Merge pull request #738 from openziti/add-auth-lock

Add back locking around authenticate. Fix deadlocks. Fixes #735

Author: plorenz

CHANGELOG.md

@@ -9,7 +9,13 @@ server side, so if the feature is enabled, router version 1.6.2+ will be require
 
 ## Issues Fixed and Dependency Updates
 
+# Release notes 1.1.1
+
+## Issues Fixed and Dependency Updates
+
 * github.com/openziti/sdk-golang: [v1.1.0 -> v1.1.1](https://github.com/openziti/sdk-golang/compare/v1.1.0...v1.1.1)
+    * [Issue #735](https://github.com/openziti/sdk-golang/issues/735) - Ensure Authenticate can't be called in parallel
+
 * github.com/openziti/channel/v4: [v4.0.6 -> v4.1.3](https://github.com/openziti/channel/compare/v4.0.6...v4.1.3)
     * [Issue #187](https://github.com/openziti/channel/issues/187) - Allow fallback to regular channel when 'is grouped' isn't set when using multi-listener
     * [Issue #185](https://github.com/openziti/channel/issues/185) - Add group secret for multi-underlay channels
@@ -26,6 +32,7 @@ server side, so if the feature is enabled, router version 1.6.2+ will be require
 * golang.org/x/term: v0.30.0 -> v0.32.0
 * golang.org/x/text: v0.23.0 -> v0.25.0
 
+
 # Release notes 1.1.0
 
 ## What's New

example/go.mod

@@ -80,7 +80,7 @@ require (
 	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/openziti/channel/v4 v4.1.3 // indirect
+	github.com/openziti/channel/v4 v4.2.0 // indirect
 	github.com/openziti/edge-api v0.26.45 // indirect
 	github.com/openziti/identity v1.0.101 // indirect
 	github.com/openziti/metrics v1.4.1 // indirect

example/go.sum

@@ -358,8 +358,8 @@ github.com/onsi/gomega v1.13.0 h1:7lLHu94wT9Ij0o6EWWclhu0aOh32VxhkwEJvzuWPeak=
 github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/openziti/channel/v4 v4.1.3 h1:+weirY7+Yxw45v4yX9lwO3W7/Wqv/fTFuErk1J2mmu4=
-github.com/openziti/channel/v4 v4.1.3/go.mod h1:t42XcuNICtJSizetoZbmml3l5AE7d/LDCf29c+Ene4Q=
+github.com/openziti/channel/v4 v4.2.0 h1:oDWDECsMlGqYOWTR7cpvWiEtDgK2zH5XYyU94mMobUQ=
+github.com/openziti/channel/v4 v4.2.0/go.mod h1:t42XcuNICtJSizetoZbmml3l5AE7d/LDCf29c+Ene4Q=
 github.com/openziti/edge-api v0.26.45 h1:M5rR28yEIIpbVo7F7c5tF+z2qNKqvN55pK6bZqQHn+8=
 github.com/openziti/edge-api v0.26.45/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/foundation/v2 v2.0.63 h1:7D8JhHT3i4H5owF+XnTdyjCKn809xEcFD8/RG1h9QYA=

example/influxdb-client-go/go.mod

@@ -94,7 +94,7 @@ require (
 	github.com/muhlemmer/gu v0.3.1 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/openziti/channel/v4 v4.1.3 // indirect
+	github.com/openziti/channel/v4 v4.2.0 // indirect
 	github.com/openziti/edge-api v0.26.45 // indirect
 	github.com/openziti/foundation/v2 v2.0.63 // indirect
 	github.com/openziti/identity v1.0.101 // indirect

example/influxdb-client-go/go.sum

@@ -413,8 +413,8 @@ github.com/onsi/gomega v1.13.0 h1:7lLHu94wT9Ij0o6EWWclhu0aOh32VxhkwEJvzuWPeak=
 github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/openziti/channel/v4 v4.1.3 h1:+weirY7+Yxw45v4yX9lwO3W7/Wqv/fTFuErk1J2mmu4=
-github.com/openziti/channel/v4 v4.1.3/go.mod h1:t42XcuNICtJSizetoZbmml3l5AE7d/LDCf29c+Ene4Q=
+github.com/openziti/channel/v4 v4.2.0 h1:oDWDECsMlGqYOWTR7cpvWiEtDgK2zH5XYyU94mMobUQ=
+github.com/openziti/channel/v4 v4.2.0/go.mod h1:t42XcuNICtJSizetoZbmml3l5AE7d/LDCf29c+Ene4Q=
 github.com/openziti/edge-api v0.26.45 h1:M5rR28yEIIpbVo7F7c5tF+z2qNKqvN55pK6bZqQHn+8=
 github.com/openziti/edge-api v0.26.45/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/foundation/v2 v2.0.63 h1:7D8JhHT3i4H5owF+XnTdyjCKn809xEcFD8/RG1h9QYA=

