ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0
3.25k stars 359 forks source link

Cache for Hydrator Mutator does not caching responses #727

Closed schreddies closed 3 years ago

schreddies commented 3 years ago

Describe the bug

The bug is that, with properly setup for cache in hydrator, the amount of calls is the same as without caching. I.e. Caching with value of ttl of 60 sek, should be able to cache hydrator response to same user/request for this time. Introduction of this feature: https://github.com/ory/oathkeeper/issues/417

Reproducing the bug

Steps to reproduce the behavior:

Oathkeeper config:

  hydrator:
    enabled: true
    config:
      api:
        url: http://hydrate.com/hydrate
      cache:
        ttl: 60s

Oathkeeper rules:

    "mutators": [
      {
        "handler": "hydrator"
      }
    ]

Using wkr software for performance testing

Running 1m test @ http://127.0.0.1:4455/a
  20 threads and 20 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   154.12ms  198.17ms   2.18s    90.59%
    Req/Sec    11.43      5.89    30.00     56.81%
  10946 requests in 1.00m, 0.97MB read
Requests/sec:    182.12
Transfer/sec:     16.59KB

as result, the logs in hydrator is the same number as the number of calls (around 10k) from client (wkr) - the responses are the same (static response) Expected behavior

Cached hydrator responses should be cached as ttl.

Environment

-version: v0.38.10-beta.2 -environment: docker

Additional context

Add any other context about the problem here.

schreddies commented 3 years ago

I've found strange that in the mutator_hydrator_test.go file there is no test for cache as well: https://github.com/ory/oathkeeper/blob/master/pipeline/mutate/mutator_hydrator_test.go

schreddies commented 3 years ago

I think that the enabled:true in config makes all of the difference - will close if test will prove it!