From e3105607871e19af1f0ff6b4f99991835f08bcf9 Mon Sep 17 00:00:00 2001
From: Nikita Tokarchuk <nikita@tokarch.uk>
Date: Wed, 18 Oct 2023 11:34:56 +0200
Subject: [PATCH] rewrite expiration time to use seconds

---
 ngx_http_auth_ldap_module.c | 75 +++++++++++++++++++++----------------
 1 file changed, 43 insertions(+), 32 deletions(-)

diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
index ad1a90f..df32048 100644
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -107,8 +107,8 @@ typedef struct {
 typedef struct {
     ngx_array_t *servers;        /* array of ngx_http_auth_ldap_server_t */
     ngx_flag_t cache_enabled;
-    ngx_msec_t cache_expiration_time;
-    ngx_msec_t cache_limit_time;
+    size_t cache_expiration_no_use_seconds;
+    size_t cache_expiration_seconds;
     size_t cache_size;
     ngx_int_t servers_size;
 #if (NGX_OPENSSL)
@@ -124,8 +124,8 @@ typedef struct {
 typedef struct {
     uint32_t small_hash;     /* murmur2 hash of username ^ &server       */
     uint32_t outcome;        /* OUTCOME_DENY or OUTCOME_ALLOW            */
-    ngx_msec_t used_time;    /* ngx_current_msec when used               */
-    ngx_msec_t created_time; /* ngx_current_msec when created            */
+    size_t used_time;        /* seconds when used               */
+    size_t created_time;     /* seconds when created            */
     u_char big_hash[16];     /* md5 hash of (username, server, password) */
 } ngx_http_auth_ldap_cache_elt_t;
 
@@ -133,8 +133,8 @@ typedef struct {
     ngx_http_auth_ldap_cache_elt_t *buckets;
     ngx_uint_t num_buckets;
     ngx_uint_t elts_per_bucket;
-    ngx_msec_t expiration_time;
-    ngx_msec_t limit_time;
+    size_t expiration_no_use_seconds;
+    size_t expiration_seconds;
 } ngx_http_auth_ldap_cache_t;
 
 typedef enum {
@@ -249,19 +249,19 @@ static ngx_command_t ngx_http_auth_ldap_commands[] = {
         NULL
     },
     {
-        ngx_string("auth_ldap_cache_expiration_time"),
+        ngx_string("auth_ldap_cache_expiration_no_use_seconds"),
         NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1,
-        ngx_conf_set_msec_slot,
+        ngx_conf_set_size_slot,
         NGX_HTTP_MAIN_CONF_OFFSET,
-        offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_time),
+        offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_no_use_seconds),
         NULL
     },
     {
-        ngx_string("auth_ldap_cache_limit_time"),
+        ngx_string("auth_ldap_cache_expiration_seconds"),
         NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1,
-        ngx_conf_set_msec_slot,
+        ngx_conf_set_size_slot,
         NGX_HTTP_MAIN_CONF_OFFSET,
-        offsetof(ngx_http_auth_ldap_main_conf_t, cache_limit_time),
+        offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_seconds),
         NULL
     },
     {
@@ -774,8 +774,8 @@ ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf)
     }
 
     conf->cache_enabled = NGX_CONF_UNSET;
-    conf->cache_expiration_time = NGX_CONF_UNSET_MSEC;
-    conf->cache_limit_time = NGX_CONF_UNSET_MSEC;
+    conf->cache_expiration_no_use_seconds = NGX_CONF_UNSET_SIZE;
+    conf->cache_expiration_seconds = NGX_CONF_UNSET_SIZE;
     conf->cache_size = NGX_CONF_UNSET_SIZE;
     conf->servers_size = NGX_CONF_UNSET;
 
@@ -802,17 +802,17 @@ ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent)
         return NGX_CONF_ERROR;
     }
 
