add dedicated JQ filter cache TTL default of 10 mins

configured through environment variable OIDC_JQ_FILTER_CACHE_TTL; hash input to accomodate for non-encrypted (shm) long keys Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Aug 13, 2023 · 4eebd5b · 4eebd5b
1 parent 9a3b6d9
commit 4eebd5b
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 6 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,6 @@
 08/13/2023
 - increase performance of JQ filtering by caching JQ filtering results
+  default cache ttl is 10 min, configured through environment variable OIDC_JQ_FILTER_CACHE_TTL
 - bump to 2.4.14.3rc5
 
 07/25/2023

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -1416,13 +1416,22 @@ static apr_byte_t oidc_refresh_access_token_before_expiry(request_rec *r,
 #define OIDC_USERINFO_SIGNED_JWT_EXPIRE_DEFAULT 0
 #define OIDC_USERINFO_SIGNED_JWT_CACHE_TTL_ENVVAR "OIDC_USERINFO_SIGNED_JWT_CACHE_TTL"
 
-int oidc_userinfo_signed_jwt_cache_ttl(request_rec *r) {
+static int oidc_userinfo_signed_jwt_cache_ttl(request_rec *r) {
 	const char *s_ttl = apr_table_get(r->subprocess_env,
 			OIDC_USERINFO_SIGNED_JWT_CACHE_TTL_ENVVAR);
 	return (s_ttl ?
 			_oidc_str_to_int(s_ttl) : OIDC_USERINFO_SIGNED_JWT_EXPIRE_DEFAULT);
 }
 
+#define OIDC_JQ_FILTER_EXPIRE_DEFAULT 600
+#define OIDC_JQ_FILTER_CACHE_TTL_ENVVAR "OIDC_JQ_FILTER_CACHE_TTL"
+
+int oidc_jq_filter_cache_ttl(request_rec *r) {
+	const char *s_ttl = apr_table_get(r->subprocess_env,
+			OIDC_JQ_FILTER_CACHE_TTL_ENVVAR);
+	return (s_ttl ? _oidc_str_to_int(s_ttl) : OIDC_JQ_FILTER_EXPIRE_DEFAULT);
+}
+
 static apr_byte_t oidc_userinfo_create_signed_jwt(request_rec *r, oidc_cfg *cfg,
 		oidc_session_t *session, const char *s_claims, char **cser) {
 	apr_byte_t rv = FALSE;

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -815,7 +815,7 @@ int oidc_cfg_delete_oldest_state_cookies(oidc_cfg *cfg);
 oidc_provider_t* oidc_cfg_provider_create(apr_pool_t *pool);
 oidc_provider_t* oidc_cfg_provider_copy(apr_pool_t *pool, const oidc_provider_t *src);
 void oidc_config_check_x_forwarded(request_rec *r, const apr_byte_t x_forwarded_headers);
-int oidc_userinfo_signed_jwt_cache_ttl(request_rec *r);
+int oidc_jq_filter_cache_ttl(request_rec *r);
 
 // oidc_util.c
 int oidc_strnenvcmp(const char *a, const char *b, int len);

diff --git a/src/util.c b/src/util.c
@@ -3162,9 +3162,14 @@ const char* oidc_util_jq_filter(request_rec *r, const char *input,
 	oidc_debug(r, "processing input: %s", input);
 	oidc_debug(r, "processing filter: %s", filter);
 
-	ttl = oidc_userinfo_signed_jwt_cache_ttl(r);
-	key = apr_pstrcat(r->pool, input, ":", filter, NULL);
+	ttl = oidc_jq_filter_cache_ttl(r);
 	if (ttl != 0) {
+		if (oidc_util_hash_string_and_base64url_encode(r, OIDC_JOSE_ALG_SHA256,
+				apr_pstrcat(r->pool, input, filter, NULL), &key) == FALSE) {
+			oidc_error(r,
+					"oidc_util_hash_string_and_base64url_encode returned an error");
+			goto end;
+		}
 		oidc_cache_get_jq_filter(r, key, &value);
 		if (value != NULL) {
 			oidc_debug(r, "return cached result: %s", value);
@@ -3196,10 +3201,11 @@ const char* oidc_util_jq_filter(request_rec *r, const char *input,
 
 	if ((result != NULL) && (ttl != 0)) {
 		oidc_debug(r, "caching result: %s", result);
-		oidc_cache_set_jq_filter(r, key, result, apr_time_now() + apr_time_from_sec(ttl));
+		oidc_cache_set_jq_filter(r, key, result,
+				apr_time_now() + apr_time_from_sec(ttl));
 	}
 
-end:
+	end:
 
 	if (parser)
 		jv_parser_free(parser);