- Enable passing token data for Token Authentication #337
Conversation
* - Token Auth changes * - copyright correction * - modify test * - modify tests * - test modifications * - test change * - minor changes * - Dont print token and privatekey in string conversion * - print token, pvtonly only if stringwithpasswd selected * -minor changes * - correct comments * - renaming and free the token mem from handler * - minor changes * - oauth testing fixes * - minor changes
sudarshan12s
changed the title
drv.go
Outdated
| @@ -167,6 +167,18 @@ func ParseDSN(dataSourceName string) (P ConnectionParams, err error) { | |||
|
|
|||
| func NewPassword(s string) Password { return dsn.NewPassword(s) } | |||
|
|
|||
| func freeAccessToken(cAccessToken *C.dpiAccessToken) { | |||
| if cAccessToken != nil { | |||
There was a problem hiding this comment.
if cAssessToken == nil { return }
token.go
Outdated
| // | ||
| //export TokenCallbackHandler | ||
| func TokenCallbackHandler(ctx unsafe.Pointer, accessTokenC *C.dpiAccessToken) { | ||
| log.Printf("CB %p %+v", ctx, accessTokenC) |
There was a problem hiding this comment.
if logger != nil && logger.Enabled(ctx, slog.LevelDebug) {
logger.Debug("TokenCallbackHandler", "ctx", fmt.Sprintf("%p", ctx), "accessToken", cAccessToken)
}
token.go
Outdated
| // tokenCallbackHandler is the callback for C code on token expiry. | ||
| // | ||
| //export TokenCallbackHandler | ||
| func TokenCallbackHandler(ctx unsafe.Pointer, accessTokenC *C.dpiAccessToken) { |
There was a problem hiding this comment.
In drv.go it is called cAccessToken;
Here, accessTokenC.
Please, rename both to accessToken!
There was a problem hiding this comment.
Renamed to accessToken
token.go
Outdated
| func TokenCallbackHandler(ctx unsafe.Pointer, accessTokenC *C.dpiAccessToken) { | ||
| log.Printf("CB %p %+v", ctx, accessTokenC) | ||
| accessTokenCBsMu.Lock() | ||
| acessTokenCB := accessTokenCBs[*((*uint64)(ctx))] |
There was a problem hiding this comment.
if it is :=, then it overrides (shadows) the global accessTokenDBs, so no locking needed.
But I think you want to remove the :.
There was a problem hiding this comment.
I didn't understand the comment fully.. I want to modify the value(ptr) in the map with the token and private key C strings returned in this callback. These C strings are freed on next invocation of this callback.
I also modified to use RW lock instead of simple mutex. It looks ok?
token.go
Outdated
|
|
||
| import ( | ||
| "context" | ||
| "github.com/godror/godror/dsn" |
There was a problem hiding this comment.
Move it to the end of the imports, spearated by an empty line.
drv.go
Outdated
| @@ -844,6 +900,9 @@ func (d *drv) createPool(P commonAndPoolParams) (*connPool, error) { | |||
| (**C.dpiPool)(unsafe.Pointer(&dp)), | |||
| ) | |||
| }); err != nil { | |||
| if tokenCBID != 0 { | |||
There was a problem hiding this comment.
We don't really need this check.
token.go
Outdated
| // this map entry | ||
| var ( | ||
| accessTokenCBsMu sync.Mutex | ||
| accessTokenCBs = make(map[uint64]*accessTokenCB) |
There was a problem hiding this comment.
Use of runtime/cgo.Handle may be easier.
There was a problem hiding this comment.
I tried with cgo.Handle to store the callback context and hence avoid global map, accessTokenCBs . It is causing panic during C.dpiPool_create. looks like i am missing something..
panic: runtime error: cgo argument has Go pointer to unpinned Go pointer
I am able to simulate this panic with simple program. Below program will panic but when we comment this line
var h cgo.Handle so that we use global handle h , it works fine. So it looks this global bookkeeping might still be needed for each pool with cgo.Handle ?
package main
/*
struct dt {
void *context;
};
typedef struct dt dt;
extern void MyGoPrint(void *context);
static inline void myprint(struct dt *a1) {
MyGoPrint(a1->context);
}
*/
import "C"
import (
"context"
"runtime/cgo"
"unsafe"
)
//export MyGoPrint
func MyGoPrint(context unsafe.Pointer) {
h := *(*cgo.Handle)(context)
val := h.Value().(accessTokenCB)
println(val.id)
h.Delete()
}
type At struct {
Tok string
}
// AccessToken Callback information.
type accessTokenCB struct {
ctx context.Context
callback func(context.Context, *At) error
id uint64
ctoken *C.char
cprivateKey *C.char
}
func getH() cgo.Handle {
cb := func(ctx context.Context, tok *At) error {
tok.Tok = "123"
return nil
}
val := accessTokenCB{callback: cb, ctx: context.Background(), id: 32, ctoken: nil, cprivateKey: nil}
h := cgo.NewHandle(val)
return h
}
var h cgo.Handle
func main() {
var h cgo.Handle
h = getH()
var poolCt C.dt
poolCt.context = unsafe.Pointer(&h)
C.myprint(&poolCt)
// Output: 32
}
There was a problem hiding this comment.
package main
/*
extern void MyGoPrint(void *p);
static inline void myprint(void *p) {
MyGoPrint(p);
}
*/
import "C"
import (
"context"
"runtime/cgo"
"unsafe"
)
//export MyGoPrint
func MyGoPrint(p unsafe.Pointer) {
h := *(*cgo.Handle)(p)
val := h.Value().(accessTokenCB)
println(val.id)
h.Delete()
}
type At struct {
Tok string
}
// AccessToken Callback information.
type accessTokenCB struct {
ctx context.Context
callback func(context.Context, *At) error
id uint64
ctoken *C.char
cprivateKey *C.char
}
func getH() cgo.Handle {
cb := func(ctx context.Context, tok *At) error {
tok.Tok = "123"
return nil
}
val := accessTokenCB{
callback: cb, ctx: context.Background(),
id: 32, ctoken: nil, cprivateKey: nil}
h := cgo.NewHandle(val)
return h
}
func main() {
var h cgo.Handle
h = getH()
C.myprint(unsafe.Pointer(&h))
// Output: 32
}
works (no fancy structs - that'd need C helper).
