AuthN: support sync cache for proxy client (#62874)

* AuthN: Add cache support for auth proxy to skip sync

* AuthN: Change proxy auth hook to be a client hook

* AuthN: fix cache key

* fix test

* lint

pkg/services/authn/authn.go

@@ -47,6 +47,8 @@ type ClientParams struct {
 	EnableDisabledUsers bool
 	// FetchSyncedUser ensure that all required information is added to the identity
 	FetchSyncedUser bool
+	// CacheAuthProxyKey  if this key is set we will try to cache the user id for proxy client
+	CacheAuthProxyKey string
 	// LookUpParams are the arguments used to look up the entity in the DB.
 	LookUpParams login.UserLookupParams
 }

pkg/services/authn/authnimpl/service.go

@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"strconv"
 
+	"github.com/grafana/grafana/pkg/infra/remotecache"
 	"github.com/hashicorp/go-multierror"
 	"go.opentelemetry.io/otel/attribute"
 
@@ -53,7 +54,7 @@ func ProvideService(
 	loginAttempts loginattempt.Service, quotaService quota.Service,
 	authInfoService login.AuthInfoService, renderService rendering.Service,
 	features *featuremgmt.FeatureManager, oauthTokenService oauthtoken.OAuthTokenService,
-	socialService social.Service,
+	socialService social.Service, cache *remotecache.RemoteCache,
 ) *Service {
 	s := &Service{
 		log:            log.New("authn.service"),
@@ -104,7 +105,7 @@ func ProvideService(
 	}
 
 	if s.cfg.AuthProxyEnabled && len(proxyClients) > 0 {
-		proxy, err := clients.ProvideProxy(cfg, proxyClients...)
+		proxy, err := clients.ProvideProxy(cfg, cache, userService, proxyClients...)
 		if err != nil {
 			s.log.Error("failed to configure auth proxy", "err", err)
 		} else {

pkg/services/authn/clients/proxy.go

@@ -2,12 +2,17 @@ package clients
 
 import (
 	"context"
+	"encoding/hex"
 	"fmt"
+	"hash/fnv"
 	"net"
 	"path"
 	"strings"
+	"time"
 
+	"github.com/grafana/grafana/pkg/infra/log"
 	"github.com/grafana/grafana/pkg/services/authn"
+	"github.com/grafana/grafana/pkg/services/user"
 	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util"
 	"github.com/grafana/grafana/pkg/util/errutil"
@@ -19,6 +24,7 @@ const (
 	proxyFieldLogin  = "Login"
 	proxyFieldRole   = "Role"
 	proxyFieldGroups = "Groups"
+	proxyCachePrefix = "auth-proxy-sync-ttl"
 )
 
 var proxyFields = [...]string{proxyFieldName, proxyFieldEmail, proxyFieldLogin, proxyFieldRole, proxyFieldGroups}
@@ -29,18 +35,29 @@ var (
 	errInvalidProxyHeader = errutil.NewBase(errutil.StatusInternal, "auth-proxy.invalid-proxy-header")
 )
 
-var _ authn.ContextAwareClient = new(Proxy)
+var (
+	_ authn.HookClient         = new(Proxy)
+	_ authn.ContextAwareClient = new(Proxy)
+)
 
-func ProvideProxy(cfg *setting.Cfg, clients ...authn.ProxyClient) (*Proxy, error) {
+func ProvideProxy(cfg *setting.Cfg, cache proxyCache, userSrv user.Service, clients ...authn.ProxyClient) (*Proxy, error) {
 	list, err := parseAcceptList(cfg.AuthProxyWhitelist)
 	if err != nil {
 		return nil, err
 	}
-	return &Proxy{cfg, clients, list}, nil
+	return &Proxy{log.New(authn.ClientProxy), cfg, cache, userSrv, clients, list}, nil
+}
+
+type proxyCache interface {
+	Get(ctx context.Context, key string) (interface{}, error)
+	Set(ctx context.Context, key string, value interface{}, expire time.Duration) error
 }
 
 type Proxy struct {
+	log         log.Logger
 	cfg         *setting.Cfg
+	cache       proxyCache
+	userSrv     user.Service
 	clients     []authn.ProxyClient
 	acceptedIPs []*net.IPNet
 }
@@ -61,13 +78,35 @@ func (c *Proxy) Authenticate(ctx context.Context, r *authn.Request) (*authn.Iden
 
 	additional := getAdditionalProxyHeaders(r, c.cfg)
 
