Cache tokens when using swift's v2 authentication

Signed-off-by: Robin Appelman <robin@icewind.nl>

3 files changed, 94 insertions, 17 deletions

diff --git a/lib/private/Files/ObjectStore/SwiftFactory.php b/lib/private/Files/ObjectStore/SwiftFactory.php
index 3ff534b4e64..1034026327b 100644
--- a/lib/private/Files/ObjectStore/SwiftFactory.php
+++ b/lib/private/Files/ObjectStore/SwiftFactory.php
@@ -33,6 +33,7 @@ use OCP\ICache;
 use OCP\ILogger;
 use OpenStack\Common\Error\BadResponseError;
 use OpenStack\Common\Auth\Token;
+use OpenStack\Identity\v2\Models\Catalog;
 use OpenStack\Identity\v2\Service as IdentityV2Service;
 use OpenStack\Identity\v3\Service as IdentityV3Service;
 use OpenStack\OpenStack;
@@ -47,6 +48,13 @@ class SwiftFactory {
 	private $container = null;
 	private $logger;
 
+	const DEFAULT_OPTIONS = [
+		'autocreate' => false,
+		'urlType' => 'publicURL',
+		'catalogName' => 'swift',
+		'catalogType' => 'object-store'
+	];
+
 	public function __construct(ICache $cache, array $params, ILogger $logger) {
 		$this->cache = $cache;
 		$this->params = $params;
@@ -62,11 +70,21 @@ class SwiftFactory {
 		}
 	}
 
-	private function cacheToken(Token $token, string $cacheKey) {
+	private function cacheToken(Token $token, string $serviceUrl, string $cacheKey) {
 		if ($token instanceof \OpenStack\Identity\v3\Models\Token) {
+			// for v3 the catalog is cached as part of the token, so no need to cache $serviceUrl separately
 			$value = json_encode($token->export());
 		} else {
-			$value = json_encode($token);
+			/** @var \OpenStack\Identity\v2\Models\Token $token */
+			$value = json_encode([
+				'serviceUrl' => $serviceUrl,
+				'token' => [
+					'issued_at' => $token->issuedAt->format('c'),
+					'expires' => $token->expires->format('c'),
+					'id' => $token->id,
+					'tenant' => $token->tenant
+				]
+			]);
 		}
 		$this->cache->set($cacheKey . '/token', $value);
 	}
@@ -82,10 +100,6 @@ class SwiftFactory {
 		if (!isset($this->params['container'])) {
 			$this->params['container'] = 'nextcloud';
 		}
-		if (!isset($this->params['autocreate'])) {
-			// should only be true for tests
-			$this->params['autocreate'] = false;
-		}
 		if (isset($this->params['user']) && is_array($this->params['user'])) {
 			$userName = $this->params['user']['name'];
 		} else {
@@ -97,6 +111,7 @@ class SwiftFactory {
 		if (!isset($this->params['tenantName']) && isset($this->params['tenant'])) {
 			$this->params['tenantName'] = $this->params['tenant'];
 		}
+		$this->params = array_merge(self::DEFAULT_OPTIONS, $this->params);
 
 		$cacheKey = $userName . '@' . $this->params['url'] . '/' . $this->params['container'];
 		$token = $this->getCachedToken($cacheKey);
@@ -114,7 +129,7 @@ class SwiftFactory {
 
 			return $this->auth(IdentityV3Service::factory($httpClient), $cacheKey);
 		} else {
-			return $this->auth(IdentityV2Service::factory($httpClient), $cacheKey);
+			return $this->auth(SwiftV2CachingAuthService::factory($httpClient), $cacheKey);
 		}
 	}
 
@@ -127,25 +142,41 @@ class SwiftFactory {
 	private function auth($authService, string $cacheKey) {
 		$this->params['identityService'] = $authService;
 		$this->params['authUrl'] = $this->params['url'];
-		$client = new OpenStack($this->params);
 
 		$cachedToken = $this->params['cachedToken'];
 		$hasValidCachedToken = false;
-		if (\is_array($cachedToken) && ($authService instanceof IdentityV3Service)) {
-			$token = $authService->generateTokenFromCache($cachedToken);
-			if (\is_null($token->catalog)) {
-				$this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken));
-			} else if ($token->hasExpired()) {
-				$this->logger->debug('Cached token for swift expired');
+		if (\is_array($cachedToken)) {
+			if ($authService instanceof IdentityV3Service) {
+				$token = $authService->generateTokenFromCache($cachedToken);
+				if (\is_null($token->catalog)) {
+					$this->logger->warning('Invalid cached token for swift, no catalog set: ' . json_encode($cachedToken));
+				} else if ($token->hasExpired()) {
+					$this->logger->debug('Cached token for swift expired');
+				} else {
+					$hasValidCachedToken = true;
+				}
 			} else {
-				$hasValidCachedToken = true;
+				try {
+					/** @var \OpenStack\Identity\v2\Models\Token $token */
+					$token = $authService->model(\OpenStack\Identity\v2\Models\Token::class, $cachedToken['token']);
+					$now = new \DateTimeImmutable("now");
+					if ($token->expires > $now) {
+						$hasValidCachedToken = true;
+						$this->params['v2cachedToken'] = $token;
+						$this->params['v2serviceUrl'] = $cachedToken['serviceUrl'];
+					} else {
+						$this->logger->debug('Cached token for swift expired');
+					}
+				} catch (\Exception $e) {
+					$this->logger->logException($e);
+				}
 			}
 		}
 
 		if (!$hasValidCachedToken) {
 			try {
-				$token = $authService->generateToken($this->params);
-				$this->cacheToken($token, $cacheKey);
+				list($token, $serviceUrl) = $authService->authenticate($this->params);
+				$this->cacheToken($token, $serviceUrl, $cacheKey);
 			} catch (ConnectException $e) {
 				throw new StorageAuthException('Failed to connect to keystone, verify the keystone url', $e);
 			} catch (ClientException $e) {
@@ -164,6 +195,9 @@ class SwiftFactory {
 			}
 		}
 
+
+		$client = new OpenStack($this->params);
+
 		return $client;
 	}
 
diff --git a/lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php b/lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php
new file mode 100644
index 00000000000..38f1e54dac3
--- /dev/null
+++ b/lib/private/Files/ObjectStore/SwiftV2CachingAuthService.php
@@ -0,0 +1,35 @@
+<?php declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2018 Robin Appelman <robin@icewind.nl>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OC\Files\ObjectStore;
+
+
+use OpenStack\Identity\v2\Service;
+
+class SwiftV2CachingAuthService extends Service {
+	public function authenticate(array $options = []): array {
+		if (!empty($options['v2cachedToken'])) {
+			return [$options['v2cachedToken'], $options['v2serviceUrl']];
+		} else {
+			return parent::authenticate($options);
+		}
+	}
+}
diff --git a/tests/preseed-config.php b/tests/preseed-config.php
index 70cf272faef..2d88d939157 100644
--- a/tests/preseed-config.php
+++ b/tests/preseed-config.php
@@ -63,6 +63,14 @@ if (getenv('OBJECT_STORE') === 'swift') {
 						'name' => 'default',
 					]
 				],
+				'scope' => [
+					'project' => [
+						'name' => 'service',
+						'domain' => [
+							'name' => 'default',
+						],
+					],
+				],
 				'tenantName' => 'service',
 				'serviceName' => 'swift',
 				'region' => 'regionOne',