-    if (conf->cache_expiration_time == NGX_CONF_UNSET_MSEC) {
-        conf->cache_expiration_time = 10000;
+    if (conf->cache_expiration_no_use_seconds == NGX_CONF_UNSET_SIZE) {
+        conf->cache_expiration_no_use_seconds = 300;
     }
-    if (conf->cache_limit_time == NGX_CONF_UNSET_MSEC) {
-        conf->cache_limit_time = 10000;
+    if (conf->cache_expiration_seconds == NGX_CONF_UNSET_SIZE) {
+        conf->cache_expiration_seconds = 600;
     }
-    if (conf->cache_expiration_time < 1000) {
-        ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_expiration_time cannot be smaller than 1000 ms.");
+    if (conf->cache_expiration_no_use_seconds < 1) {
+        ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_expiration_no_use_seconds cannot be smaller than 1000 ms.");
         return NGX_CONF_ERROR;
     }
-    if (conf->cache_limit_time < 1000) {
+    if (conf->cache_expiration_seconds < 1) {
         ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_limit_time cannot be smaller than 1000 ms.");
         return NGX_CONF_ERROR;
     }
@@ -924,8 +924,8 @@ ngx_http_auth_ldap_init_cache(ngx_cycle_t *cycle)
     }
 
     cache = &ngx_http_auth_ldap_cache;
-    cache->expiration_time = conf->cache_expiration_time;
-    cache->limit_time = conf->cache_limit_time;
+    cache->expiration_no_use_seconds = conf->cache_expiration_no_use_seconds;
+    cache->expiration_seconds = conf->cache_expiration_seconds;
     cache->num_buckets = count;
     cache->elts_per_bucket = 8;
 
@@ -947,8 +947,9 @@ ngx_http_auth_ldap_check_cache_and_update(ngx_http_request_t *r, ngx_http_auth_l
 {
     ngx_http_auth_ldap_cache_elt_t *elt;
     ngx_md5_t md5ctx;
-    ngx_msec_t used_time_when_expired;
-    ngx_msec_t created_time_when_expired;
+    size_t current_seconds;
+    size_t used_time_valid_after;
+    size_t created_time_valid_after;
     ngx_uint_t i;
 
     ctx->cache_small_hash = ngx_murmur_hash2(r->headers_in.user.data, r->headers_in.user.len) ^ (uint32_t) (ngx_uint_t) server;
@@ -962,14 +963,21 @@ ngx_http_auth_ldap_check_cache_and_update(ngx_http_request_t *r, ngx_http_auth_l
     ctx->cache_bucket = &cache->buckets[ctx->cache_small_hash % cache->num_buckets];
 
     elt = ctx->cache_bucket;
-    used_time_when_expired = ngx_current_msec - cache->expiration_time;
-    created_time_when_expired = ngx_current_msec - cache->limit_time;
+
+    current_seconds = (size_t)ngx_cached_time->sec;
+    used_time_valid_after = current_seconds - cache->expiration_no_use_seconds;
+    created_time_valid_after = current_seconds - cache->expiration_seconds;
+
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "> current_seconds=%d", current_seconds);
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "> used_time_valid_after=%d", used_time_valid_after);
+    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "> created_time_valid_after=%d", created_time_valid_after);
+
     for (i = 0; i < cache->elts_per_bucket; i++, elt++) {
         if (elt->small_hash == ctx->cache_small_hash &&
-                elt->used_time > used_time_when_expired &&
-                elt->created_time > created_time_when_expired &&
+                elt->used_time > used_time_valid_after &&
+                elt->created_time > created_time_valid_after &&
                 memcmp(elt->big_hash, ctx->cache_big_hash, 16) == 0) {
-            elt->used_time = ngx_current_msec; // update time as we've just used this entry
+            elt->used_time = current_seconds; // update time as we've just used this entry
             return elt->outcome;
         }
     }
@@ -983,6 +991,7 @@ ngx_http_auth_ldap_set_cache(ngx_http_auth_ldap_ctx_t *ctx,
 {
     ngx_http_auth_ldap_cache_elt_t *elt, *oldest_elt;
     ngx_uint_t i;
+    size_t current_seconds;
 
     elt = ctx->cache_bucket;
     oldest_elt = elt;
@@ -992,8 +1001,10 @@ ngx_http_auth_ldap_set_cache(ngx_http_auth_ldap_ctx_t *ctx,
         }
     }
 
-    oldest_elt->created_time = ngx_current_msec;
-    oldest_elt->used_time = ngx_current_msec;
+    current_seconds = (size_t)ngx_cached_time->sec;
+
+    oldest_elt->created_time = current_seconds;
+    oldest_elt->used_time = current_seconds;
     oldest_elt->outcome = outcome;
     oldest_elt->small_hash = ctx->cache_small_hash;
     ngx_memcpy(oldest_elt->big_hash, ctx->cache_big_hash, 16);