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/michaelquigley/pfxlog v0.6.10
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/openziti/channel/v4 v4.1.3
+	github.com/openziti/channel/v4 v4.2.0
 	github.com/openziti/edge-api v0.26.45
 	github.com/openziti/foundation/v2 v2.0.63
 	github.com/openziti/identity v1.0.101

go.sum

@@ -299,8 +299,8 @@ github.com/onsi/gomega v1.13.0 h1:7lLHu94wT9Ij0o6EWWclhu0aOh32VxhkwEJvzuWPeak=
 github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/openziti/channel/v4 v4.1.3 h1:+weirY7+Yxw45v4yX9lwO3W7/Wqv/fTFuErk1J2mmu4=
-github.com/openziti/channel/v4 v4.1.3/go.mod h1:t42XcuNICtJSizetoZbmml3l5AE7d/LDCf29c+Ene4Q=
+github.com/openziti/channel/v4 v4.2.0 h1:oDWDECsMlGqYOWTR7cpvWiEtDgK2zH5XYyU94mMobUQ=
+github.com/openziti/channel/v4 v4.2.0/go.mod h1:t42XcuNICtJSizetoZbmml3l5AE7d/LDCf29c+Ene4Q=
 github.com/openziti/edge-api v0.26.45 h1:M5rR28yEIIpbVo7F7c5tF+z2qNKqvN55pK6bZqQHn+8=
 github.com/openziti/edge-api v0.26.45/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/foundation/v2 v2.0.63 h1:7D8JhHT3i4H5owF+XnTdyjCKn809xEcFD8/RG1h9QYA=

ziti/ziti.go

@@ -193,6 +193,7 @@ type ContextImpl struct {
 	authQueryHandlers map[string]func(query *rest_model.AuthQueryDetail, response MfaCodeResponse) error
 
 	events.EventEmmiter
+	authAttemptLock                 sync.Mutex
 	lastSuccessfulApiSessionRefresh time.Time
 	routerProxy                     func(addr string) *transport.ProxyConfiguration
 
@@ -664,41 +665,50 @@ func (context *ContextImpl) refreshSessions() {
 }
 
 func (context *ContextImpl) RefreshServices() error {
-	return context.refreshServices(true)
+	return context.refreshServices(true, false)
 }
 
-func (context *ContextImpl) refreshServices(forceCheck bool) error {
-	if err := context.ensureApiSession(); err != nil {
-		return fmt.Errorf("failed to refresh services: %v", err)
+func (context *ContextImpl) refreshServices(forceRefresh, refreshAfterAuth bool) error {
+	if !refreshAfterAuth { // if in authenticate mutex, can't re-auth
+		if err := context.ensureApiSession(); err != nil {
+			return fmt.Errorf("failed to refresh services: %v", err)
+		}
 	}
 
 	var checkService bool
 	var lastServiceUpdate *strfmt.DateTime
 	var err error
 
 	log := pfxlog.Logger()
-	log.Debug("checking if service updates available")
-	if checkService, lastServiceUpdate, err = context.CtrlClt.IsServiceListUpdateAvailable(); err != nil {
-		log.WithError(err).Error("failed to check if service list update is available")
-		target := &current_api_session.ListServiceUpdatesUnauthorized{}
-		if errors.As(err, &target) {
-			checkService = true
-		} else {
-			if err = context.Authenticate(); err != nil {
-				log.WithError(err).Error("unable to re-authenticate during session refresh")
+
+	if !forceRefresh {
+		log.Debug("checking if service updates available")
+		if checkService, lastServiceUpdate, err = context.CtrlClt.IsServiceListUpdateAvailable(); err != nil {
+			log.WithError(err).Error("failed to check if service list update is available")
+			target := &current_api_session.ListServiceUpdatesUnauthorized{}
+			if errors.As(err, &target) {
+				checkService = true
 			} else {
-				if checkService, lastServiceUpdate, err = context.CtrlClt.IsServiceListUpdateAvailable(); err != nil {
-					checkService = true
+				if err = context.Authenticate(); err != nil {
+					log.WithError(err).Error("unable to re-authenticate during session refresh")
+				} else {
+					if checkService, lastServiceUpdate, err = context.CtrlClt.IsServiceListUpdateAvailable(); err != nil {
+						checkService = true
+					}
 				}
 			}
 		}
 	}
 
-	if checkService || forceCheck {
+	if checkService || forceRefresh {
 		log.Debug("refreshing services")
 
 		services, err := context.CtrlClt.GetServices()
 		if err != nil {
+			if refreshAfterAuth { // in authenticate mutex, can't re-auth
+				return err
+			}
+
 			target := &service.ListServicesUnauthorized{}
 			if errors.As(err, &target) {
 				log.Info("attempting to re-authenticate")
@@ -831,7 +841,7 @@ func (context *ContextImpl) runRefreshes() {
 
 		case <-svcRefreshTick.C:
 			log.Debug("refreshing services")
-			if err := context.refreshServices(false); err != nil {
+			if err := context.refreshServices(false, false); err != nil {
 				log.WithError(err).Error("failed to load service updates")
 			}
 
@@ -939,6 +949,9 @@ func (context *ContextImpl) Reauthenticate() error {
 }
 
 func (context *ContextImpl) Authenticate() error {
+	context.authAttemptLock.Lock()
+	defer context.authAttemptLock.Unlock()
+
 	if context.CtrlClt.GetCurrentApiSession() != nil {
 		if time.Since(context.lastSuccessfulApiSessionRefresh) < 5*time.Second {
 			return nil
@@ -1013,7 +1026,7 @@ func (context *ContextImpl) onFullAuth(apiSession apis.ApiSession) error {
 	context.Emit(EventAuthenticationStateFull, apiSession)
 
 	// get services
-	if err := context.RefreshServices(); err != nil {
+	if err := context.refreshServices(true, true); err != nil {
 		doOnceErr = err
 	}
 
@@ -1668,7 +1681,7 @@ func (context *ContextImpl) createSession(service *rest_model.ServiceDetail, ses
 
 		var createSessionNotFound = &rest_session.CreateSessionNotFound{}
 		if errors.As(err, &createSessionNotFound) {
-			if refreshErr := context.refreshServices(false); refreshErr != nil {
+			if refreshErr := context.refreshServices(false, false); refreshErr != nil {
 				logger.WithError(refreshErr).Info("failed to refresh services after create session returned 404 (likely for service)")
 			}
 		}