Skip to content

fix(sdk): Harden auth cache key, validity, and file GC#1860

Merged
gtema merged 1 commit into
mainfrom
sanity
Jul 14, 2026
Merged

fix(sdk): Harden auth cache key, validity, and file GC#1860
gtema merged 1 commit into
mainfrom
sanity

Conversation

@gtema

@gtema gtema commented Jul 14, 2026

Copy link
Copy Markdown
Owner
  • get_config_identity_hash: replace DefaultHasher with SHA-256 over a
    field-tagged canonical string. DefaultHasher is unstable across Rust
    releases (orphans cache files on a toolchain bump) and skipping None
    fields let differently-shaped identities collide on the same cache
    file, letting the wildcard scope matcher return another user's token
  • change auth hash type u64 -> String throughout State/session/
    openstack_async to carry the new hash
  • apply a 60s validity margin when selecting a cached token for use
    (get_scope_auth, find_scope_authz, find_valid_auth), keeping None for
    persistence-time filtering; avoids handing out a token that expires
    before the request completes
  • deterministic scope priority (unscoped > project > domain > system)
    replacing HashMap-order-dependent token selection
  • GC cache/lock files older than 7 days on first State::new() per
    process; gated with Once to avoid repeated directory scans when
    State::new() runs more than once per process
  • fix unlocked first-read race: load_auth_state now creates the lock
    file if missing instead of skipping the lock silently
  • prefix on-disk cache payload with a format-version byte so a schema
    change is logged distinctly from corruption
  • drop Windows readonly attribute on cache files: it added no real
    confidentiality and broke the next write via NamedTempFile::persist/
    File::create

Signed-off-by: Artem Goncharov artem.goncharov@gmail.com

- get_config_identity_hash: replace DefaultHasher with SHA-256 over a
  field-tagged canonical string. DefaultHasher is unstable across Rust
  releases (orphans cache files on a toolchain bump) and skipping None
  fields let differently-shaped identities collide on the same cache
  file, letting the wildcard scope matcher return another user's token
- change auth hash type u64 -> String throughout State/session/
  openstack_async to carry the new hash
- apply a 60s validity margin when selecting a cached token for use
  (get_scope_auth, find_scope_authz, find_valid_auth), keeping None for
  persistence-time filtering; avoids handing out a token that expires
  before the request completes
- deterministic scope priority (unscoped > project > domain > system)
  replacing HashMap-order-dependent token selection
- GC cache/lock files older than 7 days on first State::new() per
  process; gated with Once to avoid repeated directory scans when
  State::new() runs more than once per process
- fix unlocked first-read race: load_auth_state now creates the lock
  file if missing instead of skipping the lock silently
- prefix on-disk cache payload with a format-version byte so a schema
  change is logged distinctly from corruption
- drop Windows readonly attribute on cache files: it added no real
  confidentiality and broke the next write via NamedTempFile::persist/
  File::create

Signed-off-by: Artem Goncharov <artem.goncharov@gmail.com>
@gtema
gtema merged commit db3942c into main Jul 14, 2026
24 checks passed
@gtema-release-plz gtema-release-plz Bot mentioned this pull request Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant