TokenCacheService

class gafaelfawr.services.token_cache.TokenCacheService(*, config, internal_cache, notebook_cache, token_redis_store, token_db_store, token_change_store, session, logger)

Bases: object

Manage a cache of internal and notebook tokens.

To reduce latency and database query load, notebook and internal tokens for a given parent token are cached in memory and reused as long as the request data matches, the token is still valid, and less than half of its lifetime has passed.

This class handles both the creation and the caching of internal and notebook tokens.

Parameters:

Notes

The cache storage is process-global and is locked only for asyncio access, not for threaded access. It is not thread-safe. The expectation is that this code will be used by a single-process asyncio server, and scaling will be done by adding more processes.

Notebook tokens are cached under the key of the parent token and its expiration. Internal tokens add the service name and the requested scopes. The expiration of the parent token is included since changing the expiration of a parent token (for a user token for instance) may allow for a longer internal or notebook token, and we don’t want to prevent that change by returning a cached token.
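
A simplified model of the cache keys and the reuse rule described above, as an added example rather than Gafaelfawr's own code. `CachedToken`, `internal_key`, `notebook_key`, `reusable` and `lookup` are hypothetical names, and applying `minimum_lifetime` at lookup time is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CachedToken:
    """Hypothetical stand-in for a cached internal or notebook token."""

    key: str
    created: datetime
    expires: datetime


def notebook_key(parent: str, parent_expires: datetime) -> tuple:
    # Notebook tokens: parent token plus the parent's expiration.
    return (parent, parent_expires)


def internal_key(parent: str, parent_expires: datetime, service: str,
                 scopes: set[str]) -> tuple:
    # Internal tokens add the service name and the requested scopes.
    # frozenset keeps the key hashable and independent of scope order.
    return (parent, parent_expires, service, frozenset(scopes))


def reusable(token: CachedToken, now: datetime,
             minimum_lifetime: timedelta | None = None) -> bool:
    """Still valid and less than half of the lifetime has passed."""
    if now >= token.expires:
        return False
    if now - token.created >= (token.expires - token.created) / 2:
        return False
    # Assumption: a caller-supplied minimum lifetime also blocks reuse.
    if minimum_lifetime and token.expires - now < minimum_lifetime:
        return False
    return True


def lookup(cache: dict, key: tuple, now: datetime,
           minimum_lifetime: timedelta | None = None) -> CachedToken | None:
    """Return the cached token for key only if the reuse rule allows it."""
    token = cache.get(key)
    if token is None or not reusable(token, now, minimum_lifetime):
        return None  # caller creates a token and stores it under key
    return token
```

Because the parent's expiration is part of the key, extending a parent token's lifetime produces a cache miss, so the next internal or notebook token can pick up the longer lifetime.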

Methods Summary

clear()

Invalidate the caches.

get_internal_token(token_data, service, ...)

Retrieve or create an internal token.

get_notebook_token(token_data, ip_address, *)

Retrieve or create a notebook token.

Methods Documentation

async clear()

Invalidate the caches.

Used primarily for testing.

Return type:

None

async get_internal_token(token_data, service, scopes, ip_address, *, minimum_lifetime=None)

Retrieve or create an internal token.

Return the cached token if one is available, a matching token if one exists in the database, or a newly-created token if necessary.

The new token will have the same expiration time as the existing token on which it’s based unless that expiration time is longer than the expiration time of normal interactive tokens, in which case it will be capped at the interactive token expiration time.

Parameters:
  • token_data (TokenData) – Authentication data for the parent token.

  • service (str) – Service of the internal token.

  • scopes (set[str]) – Scopes the internal token should have.

  • ip_address (str) – IP address from which the request came.

  • minimum_lifetime (timedelta | None, default: None) – If set, the minimum required lifetime of the token.

Returns:

Cached token or newly-created token.

Return type:

Token

async get_notebook_token(token_data, ip_address, *, minimum_lifetime=None)

Retrieve or create a notebook token.

Return the cached token if one is available, a matching token if one exists in the database, or a newly-created token if necessary.

The new token will have the same expiration time as the existing token on which it’s based unless that expiration time is longer than the expiration time of normal interactive tokens, in which case it will be capped at the interactive token expiration time.

Parameters:
  • token_data (TokenData) – The authentication data for the parent token.

  • ip_address (str) – The IP address from which the request came.

  • minimum_lifetime (timedelta | None, default: None) – If set, the minimum required lifetime of the token.

Returns:

The cached token, or None if no matching token is cached.

Return type:

Token or None