There was a problem hiding this comment.
Finding https://groups.google.com/g/golang-nuts/c/PLSIN5jmzpM
The rewritten code is even simpler (treat cgo.Handle as a number (C.uintptr_t)):
package main
/*
#include <stdint.h>
extern void MyGoPrint(uintptr_t p);
static inline void myprint(uintptr_t p) {
MyGoPrint(p);
}
*/
import "C"
import (
"context"
"runtime/cgo"
)
//export MyGoPrint
func MyGoPrint(handle C.uintptr_t) {
h := cgo.Handle(handle)
val := h.Value().(accessTokenCB)
println(val.id)
h.Delete()
}
type At struct {
Tok string
}
// AccessToken Callback information.
type accessTokenCB struct {
ctx context.Context
callback func(context.Context, *At) error
id uint64
ctoken *C.char
cprivateKey *C.char
}
func getH() cgo.Handle {
cb := func(ctx context.Context, tok *At) error {
tok.Tok = "123"
return nil
}
val := accessTokenCB{
callback: cb, ctx: context.Background(),
id: 32, ctoken: nil, cprivateKey: nil}
h := cgo.NewHandle(val)
return h
}
func main() {
C.myprint(C.uintptr_t(getH()))
// Output: 32
}
There was a problem hiding this comment.
In our case , we need to pass poolCreateParams struct which has void * argument , accessTokenCallbackContext to C.dpiPool_create call. Hence i cant use cgo.Handle then?
There was a problem hiding this comment.
package main
/*
#include <stdint.h>
#include <stdlib.h>
struct hw {
uintptr_t handle;
};
typedef struct hw hw;
extern void MyGoPrint(uintptr_t handle);
// Called in C with void*, calls Go function with uintptr_t.
static inline void MyWrappedGoPrint(void *context) {
hw *a1 = (hw*)context;
MyGoPrint(a1->handle);
}
static inline void *wrap_handle(uintptr_t handle) {
hw *a1 = malloc(sizeof(hw));
a1->handle = handle;
return (void *)a1;
}
static inline void myprint(void *context) {
MyWrappedGoPrint(context);
}
static inline void wrapped_myprint(uintptr_t handle) {
myprint(wrap_handle(handle));
}
*/
import "C"
import (
"context"
"runtime/cgo"
)
//export MyGoPrint
func MyGoPrint(handle C.uintptr_t) {
h := (cgo.Handle)(handle)
val := ((cgo.Handle)(h)).Value().(accessTokenCB)
println(val.id)
h.Delete()
}
type At struct {
Tok string
}
type accessTokenCB struct {
ctx context.Context
callback func(context.Context, *At) error
id uint64
ctoken *C.char
cprivateKey *C.char
}
func getH() cgo.Handle {
cb := func(ctx context.Context, tok *At) error {
tok.Tok = "123"
return nil
}
val := accessTokenCB{callback: cb, ctx: context.Background(), id: 32, ctoken: nil, cprivateKey: nil}
h := cgo.NewHandle(val)
return h
}
func main() {
h := getH()
C.wrapped_myprint((C.uintptr_t)(h))
// Output: 32
}
just create enough wrappers :)
There was a problem hiding this comment.
Thanks . I made the changes by wrapping it now..
Description
For Token Based Authentication, the connect string can be alias as mentioned here. This PR adds support to programatically supply token information; token and privateKey data. For IAM , token and privateKey needs to be provided. For OAUTH, token is enough.
In case of pool config(
standAloneConnection=0), callback needs to be provided along with context, which is invoked when the token information to connect database has expired passing the context as input argument.The callback is supposed to fill the refresh token. The C memory allocated for token data passed to odpi-c is freed on next invocation of callback. Hence the context passed by godror to odpi-c has token, privateKey returned by previous invocation of callback. The cgo.handle is used to pass the go
accessTokenCBvalue after wrapping it into void * .The context argument for the callback is taken as
context.Contexttype to just allow variable key/value pairs. Should this be interface{} instead?Note:
Token Authentication is only supported with tcps(tls)
If privateKey is not given but only token is given, OAUTH based Authentication is internally tried.
For pool config (
standAloneConnection=0), token based authentication, both homogeneous and externalAuth fields in the dpiPoolCreateParams structure must be set to 1. Incase of StandAlone (standAloneConnection=1) externalAuth must be set to 1.token and privateKeys are not considered as part of pool key and hence single pool will be created for multiple sql.open calls with different token/privateKeys
privateKey format should not have the comments ( -----BEGIN OPENSSH PRIVATE KEY-----
, -----END OPENSSH PRIVATE KEY-----
) It has to be removed and passed to the driver.
ConnectionParams.StringWithPassword only enables printing token/pvtkey
example of token and privatekey passed in sql.open for standalone=1
Testing:
IAM and OAUTH testing for standalone and pool is done.
Token callback triggering more than once is tested manually by code change