sso_proxy: reduce amount of group validations #267
Merged
Problem
With the validator abstraction work that was recently done we inadvertently started to run group validations for each authenticated request. See 'Notes' section for specific details.
This increased volume of requests increases the potential to cause extra strain on upstream providers.
Solution
We don't need to validate the groups again here. This pull request brings us closer to previous functionality where we re-validate group membership after refreshing or validating the session, and re-validate email domains and addresses upon each request.
Notes
Now that the group membership check is an official 'validator' within sso-proxy it's run each time we call RunValidators().
The problematic call in question:
sso/internal/proxy/oauthproxy.go
Line 784 in 9019d4f
Previously, we were only checking email address/domains here, with the group check being run just above that when refreshing or validating the session:
sso/internal/proxy/oauthproxy.go
Line 731 in 9019d4f
sso/internal/proxy/oauthproxy.go
Line 762 in 9019d4f
An alternative solution to validator pkg: control when each validator is ran #266
Also included in this is a change to the group validator (it's no longer used as a pointer). Largely to bring it in line with the other validators.
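The split described in this pull request, as an added sketch that is not sso-proxy's own code: the email domain check runs on every request, while the group check, which costs an upstream call, runs only when the session is due for re-validation. The types, field names, the TTL mechanism and the sample session are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// All names here are hypothetical; this is not the sso-proxy API.
type Session struct {
	Email      string
	ValidUntil time.Time // next time the session must be re-validated upstream
}

type Proxy struct {
	AllowedDomain string
	ValidTTL      time.Duration
	InGroup       func(email string) bool // stands in for the provider's group API
	GroupLookups  int                     // upstream calls made so far
}

var ErrDenied = errors.New("denied")

// Authenticate checks the email domain on every request, but calls the
// upstream group check only when the session is due for re-validation.
func (p *Proxy) Authenticate(s *Session, now time.Time) error {
	if !strings.HasSuffix(s.Email, "@"+p.AllowedDomain) {
		return ErrDenied // cheap local check, run per request
	}
	if now.Before(s.ValidUntil) {
		return nil // session still fresh: no upstream traffic
	}
	p.GroupLookups++
	if !p.InGroup(s.Email) {
		return ErrDenied
	}
	s.ValidUntil = now.Add(p.ValidTTL)
	return nil
}

func main() {
	p := &Proxy{AllowedDomain: "example.com", ValidTTL: time.Minute,
		InGroup: func(string) bool { return true }}
	s := &Session{Email: "dev@example.com"} // constructed sample session
	t0 := time.Unix(0, 0)
	for i := 0; i < 100; i++ { // 100 requests, one second apart
		_ = p.Authenticate(s, t0.Add(time.Duration(i)*time.Second))
	}
	fmt.Println("group lookups:", p.GroupLookups)
}
```

In this sketch a user removed from the group keeps access until ValidUntil passes, so ValidTTL bounds how long a revocation takes to apply.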