feat: Introducing StreamingCredentialsProvider for token based authentication #3320
Conversation
There was a problem hiding this comment.
LGTM but I think the PR title is misleading. From what I understand, this PR doesn't provide the possibility for authentication with a StreamingCredentialsProvider just yet, instead it introduces the necessary interfaces and already prepares the ground by refactoring the basic auth we were using to use the new Credentials interface.
|
Reverting this back to Draft, will continue working on it before |
Introduces the StreamingCredentialsProvider as the CredentialsProvider with the highest priority. TODO: needs to be tested
Change CancelProviderFunc to UnsubscribeFunc
ndyakov
force-pushed
the
ndyakov/token-based-auth
branch
from
ff04986 to
44628c5
Compare
ndyakov
force-pushed
the
ndyakov/token-based-auth
branch
from
8fd3bd5 to
5fac913
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a streaming credentials provider mechanism for token‐based authentication, refactoring connection initialization and hook propagation while also updating tests and documentation for authentication.
- Introduces new types and interfaces in the auth package for dynamic credential updates.
- Refactors core connection initialization to use the streaming provider and re-authentication listener.
- Updates tests and docs (including README and examples) to cover new authentication flows and hook propagation improvements.
Reviewed Changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tx.go | Moves hooksMixin from Tx struct into baseClient; updates newTx() accordingly. |
| sentinel.go | Updates onClose hook assignment using wrappedOnClose. |
| ring_test.go | Enhances pipeline hook tests by skipping connection initialization commands. |
| redis_test.go | Introduces tests verifying proper priority usage of Streaming, context, regular, and static credentials. |
| redis.go | Adds functions to support re-authentication on credentials updates; adjusts error wrapping and hook usage. |
| probabilistic_test.go | Modifies expectations to be more flexible about command lengths. |
| osscluster*.go | Minor nil-check improvements and injection of streaming authentication options. |
| options.go | Updates option comments and adds StreamingCredentialsProvider field. |
| internal_test.go, example_instrumentation_test.go, doctests, command_recorder_test.go | Additions and tweaks to tests and examples for improved instrumentation and command recording support. |
| auth/* | New auth package files implementing the streaming credentials API and its tests. |
| README.md | Updates documentation describing the new authentication priority order and provider usage. |
| .github/wordlist.txt | Updates wordlist with new authentication-related keywords. |
Comments suppressed due to low confidence (2)
tx.go:29
- Verify that removing hooksMixin from the Tx struct and relying on baseClient.hooksMixin is an intentional design change to ensure that all hook functionality remains effective.
hooksMixin: c.hooksMixin.clone(),
redis.go:441
- There appears to be a potential naming inconsistency between 'DisableIdentity' and 'DisableIndentity'. Please confirm that the correct option name is used to avoid confusion.
if !c.opt.DisableIdentity && !c.opt.DisableIndentity {
ndyakov
force-pushed
the
ndyakov/token-based-auth
branch
3 times, most recently
from
79185b7 to
2f1d17e
Compare
ndyakov
force-pushed
the
ndyakov/token-based-auth
branch
from
2f1d17e to
8b51596
Compare
ndyakov
force-pushed
the
ndyakov/token-based-auth
branch
from
4b37fed to
6e58e79
Compare
ndyakov
force-pushed
the
ndyakov/token-based-auth
branch
from
6e58e79 to
5228611
Compare
There was a problem hiding this comment.
LGTM! Great job on this, the PR looks awesome! I was initially wondering about omitting the hooksMixin when creating the connection for re-authentication (cn := newConn(c.opt, connPool, nil) in reAuthConnection). However, it makes sense as a defensive measure to prevent potential infinite loops if a hook itself indirectly triggered a re-authentication.
ndyakov
force-pushed
the
ndyakov/token-based-auth
branch
from
24eb2fc to
b7ce3cd
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a new StreamingCredentialsProvider for token‐based authentication while refactoring several internal authentication flows and improving test coverage. Key changes include adding support for streaming credentials (and their dynamic updates), refactoring connection and authentication flows (e.g. re-authentication and onClose handling), and updating documentation and tests to reflect the new authentication methods.
Reviewed Changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| tx.go | Refactoring Tx initialization – removal of hooksMixin in the struct versus its usage. |
| sentinel.go | Updates to onClose handling via wrappedOnClose and removal of unused hooksMixin. |
| ring_test.go | Updated test expectations to accommodate connection initialization commands. |
| redis_test.go | Added tests to validate credential provider priority and streaming credential updates. |
| redis.go | Refactored authentication flow, adding streaming and context-based provider support. |
| osscluster.*, options.go | Enhanced configuration options and documentation for authentication mechanisms. |
| auth/* | New implementations and tests for StreamingCredentialsProvider and ReAuthCredentialsListener. |
| README.md | Updated authentication documentation and examples supporting streaming provider usage. |
| Others | Minor improvements and documentation updates across tests and helpers. |
Comments suppressed due to low confidence (2)
tx.go:29
- The Tx struct no longer contains a hooksMixin field, yet newTx still attempts to initialize it. Either remove the hooksMixin initialization in newTx or re-add the hooksMixin field to the Tx struct.
hooksMixin: c.hooksMixin.clone(),
redis_test.go:860
- [nitpick] Using a fixed sleep duration to wait for credential updates might lead to flaky tests; consider replacing it with a synchronization mechanism (e.g. a WaitGroup or channel) to ensure the update is processed before asserting.
time.Sleep(100 * time.Millisecond)
Implementation Details and Key Changes
New Authentication Package
authpackage to hold types related to authenticationauth.Credentialsinterface to facilitate integration with external credential sourcesbasicAuthfor username/password credentialsStreaming Credentials Provider
StreamingCredentialsProviderinterface for dynamic credential updatesReAuthCredentialsListenerfor handling credential updatesDocumentation Updates
Hooks System Enhancement
hooksMixinto propagate hooks to child connectionsTesting
Security Considerations
Important Note: The hooksMixin refactor will now propagate hooks to child connections and trigger them prior to the initialization process. This change may have security implications, particularly regarding the visibility of authentication commands. For example, Redis MONITOR doesn't report AUTH commands, and this change could potentially expose sensitive authentication information through hooks. This should be carefully considered and potentially documented for users implementing custom hooks.
Related Issues