credentials: implement file-based JWT Call Credentials (part 1 for A97)

[dimpavloff]

Part one for grpc/proposal#492 (A97).
This is done in a new credentials/jwt package to provide file-based PerRPCCallCredentials. It can be used beyond XDS. The package handles token reloading, caching, and validation as per A97 .

There will be a separate PR which uses it in xds/bootstrap.

Whilst implementing the above, I considered credentials/oauth and credentials/xds packages instead of creating a new one. The former package has NewJWTAccessFromKey and jwtAccess which seem very relevant at first. However, I think the jwtAccess behaviour seems more tailored towards Google services. Also, the refresh, caching, and error behaviour for A97 is quite different than what's already there and therefore a separate implementation would have still made sense.
WRT credentials/xds, it could have been extended to both handle transport and call credentials. However, this is a bit at odds with A97 which says that the implementation should be non-XDS specific and, from reading between the lines, usable beyond XDS.
I think the current approach makes review easier but because of the similarities with the other two packages, it is a bit confusing to navigate. Please let me know whether the structure should change.

Relates to istio/istio#53532

RELEASE NOTES:

• credentials: add credentials/jwt package providing file-based JWT PerRPCCredentials (A97)

[codecov]

Codecov Report

❌ Patch coverage is 97.63780% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 82.04%. Comparing base (dd718e4) to head (12fedd5).
⚠️ Report is 51 commits behind head on master.

Files with missing lines	Patch %	Lines
credentials/jwt/jwt_token_file_call_creds.go	96.29%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #8431      +/-   ##
==========================================
- Coverage   82.27%   82.04%   -0.24%     
==========================================
  Files         414      414              
  Lines       40424    40647     +223     
==========================================
+ Hits        33259    33347      +88     
- Misses       5795     5910     +115     
- Partials     1370     1390      +20     

Files with missing lines	Coverage Δ
credentials/jwt/jwt_file_reader.go	100.00% <100.00%> (ø)
credentials/jwt/jwt_token_file_call_creds.go	96.29% <96.29%> (ø)

... and 254 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dimpavloff]

@dfawley hey 👋 Given you approved A97, would you mind having a cursory look at the PR to confirm if at least at a high level the approach looks good?

[eshitachandwani]

I will take a look at this , I need to go through the gRFC first.

[dfawley]

Sorry for the delay here.

@easwars would you be able to review this change? I think you have more background into some of the things than I do, like the bootstrap integration. Thank you!

[easwars]

Thank you for your contribution @dimpavloff. Yes, it would be nice if you can split this into smaller PRs. I will continue to use this PR to review the JWT call credentials implementation. If you can move the xDS implementation out to one or more PRs, I would greatly appreciate that and would be happy to review them as well.

[easwars]

Here and elsewhere in this PR, please use appropriate punctuations in comment sentences. See: https://google.github.io/styleguide/go/decisions#comment-sentences

[easwars]

Please define a const for default test timeout and use it in all tests that require a timeout. We use this pattern a lot in our tests. Please search for defaultTestTimeout and defaultTestShortTimeout for commonly used patterns.

[easwars]

Please only test the API surface. Relying on implementation internals in tests makes them brittle and would result in test changes when any changes to implementation is made.

[dimpavloff]

I assume you are referring to using a private field rather than obtaining mu specifically.
In general I agree -- white box tests may get fragile and break during a refactor. However, this test and the next couple of ones are about the caching behaviour -- it is meant to be transparent to the external API. If I don't make assertions about the private fields, the tests may pass trivially and become more flaky (e.g. when testing the backoff in the next test).
One alternative could be factoring out these behaviours out into a separate private struct with "public" functions which expose the same information. Given that it would require shifting the majority of the implementation into that struct, I'm not sure it is an improvement from the current approach.
Please do let me know your thoughts and if you have other suggestions.

[easwars]

Apologies for the delay on this. Have been busy with some other stuff. Will definitely try to make another pass today.

