uv_auth/
cache.rs

1use std::fmt::Display;
2use std::fmt::Formatter;
3use std::hash::BuildHasherDefault;
4use std::sync::Arc;
5use std::sync::RwLock;
6
7use rustc_hash::{FxHashMap, FxHasher};
8use tracing::trace;
9use url::Url;
10
11use uv_once_map::OnceMap;
12use uv_redacted::DisplaySafeUrl;
13
14use crate::credentials::{Authentication, Username};
15use crate::{Credentials, Realm};
16
17type FxOnceMap<K, V> = OnceMap<K, V, BuildHasherDefault<FxHasher>>;
18
19#[derive(Debug, Clone, PartialEq, Eq, Hash)]
20pub(crate) enum FetchUrl {
21    /// A full index URL
22    Index(DisplaySafeUrl),
23    /// A realm URL
24    Realm(Realm),
25}
26
27impl Display for FetchUrl {
28    fn fmt(&self, f: &mut Formatter) -> std::fmt::Result {
29        match self {
30            Self::Index(index) => Display::fmt(index, f),
31            Self::Realm(realm) => Display::fmt(realm, f),
32        }
33    }
34}
35
36#[derive(Debug)] // All internal types are redacted.
37pub struct CredentialsCache {
38    /// A cache per realm and username
39    realms: RwLock<FxHashMap<(Realm, Username), Arc<Authentication>>>,
40    /// A cache tracking the result of realm or index URL fetches from external services
41    pub(crate) fetches: FxOnceMap<(FetchUrl, Username), Option<Arc<Authentication>>>,
42    /// A cache per URL, uses a trie for efficient prefix queries.
43    urls: RwLock<UrlTrie<Arc<Authentication>>>,
44}
45
46impl Default for CredentialsCache {
47    fn default() -> Self {
48        Self::new()
49    }
50}
51
52impl CredentialsCache {
53    /// Create a new cache.
54    pub fn new() -> Self {
55        Self {
56            fetches: FxOnceMap::default(),
57            realms: RwLock::new(FxHashMap::default()),
58            urls: RwLock::new(UrlTrie::new()),
59        }
60    }
61
62    /// Populate the global authentication store with credentials on a URL, if there are any.
63    ///
64    /// Returns `true` if the store was updated.
65    pub fn store_credentials_from_url(&self, url: &DisplaySafeUrl) -> bool {
66        if let Some(credentials) = Credentials::from_url(url) {
67            trace!("Caching credentials for {url}");
68            self.insert(url, Arc::new(Authentication::from(credentials)));
69            true
70        } else {
71            false
72        }
73    }
74
75    /// Populate the global authentication store with credentials on a URL, if there are any.
76    ///
77    /// Returns `true` if the store was updated.
78    pub fn store_credentials(&self, url: &DisplaySafeUrl, credentials: Credentials) {
79        trace!("Caching credentials for {url}");
80        self.insert(url, Arc::new(Authentication::from(credentials)));
81    }
82
83    /// Return the credentials that should be used for a realm and username, if any.
84    pub(crate) fn get_realm(
85        &self,
86        realm: Realm,
87        username: Username,
88    ) -> Option<Arc<Authentication>> {
89        let realms = self.realms.read().unwrap();
90        let given_username = username.is_some();
91        let key = (realm, username);
92
93        let Some(credentials) = realms.get(&key).cloned() else {
94            trace!(
95                "No credentials in cache for realm {}",
96                RealmUsername::from(key)
97            );
98            return None;
99        };
100
101        if given_username && credentials.password().is_none() {
102            // If given a username, don't return password-less credentials
103            trace!(
104                "No password in cache for realm {}",
105                RealmUsername::from(key)
106            );
107            return None;
108        }
109
110        trace!(
111            "Found cached credentials for realm {}",
112            RealmUsername::from(key)
113        );
114        Some(credentials)
115    }
116
117    /// Return the cached credentials for a URL and username, if any.
118    ///
119    /// Note we do not cache per username, but if a username is passed we will confirm that the
120    /// cached credentials have a username equal to the provided one — otherwise `None` is returned.
121    /// If multiple usernames are used per URL, the realm cache should be queried instead.
