Use a short throttling threshold for MI (and CCA)

Author: rayluo

msal/application.py

@@ -537,7 +537,11 @@ def __init__(
             self.http_client.mount("https://", a)
         self.http_client = ThrottledHttpClient(
             self.http_client,
-            {} if http_cache is None else http_cache,  # Default to an in-memory dict
+            http_cache=http_cache,
+            default_throttle_time=60
+                # The default value 60 was recommended mainly for PCA at the end of
+                # https://identitydivision.visualstudio.com/devex/_git/AuthLibrariesApiReview?version=GBdev&path=%2FService%20protection%2FIntial%20set%20of%20protection%20measures.md&_a=preview
+                if isinstance(self, PublicClientApplication) else 5,
             )
 
         self.app_name = app_name

msal/managed_identity.py

@@ -12,7 +12,7 @@
 from typing import Union  # Needed in Python 3.7 & 3.8
 from .token_cache import TokenCache
 from .individual_cache import _IndividualCache as IndividualCache
-from .throttled_http_client import ThrottledHttpClientBase, _parse_http_429_5xx_retry_after
+from .throttled_http_client import ThrottledHttpClientBase, RetryAfterParser
 
 
 logger = logging.getLogger(__name__)
@@ -109,18 +109,18 @@ def __init__(self, *, client_id=None, resource_id=None, object_id=None):
 
 
 class _ThrottledHttpClient(ThrottledHttpClientBase):
-    def __init__(self, http_client, http_cache):
-        super(_ThrottledHttpClient, self).__init__(http_client, http_cache)
+    def __init__(self, http_client, **kwargs):
+        super(_ThrottledHttpClient, self).__init__(http_client, **kwargs)
         self.get = IndividualCache(  # All MIs (except Cloud Shell) use GETs
             mapping=self._expiring_mapping,
-            key_maker=lambda func, args, kwargs: "POST {} hash={} 429/5xx/Retry-After".format(
+            key_maker=lambda func, args, kwargs: "REQ {} hash={} 429/5xx/Retry-After".format(
                 args[0],  # It is the endpoint, typically a constant per MI type
-                _hash(
+                self._hash(
                     # Managed Identity flavors have inconsistent parameters.
                     # We simply choose to hash them all.
                     str(kwargs.get("params")) + str(kwargs.get("data"))),
                 ),
-            expires_in=_parse_http_429_5xx_retry_after,
+            expires_in=RetryAfterParser(5).parse,  # 5 seconds default for non-PCA
             )(http_client.get)
 
 
@@ -226,7 +226,7 @@ def __init__(
             #    ( https://learn.microsoft.com/en-us/azure/service-fabric/how-to-managed-cluster-managed-identity-service-fabric-app-code#error-handling )
             http_client.http_client  # Patch the raw (unpatched) http client
                 if isinstance(http_client, ThrottledHttpClientBase) else http_client,
-            {} if http_cache is None else http_cache,  # Default to an in-memory dict
+            http_cache=http_cache,
         )
         self._token_cache = token_cache or TokenCache()
 

msal/throttled_http_client.py

@@ -9,35 +9,27 @@
 DEVICE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
 
 
-def _hash(raw):
-    return sha256(repr(raw).encode("utf-8")).hexdigest()
-
-
-def _parse_http_429_5xx_retry_after(result=None, **ignored):
-    """Return seconds to throttle"""
-    assert result is not None, """
-        The signature defines it with a default value None,
-        only because the its shape is already decided by the
-        IndividualCache's.__call__().
-        In actual code path, the result parameter here won't be None.
-        """
-    response = result
-    lowercase_headers = {k.lower(): v for k, v in getattr(
-        # Historically, MSAL's HttpResponse does not always have headers
-        response, "headers", {}).items()}
-    if not (response.status_code == 429 or response.status_code >= 500
-            or "retry-after" in lowercase_headers):
-        return 0  # Quick exit
-    default = 60  # Recommended at the end of
-        # https://identitydivision.visualstudio.com/devex/_git/AuthLibrariesApiReview?version=GBdev&path=%2FService%20protection%2FIntial%20set%20of%20protection%20measures.md&_a=preview
-    retry_after = lowercase_headers.get("retry-after", default)
-    try:
-        # AAD's retry_after uses integer format only
-        # https://stackoverflow.microsoft.com/questions/264931/264932
-        delay_seconds = int(retry_after)
-    except ValueError:
-        delay_seconds = default
-    return min(3600, delay_seconds)
+class RetryAfterParser(object):
+    def __init__(self, default_value=None):
+        self._default_value = 5 if default_value is None else default_value
+
+    def parse(self, *, result, **ignored):
+        """Return seconds to throttle"""
+        response = result
+        lowercase_headers = {k.lower(): v for k, v in getattr(
+            # Historically, MSAL's HttpResponse does not always have headers
+            response, "headers", {}).items()}
+        if not (response.status_code == 429 or response.status_code >= 500
+                or "retry-after" in lowercase_headers):
+            return 0  # Quick exit
+        retry_after = lowercase_headers.get("retry-after", self._default_value)
+        try:
+            # AAD's retry_after uses integer format only
+            # https://stackoverflow.microsoft.com/questions/264931/264932
+            delay_seconds = int(retry_after)
+        except ValueError:
+            delay_seconds = self._default_value
+        return min(3600, delay_seconds)
 
