jwt transport: fix retry on unauthorized from CAPI(#3006)

crowdsecurity · May 24, 2024 · f06e3e7 · f06e3e7
1 parent 09afcbe
commit f06e3e7
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 45 deletions.
diff --git a/pkg/apiclient/auth_jwt.go b/pkg/apiclient/auth_jwt.go
@@ -26,6 +26,7 @@ type JWTTransport struct {
  URL *url.URL
  VersionPrefix string
  UserAgent string
+ RetryConfig *RetryConfig
  // Transport is the underlying HTTP transport to use when making requests.
  // It will default to http.DefaultTransport if nil.
  Transport http.RoundTripper
@@ -165,36 +166,67 @@ func (t *JWTTransport) prepareRequest(req *http.Request) (*http.Request, error)
 
 // RoundTrip implements the RoundTripper interface.
 func (t *JWTTransport) RoundTrip(req *http.Request) (*http.Response, error) {
- req, err := t.prepareRequest(req)
- if err != nil {
- return nil, err
- }
 
- if log.GetLevel() >= log.TraceLevel {
- // requestToDump := cloneRequest(req)
- dump, _ := httputil.DumpRequest(req, true)
- log.Tracef("req-jwt: %s", string(dump))
- }
+ var resp *http.Response
+ attemptsCount := make(map[int]int)
 
- // Make the HTTP request.
- resp, err := t.transport().RoundTrip(req)
- if log.GetLevel() >= log.TraceLevel {
- dump, _ := httputil.DumpResponse(resp, true)
- log.Tracef("resp-jwt: %s (err:%v)", string(dump), err)
- }
+ for {
+ if log.GetLevel() >= log.TraceLevel {
+ // requestToDump := cloneRequest(req)
+ dump, _ := httputil.DumpRequest(req, true)
+ log.Tracef("req-jwt: %s", string(dump))
+ }
+ // Make the HTTP request.
+ clonedReq := cloneRequest(req)
 
- if err != nil {
- // we had an error (network error for example, or 401 because token is refused), reset the token?
- t.ResetToken()
+ clonedReq, err := t.prepareRequest(clonedReq)
+ if err != nil {
+ return nil, err
+ }
 
- return resp, fmt.Errorf("performing jwt auth: %w", err)
- }
+ resp, err = t.transport().RoundTrip(clonedReq)
+ if log.GetLevel() >= log.TraceLevel {
+ dump, _ := httputil.DumpResponse(resp, true)
+ log.Tracef("resp-jwt: %s (err:%v)", string(dump), err)
+ }
 
- if resp != nil {
- log.Debugf("resp-jwt: %d", resp.StatusCode)
- }
+ if err != nil {
+ // we had an error (network error for example), reset the token?
+ t.ResetToken()
+ return resp, fmt.Errorf("performing jwt auth: %w", err)
+ }
+
+ if resp != nil {
+ log.Debugf("resp-jwt: %d", resp.StatusCode)
+ }
 
+ config, shouldRetry := t.RetryConfig.StatusCodeConfig[resp.StatusCode]
+ if !shouldRetry {
+ break
+ }
+
+ if attemptsCount[resp.StatusCode] >= config.MaxAttempts {
+ log.Infof("max attempts reached for status code %d", resp.StatusCode)
+ break
+ }
+
+ if config.InvalidateToken {
+ log.Debugf("invalidating token for status code %d", resp.StatusCode)
+ t.ResetToken()
+ }
+
+ log.Debugf("retrying request to %s", req.URL.String())
+ attemptsCount[resp.StatusCode]++
+ log.Infof("attempt %d out of %d", attemptsCount[resp.StatusCode], config.MaxAttempts)
+
+ if config.Backoff {
+ backoff := 2*attemptsCount[resp.StatusCode] + 5
+ log.Infof("retrying in %d seconds (attempt %d of %d)", backoff, attemptsCount[resp.StatusCode], config.MaxAttempts)
+ time.Sleep(time.Duration(backoff) * time.Second)
+ }
+ }
  return resp, nil
+
 }
 
 func (t *JWTTransport) Client() *http.Client {
@@ -211,27 +243,8 @@ func (t *JWTTransport) ResetToken() {
 // transport() returns a round tripper that retries once when the status is unauthorized,
 // and 5 times when the infrastructure is overloaded.
 func (t *JWTTransport) transport() http.RoundTripper {
- transport := t.Transport
- if transport == nil {
- transport = http.DefaultTransport
- }
-
- return &retryRoundTripper{
- next: &retryRoundTripper{
- next: transport,
- maxAttempts: 5,
- withBackOff: true,
- retryStatusCodes: []int{http.StatusTooManyRequests, http.StatusServiceUnavailable, http.StatusGatewayTimeout},
- },
- maxAttempts: 2,
- withBackOff: false,
- retryStatusCodes: []int{http.StatusUnauthorized, http.StatusForbidden},
- onBeforeRequest: func(attempt int) {
- // reset the token only in the second attempt as this is when we know we had a 401 or 403
- // the second attempt is supposed to refresh the token
- if attempt > 0 {
- t.ResetToken()
- }
- },
+ if t.Transport != nil {
+ return t.Transport
  }
+ return http.DefaultTransport
 }
diff --git a/pkg/apiclient/client.go b/pkg/apiclient/client.go
@@ -72,6 +72,13 @@ func NewClient(config *Config) (*ApiClient, error) {
  UserAgent: config.UserAgent,
  VersionPrefix: config.VersionPrefix,
  UpdateScenario: config.UpdateScenario,
+ RetryConfig: NewRetryConfig(
+ WithStatusCodeConfig(http.StatusUnauthorized, 2, false, true),
+ WithStatusCodeConfig(http.StatusForbidden, 2, false, true),
+ WithStatusCodeConfig(http.StatusTooManyRequests, 5, true, false),
+ WithStatusCodeConfig(http.StatusServiceUnavailable, 5, true, false),
+ WithStatusCodeConfig(http.StatusGatewayTimeout, 5, true, false),
+ ),
  }
 
  transport, baseURL := createTransport(config.URL)

diff --git a/pkg/apiclient/retry_config.go b/pkg/apiclient/retry_config.go
@@ -0,0 +1,33 @@
+package apiclient
+
+type StatusCodeConfig struct {
+ MaxAttempts int
+ Backoff bool
+ InvalidateToken bool
+}
+
+type RetryConfig struct {
+ StatusCodeConfig map[int]StatusCodeConfig
+}
+
+type RetryConfigOption func(*RetryConfig)
+
+func NewRetryConfig(options ...RetryConfigOption) *RetryConfig {
+ rc := &RetryConfig{
+ StatusCodeConfig: make(map[int]StatusCodeConfig),
+ }
+ for _, opt := range options {
+ opt(rc)
+ }
+ return rc
+}
+
+func WithStatusCodeConfig(statusCode int, maxAttempts int, backOff bool, invalidateToken bool) RetryConfigOption {
+ return func(rc *RetryConfig) {
+ rc.StatusCodeConfig[statusCode] = StatusCodeConfig{
+ MaxAttempts: maxAttempts,
+ Backoff: backOff,
+ InvalidateToken: invalidateToken,
+ }
+ }
+}