Support for session cookies and PKCS8 private keys

connelly38 · connelly38 · commit 0f7d182a2bc6 · 2022-03-08T11:04:03.000-08:00
If set in response headers, allow setting a cookie named "session"
to enable session persistence in load balancer routing.

Also: added support for PKCS8 format private keys.

Also fixed a case where multiple goroutines running parallel requests to an
older server might result in unsupported protocol errors.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/).
 
+## Unreleased
+
+### Added
+- Support for session persistence. If a Set-Cookie HTTP header is present the SDK will now set a Cookie header using the requested session value.
+- Support for PKCS8 format private keys.
+
 ## 1.3.0 - 2022-02-24
 
 ### Added
diff --git a/nosqldb/auth/iam/helpers.go b/nosqldb/auth/iam/helpers.go
@@ -43,6 +43,13 @@ func PrivateKeyFromBytesWithPassword(pemData, password []byte) (key *rsa.Private
 		}
 
 		key, e = x509.ParsePKCS1PrivateKey(decrypted)
+		if e != nil {
+			e = nil
+			parseResult, e := x509.ParsePKCS8PrivateKey(decrypted)
+			if e == nil {
+				key = parseResult.(*rsa.PrivateKey)
+			}
+		}
 
 	} else {
 		e = fmt.Errorf("PEM data was not found in buffer")
diff --git a/nosqldb/bad_protocol_test.go b/nosqldb/bad_protocol_test.go
@@ -162,7 +162,8 @@ func seekPos(lengths []int, fieldOff int) (off int) {
 }
 
 func (suite *BadProtocolTestSuite) doBadProtoTest(req nosqldb.Request, data []byte, desc string, expectErrCode nosqlerr.ErrorCode) {
-	_, err := suite.bpTestClient.DoExecute(context.Background(), req, data)
+	serialVerUsed := suite.bpTestClient.GetSerialVersion()
+	_, err := suite.bpTestClient.DoExecute(context.Background(), req, data, serialVerUsed)
 	switch expectErrCode {
 	case nosqlerr.NoError:
 		suite.NoErrorf(err, "%q should have succeeded, got error %v", desc, err)
@@ -173,7 +174,8 @@ func (suite *BadProtocolTestSuite) doBadProtoTest(req nosqldb.Request, data []by
 }
 
 func (suite *BadProtocolTestSuite) doBadProtoTest2(req nosqldb.Request, data []byte, desc string, expectErrCode1 nosqlerr.ErrorCode, expectErrCode2 nosqlerr.ErrorCode) {
-	_, err := suite.bpTestClient.DoExecute(context.Background(), req, data)
+	serialVerUsed := suite.bpTestClient.GetSerialVersion()
+	_, err := suite.bpTestClient.DoExecute(context.Background(), req, data, serialVerUsed)
 	suite.Truef((nosqlerr.Is(err, expectErrCode1) || nosqlerr.Is(err, expectErrCode2)),
 		"%q failed, got error %v, want error %s or %s", desc, err, expectErrCode1, expectErrCode2)
 }
@@ -185,7 +187,7 @@ func (suite *BadProtocolTestSuite) TestBadGetRequest() {
 		Key:         suite.key,
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -259,7 +261,7 @@ func (suite *BadProtocolTestSuite) TestBadGetIndexesRequest() {
 		IndexName: suite.index,
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -300,7 +302,7 @@ func (suite *BadProtocolTestSuite) TestBadGetTableRequest() {
 		TableName: suite.table,
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -336,7 +338,7 @@ func (suite *BadProtocolTestSuite) TestBadListTablesRequest() {
 		Namespace: ns,
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -387,7 +389,7 @@ func (suite *BadProtocolTestSuite) TestBadListTablesRequest() {
 func (suite *BadProtocolTestSuite) TestBadPrepareRequest() {
 	stmt := "select * from " + suite.table
 	req := &nosqldb.PrepareRequest{Statement: stmt}
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -495,7 +497,7 @@ func (suite *BadProtocolTestSuite) TestBadQueryRequest() {
 		2,           // VariableValue: INT_TYPE + packed int
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -591,7 +593,7 @@ func (suite *BadProtocolTestSuite) TestBadPutRequest() {
 		ttlLen,         // TTL: value(packed long) + unit(byte)
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -673,7 +675,7 @@ func (suite *BadProtocolTestSuite) TestBadDeleteRequest() {
 		0,              // MatchVersion: bytes
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -730,7 +732,7 @@ func (suite *BadProtocolTestSuite) TestBadWriteMultipleRequest() {
 		0,              // Sub requests: the size does not matter for this test.
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -790,7 +792,7 @@ func (suite *BadProtocolTestSuite) TestBadMultiDeleteRequest() {
 		21,             // ContinuationKey: byte array
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -866,7 +868,7 @@ func (suite *BadProtocolTestSuite) TestBadTableRequest() {
 		1,       // HasTableName: boolean
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	suite.AddToTables(newTable)
 	origData := make([]byte, len(data))
@@ -926,7 +928,7 @@ func (suite *BadProtocolTestSuite) TestBadSystemRequest() {
 		stmtLen, // Statement: string
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
@@ -976,7 +978,7 @@ func (suite *BadProtocolTestSuite) TestBadSystemStatusRequest() {
 		stmtLen, // Statement: string
 	}
 
