fix(manager): starting and stopping the manager

ndyakov · ndyakov · commit 676cf1c0357e · 2025-05-13T16:54:54.000+03:00
Starting and stopping the manager can be executed multiple times
diff --git a/credentials_provider.go b/credentials_provider.go
@@ -27,6 +27,8 @@ type entraidCredentialsProvider struct {
 
 	// rwLock is a mutex that is used to synchronize access to the listeners slice.
 	rwLock sync.RWMutex // Mutex for synchronizing access to the listeners slice.
+
+	tmLock sync.Mutex
 }
 
 // onTokenNext is a method that is called when the token manager receives a new token.
@@ -65,11 +67,25 @@ func (e *entraidCredentialsProvider) onTokenError(err error) {
 //
 // Note: If the listener is already subscribed, it will not receive duplicate notifications.
 func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener) (auth.Credentials, auth.UnsubscribeFunc, error) {
-	// First try to get a token, only then subscribe the listener.
-	token, err := e.tokenManager.GetToken(false)
-	if err != nil {
-		return nil, nil, err
+	var token *token.Token
+	// check if the manager is working
+	// If the stopTokenManager is nil, the token manager is not started.
+	e.tmLock.Lock()
+	if e.stopTokenManager == nil {
+		t, stopTM, err := e.tokenManager.Start(tokenListenerFromCP(e))
+		if err != nil {
+			return nil, nil, fmt.Errorf("couldn't start token manager: %w", err)
+		}
+		e.stopTokenManager = stopTM
+		token = t
+	} else {
+		t, err := e.tokenManager.GetToken(false)
+		if err != nil {
+			return nil, nil, fmt.Errorf("couldn't get token: %w", err)
+		}
+		token = t
 	}
+	e.tmLock.Unlock()
 
 	e.rwLock.Lock()
 	// Check if the listener is already in the list of listeners.
@@ -102,6 +118,7 @@ func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener
 		// Clear the listeners slice if it's empty
 		if len(e.listeners) == 0 {
 			e.listeners = make([]auth.CredentialsListener, 0)
+			e.tmLock.Lock()
 			if e.stopTokenManager != nil {
 				err := e.stopTokenManager()
 				if err != nil {
@@ -111,6 +128,7 @@ func (e *entraidCredentialsProvider) Subscribe(listener auth.CredentialsListener
 				// This prevents multiple calls to stopTokenManager.
 				e.stopTokenManager = nil
 			}
+			e.tmLock.Unlock()
 		}
 		return nil
 	}
@@ -134,10 +152,5 @@ func NewCredentialsProvider(tokenManager manager.TokenManager, options Credentia
 		options:      options,
 		listeners:    make([]auth.CredentialsListener, 0),
 	}
-	stopTM, err := cp.tokenManager.Start(tokenListenerFromCP(cp))
-	if err != nil {
-		return nil, fmt.Errorf("couldn't start token manager: %w", err)
-	}
-	cp.stopTokenManager = stopTM
 	return cp, nil
 }
diff --git a/manager/token_manager.go b/manager/token_manager.go
@@ -82,7 +82,7 @@ type TokenManager interface {
 	// It takes a boolean value forceRefresh as an argument.
 	GetToken(forceRefresh bool) (*token.Token, error)
 	// Start starts the token manager and returns a channel that will receive updates.
-	Start(listener TokenListener) (StopFunc, error)
+	Start(listener TokenListener) (*token.Token, StopFunc, error)
 }
 
 // StopFunc is a function that stops the token manager.
@@ -239,11 +239,11 @@ func (e *entraidTokenManager) GetToken(forceRefresh bool) (*token.Token, error)
 //
 // Note: The initial token is delivered synchronously.
 // The TokenListener will receive the token immediately, before the token manager goroutine starts.
-func (e *entraidTokenManager) Start(listener TokenListener) (StopFunc, error) {
+func (e *entraidTokenManager) Start(listener TokenListener) (*token.Token, StopFunc, error) {
 	e.lock.Lock()
 	defer e.lock.Unlock()
 	if e.listener != nil {
-		return nil, ErrTokenManagerAlreadyStarted
+		return nil, nil, ErrTokenManagerAlreadyStarted
 	}
 
 	if e.closedChan != nil && !internal.IsClosed(e.closedChan) {
@@ -252,15 +252,25 @@ func (e *entraidTokenManager) Start(listener TokenListener) (StopFunc, error) {
 		close(e.closedChan)
 	}
 
