TokenCacheService

class gafaelfawr.services.token_cache.TokenCacheService(*, config, internal_cache, notebook_cache, token_redis_store, token_db_store, token_change_store, logger)

Bases: object

Manage cache internal and notebook tokens.

To reduce latency and database query load, notebook and internal tokens for a given parent token are cached in memory and reused as long as the request data matches, the token is still valid, and less than half of its lifetime has passed.

This class handles both the creation and the caching of internal and notebook tokens.

Parameters:

• config (Config) – The Gafaelfawr configuration.

• internal_cache (InternalTokenCache) – Cache for internal tokens.

• notebook_cache (NotebookTokenCache) – Cache for notebook tokens.

• token_db_store (TokenDatabaseStore) – The database backing store for tokens.

• token_redis_store (TokenRedisStore) – The Redis backing store for tokens.

• token_change_store (TokenChangeHistoryStore) – The backing store for history of changes to tokens.

• logger (BoundLogger) – Logger to use.

Notes

The cache storage is process-global and is locked only for asyncio access, not for threaded access. It is not thread-safe. The expectation is that this code will be used by a single-process asyncio server, and scaling will be done by adding more processes.

Notebook tokens are cached under the key of the parent token and its expiration. Internal tokens add the service name and the requested scopes. The expiration of the parent token is included since changing the expiration of a parent token (for a user token for instance) may allow for a longer internal or notebook token, and we don’t want to prevent that change by returning a cached token.

Methods Summary

clear()	Invalidate the caches.
get_internal_token(token_data, service, ...)	Retrieve or create an internal token.
get_notebook_token(token_data, ip_address, *)	Retrieve or create a notebook token.

Methods Documentation

async clear()

Invalidate the caches.

Used primarily for testing.

Return type:

None

async get_internal_token(token_data, service, scopes, ip_address, *, minimum_lifetime=None)

Retrieve or create an internal token.

Return the cached token if one is available, a matching token if one exists in the database, or a newly-created token if necessary.

The new token will have the same expiration time as the existing token on which it’s based unless that expiration time is longer than the expiration time of normal interactive tokens, in which case it will be capped at the interactive token expiration time.

Parameters:

• token_data (TokenData) – The authentication data for the parent token.

• service (str) – The service of the internal token.

• scopes (list[str]) – The scopes the internal token should have.

• ip_address (str) – The IP address from which the request came.

• minimum_lifetime (timedelta | None, default: None) – If set, the minimum required lifetime of the token.

Returns:

The cached token or newly-created token.

Return type:

Token

async get_notebook_token(token_data, ip_address, *, minimum_lifetime=None)

Retrieve or create a notebook token.

Return the cached token if one is available, a matching token if one exists in the database, or a newly-created token if necessary.

The new token will have the same expiration time as the existing token on which it’s based unless that expiration time is longer than the expiration time of normal interactive tokens, in which case it will be capped at the interactive token expiration time.

Parameters:

• token_data (TokenData) – The authentication data for the parent token.

• ip_address (str) – The IP address from which the request came.

• minimum_lifetime (timedelta | None, default: None) – If set, the minimum required lifetime of the token.

Returns:

The cached token, or None if no matching token is cached.

Return type:

Token or None