Merge pull request #553 from openziti/avoid-concurrent-api-session-re…

…quests avoid concurrent api-session requests
openziti · Sep 19, 2023 · 650b528 · 650b528
2 parents 54fcf10 + 8897e18
commit 650b528
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 12 deletions.
diff --git a/inc_internal/zt_internal.h b/inc_internal/zt_internal.h
@@ -252,6 +252,7 @@ struct ziti_ctx {
     bool enabled;
     int ctrl_status;
 
+    bool active_session_request;
     ziti_api_session *api_session;
     uv_timeval64_t api_session_expires_at;
     ziti_api_session_state api_session_state;

diff --git a/library/ziti.c b/library/ziti.c
@@ -129,20 +129,15 @@ static int parse_getopt(const char *q, const char *opt, char *out, size_t maxout
     return ZITI_INVALID_CONFIG;
 }
 
-int load_tls(ziti_config *cfg, tls_context **ctx) {
+static int init_tls_from_config(tls_context *tls, ziti_config *cfg) {
     PREP(ziti);
 
-    // load ca from ziti config if present
-    const char *ca;
-    size_t ca_len = parse_ref(cfg->id.ca, &ca);
-    tls_context *tls = default_tls_context(ca, ca_len);
     tlsuv_private_key_t pk;
 
-    if (cfg->id.key == NULL) {
-        TRY(ziti, ("TLS key should be provided", ZITI_INVALID_CONFIG));
-    }
+    TRY(ziti, cfg->id.key == NULL ? ZITI_INVALID_CONFIG : ZITI_OK);
 
     TRY(ziti, load_key_internal(tls, &pk, cfg->id.key));
+
     tls_cert c = NULL;
     if (cfg->id.cert) {
         const char *cert;
@@ -154,11 +149,27 @@ int load_tls(ziti_config *cfg, tls_context **ctx) {
     CATCH(ziti) {
         return ERR(ziti);
     }
-
-    *ctx = tls;
     return ZITI_OK;
 }
 
+int load_tls(ziti_config *cfg, tls_context **ctx) {
+
+    // load ca from ziti config if present
+    const char *ca;
+    size_t ca_len = parse_ref(cfg->id.ca, &ca);
+    tls_context *tls = default_tls_context(ca, ca_len);
+
+    int rc = init_tls_from_config(tls, cfg);
+
+    if (rc == ZITI_OK) {
+        *ctx = tls;
+    } else {
+        tls->free_ctx(tls);
+        *ctx = NULL;
+    }
+    return rc;
+}
+
 int ziti_set_client_cert(ziti_context ztx, const char *cert_buf, size_t cert_len, const char *key_buf, size_t key_len) {
     tlsuv_private_key_t pk;
     tls_cert c;
@@ -264,6 +275,17 @@ void ziti_set_unauthenticated(ziti_context ztx) {
     FREE(ztx->api_session);
     ztx->api_session_state = ZitiApiSessionStateUnauthenticated;
 
+    if (ztx->sessionKey) {
+        init_tls_from_config(ztx->tlsCtx, &ztx->config);
+        if (ztx->sessonCert) {
+            ztx->tlsCtx->free_cert(&ztx->sessonCert);
+            ztx->sessonCert = NULL;
+        }
+
+        ztx->sessionKey->free(ztx->sessionKey);
+        ztx->sessionKey = NULL;
+    }
+
     ziti_ctrl_clear_api_session(&ztx->controller);
 }
 
@@ -866,8 +888,13 @@ static void api_session_refresh(uv_timer_t *t) {
         if (ztx->api_session_state == ZitiApiSessionStatePartiallyAuthenticated || ztx->api_session_state == ZitiApiSessionStateFullyAuthenticated) {
             struct ziti_init_req *req = calloc(1, sizeof(struct ziti_init_req));
             req->ztx = ztx;
-            ZTX_LOG(DEBUG, "api_session_refresh refreshing api session by querying controller");
-            ziti_ctrl_current_api_session(&ztx->controller, api_session_cb, req);
+            if (ztx->active_session_request) {
+                ZTX_LOG(DEBUG, "active refresh request: skipping");
+            } else {
+                ztx->active_session_request = true;
+                ZTX_LOG(DEBUG, "api_session_refresh refreshing api session by querying controller");
+                ziti_ctrl_current_api_session(&ztx->controller, api_session_cb, req);
+            }
         } else {
             ZTX_LOG(DEBUG, "api_session_refresh refreshing api session skipped, waiting for api session state change");
         }
@@ -1443,6 +1470,8 @@ static void session_post_auth_query_cb(ziti_context ztx, int status, void *ctx)
             ziti_ctrl_current_api_session(&ztx->controller, update_session_data, ztx);
         }
 
+        // disable this until we figure out expiration and rolling requirements
+#if ENABLE_SESSION_CERTIFICATES
         if (ztx->sessionKey == NULL) {
             char common_name[128];
             snprintf(common_name, sizeof(common_name), "%s-%u-%" PRIu64,
@@ -1460,6 +1489,7 @@ static void session_post_auth_query_cb(ziti_context ztx, int status, void *ctx)
 
             ziti_ctrl_create_api_certificate(&ztx->controller, ztx->sessionCsr, on_create_cert, ztx);
         }
+#endif
 
 
         ziti_services_refresh(ztx, true);
@@ -1541,6 +1571,7 @@ static void api_session_cb(ziti_api_session *session, const ziti_error *err, voi
     struct ziti_init_req *init_req = ctx;
     ziti_context ztx = init_req->ztx;
     ztx->loop_thread = uv_thread_self();
+    ztx->active_session_request = false;
 
     int errCode = err ? err->err : ZITI_OK;