122    pub(crate) fn get_url(
123        &self,
124        url: &DisplaySafeUrl,
125        username: &Username,
126    ) -> Option<Arc<Authentication>> {
127        let urls = self.urls.read().unwrap();
128        let credentials = urls.get(url);
129        if let Some(credentials) = credentials {
130            if username.is_none() || username.as_deref() == credentials.username() {
131                if username.is_some() && credentials.password().is_none() {
132                    // If given a username, don't return password-less credentials
133                    trace!("No password in cache for URL {url}");
134                    return None;
135                }
136                trace!("Found cached credentials for URL {url}");
137                return Some(credentials.clone());
138            }
139        }
140        trace!("No credentials in cache for URL {url}");
141        None
142    }
143
144    /// Update the cache with the given credentials.
145    pub(crate) fn insert(&self, url: &DisplaySafeUrl, credentials: Arc<Authentication>) {
146        // Do not cache empty credentials
147        if credentials.is_empty() {
148            return;
149        }
150
151        // Insert an entry for requests including the username
152        let username = credentials.to_username();
153        if username.is_some() {
154            let realm = (Realm::from(url), username);
155            self.insert_realm(realm, &credentials);
156        }
157
158        // Insert an entry for requests with no username
159        self.insert_realm((Realm::from(url), Username::none()), &credentials);
160
161        // Insert an entry for the URL
162        let mut urls = self.urls.write().unwrap();
163        urls.insert(url, credentials);
164    }
165
166    /// Private interface to update a realm cache entry.
167    ///
168    /// Returns replaced credentials, if any.
169    fn insert_realm(
170        &self,
171        key: (Realm, Username),
172        credentials: &Arc<Authentication>,
173    ) -> Option<Arc<Authentication>> {
174        // Do not cache empty credentials
175        if credentials.is_empty() {
176            return None;
177        }
178
179        let mut realms = self.realms.write().unwrap();
180
181        // Always replace existing entries if we have a password or token
182        if credentials.is_authenticated() {
183            return realms.insert(key, credentials.clone());
184        }
185
186        // If we only have a username, add a new entry or replace an existing entry if it doesn't have a password
187        let existing = realms.get(&key);
188        if existing.is_none_or(|credentials| credentials.password().is_none()) {
189            return realms.insert(key, credentials.clone());
190        }
191
192        None
193    }
194}
195
196#[derive(Debug)]
197struct UrlTrie<T> {
198    states: Vec<TrieState<T>>,
199}
200
201#[derive(Debug)]
202struct TrieState<T> {
203    children: Vec<(String, usize)>,
204    value: Option<T>,
205}
206
207impl<T> Default for TrieState<T> {
208    fn default() -> Self {
209        Self {
210            children: vec![],
211            value: None,
212        }
213    }
214}
215
216impl<T> UrlTrie<T> {
217    fn new() -> Self {
218        let mut trie = Self { states: vec![] };
219        trie.alloc();
220        trie
221    }
222
223    fn get(&self, url: &Url) -> Option<&T> {
224        let mut state = 0;
225        let realm = Realm::from(url).to_string();
226        for component in [realm.as_str()]
227            .into_iter()
228            .chain(url.path_segments().unwrap().filter(|item| !item.is_empty()))
229        {
230            state = self.states[state].get(component)?;
231            if let Some(ref value) = self.states[state].value {
232                return Some(value);
233            }
234        }
235        self.states[state].value.as_ref()
236    }
237
238    fn insert(&mut self, url: &Url, value: T) {
239        let mut state = 0;
240        let realm = Realm::from(url).to_string();
241        for component in [realm.as_str()]
242            .into_iter()
243            .chain(url.path_segments().unwrap().filter(|item| !item.is_empty()))
244        {
245            match self.states[state].index(component) {
246                Ok(i) => state = self.states[state].children[i].1,
247                Err(i) => {
248                    let new_state = self.alloc();
249                    self.states[state]
250                        .children
251                        .insert(i, (component.to_string(), new_state));
252                    state = new_state;
253                }
254            }
255        }
256        self.states[state].value = Some(value);
257    }
258
259    fn alloc(&mut self) -> usize {
260        let id = self.states.len();
261        self.states.push(TrieState::default());
