92 lines
2.6 KiB
Go
92 lines
2.6 KiB
Go
/*
|
|
Copyright 2023 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package aes
|
|
|
|
import (
|
|
"bytes"
|
|
"time"
|
|
"unsafe"
|
|
|
|
utilcache "k8s.io/apimachinery/pkg/util/cache"
|
|
"k8s.io/apiserver/pkg/storage/value"
|
|
"k8s.io/utils/clock"
|
|
)
|
|
|
|
type simpleCache struct {
|
|
cache *utilcache.Expiring
|
|
ttl time.Duration
|
|
}
|
|
|
|
func newSimpleCache(clock clock.Clock, ttl time.Duration) *simpleCache {
|
|
cache := utilcache.NewExpiringWithClock(clock)
|
|
// "Stale" entries are always valid for us because the TTL is just used to prevent
|
|
// unbounded growth on the cache - for a given info the transformer is always the same.
|
|
// The key always corresponds to the exact same value, with the caveat that
|
|
// since we use the value.Context.AuthenticatedData to overwrite old keys,
|
|
// we always have to check that the info matches (to validate the transformer is correct).
|
|
cache.AllowExpiredGet = true
|
|
return &simpleCache{
|
|
cache: cache,
|
|
ttl: ttl,
|
|
}
|
|
}
|
|
|
|
// given a key, return the transformer, or nil if it does not exist in the cache
|
|
func (c *simpleCache) get(info []byte, dataCtx value.Context) *transformerWithInfo {
|
|
val, ok := c.cache.Get(keyFunc(dataCtx))
|
|
if !ok {
|
|
return nil
|
|
}
|
|
|
|
transformer := val.(*transformerWithInfo)
|
|
|
|
if !bytes.Equal(transformer.info, info) {
|
|
return nil
|
|
}
|
|
|
|
return transformer
|
|
}
|
|
|
|
// set caches the record for the key
|
|
func (c *simpleCache) set(dataCtx value.Context, transformer *transformerWithInfo) {
|
|
if dataCtx == nil || len(dataCtx.AuthenticatedData()) == 0 {
|
|
panic("authenticated data must not be empty")
|
|
}
|
|
if transformer == nil {
|
|
panic("transformer must not be nil")
|
|
}
|
|
if len(transformer.info) == 0 {
|
|
panic("info must not be empty")
|
|
}
|
|
c.cache.Set(keyFunc(dataCtx), transformer, c.ttl)
|
|
}
|
|
|
|
func keyFunc(dataCtx value.Context) string {
|
|
return toString(dataCtx.AuthenticatedData())
|
|
}
|
|
|
|
// toString performs unholy acts to avoid allocations
|
|
func toString(b []byte) string {
|
|
// unsafe.SliceData relies on cap whereas we want to rely on len
|
|
if len(b) == 0 {
|
|
return ""
|
|
}
|
|
// Copied from go 1.20.1 strings.Builder.String
|
|
// https://github.com/golang/go/blob/202a1a57064127c3f19d96df57b9f9586145e21c/src/strings/builder.go#L48
|
|
return unsafe.String(unsafe.SliceData(b), len(b))
|
|
}
|