-	// FIXME: add cache to prevent sync on every request
+	cacheKey, ok := getProxyCacheKey(username, additional)
+	if ok {
+		// See if we have cached the user id, in that case we can fetch the signed-in user and skip sync.
+		// Error here means that we could not find anything in cache, so we can proceed as usual
+		if entry, err := c.cache.Get(ctx, cacheKey); err == nil {
+			usr, err := c.userSrv.GetSignedInUserWithCacheCtx(ctx, &user.GetSignedInUserQuery{
+				UserID: entry.(int64),
+				OrgID:  r.OrgID,
+			})
+
+			if err != nil {
+				c.log.Warn("could not resolved cached user", "error", err, "userId", entry.(int64))
+			}
+
+			// if we for some reason cannot find the user we proceed with the normal flow, authenticate with ProxyClient
+			// and perform syncs
+			if usr != nil {
+				c.log.Debug("user was loaded from cache, skip syncs", "userId", usr.UserID)
+				return authn.IdentityFromSignedInUser(authn.NamespacedID(authn.NamespaceUser, usr.UserID), usr, authn.ClientParams{}), nil
+			}
+		}
+	}
 
 	var clientErr error
 	for _, proxyClient := range c.clients {
 		var identity *authn.Identity
 		identity, clientErr = proxyClient.AuthenticateProxy(ctx, r, username, additional)
 		if identity != nil {
+			identity.ClientParams.CacheAuthProxyKey = cacheKey
 			return identity, nil
 		}
 	}
@@ -83,6 +122,24 @@ func (c *Proxy) Priority() uint {
 	return 50
 }
 
+func (c *Proxy) Hook(ctx context.Context, identity *authn.Identity, r *authn.Request) error {
+	if identity.ClientParams.CacheAuthProxyKey == "" {
+		return nil
+	}
+
+	namespace, id := identity.NamespacedID()
+	if namespace != authn.NamespaceUser {
+		return nil
+	}
+
+	c.log.Debug("cache proxy user", "userId", id)
+	if err := c.cache.Set(ctx, identity.ClientParams.CacheAuthProxyKey, id, time.Duration(c.cfg.AuthProxySyncTTL)*time.Minute); err != nil {
+		c.log.Warn("failed to cache proxy user", "error", err, "userId", id)
+	}
+
+	return nil
+}
+
 func (c *Proxy) isAllowedIP(r *authn.Request) bool {
 	if len(c.acceptedIPs) == 0 {
 		return true
@@ -153,3 +210,20 @@ func getAdditionalProxyHeaders(r *authn.Request, cfg *setting.Cfg) map[string]st
 	}
 	return additional
 }
+
+func getProxyCacheKey(username string, additional map[string]string) (string, bool) {
+	key := strings.Builder{}
+	key.WriteString(username)
+	for _, k := range proxyFields {
+		if v, ok := additional[k]; ok {
+			key.WriteString(v)
+		}
+	}
+
+	hash := fnv.New128a()
+	if _, err := hash.Write([]byte(key.String())); err != nil {
+		return "", false
+	}
+
+	return strings.Join([]string{proxyCachePrefix, hex.EncodeToString(hash.Sum(nil))}, ":"), true
+}

pkg/services/authn/clients/proxy_test.go

@@ -2,14 +2,17 @@ package clients
 
 import (
 	"context"
+	"errors"
 	"net/http"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
 	"github.com/grafana/grafana/pkg/services/authn"
 	"github.com/grafana/grafana/pkg/services/authn/authntest"
+	"github.com/grafana/grafana/pkg/services/user/usertest"
 	"github.com/grafana/grafana/pkg/setting"
 )
 
@@ -109,7 +112,7 @@ func TestProxy_Authenticate(t *testing.T) {
 				calledAdditional = additional
 				return nil, nil
 			}}
-			c, err := ProvideProxy(cfg, proxyClient)
+			c, err := ProvideProxy(cfg, fakeCache{expectedErr: errors.New("")}, usertest.NewUserServiceFake(), proxyClient)
 			require.NoError(t, err)
 
 			_, err = c.Authenticate(context.Background(), tt.req)
@@ -165,8 +168,23 @@ func TestProxy_Test(t *testing.T) {
 			cfg := setting.NewCfg()
 			cfg.AuthProxyHeaderName = "Proxy-Header"
 
-			c, _ := ProvideProxy(cfg, nil)
+			c, _ := ProvideProxy(cfg, nil, nil, nil)
 			assert.Equal(t, tt.expectedOK, c.Test(context.Background(), tt.req))
 		})
 	}
 }
+
+var _ proxyCache = new(fakeCache)
+
+type fakeCache struct {
+	expectedErr  error
+	expectedItem interface{}
+}
+
+func (f fakeCache) Get(ctx context.Context, key string) (interface{}, error) {
+	return f.expectedItem, f.expectedErr
+}
+
+func (f fakeCache) Set(ctx context.Context, key string, value interface{}, expire time.Duration) error {
+	return f.expectedErr
+}