Enable caching capabilities on UserRepository (#264)

* Introduce ProtocolCache to repositories

* Add caching capabilities to UserRepository

* Update test cases

* Cache on first find

* Fix phpcbf

* Start using protocol cache for docker runs

---------

Co-authored-by: Marko Ivančić <[email protected]>

Author: cicnavi

config-templates/module_oidc.php

@@ -288,6 +288,13 @@
     //    60 * 60 * 6, // Default lifetime in seconds (used when particular cache item doesn't define its own lifetime)
     //],
 
+    // Cache duration for user entities (authenticated users data). If not set, cache duration will be the same as
+    // session duration. This is used to avoid fetching user data from database on every authentication event.
+    // This is only relevant if protocol cache adapter is set up. For duration format info, check
+    // https://www.php.net/manual/en/dateinterval.construct.php.
+//    ModuleConfig::OPTION_PROTOCOL_USER_ENTITY_CACHE_DURATION => 'PT1H', // 1 hour
+    ModuleConfig::OPTION_PROTOCOL_USER_ENTITY_CACHE_DURATION => null, // fallback to session duration
+
     /**
      * Cron related options.
      */

docker/ssp/module_oidc.php

@@ -115,4 +115,9 @@
     ModuleConfig::OPTION_AUTH_FORCED_ACR_VALUE_FOR_COOKIE_AUTHENTICATION => null,
 
     ModuleConfig::OPTION_CRON_TAG => 'hourly',
+
+    ModuleConfig::OPTION_PROTOCOL_CACHE_ADAPTER => \Symfony\Component\Cache\Adapter\FilesystemAdapter::class,
+    ModuleConfig::OPTION_PROTOCOL_CACHE_ADAPTER_ARGUMENTS => [
+        // Use defaults
+    ],
 ];

routing/services/services.yml

@@ -115,4 +115,8 @@ services:
   SimpleSAML\OpenID\Federation:
     factory: [ '@SimpleSAML\Module\oidc\Factories\FederationFactory', 'build' ]
   SimpleSAML\OpenID\Jwks:
-    factory: [ '@SimpleSAML\Module\oidc\Factories\JwksFactory', 'build' ]
+    factory: [ '@SimpleSAML\Module\oidc\Factories\JwksFactory', 'build' ]
+
+  # SSP
+  SimpleSAML\Database:
+    factory: [ 'SimpleSAML\Database', 'getInstance' ]

src/Controller/Federation/Test.php

@@ -6,6 +6,7 @@
 
 namespace SimpleSAML\Module\oidc\Controller\Federation;
 
+use SimpleSAML\Database;
 use SimpleSAML\Module\oidc\Codebooks\RegistrationTypeEnum;
 use SimpleSAML\Module\oidc\Factories\CoreFactory;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
@@ -33,6 +34,7 @@ public function __construct(
         protected ?FederationCache $federationCache,
         protected LoggerService $loggerService,
         protected Jwks $jwks,
+        protected Database $database,
         protected ClientEntityFactory $clientEntityFactory,
         protected CoreFactory $coreFactory,
         protected \DateInterval $maxCacheDuration = new \DateInterval('PT30S'),

src/ModuleConfig.php

@@ -80,6 +80,7 @@ class ModuleConfig
     final public const OPTION_FEDERATION_ENTITY_STATEMENT_CACHE_DURATION = 'federation_entity_statement_cache_duration';
     final public const OPTION_PROTOCOL_CACHE_ADAPTER = 'protocol_cache_adapter';
     final public const OPTION_PROTOCOL_CACHE_ADAPTER_ARGUMENTS = 'protocol_cache_adapter_arguments';
+    final public const OPTION_PROTOCOL_USER_ENTITY_CACHE_DURATION = 'protocol_user_entity_cache_duration';
 