-	data, err := suite.bpTestClient.ProcessRequest(req)
+	data, _, err := suite.bpTestClient.ProcessRequest(req)
 	suite.Require().NoError(err)
 	origData := make([]byte, len(data))
 	copy(origData, data)
diff --git a/nosqldb/client.go b/nosqldb/client.go
@@ -86,6 +86,12 @@ type Client struct {
 
 	// for managing one-time messaging
 	oneTimeMessages map[string]struct{}
+
+	// sessionStr represents a session cookie to use, if non-nil
+	sessionStr string
+
+	// for generic locking
+	lockMux sync.Mutex
 }
 
 var (
@@ -97,6 +103,8 @@ var (
 const (
 	// LimiterRefreshNanos is used to update table limits once every 10 minutes
 	LimiterRefreshNanos int64 = 600 * 1000 * 1000 * 1000
+	// SessionCookieField is used to check for persistent session cookies
+	SessionCookieField string = "session="
 )
 
 // NewClient creates a Client instance with the specified Config.
@@ -794,9 +802,9 @@ func (c *Client) nextRequestID() int32 {
 // processRequest processes the specified request before it is sent to server.
 // This method applies default configurations such as timeout and consistency
 // values for the request if they are not specified for the request.
-func (c *Client) processRequest(req Request) (data []byte, err error) {
+func (c *Client) processRequest(req Request) (data []byte, serialVerUsed int16, err error) {
 	if req == nil {
-		return nil, errNilRequest
+		return nil, 0, errNilRequest
 	}
 
 	// Set default values for the request with the global request configurations
@@ -806,17 +814,17 @@ func (c *Client) processRequest(req Request) (data []byte, err error) {
 
 	// Validates the request, returns immediately if validation fails.
 	if err = req.validate(); err != nil {
-		return nil, err
+		return nil, 0, err
 	}
 
-	data, err = c.serializeRequest(req)
+	data, serialVerUsed, err = c.serializeRequest(req)
 	if err != nil || !c.isCloud {
 		return
 	}
 
 	// check request size for cloud
 	if err = checkRequestSizeLimit(req, len(data)); err != nil {
-		return nil, err
+		return nil, 0, err
 	}
 
 	return
@@ -831,15 +839,15 @@ func (c *Client) execute(req Request) (Result, error) {
 }
 
 func (c *Client) executeWithContext(ctx context.Context, req Request) (Result, error) {
-	data, err := c.processRequest(req)
+	data, serialVerUsed, err := c.processRequest(req)
 	if err != nil {
 		return nil, err
 	}
 
-	return c.doExecute(ctx, req, data)
+	return c.doExecute(ctx, req, data, serialVerUsed)
 }
 
-func (c *Client) doExecute(ctx context.Context, req Request, data []byte) (result Result, err error) {
+func (c *Client) doExecute(ctx context.Context, req Request, data []byte, serialVerUsed int16) (result Result, err error) {
 	if req == nil {
 		return nil, errNilRequest
 	}
@@ -962,11 +970,11 @@ func (c *Client) doExecute(ctx context.Context, req Request, data []byte) (resul
 			}
 
 			if nosqlerr.Is(err, nosqlerr.UnsupportedProtocol) {
-				if c.decrementSerialVersion() == false {
+				if c.decrementSerialVersion(serialVerUsed) == false {
 					return nil, err
 				}
 				// if serial version mismatch, we must re-serialize the request
-				data, err = c.serializeRequest(req)
+				data, serialVerUsed, err = c.serializeRequest(req)
 				if err != nil {
 					return nil, err
 				}
@@ -1048,14 +1056,19 @@ func (c *Client) doExecute(ctx context.Context, req Request, data []byte) (resul
 			httpReq.Header.Set("Authorization", authStr)
 		}
 
+		// Allow for session persistence, if available
+		if c.sessionStr != "" {
+			httpReq.Header.Set("Cookie", c.sessionStr)
+		}
+
 		err = c.signHTTPRequest(httpReq)
 		if err != nil {
 			return nil, err
 		}
 
 		// warn if using features not implemented at the connected server
 		// currently cloud does not support Durability
-		if c.serialVersion < 3 || c.isCloud {
+		if serialVerUsed < 3 || c.isCloud {
 			needMsg := false
 			if pReq, ok := req.(*PutRequest); ok && pReq.Durability.IsSet() {
 				needMsg = true
@@ -1073,7 +1086,7 @@ func (c *Client) doExecute(ctx context.Context, req Request, data []byte) (resul
 		}
 