262        id
263    }
264}
265
266impl<T> TrieState<T> {
267    fn get(&self, component: &str) -> Option<usize> {
268        let i = self.index(component).ok()?;
269        Some(self.children[i].1)
270    }
271
272    fn index(&self, component: &str) -> Result<usize, usize> {
273        self.children
274            .binary_search_by(|(label, _)| label.as_str().cmp(component))
275    }
276}
277
278#[derive(Debug)]
279struct RealmUsername(Realm, Username);
280
281impl std::fmt::Display for RealmUsername {
282    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
283        let Self(realm, username) = self;
284        if let Some(username) = username.as_deref() {
285            write!(f, "{username}@{realm}")
286        } else {
287            write!(f, "{realm}")
288        }
289    }
290}
291
292impl From<(Realm, Username)> for RealmUsername {
293    fn from((realm, username): (Realm, Username)) -> Self {
294        Self(realm, username)
295    }
296}
297
298#[cfg(test)]
299mod tests {
300    use crate::Credentials;
301    use crate::credentials::Password;
302
303    use super::*;
304
305    #[test]
306    fn test_trie() {
307        let credentials1 =
308            Credentials::basic(Some("username1".to_string()), Some("password1".to_string()));
309        let credentials2 =
310            Credentials::basic(Some("username2".to_string()), Some("password2".to_string()));
311        let credentials3 =
312            Credentials::basic(Some("username3".to_string()), Some("password3".to_string()));
313        let credentials4 =
314            Credentials::basic(Some("username4".to_string()), Some("password4".to_string()));
315
316        let mut trie = UrlTrie::new();
317        trie.insert(
318            &Url::parse("https://burntsushi.net").unwrap(),
319            credentials1.clone(),
320        );
321        trie.insert(
322            &Url::parse("https://astral.sh").unwrap(),
323            credentials2.clone(),
324        );
325        trie.insert(
326            &Url::parse("https://example.com/foo").unwrap(),
327            credentials3.clone(),
328        );
329        trie.insert(
330            &Url::parse("https://example.com/bar").unwrap(),
331            credentials4.clone(),
332        );
333
334        let url = Url::parse("https://burntsushi.net/regex-internals").unwrap();
335        assert_eq!(trie.get(&url), Some(&credentials1));
336
337        let url = Url::parse("https://burntsushi.net/").unwrap();
338        assert_eq!(trie.get(&url), Some(&credentials1));
339
340        let url = Url::parse("https://astral.sh/about").unwrap();
341        assert_eq!(trie.get(&url), Some(&credentials2));
342
343        let url = Url::parse("https://example.com/foo").unwrap();
344        assert_eq!(trie.get(&url), Some(&credentials3));
345
346        let url = Url::parse("https://example.com/foo/").unwrap();
347        assert_eq!(trie.get(&url), Some(&credentials3));
348
349        let url = Url::parse("https://example.com/foo/bar").unwrap();
350        assert_eq!(trie.get(&url), Some(&credentials3));
351
352        let url = Url::parse("https://example.com/bar").unwrap();
353        assert_eq!(trie.get(&url), Some(&credentials4));
354
355        let url = Url::parse("https://example.com/bar/").unwrap();
356        assert_eq!(trie.get(&url), Some(&credentials4));
357
358        let url = Url::parse("https://example.com/bar/foo").unwrap();
359        assert_eq!(trie.get(&url), Some(&credentials4));
360
361        let url = Url::parse("https://example.com/about").unwrap();
362        assert_eq!(trie.get(&url), None);
363
364        let url = Url::parse("https://example.com/foobar").unwrap();
365        assert_eq!(trie.get(&url), None);
366    }
367
368    #[test]
369    fn test_url_with_credentials() {
370        let username = Username::new(Some(String::from("username")));
371        let password = Password::new(String::from("password"));
372        let credentials = Arc::new(Authentication::from(Credentials::Basic {
373            username: username.clone(),
374            password: Some(password),
375        }));
376        let cache = CredentialsCache::default();
377        // Insert with URL with credentials and get with redacted URL.
378        let url = DisplaySafeUrl::parse("https://username:password@example.com/foobar").unwrap();
379        cache.insert(&url, credentials.clone());
380        assert_eq!(cache.get_url(&url, &username), Some(credentials.clone()));
381        // Insert with redacted URL and get with URL with credentials.
382        let url =
383            DisplaySafeUrl::parse("https://username:password@second-example.com/foobar").unwrap();
384        cache.insert(&url, credentials.clone());
385        assert_eq!(cache.get_url(&url, &username), Some(credentials.clone()));
386    }
387}
uv_auth/cache.rs

uv_auth/
cache.rs