FYI, we recommend authors to not mark comments as resolved. Instead, we recommend the reviewer to do that once the comment has been satisfactorily addressed, because now I have to unresolve every comment to see what I commented and then verify that the comment has been satisfactorily addressed. Thanks for understanding.

[easwars]

Nit: It looks like these two bullet points can/should be merged?

[easwars]

Actually, I personally haven't considered it so far, because I tend to avoid RWLocks after being bitten by them once (in a bad way). But, I'm not opposed to it and it does sound more explicit when using RWLocks.

[easwars]

Can we make a const for the one minute pre-emptive refresh trigger?

[easwars]

That's a valid point. Even if it is a single goroutine, we cannot leak it, because our tests check for leaked goroutines and therefore unit tests will fail. Thanks for trying though.

[easwars]

Ack

[easwars]

Again, apologies for the delay in the review.

I did a little bit of thinking and I feel we can avoid the second mutex and also avoid locking and unlocking multiple times in several codepaths with the following approach.

(this is mostly going to be pseudocode ... so please bear with me)

• Separate out the file reading and expiration extracting functionality into a separate type, JWTFileReader or some other name

  • This would have a NewXxx function that would take the file name
  • This type would also have a method to read the token from file: ReadToken() (token string, expiry time.Time, err error)
  • This type would be very simple and would not know or care about any of the other stuff happening in the creds (like preemptive refreshes, ongoing refreshes etc)
  • It would be the responsibility of the caller to ensure that they don't call the ReadToken() method concurrently. Nothing bad will happen if they call it concurrently, just that there would unnecessary file reads.

• We would maintain the following state in the creds (all protected by a single sync.Mutex)

  • token
  • expiry time
  • previously seen error
  • retry attempt number
  • next retry time
  • pending refresh (boolean)
  • a condition variable for starting a token refresh (sync.Cond)

• The GetRequestMetadata would work as follows:

  • Lock the mutex
  • Defer a call to unlock the mutex
  • If the token is valid:
    • if we need a pre-emptive refresh:
      • if there is no pending refresh:
        • set the pending bit
        • spawn a goroutine to refresh the token
    • return token
  • If we are in backoff:
    • return error
  • If there is no pending request:
    • set the pending bit
    • spawn a goroutine to refresh the token
  • Wait for the condition that (pending == false), using the condition variable. This will be something like:

      for pending == true {
        cond.Wait()
      }

    • When there is an ongoing refresh, this will block the current goroutine without holding the mutex
  • Once we get past the condition variable, we can safely return the result from the our state
    • Once we get past cond.Wait(), we will again have possession of the mutex, and can therefore safely access our state
    • we either have a valid token or a valid error

• The goroutine to refresh the token would do the following:

  • Call fileReader.ReadToken()
    • (the above call is now happening without the mutex), but since spawning of this goroutine is controlled by the pending bit, we are always guaranteed that only one instance of this goroutine is ever running)
  • Lock mutex
    • Update internal state (token, expiry, error, backoff state)
    • reset the pending bit
  • Unlock mutex
  • Call Broadcast on the condition variable to unblock all goroutines waiting on this condition

Let me know what you think.

[github-actions]

This PR is labeled as requiring an update from the reporter, and no update has been received after 6 days. If no update is provided in the next 7 days, this issue will be automatically closed.

[dimpavloff]

Hi @easwars , apologies for the delay, I was on holiday. Thanks for the review and for the suggested approach. I don't have the code very fresh in my mind anymore 😅 but I think that makes sense. I will see what I can do in the coming days and get back to you.

[dimpavloff]

@easwars , I managed to iterate on top of your suggestion to simplify it further, we no longer need the condition variable, just one lock! LMK what you think

[dimpavloff]

FYI, I've cached it just in case

[dimpavloff]

Just to highlight, I made both the struct and function private. LMK if you intended for them to be public