to change everywhere. What do you think about that?

I wanted to use CredentialHelper, but git-lfs-authenticate returns not credentional, but request URL and headers. And there are no stable paths in git-lfs-authenticate response. It can change any information.

@ttaylorr
Copy link
Contributor

ttaylorr commented Mar 17, 2017
edited
Loading

Also, the SSH auth cache doesn't take expires_at into account. So it's possible that requests made after the expiration would be stuck using a bad token.

It not a problem: expire_at is useless, because nobody guaranty time syncronization between client and lfs-server hosts.

LFS exhibits this behavior in other places where it will retry requests that have actions that are already expired instead of receiving a 401 and retrying the request later down the pipeline. If the client and server have drastically different times, the request retry budget will be exceeded and the request will fail.

I think it would be worthwhile to keep that behavior consistent here and respect the expires_at property.

I wanted to use CredentialHelper, but git-lfs-authenticate returns not credentional, but request URL and headers.

I think it would be fine to also return credentials from this function, but I would love to hear @technoweenie's thoughts on this.

@technoweenie
Copy link
Contributor

technoweenie commented Mar 17, 2017

I think the ssh auth can have its own custom interface that returns a (cached) href + header + expires_at. It doesn't have to use the credential helper interface.

@technoweenie technoweenie mentioned this pull request Mar 20, 2017
Closed
@technoweenie technoweenie mentioned this pull request Mar 24, 2017
Merged
@ttaylorr ttaylorr closed this Apr 3, 2017
@ttaylorr
Copy link
Contributor

ttaylorr commented Apr 3, 2017
edited
Loading

Closing since we merged #2080.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@bozaro @technoweenie @ttaylorr