-	t, err := e.GetToken(true)
+	ctx, ctxCancel := context.WithCancel(context.Background())
+	e.ctx = ctx
+	e.ctxCancel = ctxCancel
+
+	t, err := e.GetToken(false)
+	// If a token was found in the cache, check if:
+	// - it is expired (based on the lower bound)
+	// - it is about to expire (based on the expiration refresh ratio)
+	// if so, get a new token
+	expirationRefreshTime := t.ReceivedAt().Add(time.Duration(float64(t.TTL()) * float64(time.Second) * e.expirationRefreshRatio))
+	expirationWithoutLowerBound := t.ExpirationOn().Add(-1 * e.lowerBoundDuration)
+	now := time.Now()
+	if t != nil && (expirationWithoutLowerBound.Before(now) || expirationRefreshTime.Before(now)) {
+		t, err = e.GetToken(true)
+	}
 	if err != nil {
-		go listener.OnError(err)
-		return nil, fmt.Errorf("failed to start token manager: %w", err)
+		return nil, nil, fmt.Errorf("failed to start token manager: %w", err)
 	}
 
-	// Deliver initial token synchronously
-	listener.OnNext(t)
-
 	e.closedChan = make(chan struct{})
 	e.listener = listener
 
@@ -325,7 +335,7 @@ func (e *entraidTokenManager) Start(listener TokenListener) (StopFunc, error) {
 		}
 	}(listener, e.closedChan)
 
-	return e.stop, nil
+	return t, e.stop, nil
 }
 
 // stop closes the token manager and releases any resources.
diff --git a/manager/token_manager_test.go b/manager/token_manager_test.go
@@ -182,7 +182,7 @@ func TestTokenManager_Close(t *testing.T) {
 
 		var stopper StopFunc
 		assert.NotPanics(t, func() {
-			stopper, err = tokenManager.Start(listener)
+			_, stopper, err = tokenManager.Start(listener)
 			assert.NotNil(t, stopper)
 			assert.NoError(t, err)
 		})
@@ -222,7 +222,7 @@ func TestTokenManager_Close(t *testing.T) {
 		listener.On("OnNext", testTokenValid).Return()
 
 		assert.NotPanics(t, func() {
-			cancel, err := tokenManager.Start(listener)
+			_, cancel, err := tokenManager.Start(listener)
 			assert.NotNil(t, cancel)
 			assert.NoError(t, err)
 			assert.NotNil(t, tm.listener)
@@ -258,7 +258,7 @@ func TestTokenManager_Close(t *testing.T) {
 		listener.On("OnNext", testTokenValid).Return()
 
 		assert.NotPanics(t, func() {
-			stopper, err := tokenManager.Start(listener)
+			_, stopper, err := tokenManager.Start(listener)
 			assert.NotNil(t, stopper)
 			assert.NoError(t, err)
 			assert.NotNil(t, tm.listener)
@@ -329,7 +329,7 @@ func TestTokenManager_Start(t *testing.T) {
 				go func() {
 					defer wg.Done()
 					time.Sleep(time.Duration(int64(rand.Intn(100)) * int64(time.Millisecond)))
-					_, err := tokenManager.Start(listener)
+					_, _, err := tokenManager.Start(listener)
 					if err == nil {
 						hasStarted += 1
 						return
@@ -344,7 +344,7 @@ func TestTokenManager_Start(t *testing.T) {
 			assert.NotNil(t, tm.listener)
 			assert.Equal(t, 1, hasStarted)
 			assert.Equal(t, int32(numExecutions-1), atomic.LoadInt32(&alreadyStarted))
-			cancel, err := tokenManager.Start(listener)
+			_, cancel, err := tokenManager.Start(listener)
 			assert.Nil(t, cancel)
 			assert.Error(t, err)
 			assert.NotNil(t, tm.listener)
@@ -389,7 +389,7 @@ func TestTokenManager_Start(t *testing.T) {
 					} else {
 						l := &mockTokenListener{Id: num}
 						l.On("OnNext", testTokenValid).Return()
-						_, err = tokenManager.Start(l)
+						_, _, err = tokenManager.Start(l)
 					}
 					if err != nil {
 						if err != ErrTokenManagerAlreadyStopped && err != ErrTokenManagerAlreadyStarted {
@@ -412,7 +412,7 @@ func TestTokenManager_Start(t *testing.T) {
 					log.Printf("FAILING WITH lastExecution[STOPPED]: %d", lastExecution)
 				}
 				assert.NotNil(t, tm.listener)
-				stopper, err := tokenManager.Start(listener)
+				_, stopper, err := tokenManager.Start(listener)
 				assert.Nil(t, stopper)
 				assert.Error(t, err)
 				// Stop the token manager with internal stop, since stopper should be nil
@@ -588,7 +588,8 @@ func TestEntraidTokenManager_GetToken(t *testing.T) {
 		mParser.On("ParseResponse", rawResponse).Return(testTokenValid, nil)
 		listener.On("OnNext", testTokenValid).Return()
 
-		cancel, err := tokenManager.Start(listener)
+		initialToken, cancel, err := tokenManager.Start(listener)
+		assert.NotNil(t, initialToken)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -598,6 +599,46 @@ func TestEntraidTokenManager_GetToken(t *testing.T) {
 		assert.NotNil(t, token1)
 	})
 
