Auth: Return error when retries have been exhausted for OAuth token refresh (#98034)

Return error when retries for DB lock have been exhausted in oauth_token.go
2025-02-25 18:55:37 -06:00 · 2024-12-16 17:03:39 +01:00 · 2024-12-16 17:03:39 +01:00 · 6cd3a5458e
commit 6cd3a5458e
parent b310b6f8c5
3 changed files with 60 additions and 3 deletions
--- a/pkg/services/authn/authnimpl/sync/oauth_token_sync.go
+++ b/pkg/services/authn/authnimpl/sync/oauth_token_sync.go
@ -98,6 +98,11 @@ func (s *OAuthTokenSync) SyncOauthTokenHook(ctx context.Context, id *authn.Ident
 				return nil, nil
 			}
 			if errors.Is(refreshErr, oauthtoken.ErrRetriesExhausted) {
 				ctxLogger.Warn("Retries have been exhausted for locking the DB for OAuth token refresh", "id", id.ID, "error", refreshErr)
 				return nil, refreshErr
 			}
 			ctxLogger.Error("Failed to refresh OAuth access token", "id", id.ID, "error", refreshErr)
 			// log the user out
--- a/pkg/services/oauthtoken/oauth_token.go
+++ b/pkg/services/oauthtoken/oauth_token.go
@ -35,6 +35,7 @@ var (
 	ErrNoRefreshTokenFound = errors.New("no refresh token found")
 	ErrNotAnOAuthProvider  = errors.New("not an oauth provider")
 	ErrCouldntRefreshToken = errors.New("could not refresh token")
 	ErrRetriesExhausted    = errors.New("retries exhausted")
 )
 type Service struct {
@ -270,7 +271,7 @@ func (o *Service) TryTokenRefresh(ctx context.Context, usr identity.Requester, s
 		if attempts < 5 {
 			return nil
 		}
-		return ErrCouldntRefreshToken
+		return ErrRetriesExhausted
 	}
 	var newToken *oauth2.Token
--- a/pkg/services/oauthtoken/oauth_token_test.go
+++ b/pkg/services/oauthtoken/oauth_token_test.go
@ -62,7 +62,11 @@ func (f *FakeAuthInfoStore) DeleteAuthInfo(ctx context.Context, cmd *login.Delet
 	return f.ExpectedError
 }
-func TestService_TryTokenRefresh(t *testing.T) {
+func TestIntegration_TryTokenRefresh(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}
 	unexpiredToken := &oauth2.Token{
 		AccessToken:  "testaccess",
 		RefreshToken: "testrefresh",
@ -86,6 +90,7 @@ func TestService_TryTokenRefresh(t *testing.T) {
 		socialConnector *socialtest.MockSocialConnector
 		socialService   *socialtest.FakeSocialService
 		store   db.DB
 		service *Service
 	}
@ -251,6 +256,30 @@ func TestService_TryTokenRefresh(t *testing.T) {
 			},
 			expectedToken: unexpiredTokenWithIDToken,
 		},
 		{
 			desc:     "should return ErrRetriesExhausted when lock cannot be acquired",
 			identity: &authn.Identity{ID: "1234", Type: claims.TypeUser, AuthenticatedBy: login.GenericOAuthModule},
 			setup: func(env *environment) {
 				env.socialService.ExpectedAuthInfoProvider = &social.OAuthInfo{
 					UseRefreshToken: true,
 				}
 				env.authInfoService.ExpectedUserAuth = &login.UserAuth{
 					AuthModule:        login.GenericOAuthModule,
 					AuthId:            "subject",
 					UserId:            1234,
 					OAuthAccessToken:  unexpiredTokenWithIDToken.AccessToken,
 					OAuthRefreshToken: unexpiredTokenWithIDToken.RefreshToken,
 					OAuthExpiry:       unexpiredTokenWithIDToken.Expiry,
 					OAuthTokenType:    unexpiredTokenWithIDToken.TokenType,
 					OAuthIdToken:      EXPIRED_ID_TOKEN,
 				}
 				_ = env.store.WithDbSession(context.Background(), func(sess *db.Session) error {
 					_, err := sess.Exec(`INSERT INTO server_lock (operation_uid, last_execution, version) VALUES (?, ?, ?)`, "oauth-refresh-token-1234", time.Now().Add(2*time.Second).Unix(), 0)
 					return err
 				})
 			},
 			expectedErr: ErrRetriesExhausted,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
@ -265,6 +294,7 @@ func TestService_TryTokenRefresh(t *testing.T) {
 				socialService: &socialtest.FakeSocialService{
 					ExpectedConnector: socialConnector,
 				},
 				store: store,
 			}
 			if tt.setup != nil {
@ -308,7 +338,11 @@ func TestService_TryTokenRefresh(t *testing.T) {
 	}
 }
-func TestService_TryTokenRefresh_WithExternalSessions(t *testing.T) {
+func TestIntegration_TryTokenRefresh_WithExternalSessions(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping integration test")
 	}
 	unexpiredToken := &oauth2.Token{
 		AccessToken:  "testaccess",
 		RefreshToken: "testrefresh",
@ -338,6 +372,7 @@ func TestService_TryTokenRefresh_WithExternalSessions(t *testing.T) {
 		socialConnector *socialtest.MockSocialConnector
 		socialService   *socialtest.FakeSocialService
 		store   db.DB
 		service *Service
 	}
@ -509,6 +544,21 @@ func TestService_TryTokenRefresh_WithExternalSessions(t *testing.T) {
 			},
 			expectedToken: unexpiredTokenWithIDToken,
 		},
 		{
 			desc:     "should return ErrRetriesExhausted when lock cannot be acquired",
 			identity: &authn.Identity{ID: "1234", Type: claims.TypeUser, AuthenticatedBy: login.GenericOAuthModule},
 			setup: func(env *environment) {
 				env.socialService.ExpectedAuthInfoProvider = &social.OAuthInfo{
 					UseRefreshToken: true,
 				}
 				_ = env.store.WithDbSession(context.Background(), func(sess *db.Session) error {
 					_, err := sess.Exec(`INSERT INTO server_lock (operation_uid, last_execution, version) VALUES (?, ?, ?)`, "oauth-refresh-token-1234-1", time.Now().Add(2*time.Second).Unix(), 0)
 					return err
 				})
 			},
 			expectedErr: ErrRetriesExhausted,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.desc, func(t *testing.T) {
@ -523,6 +573,7 @@ func TestService_TryTokenRefresh_WithExternalSessions(t *testing.T) {
 				socialService: &socialtest.FakeSocialService{
 					ExpectedConnector: socialConnector,
 				},
 				store: store,
 			}
 			if tt.setup != nil {