     protected static array $standardScopes = [
         ScopesEnum::OpenId->value => [
@@ -630,4 +631,20 @@ public function getProtocolCacheAdapterArguments(): array
     {
         return $this->config()->getOptionalArray(self::OPTION_PROTOCOL_CACHE_ADAPTER_ARGUMENTS, []);
     }
+
+    /**
+     * Get cache duration for user entities (user data). If not set in configuration, it will fall back to SSP session
+     * duration.
+     *
+     * @throws \Exception
+     */
+    public function getProtocolUserEntityCacheDuration(): DateInterval
+    {
+        return new DateInterval(
+            $this->config()->getOptionalString(
+                self::OPTION_PROTOCOL_USER_ENTITY_CACHE_DURATION,
+                null,
+            ) ?? "PT{$this->sspConfig()->getInteger('session.duration')}S",
+        );
+    }
 }

src/Repositories/AbstractDatabaseRepository.php

@@ -15,24 +15,21 @@
  */
 namespace SimpleSAML\Module\oidc\Repositories;
 
-use SimpleSAML\Configuration;
 use SimpleSAML\Database;
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 
 abstract class AbstractDatabaseRepository
 {
-    protected Configuration $config;
-
-    protected Database $database;
-
     /**
      * ClientRepository constructor.
      * @throws \Exception
      */
-    public function __construct(protected ModuleConfig $moduleConfig)
-    {
-        $this->config = $this->moduleConfig->config();
-        $this->database = Database::getInstance();
+    public function __construct(
+        protected readonly ModuleConfig $moduleConfig,
+        protected readonly Database $database,
+        protected readonly ?ProtocolCache $protocolCache,
+    ) {
     }
 
     abstract public function getTableName(): ?string;

src/Repositories/AccessTokenRepository.php

@@ -20,6 +20,7 @@
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface as OAuth2AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use RuntimeException;
+use SimpleSAML\Database;
 use SimpleSAML\Error\Error;
 use SimpleSAML\Module\oidc\Codebooks\DateFormatsEnum;
 use SimpleSAML\Module\oidc\Entities\AccessTokenEntity;
@@ -30,6 +31,7 @@
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AccessTokenRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Traits\RevokeTokenByAuthCodeIdTrait;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 
 class AccessTokenRepository extends AbstractDatabaseRepository implements AccessTokenRepositoryInterface
 {
@@ -39,11 +41,13 @@ class AccessTokenRepository extends AbstractDatabaseRepository implements Access
 
     public function __construct(
         ModuleConfig $moduleConfig,
+        Database $database,
+        ?ProtocolCache $protocolCache,
         protected readonly ClientRepository $clientRepository,
         protected readonly AccessTokenEntityFactory $accessTokenEntityFactory,
         protected readonly Helpers $helpers,
     ) {
-        parent::__construct($moduleConfig);
+        parent::__construct($moduleConfig, $database, $protocolCache);
     }
 
     public function getTableName(): string

src/Repositories/AuthCodeRepository.php

@@ -18,6 +18,7 @@
 
 use League\OAuth2\Server\Entities\AuthCodeEntityInterface as OAuth2AuthCodeEntityInterface;
 use RuntimeException;
+use SimpleSAML\Database;
 use SimpleSAML\Error\Error;
 use SimpleSAML\Module\oidc\Codebooks\DateFormatsEnum;
 use SimpleSAML\Module\oidc\Entities\AuthCodeEntity;
@@ -26,16 +27,19 @@
 use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\AuthCodeRepositoryInterface;
+use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 
 class AuthCodeRepository extends AbstractDatabaseRepository implements AuthCodeRepositoryInterface
 {
     public function __construct(
         ModuleConfig $moduleConfig,
+        Database $database,
+        ?ProtocolCache $protocolCache,
         protected readonly ClientRepository $clientRepository,
         protected readonly AuthCodeEntityFactory $authCodeEntityFactory,
         protected readonly Helpers $helpers,
     ) {
-        parent::__construct($moduleConfig);
+        parent::__construct($moduleConfig, $database, $protocolCache);
     }
 
     final public const TABLE_NAME = 'oidc_auth_code';

