Concurrency issue when caching JS policies

Closes #12204
2022-08-11 12:37:09 -03:00 · 2022-08-11 12:37:09 -03:00 · eda33a0b21
commit eda33a0b21
parent 15bbb46657
2 changed files with 98 additions and 2 deletions
--- a/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/ScriptCache.java
+++ b/authz/policy/common/src/main/java/org/keycloak/authorization/policy/provider/js/ScriptCache.java
@ -16,6 +16,7 @@
 */
 package org.keycloak.authorization.policy.provider.js;

+import java.util.Collections;
 import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.concurrent.atomic.AtomicBoolean;
@ -56,12 +57,12 @@ public class ScriptCache {
     * @param maxAge the time in milliseconds that an entry can stay in the cache. If {@code -1}, entries never expire
     */
    public ScriptCache(final int maxEntries, long maxAge) {
-        cache = new LinkedHashMap<String, CacheEntry>(16, DEFAULT_LOAD_FACTOR, true) {
+        cache = Collections.synchronizedMap(new LinkedHashMap<String, CacheEntry>(16, DEFAULT_LOAD_FACTOR, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry eldest) {
                return cache.size()  > maxEntries;
            }
-        };
+        });
        this.maxAge = maxAge;
    }

--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ScriptCacheTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/ScriptCacheTest.java
@ -0,0 +1,95 @@
+/*
+ * Copyright 2022 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.testsuite.authz;
+
+import static java.util.concurrent.TimeUnit.MILLISECONDS;
+import static java.util.concurrent.locks.LockSupport.parkNanos;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
+import java.util.concurrent.TimeUnit;
+import java.util.concurrent.TimeoutException;
+import java.util.concurrent.locks.LockSupport;
+import java.util.function.BiConsumer;
+import javax.script.ScriptContext;
+import org.junit.Test;
+import org.keycloak.authorization.policy.provider.js.ScriptCache;
+import org.keycloak.models.ScriptModel;
+import org.keycloak.models.utils.KeycloakModelUtils;
+import org.keycloak.scripting.EvaluatableScriptAdapter;
+import org.keycloak.scripting.ScriptBindingsConfigurer;
+import org.keycloak.scripting.ScriptExecutionException;
+
+public class ScriptCacheTest {
+
+    /**
+     * This test is non-deterministic but should fail most of the time if there is a concurrency issue
+     * when caching entries
+     */
+    @Test
+    public void testConcurrency() throws Exception {
+        ScriptCache scriptCache = new ScriptCache(10, -1);
+        ExecutorService executor = Executors.newWorkStealingPool();
+        CompletableFuture allFutures = CompletableFuture.completedFuture(null);
+
+        for (int i = 0; i < 500; i++) {
+            String id = KeycloakModelUtils.generateId();
+
+            CompletableFuture<Void> future = CompletableFuture.runAsync(new Runnable() {
+                @Override
+                public void run() {
+                    scriptCache.computeIfAbsent(id, ScriptCacheTest::createScriptAndPark);
+                }
+            }, executor);
+
+            // should throw an exception here during concurrent modification
+            scriptCache.computeIfAbsent(id, ScriptCacheTest::createScript);
+
+            allFutures = CompletableFuture.allOf(allFutures, future);
+        }
+
+        allFutures.get(10, TimeUnit.SECONDS);
+    }
+
+    private static EvaluatableScriptAdapter createScript(String s) {
+        return new EvaluatableScriptAdapter() {
+            @Override
+            public ScriptModel getScriptModel() {
+                return null;
+            }
+
+            @Override
+            public Object eval(ScriptBindingsConfigurer bindingsConfigurer)
+                    throws ScriptExecutionException {
+                return null;
+            }
+
+            @Override
+            public Object eval(ScriptContext context) throws ScriptExecutionException {
+                return null;
+            }
+        };
+    }
+
+    private static EvaluatableScriptAdapter createScriptAndPark(String s) {
+        parkNanos(MILLISECONDS.toNanos(10));
+        return createScript(s);
+    }
+}