entelix-cloud 0.5.5

entelix cloud transports — Bedrock, Vertex, Foundry; OAuth refresh (gcp_auth, aws-sigv4, azure_identity)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155

//! `CachedTokenProvider<T>` — single-flight cached token wrapper used by
//! every cloud transport that fronts an OAuth-style credential
//! source.
//!
//! Read path is lock-free (`parking_lot::RwLock` read guard cloned
//! into an `Option<TokenState<T>>`). Single-flight uses an atomic
//! claim flag plus `tokio::sync::Notify`: at most one task runs the
//! user-supplied `TokenRefresher::refresh()` future at a time, and
//! no lock is held across that future (CLAUDE.md "lock ordering").
//! Refresh fires `refresh_buffer` before the cached token's
//! wall-clock expiry.

use std::sync::Arc;
use std::sync::atomic::{AtomicBool, Ordering};
use std::time::{Duration, Instant};

use async_trait::async_trait;
use parking_lot::RwLock;
use tokio::sync::Notify;

use crate::CloudError;

/// Default lead time before a token's expiry triggers a refresh.
///
/// Five minutes balances "preempt 401s on long calls" against "don't
/// thrash short-TTL credentials" — most cloud providers issue
/// 60-min tokens, so a 5-min buffer leaves ~92% of the lifetime in
/// the fast path.
pub const DEFAULT_REFRESH_BUFFER: Duration = Duration::from_mins(5);

/// Source-of-truth that yields a fresh `T` plus its absolute expiry
/// time when called.
#[async_trait]
pub trait TokenRefresher<T>: Send + Sync
where
    T: Clone + Send + Sync + 'static,
{
    /// Fetch a fresh token. Implementors hit the underlying IDP
    /// (gcp_auth, azure_identity, …); errors propagate to the
    /// caller of [`CachedTokenProvider::current`].
    async fn refresh(&self) -> Result<TokenSnapshot<T>, CloudError>;
}

/// One refresh result.
#[derive(Clone, Debug)]
pub struct TokenSnapshot<T> {
    /// The token value itself (often a [`secrecy::SecretString`]).
    pub value: T,
    /// Wall-clock instant at which the token stops being valid.
    pub expires_at: Instant,
}

#[derive(Clone)]
struct TokenState<T> {
    value: T,
    expires_at: Instant,
}

/// Cache + single-flight wrapper around a [`TokenRefresher`].
pub struct CachedTokenProvider<T>
where
    T: Clone + Send + Sync + 'static,
{
    cached: RwLock<Option<TokenState<T>>>,
    refresh_in_progress: AtomicBool,
    refresh_done: Notify,
    refresher: Arc<dyn TokenRefresher<T>>,
    refresh_buffer: Duration,
}

impl<T> CachedTokenProvider<T>
where
    T: Clone + Send + Sync + 'static,
{
    /// Build with the default [`DEFAULT_REFRESH_BUFFER`] lead time.
    pub fn new(refresher: Arc<dyn TokenRefresher<T>>) -> Self {
        Self::with_refresh_buffer(refresher, DEFAULT_REFRESH_BUFFER)
    }

    /// Build with a custom refresh-buffer.
    pub fn with_refresh_buffer(
        refresher: Arc<dyn TokenRefresher<T>>,
        refresh_buffer: Duration,
    ) -> Self {
        Self {
            cached: RwLock::new(None),
            refresh_in_progress: AtomicBool::new(false),
            refresh_done: Notify::new(),
            refresher,
            refresh_buffer,
        }
    }

    /// Return the current valid token, refreshing if the cached
    /// value is missing or within the refresh-buffer of expiry.
    ///
    /// Single-flight: only one caller runs the user-supplied
    /// [`TokenRefresher::refresh`] at a time. Other callers wait on
    /// a [`Notify`] for the refresh to complete and then re-check
    /// the cache. No lock is held across the user-supplied future.
    pub async fn current(&self) -> Result<T, CloudError> {
        loop {
            if let Some(state) = self.read_fresh() {
                return Ok(state);
            }
            // Try to claim refresh ownership atomically.
            if self
                .refresh_in_progress
                .compare_exchange(false, true, Ordering::AcqRel, Ordering::Acquire)
                .is_ok()
            {
                let result = self.refresher.refresh().await;
                if let Ok(snap) = &result {
                    *self.cached.write() = Some(TokenState {
                        value: snap.value.clone(),
                        expires_at: snap.expires_at,
                    });
                }
                self.refresh_in_progress.store(false, Ordering::Release);
                self.refresh_done.notify_waiters();
                return result.map(|s| s.value);
            }
            // Someone else owns the refresh — register for the
            // notification, then re-check (the writer may complete
            // between our claim attempt and our subscription).
            let waiter = self.refresh_done.notified();
            tokio::pin!(waiter);
            waiter.as_mut().enable();
            if let Some(state) = self.read_fresh() {
                return Ok(state);
            }
            waiter.await;
            // Loop: re-read cache (now likely fresh) or retry the claim.
        }
    }

    /// Drop the cached value. Useful when a 401 surfaces to force a
    /// reload regardless of the recorded expiry (clock skew defence).
    pub fn invalidate(&self) {
        *self.cached.write() = None;
    }

    fn read_fresh(&self) -> Option<T> {
        let snapshot = {
            let guard = self.cached.read();
            guard.as_ref().cloned()
        };
        let state = snapshot?;
        if Instant::now() + self.refresh_buffer < state.expires_at {
            Some(state.value)
        } else {
            None
        }
    }
}