feat: refresh dynamic auth credentials#1008
Conversation
|
Validation refreshed on the current head: git diff --check origin/main...HEAD
go test ./... -run 'TestPipe/Auth Credentials Refresh' -count=1
go test -race ./... -run 'TestPipe/Auth Credentials Refresh' -count=1
go test . -run TestPipe -count=1 -timeout=120sAll passed locally. The current CircleCI build/setup checks are also green. |
|
Updated in 10ad622:
Validation:
|
|
Updated in d9a5659:
Validation:
|
d9a5659 to
3c88942
Compare
|
Update: refreshed against the current head after the follow-up commits. Current commit: Current CI status: Local validation on this head: git diff --check upstream/main...HEAD
go test -run '^TestNewPipe$/Auth_Credentials_Refresh' -count=1 -timeout=2m .
go test -race -run '^TestNewPipe$/Auth_Credentials_Refresh' -count=1 -timeout=5m . |
|
Updated in
Validation: git diff --check upstream/main...HEAD
go test -run '^TestNewPipe$/Auth_Credentials_Refresh' -count=1 -timeout=2m .
go test -race -run '^TestNewPipe$/Auth_Credentials_Refresh' -count=1 -timeout=5m . |
|
Updated in
Validation:
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit c514a7f. Configure here.
| p.authRefreshAfter = authCredentials.RefreshAfter | ||
| ready := make(chan struct{}) | ||
| p.authTimer = time.AfterFunc(p.authRefreshAfter, func() { | ||
| <-ready |
| if err := ctx.Err(); err != nil { | ||
| return newErrResult(err) | ||
| } | ||
|
|
| reset = p.lftmTimer.Reset(p.lftm) | ||
| } | ||
| if p.authTimer != nil && p.authRefreshAfter > 0 { | ||
| reset = p.authTimer.Reset(p.authRefreshAfter) && reset |
There was a problem hiding this comment.
Hmm, my bad, let's go back to make RefreshAfter a time.Time so that we can be more accurate when resetting the timer.
| return | ||
| } | ||
| if auth.Username != "" || auth.Password != "" { | ||
| args := []string{"AUTH"} |
There was a problem hiding this comment.
Please preallocate the slice slots for username and password.
| r2ps bool // identify this pipe is used for resp2 pubsub or not | ||
| noNoDelay bool | ||
| optIn bool | ||
| authRefreshAfter time.Duration |
There was a problem hiding this comment.
My bad, please make this a time.Time. Also, fields should be aligned by size. It won't be the last field.
|
Updated in
Validation:
|

Fixes #1007
Summary
AuthCredentials.RefreshAfterso dynamic credential providers can schedule per-pipe credential refreshes after a caller-selected duration.AUTHfor RESP2 and RESP3 connections, including password-only RESP3 connections that authenticate as the default user.AUTH.Testing
git diff --check upstream/main...HEADgo test -run '^TestNewPipe$' -count=1 -timeout=3m .go test -race -run '^(TestNewPipe|TestPoolWithConnLifetime)$' -count=1 -timeout=5m .Note
High Risk
Changes authentication timing and in-flight AUTH on pooled connections; mis-timed refresh or pool/timer races could drop connections or leave stale credentials until exit.
Overview
Adds
AuthCredentials.RefreshAftersoAuthCredentialsFncan schedule per-connection credential rotation. Each pipe runs anauthTimerthat re-invokes the provider and issuesAUTHon the live connection (RESP2/RESP3, including password-only RESP3 asdefault).Timer lifecycle is aligned with connection lifetime:
StopTimer/ResetTimernow pause and resume both lifetime and auth refresh while a pipe is checked out from the pool;_exitno longer stops timers globally. The pool drops newly created connections ifStopTimerfails (timer already fired), matching reuse behavior for stale wires.Failures while fetching or applying refreshed credentials close the pipe, with refresh
AUTHbounded byConnWriteTimeout. Broadpipe_testcoverage plus pool tests for expired new connections.Reviewed by Cursor Bugbot for commit 0e3a859. Bugbot is set up for automated code reviews on this repo. Configure here.