+	t.Run("GetToken with cached token", func(t *testing.T) {
+		t.Parallel()
+		idp := &mockIdentityProvider{}
+		listener := &mockTokenListener{}
+		mParser := &mockIdentityProviderResponseParser{}
+		tokenManager, err := NewTokenManager(idp,
+			TokenManagerOptions{
+				IdentityProviderResponseParser: mParser,
+			},
+		)
+		assert.NoError(t, err)
+		assert.NotNil(t, tokenManager)
+		tm, ok := tokenManager.(*entraidTokenManager)
+		assert.True(t, ok)
+		assert.Nil(t, tm.listener)
+
+		rawResponse := &authResult{
+			ResultType:  shared.ResponseTypeRawToken,
+			RawTokenVal: "test",
+		}
+
+		idp.On("RequestToken", mock.Anything).Return(rawResponse, nil)
+		mParser.On("ParseResponse", rawResponse).Return(testTokenValid, nil)
+		listener.On("OnNext", testTokenValid).Return()
+
+		initialToken, cancel, err := tokenManager.Start(listener)
+		assert.NotNil(t, initialToken)
+		assert.NotNil(t, cancel)
+		assert.NoError(t, err)
+		assert.NotNil(t, tm.listener)
+
+		token1, err := tokenManager.GetToken(false)
+		assert.NoError(t, err)
+		assert.NotNil(t, token1)
+
+		token2, err := tokenManager.GetToken(false)
+		assert.NoError(t, err)
+		assert.Equal(t, token1, token2)
+	})
+
 	t.Run("GetToken with parse error", func(t *testing.T) {
 		t.Parallel()
 		idp := &mockIdentityProvider{}
@@ -623,7 +664,7 @@ func TestEntraidTokenManager_GetToken(t *testing.T) {
 		mParser.On("ParseResponse", rawResponse).Return(nil, fmt.Errorf("parse error"))
 		listener.On("OnError", mock.Anything).Return()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.Error(t, err)
 		assert.Nil(t, cancel)
 		assert.Nil(t, tm.listener)
@@ -814,7 +855,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 		mParser.On("ParseResponse", idpResponse).Return(token1, nil).Once()
 		listener.On("OnNext", token1).Return().Once()
 
-		stopper, err := tokenManager.Start(listener)
+		_, stopper, err := tokenManager.Start(listener)
 		assert.NotNil(t, stopper)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -881,7 +922,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 
 		listener.On("OnNext", mock.AnythingOfType("*token.Token")).Return()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -938,7 +979,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 
 		listener.On("OnNext", mock.AnythingOfType("*token.Token")).Return()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -991,7 +1032,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 
 		listener.On("OnNext", mock.AnythingOfType("*token.Token")).Return()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -1041,7 +1082,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 			assert.NotNil(t, err)
 		}).Return().Maybe()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -1095,7 +1136,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 			assert.NotNil(t, err)
 		}).Return()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -1174,7 +1215,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 			close(maxAttemptsReached)
 		}).Return()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -1248,7 +1289,7 @@ func TestEntraidTokenManager_Streaming(t *testing.T) {
 			close(maxAttemptsReached)
 		}).Return().Maybe()
 
-		cancel, err := tokenManager.Start(listener)
+		_, cancel, err := tokenManager.Start(listener)
 		assert.NotNil(t, cancel)
 		assert.NoError(t, err)
 		assert.NotNil(t, tm.listener)
@@ -1338,7 +1379,7 @@ func BenchmarkTokenManager_Start(b *testing.B) {
 
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		_, _ = tokenManager.Start(listener)
+		_, _, _ = tokenManager.Start(listener)
 	}
 }
 
@@ -1364,7 +1405,7 @@ func BenchmarkTokenManager_Close(b *testing.B) {
 	mParser.On("ParseResponse", rawResponse).Return(testTokenValid, nil)
 	listener.On("OnNext", testTokenValid).Return()
 
-	stopper, err := tokenManager.Start(listener)
+	_, stopper, err := tokenManager.Start(listener)
 	if err != nil {
 		b.Fatal(err)
 	}
@@ -1477,7 +1518,7 @@ func TestConcurrentTokenManagerOperations(t *testing.T) {
 				case 0:
 					// Start the token manager with a new listener
 					// t.Logf("Goroutine %d, Operation %d: Attempting to start token manager", routineID, j)
-					closeFunc, err := tm.Start(listener)
+					_, closeFunc, err := tm.Start(listener)
 
 					if err != nil {
 						if err != ErrTokenManagerAlreadyStarted {
@@ -1655,7 +1696,7 @@ func TestConcurrentTokenManagerOperations(t *testing.T) {
 		},
 	}
 
-	closeFunc, err := tm.Start(finalListener)
+	_, closeFunc, err := tm.Start(finalListener)
 	if err != nil && err != ErrTokenManagerAlreadyStarted {
 		t.Fatalf("Failed to start token manager after concurrent operations: %v", err)
 	}