src/Repositories/ClientRepository.php

@@ -17,18 +17,22 @@
 
 use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
 use PDO;
+use SimpleSAML\Database;
 use SimpleSAML\Module\oidc\Entities\ClientEntity;
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\Module\oidc\Factories\Entities\ClientEntityFactory;
 use SimpleSAML\Module\oidc\ModuleConfig;
+use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 
 class ClientRepository extends AbstractDatabaseRepository implements ClientRepositoryInterface
 {
     public function __construct(
         ModuleConfig $moduleConfig,
+        Database $database,
+        ?ProtocolCache $protocolCache,
         protected readonly ClientEntityFactory $clientEntityFactory,
     ) {
-        parent::__construct($moduleConfig);
+        parent::__construct($moduleConfig, $database, $protocolCache);
     }
 
     final public const TABLE_NAME = 'oidc_client';
@@ -389,7 +393,7 @@ private function count(string $query, ?string $owner): int
      */
     private function getItemsPerPage(): int
     {
-        return $this->config
+        return $this->moduleConfig->config()
             ->getOptionalIntegerRange(ModuleConfig::OPTION_ADMIN_UI_PAGINATION_ITEMS_PER_PAGE, 1, 100, 20);
     }
 

src/Repositories/RefreshTokenRepository.php

@@ -19,6 +19,7 @@
 use League\OAuth2\Server\Entities\RefreshTokenEntityInterface as OAuth2RefreshTokenEntityInterface;
 use League\OAuth2\Server\Exception\OAuthServerException;
 use RuntimeException;
+use SimpleSAML\Database;
 use SimpleSAML\Module\oidc\Codebooks\DateFormatsEnum;
 use SimpleSAML\Module\oidc\Entities\Interfaces\RefreshTokenEntityInterface;
 use SimpleSAML\Module\oidc\Entities\RefreshTokenEntity;
@@ -27,6 +28,7 @@
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\RefreshTokenRepositoryInterface;
 use SimpleSAML\Module\oidc\Repositories\Traits\RevokeTokenByAuthCodeIdTrait;
+use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 
 class RefreshTokenRepository extends AbstractDatabaseRepository implements RefreshTokenRepositoryInterface
 {
@@ -36,11 +38,13 @@ class RefreshTokenRepository extends AbstractDatabaseRepository implements Refre
 
     public function __construct(
         ModuleConfig $moduleConfig,
+        Database $database,
+        ?ProtocolCache $protocolCache,
         protected readonly AccessTokenRepository $accessTokenRepository,
         protected readonly RefreshTokenEntityFactory $refreshTokenEntityFactory,
         protected readonly Helpers $helpers,
     ) {
-        parent::__construct($moduleConfig);
+        parent::__construct($moduleConfig, $database, $protocolCache);
     }
 
     /**

src/Repositories/ScopeRepository.php

@@ -26,18 +26,12 @@
 use function array_key_exists;
 use function in_array;
 
-class ScopeRepository extends AbstractDatabaseRepository implements ScopeRepositoryInterface
+class ScopeRepository implements ScopeRepositoryInterface
 {
     public function __construct(
-        ModuleConfig $moduleConfig,
+        protected readonly ModuleConfig $moduleConfig,
         protected readonly ScopeEntityFactory $scopeEntityFactory,
     ) {
-        parent::__construct($moduleConfig);
-    }
-
-    public function getTableName(): ?string
-    {
-        return null;
     }
 
     /**

src/Repositories/UserRepository.php

@@ -21,29 +21,38 @@
 use League\OAuth2\Server\Entities\ClientEntityInterface as OAuth2ClientEntityInterface;
 use League\OAuth2\Server\Entities\UserEntityInterface;
 use League\OAuth2\Server\Repositories\UserRepositoryInterface;
+use SimpleSAML\Database;
 use SimpleSAML\Module\oidc\Entities\UserEntity;
 use SimpleSAML\Module\oidc\Factories\Entities\UserEntityFactory;
 use SimpleSAML\Module\oidc\Helpers;
 use SimpleSAML\Module\oidc\ModuleConfig;
 use SimpleSAML\Module\oidc\Repositories\Interfaces\IdentityProviderInterface;
+use SimpleSAML\Module\oidc\Utils\ProtocolCache;
 
