Race condition in mod_auth_openidc filecache
zandbelt opened this issue · comments
Discussed in #777
Originally posted by dbakker January 24, 2022
We've been getting random errors from mod_auth_openidc like this:
[client XXXXX:0] oidc_cache_file_read: could not read enough bytes from: "PATH", bytes_read (0) != len (16),
We suspect this might be caused by a race condition in src/cache/file.c. Our appliction is javascript based and fires tens of json requests at the same time, potentially triggering multiple oidc_cache_file_set's / oidc_cache_file_get's at once.
The way that oidc_cache_file_set works now is that it always opens the file with APR_FOPEN_TRUNCATE and only after does an APR_FLOCK_EXCLUSIVE. This means that after oidc_cache_file_get gets a lock it might find an empty file because of a oidc_cache_file_set that has preemptively emptied the file.
As a suggested fix, perhaps the file could be truncated after locking instead of before.
Additional info:
mod_auth_openidc version: 2.4.10 (latest)
config settings:
OIDCCacheType file
OIDCCacheDir /var/cache/apache2/mod_auth_openidc/cache
OIDCSessionType server-cache
OIDCSessionInactivityTimeout 28800
OIDCSessionMaxDuration 28800
OIDCHTTPTimeoutShort 30
OIDCStateMaxNumberOfCookies 7 true
OIDCProviderMetadataURL https://URL
OIDCRedirectURI https://URL
OIDCCryptoPassphrase 123securekey123
OIDCClientID apache2
OIDCClientSecret 123securekey123
OIDCRemoteUserClaim preferred_username
OIDCHTMLErrorTemplate /srv/www/authentication.html</div>