cache token

Author: valner

internal/metadata/metadata.go

@@ -32,6 +32,14 @@ type instanceData struct {
 
 const instanceDataCacheTTL = 5 * time.Minute
 
+// tokenRefreshMargin is how long before expiry we refresh the token
+const tokenRefreshMargin = 1 * time.Hour
+
+type cachedToken struct {
+	token     string
+	expiresAt time.Time
+}
+
 type Reader struct {
 	cfg    Config
 	logger *slog.Logger
@@ -40,6 +48,9 @@ type Reader struct {
 	mu              sync.Mutex
 	cachedInstance  *instanceData
 	cachedFetchedAt time.Time
+
+	tokenMu     sync.Mutex
+	cachedIAM   *cachedToken
 }
 
 func NewReader(cfg Config, logger *slog.Logger) *Reader {
@@ -80,16 +91,64 @@ func (r *Reader) GetInstanceId() (instanceId string, isFallback bool, err error)
 
 func (r *Reader) GetIamToken() (string, error) {
 	if r.cfg.UseMetadataService {
-		tokenPath := fmt.Sprintf("/v1/iam/%s/token/access_token", r.cfg.MetadataTokenType)
-		body, err := r.fetchFromMetadataService(tokenPath)
+		token, err := r.getCachedIAMToken()
 		if err == nil {
-			return strings.TrimSpace(string(body)), nil
+			return token, nil
 		}
 		r.logger.Warn("Failed to get IAM token from IMDS, falling back to file", "error", err)
 	}
 	return r.readAndTrimFile(r.cfg.Path + "/" + r.cfg.IamTokenFilename)
 }
 
+func (r *Reader) getCachedIAMToken() (string, error) {
+	r.tokenMu.Lock()
+	defer r.tokenMu.Unlock()
+
+	if r.cachedIAM != nil && time.Until(r.cachedIAM.expiresAt) > tokenRefreshMargin {
+		return r.cachedIAM.token, nil
+	}
+
+	tokenPath := fmt.Sprintf("/v1/iam/%s/token/access_token", r.cfg.MetadataTokenType)
+	body, err := r.fetchFromMetadataService(tokenPath)
+	if err != nil {
+		if r.cachedIAM != nil && time.Until(r.cachedIAM.expiresAt) > 0 {
+			r.logger.Warn("Failed to refresh IAM token, using cached token until expiry", "error", err, "expires_at", r.cachedIAM.expiresAt)
+			return r.cachedIAM.token, nil
+		}
+		return "", fmt.Errorf("failed to fetch IAM token from IMDS: %w", err)
+	}
+	token := strings.TrimSpace(string(body))
+
+	expiresAt, err := r.fetchTokenExpiresAt()
+	if err != nil {
+		r.logger.Warn("Failed to get token expiry from IMDS, using default TTL", "error", err)
+		expiresAt = time.Now().Add(instanceDataCacheTTL)
+	}
+
+	if time.Until(expiresAt) <= 0 {
+		return "", fmt.Errorf("token from IMDS is already expired (expires_at: %s)", expiresAt.Format(time.RFC3339Nano))
+	}
+
+	r.cachedIAM = &cachedToken{
+		token:     token,
+		expiresAt: expiresAt,
+	}
+	return token, nil
+}
+
+func (r *Reader) fetchTokenExpiresAt() (time.Time, error) {
+	expiresAtPath := fmt.Sprintf("/v1/iam/%s/token/expires_at", r.cfg.MetadataTokenType)
+	body, err := r.fetchFromMetadataService(expiresAtPath)
+	if err != nil {
+		return time.Time{}, fmt.Errorf("failed to fetch token expires_at: %w", err)
+	}
+	expiresAt, err := time.Parse(time.RFC3339Nano, strings.TrimSpace(string(body)))
+	if err != nil {
+		return time.Time{}, fmt.Errorf("failed to parse expires_at timestamp: %w", err)
+	}
+	return expiresAt, nil
+}
+
 func (r *Reader) getInstanceData() (*instanceData, error) {
 	r.mu.Lock()
 	defer r.mu.Unlock()

internal/metadata/metadata_test.go

@@ -113,14 +113,49 @@ func TestGetInstanceId_IMDSFallbackURL(t *testing.T) {
 }
 
 func TestGetIamToken_IMDS(t *testing.T) {
+	expiresAt := time.Now().Add(12 * time.Hour).UTC().Format(time.RFC3339Nano)
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		assert.Equal(t, "true", r.Header.Get("Metadata"))
-		if r.URL.Path == "/v1/iam/tsa/token/access_token" {
+		switch r.URL.Path {
+		case "/v1/iam/tsa/token/access_token":
 			_, err := w.Write([]byte("my-iam-token"))
 			assert.NoError(t, err)
-			return
+		case "/v1/iam/tsa/token/expires_at":
+			_, err := w.Write([]byte(expiresAt))
+			assert.NoError(t, err)
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	reader := NewReader(Config{
+		UseMetadataService:         true,
+		MetadataServiceURL:         server.URL,
+		MetadataServiceFallbackURL: server.URL,
+		MetadataTokenType:          "tsa",
+	}, testLogger())
+
+	token, err := reader.GetIamToken()
+	require.NoError(t, err)
+	assert.Equal(t, "my-iam-token", token)
+}
+
+func TestGetIamToken_Cached(t *testing.T) {
+	tokenCallCount := 0
+	expiresAt := time.Now().Add(12 * time.Hour).UTC().Format(time.RFC3339Nano)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/v1/iam/tsa/token/access_token":
+			tokenCallCount++
+			_, err := w.Write([]byte("my-iam-token"))
+			assert.NoError(t, err)
+		case "/v1/iam/tsa/token/expires_at":
+			_, err := w.Write([]byte(expiresAt))
+			assert.NoError(t, err)
+		default:
+			http.NotFound(w, r)
 		}
-		http.NotFound(w, r)
 	}))
 	defer server.Close()
 