 class UserRepository extends AbstractDatabaseRepository implements UserRepositoryInterface, IdentityProviderInterface
 {
     final public const TABLE_NAME = 'oidc_user';
 
     public function __construct(
         ModuleConfig $moduleConfig,
+        Database $database,
+        ?ProtocolCache $protocolCache,
         protected readonly Helpers $helpers,
         protected readonly UserEntityFactory $userEntityFactory,
     ) {
-        parent::__construct($moduleConfig);
+        parent::__construct($moduleConfig, $database, $protocolCache);
     }
 
     public function getTableName(): string
     {
         return $this->database->applyPrefix(self::TABLE_NAME);
     }
 
+    public function getCacheKey(string $identifier): string
+    {
+        return $this->getTableName() . '_' . $identifier;
+    }
+
     /**
      * @param string $identifier
      *
@@ -52,6 +61,13 @@ public function getTableName(): string
      */
     public function getUserEntityByIdentifier(string $identifier): ?UserEntity
     {
+        /** @var ?array $cachedState */
+        $cachedState = $this->protocolCache?->get(null, $this->getCacheKey($identifier));
+
+        if (is_array($cachedState)) {
+            return $this->userEntityFactory->fromState($cachedState);
+        }
+
         $stmt = $this->database->read(
             "SELECT * FROM {$this->getTableName()} WHERE id = :id",
             [
@@ -69,7 +85,15 @@ public function getUserEntityByIdentifier(string $identifier): ?UserEntity
             return null;
         }
 
-        return $this->userEntityFactory->fromState($row);
+        $userEntity = $this->userEntityFactory->fromState($row);
+
+        $this->protocolCache?->set(
+            $userEntity->getState(),
+            $this->moduleConfig->getProtocolUserEntityCacheDuration(),
+            $this->getCacheKey($userEntity->getIdentifier()),
+        );
+
+        return $userEntity;
     }
 
     /**
@@ -95,21 +119,29 @@ public function add(UserEntity $userEntity): void
             $stmt,
             $userEntity->getState(),
         );
+
+        $this->protocolCache?->set(
+            $userEntity->getState(),
+            $this->moduleConfig->getProtocolUserEntityCacheDuration(),
+            $this->getCacheKey($userEntity->getIdentifier()),
+        );
     }
 
-    public function delete(UserEntity $user): void
+    public function delete(UserEntity $userEntity): void
     {
         $this->database->write(
             "DELETE FROM {$this->getTableName()} WHERE id = :id",
             [
-                'id' => $user->getIdentifier(),
+                'id' => $userEntity->getIdentifier(),
             ],
         );
+
+        $this->protocolCache?->delete($this->getCacheKey($userEntity->getIdentifier()));
     }
 
-    public function update(UserEntity $user, ?DateTimeImmutable $updatedAt = null): void
+    public function update(UserEntity $userEntity, ?DateTimeImmutable $updatedAt = null): void
     {
-        $user->setUpdatedAt($updatedAt ?? $this->helpers->dateTime()->getUtc());
+        $userEntity->setUpdatedAt($updatedAt ?? $this->helpers->dateTime()->getUtc());
 
         $stmt = sprintf(
             "UPDATE %s SET claims = :claims, updated_at = :updated_at, created_at = :created_at WHERE id = :id",
@@ -118,7 +150,13 @@ public function update(UserEntity $user, ?DateTimeImmutable $updatedAt = null):
 
         $this->database->write(
             $stmt,
-            $user->getState(),
+            $userEntity->getState(),
+        );
+
+        $this->protocolCache?->set(
+            $userEntity->getState(),
+            $this->moduleConfig->getProtocolUserEntityCacheDuration(),
+            $this->getCacheKey($userEntity->getIdentifier()),
         );
     }
 }