 		// OnDemand is not available in V2
-		if c.serialVersion < 3 {
+		if serialVerUsed < 3 {
 			if tReq, ok := req.(*TableRequest); ok && tReq.TableLimits != nil {
 				if tReq.TableLimits.CapacityMode == types.OnDemand {
 					c.oneTimeMessage("The requested feature is not supported " +
@@ -1334,17 +1347,18 @@ func (c *Client) signHTTPRequest(httpReq *http.Request) error {
 // serializeRequest serializes the specified request into a slice of bytes that
 // will be sent to the server. The serial version is always written followed by
 // the actual request payload.
-func (c *Client) serializeRequest(req Request) (data []byte, err error) {
+func (c *Client) serializeRequest(req Request) (data []byte, serialVerUsed int16, err error) {
 	wr := binary.NewWriter()
-	if _, err = wr.WriteSerialVersion(c.serialVersion); err != nil {
-		return
+	serialVerUsed = c.serialVersion
+	if _, err = wr.WriteSerialVersion(serialVerUsed); err != nil {
+		return nil, 0, err
 	}
 
-	if err = req.serialize(wr, c.serialVersion); err != nil {
-		return
+	if err = req.serialize(wr, serialVerUsed); err != nil {
+		return nil, 0, err
 	}
 
-	return wr.Bytes(), nil
+	return wr.Bytes(), serialVerUsed, nil
 }
 
 // processResponse processes the http response returned from server.
@@ -1360,6 +1374,7 @@ func (c *Client) processResponse(httpResp *http.Response, req Request) (Result,
 	}
 
 	if httpResp.StatusCode == http.StatusOK {
+		c.setSessionCookie(httpResp.Header)
 		return c.processOKResponse(data, req)
 	}
 
@@ -1402,6 +1417,29 @@ func (c *Client) processOKResponse(data []byte, req Request) (Result, error) {
 	return nil, wrapResponseErrors(int(code), msg)
 }
 
+// setSessionCookie sets a persistent session cookie value to use for
+// following requests, if present in the response header.
+func (c *Client) setSessionCookie(header http.Header) {
+	if header == nil {
+		return
+	}
+	// NOTE: this code assumes there will always be at most
+	// one Set-Cookie header in the response. If the load balancer
+	// settings change, or the proxy changes to add Set-Cookie
+	// headers, this code may need to be changed to look for
+	// multiple Set-Cookie headers.
+	v := header.Get("Set-Cookie")
+	if strings.HasPrefix(v, SessionCookieField) == false {
+		return
+	}
+	c.lockMux.Lock()
+	defer c.lockMux.Unlock()
+	c.sessionStr = strings.Split(v, ";")[0]
+	c.logger.LogWithFn(logger.Fine, func() string {
+		return fmt.Sprintf("Set session cookie to \"%s\"", c.sessionStr)
+	})
+}
+
 // processNotOKResponse processes the http response whose status code is not 200.
 func (c *Client) processNotOKResponse(data []byte, statusCode int) error {
 	if statusCode == http.StatusBadRequest && len(data) > 0 {
@@ -1502,7 +1540,12 @@ func (c *Client) VerifyConnection() error {
 // decrementSerialVersion attempts to reduce the serial version used for
 // communicating with the server. If the version is already at its lowest
 // value, it will not be decremented and false will be returned.
-func (c *Client) decrementSerialVersion() bool {
+func (c *Client) decrementSerialVersion(serialVerUsed int16) bool {
+	c.lockMux.Lock()
+	defer c.lockMux.Unlock()
+	if c.serialVersion != serialVerUsed {
+		return true
+	}
 	if c.serialVersion > 2 {
 		c.serialVersion--
 		return true
diff --git a/nosqldb/export_test.go b/nosqldb/export_test.go
@@ -20,12 +20,12 @@ func (c *Client) SetResponseHandler(fn HandleResponse) {
 	c.handleResponse = fn
 }
 
-func (c *Client) ProcessRequest(req Request) (data []byte, err error) {
+func (c *Client) ProcessRequest(req Request) (data []byte, serialVerUsed int16, err error) {
 	return c.processRequest(req)
 }
 
-func (c *Client) DoExecute(ctx context.Context, req Request, data []byte) (Result, error) {
-	return c.doExecute(ctx, req, data)
+func (c *Client) DoExecute(ctx context.Context, req Request, data []byte, serialVerUsed int16) (Result, error) {
+	return c.doExecute(ctx, req, data, serialVerUsed)
 }
 
 func (p *PreparedStatement) GetStatement() []byte {

Original file line number	Diff line number	Diff line change
`@@ -20,12 +20,12 @@ func (c *Client) SetResponseHandler(fn HandleResponse) {`
`20`	`20`	`c.handleResponse = fn`
`21`	`21`	`}`
`22`	`22`
`23`		`-func (c *Client) ProcessRequest(req Request) (data []byte, err error) {`
	`23`	`+func (c *Client) ProcessRequest(req Request) (data []byte, serialVerUsed int16, err error) {`
`24`	`24`	`return c.processRequest(req)`
`25`	`25`	`}`
`26`	`26`
`27`		`-func (c *Client) DoExecute(ctx context.Context, req Request, data []byte) (Result, error) {`
`28`		`- return c.doExecute(ctx, req, data)`
	`27`	`+func (c *Client) DoExecute(ctx context.Context, req Request, data []byte, serialVerUsed int16) (Result, error) {`
	`28`	`+ return c.doExecute(ctx, req, data, serialVerUsed)`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`func (p *PreparedStatement) GetStatement() []byte {`