Fix data race in session cache

.github/workflows/precommit.yml

@@ -13,7 +13,7 @@ jobs:
       - uses: actions/setup-python@v2
       - uses: actions/setup-go@v2
         with:
-          go-version: '1.17'
+          go-version: '1.24'
       - name: Install goimports
         run: go install golang.org/x/tools/cmd/goimports@latest
-      - uses: pre-commit/action@v2.0.0
+      - uses: pre-commit/action@v3.0.1

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
         name: Set up Go
         uses: actions/setup-go@v2
         with:
-          go-version: 1.17
+          go-version: 1.24
       -
         name: Login to Public ECR
         env:

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
 - repo: https://github.com/dnephin/pre-commit-golang
-  rev: master
+  rev: v0.5.1
   hooks:
     - id: go-fmt
     - id: go-vet

cmd/credential_process.go

@@ -156,6 +156,6 @@ func printCredentialProcess(credentials *aws.Credentials) error {
 		logging.LogError(err, "Error parsing credential response")
 		return err
 	}
-	fmt.Printf(string(b))
+	fmt.Print(string(b))
 	return nil
 }

go.mod

@@ -1,6 +1,6 @@
 module github.com/netflix/weep
 
-go 1.17
+go 1.24
 
 require (
 	github.com/aws/aws-sdk-go v1.40.39

pkg/config/config.go

@@ -73,6 +73,7 @@ func getDefaultLogFile() string {
 //   - /etc/weep/weep.yaml
 //   - ~/.weep/weep.yaml
 //   - ./weep.yaml
+//
 // If a config file is specified via CLI arg, it will be read exclusively and not merged with other
 // configuration.
 func InitConfig(filename string) error {

pkg/creds/consoleme.go

@@ -273,7 +273,7 @@ func parseWebError(rawErrorResponse []byte) error {
 	if err := json.Unmarshal(rawErrorResponse, &errorResponse); err != nil {
 		return errors.Wrap(err, "failed to unmarshal JSON")
 	}
-	return fmt.Errorf(strings.Join(errorResponse.Errors, "\n"))
+	return errors.New(strings.Join(errorResponse.Errors, "\n"))
 }
 
 func parseError(statusCode int, rawErrorResponse []byte) error {

pkg/creds/refreshable.go

@@ -17,7 +17,7 @@
 package creds
 
 import (
-	"fmt"
+	stdErrors "errors"
 	"strings"
 	"time"
 
@@ -107,7 +107,7 @@ func (rp *RefreshableProvider) refresh() error {
 			// The http.Client, with the best of intentions, will hold the connection open,
 			// meaning that an auto-updated cert won't be used by the client.
 			rp.client.CloseIdleConnections()
-			return fmt.Errorf(viper.GetString("mtls_settings.old_cert_message"))
+			return stdErrors.New(viper.GetString("mtls_settings.old_cert_message"))
 		} else {
 			return err
 		}

pkg/errors/errors.go

@@ -23,6 +23,7 @@ func (e Error) Error() string { return string(e) }
 const (
 	NoCredentialsFoundInCache      = Error("no credentials found in cache")
 	NoTokenFoundInCache            = Error("no token found in cache")
+	InvalidTokenFoundInCache       = Error("token's cached attributes are invalid")
 	NoDefaultRoleSet               = Error("no default role set")
 	BrowserOpenError               = Error("could not launch browser, open link manually")
 	CredentialRetrievalError       = Error("failed to retrieve credentials from broker")

pkg/session/cache.go

@@ -14,8 +14,7 @@ import (
 const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
 
 type tokenCache struct {
-	sync.RWMutex
-	TokenMap
+	sync.Map
 }
 
 type tokenAttributes struct {
@@ -40,9 +39,7 @@ func randomString(n int) string {
 }
 
 func createCache() *tokenCache {
-	c := &tokenCache{
-		TokenMap: make(map[string]*tokenAttributes),
-	}
+	c := &tokenCache{}
 	go c.startWatcher()
 	return c
 }
@@ -59,12 +56,18 @@ func (c *tokenCache) startWatcher() {
 }
 
 func (c *tokenCache) clean() {
-	for token, attr := range c.TokenMap {
-		if attr.Expiration.Before(time.Now()) {
-			logging.Log.Debugf("deleting token with expiration %v", attr.Expiration)
-			c.delete(token)
+	c.Range(func(key, value interface{}) bool {
+		if attr, ok := value.(*tokenAttributes); ok {
+			if attr.Expiration.Before(time.Now()) {
+				logging.Log.Debugf("deleting token with expiration %v", attr.Expiration)
+				c.Delete(key)
+			}
+		} else {
+			logging.Log.Debugf("deleting token with invalid attributes %v", value)
+			c.Delete(key)
 		}
-	}
+		return true
+	})
 }
 
 func (c *tokenCache) generateToken(role string, ttlSeconds int) string {
@@ -74,45 +77,39 @@ func (c *tokenCache) generateToken(role string, ttlSeconds int) string {
 }
 
 func (c *tokenCache) checkToken(token string) (bool, int) {
-	attr, err := sessions.Get(token)
+	attr, err := c.Get(token)
 	if err != nil {
-		logging.Log.Warning("invalid session token")
+		logging.Log.Warningf("invalid session token: %v", err)
 		return false, 0
 	}
 	if attr.Expiration.Before(time.Now()) {
 		logging.Log.Warning("session token is expired")
 		return false, 0
 	}
-	remainingTtl := time.Now().Sub(attr.Expiration)
+	remainingTtl := attr.Expiration.Sub(time.Now())
 	return true, int(remainingTtl.Seconds())
 }
 
-func (c *tokenCache) delete(token string) {
-	c.Lock()
-	defer c.Unlock()
-	if _, ok := c.TokenMap[token]; ok {
-		delete(c.TokenMap, token)
-	}
-}
-
 func (c *tokenCache) Set(token, role string, ttl int) {
 	expiration := time.Now().Add(time.Duration(ttl) * time.Second)
 	attr := tokenAttributes{
 		InitialTtl: ttl,
 		Expiration: expiration,
 		Role:       role,
 	}
-	c.Lock()
-	defer c.Unlock()
-	c.TokenMap[token] = &attr
+	c.Store(token, &attr)
 }
 
 func (c *tokenCache) Get(token string) (*tokenAttributes, error) {
-	c.RLock()
-	defer c.RUnlock()
-	attr, ok := c.TokenMap[token]
+	var value interface{}
+	var ok bool
+	var attr *tokenAttributes
+	value, ok = c.Load(token)
 	if !ok {
 		return nil, errors.NoTokenFoundInCache
 	}
-	return attr, nil
+	if attr, ok = value.(*tokenAttributes); ok {
+		return attr, nil
+	}
+	return nil, errors.InvalidTokenFoundInCache
 }