@@ -131,9 +166,145 @@ func TestGetIamToken_IMDS(t *testing.T) {
 		MetadataTokenType:          "tsa",
 	}, testLogger())
 
+	// First call fetches from IMDS
 	token, err := reader.GetIamToken()
 	require.NoError(t, err)
 	assert.Equal(t, "my-iam-token", token)
+
+	// Second call should use cache
+	token, err = reader.GetIamToken()
+	require.NoError(t, err)
+	assert.Equal(t, "my-iam-token", token)
+
+	assert.Equal(t, 1, tokenCallCount, "token should be fetched only once while cached")
+}
+
+func TestGetIamToken_RefreshesWhenNearExpiry(t *testing.T) {
+	tokenCallCount := 0
+	expiresAt := time.Now().Add(12 * time.Hour).UTC().Format(time.RFC3339Nano)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/v1/iam/tsa/token/access_token":
+			tokenCallCount++
+			_, err := fmt.Fprintf(w, "token-%d", tokenCallCount)
+			assert.NoError(t, err)
+		case "/v1/iam/tsa/token/expires_at":
+			_, err := w.Write([]byte(expiresAt))
+			assert.NoError(t, err)
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	reader := NewReader(Config{
+		UseMetadataService:         true,
+		MetadataServiceURL:         server.URL,
+		MetadataServiceFallbackURL: server.URL,
+		MetadataTokenType:          "tsa",
+	}, testLogger())
+
+	// First fetch
+	token, err := reader.GetIamToken()
+	require.NoError(t, err)
+	assert.Equal(t, "token-1", token)
+	assert.Equal(t, 1, tokenCallCount)
+
+	// Simulate token about to expire (within refresh margin)
+	reader.tokenMu.Lock()
+	reader.cachedIAM.expiresAt = time.Now().Add(30 * time.Minute) // less than 1 hour margin
+	reader.tokenMu.Unlock()
+
+	// Should re-fetch
+	token, err = reader.GetIamToken()
+	require.NoError(t, err)
+	assert.Equal(t, "token-2", token)
+	assert.Equal(t, 2, tokenCallCount)
+}
+
+func TestGetIamToken_UsesStaleTokenOnRefreshFailure(t *testing.T) {
+	tokenCallCount := 0
+	expiresAt := time.Now().Add(12 * time.Hour).UTC().Format(time.RFC3339Nano)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/v1/iam/tsa/token/access_token":
+			tokenCallCount++
+			if tokenCallCount > 1 {
+				w.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			_, err := w.Write([]byte("original-token"))
+			assert.NoError(t, err)
+		case "/v1/iam/tsa/token/expires_at":
+			_, err := w.Write([]byte(expiresAt))
+			assert.NoError(t, err)
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	reader := NewReader(Config{
+		UseMetadataService:         true,
+		MetadataServiceURL:         server.URL,
+		MetadataServiceFallbackURL: server.URL,
+		MetadataTokenType:          "tsa",
+	}, testLogger())
+
+	// First fetch succeeds
+	token, err := reader.GetIamToken()
+	require.NoError(t, err)
+	assert.Equal(t, "original-token", token)
+
+	// Simulate near expiry but not yet expired
+	reader.tokenMu.Lock()
+	reader.cachedIAM.expiresAt = time.Now().Add(30 * time.Minute) // needs refresh but not expired
+	reader.tokenMu.Unlock()
+
+	// Refresh fails — should return stale token since it hasn't expired yet
+	token, err = reader.GetIamToken()
+	require.NoError(t, err)
+	assert.Equal(t, "original-token", token)
+}
+
+func TestGetIamToken_AlreadyExpired(t *testing.T) {
+	expiredAt := time.Now().Add(-1 * time.Hour).UTC().Format(time.RFC3339Nano)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.Path {
+		case "/v1/iam/tsa/token/access_token":
+			_, err := w.Write([]byte("expired-token"))
+			assert.NoError(t, err)
+		case "/v1/iam/tsa/token/expires_at":
+			_, err := w.Write([]byte(expiredAt))
+			assert.NoError(t, err)
+		default:
+			http.NotFound(w, r)
+		}
+	}))
+	defer server.Close()
+
+	tmpDir := t.TempDir()
+	err := os.WriteFile(filepath.Join(tmpDir, "tsa-token"), []byte("file-token\n"), 0644)
+	require.NoError(t, err)
+
+	reader := NewReader(Config{
+		UseMetadataService:         true,
+		MetadataServiceURL:         server.URL,
+		MetadataServiceFallbackURL: server.URL,
+		MetadataTokenType:          "tsa",
+		Path:                       tmpDir,
+		IamTokenFilename:           "tsa-token",
+	}, testLogger())
+
+	// Token from IMDS is expired — should error from getCachedIAMToken and fall back to file
+	token, err := reader.GetIamToken()
+	require.NoError(t, err)
+	assert.Equal(t, "file-token", token)
+
+	// Verify token was not cached
+	reader.tokenMu.Lock()
+	assert.Nil(t, reader.cachedIAM, "expired token should not be cached")
+	reader.tokenMu.Unlock()
 }
 
 func TestGetIamToken_FileFallback(t *testing.T) {