 
 def _extract_data(kwargs, key, default=None):
@@ -53,7 +45,7 @@ class ThrottledHttpClientBase(object):
 
     The subclass should implement post() and/or get()
     """
-    def __init__(self, http_client, http_cache):
+    def __init__(self, http_client, *, http_cache=None):
         self.http_client = http_client
         self._expiring_mapping = ExpiringMapping(  # It will automatically clean up
             mapping=http_cache if http_cache is not None else {},
@@ -70,10 +62,14 @@ def get(self, *args, **kwargs):
     def close(self):
         return self.http_client.close()
 
+    @staticmethod
+    def _hash(raw):
+        return sha256(repr(raw).encode("utf-8")).hexdigest()
+
 
 class ThrottledHttpClient(ThrottledHttpClientBase):
-    def __init__(self, http_client, http_cache):
-        super(ThrottledHttpClient, self).__init__(http_client, http_cache)
+    def __init__(self, http_client, *, default_throttle_time=None, **kwargs):
+        super(ThrottledHttpClient, self).__init__(http_client, **kwargs)
 
         _post = http_client.post  # We'll patch _post, and keep original post() intact
 
@@ -86,22 +82,22 @@ def __init__(self, http_client, http_cache):
                     args[0],  # It is the url, typically containing authority and tenant
                     _extract_data(kwargs, "client_id"),  # Per internal specs
                     _extract_data(kwargs, "scope"),  # Per internal specs
-                    _hash(
+                    self._hash(
                         # The followings are all approximations of the "account" concept
                         # to support per-account throttling.
                         # TODO: We may want to disable it for confidential client, though
                         _extract_data(kwargs, "refresh_token",  # "account" during refresh
                             _extract_data(kwargs, "code",  # "account" of auth code grant
                                 _extract_data(kwargs, "username")))),  # "account" of ROPC
                     ),
-            expires_in=_parse_http_429_5xx_retry_after,
+            expires_in=RetryAfterParser(default_throttle_time or 5).parse,
             )(_post)
 
         _post = IndividualCache(  # It covers the "UI required cache"
             mapping=self._expiring_mapping,
             key_maker=lambda func, args, kwargs: "POST {} hash={} 400".format(
                 args[0],  # It is the url, typically containing authority and tenant
-                _hash(
+                self._hash(
                     # Here we use literally all parameters, even those short-lived
                     # parameters containing timestamps (WS-Trust or POP assertion),
                     # because they will automatically be cleaned up by ExpiringMapping.
@@ -140,7 +136,7 @@ def __init__(self, http_client, http_cache):
             mapping=self._expiring_mapping,
             key_maker=lambda func, args, kwargs: "GET {} hash={} 2xx".format(
                 args[0],  # It is the url, sometimes containing inline params
-                _hash(kwargs.get("params", "")),
+                self._hash(kwargs.get("params", "")),
                 ),
             expires_in=lambda result=None, **ignored:
                 3600*24 if 200 <= result.status_code < 300 else 0,

tests/test_throttled_http_client.py

@@ -40,11 +40,10 @@ class CloseMethodCalled(Exception):
 class TestHttpDecoration(unittest.TestCase):
 
     def test_throttled_http_client_should_not_alter_original_http_client(self):
-        http_cache = {}
         original_http_client = DummyHttpClient()
         original_get = original_http_client.get
         original_post = original_http_client.post
-        throttled_http_client = ThrottledHttpClient(original_http_client, http_cache)
+        throttled_http_client = ThrottledHttpClient(original_http_client)
         goal = """The implementation should wrap original http_client
             and keep it intact, instead of monkey-patching it"""
         self.assertNotEqual(throttled_http_client, original_http_client, goal)
@@ -54,7 +53,7 @@ def test_throttled_http_client_should_not_alter_original_http_client(self):
     def _test_RetryAfter_N_seconds_should_keep_entry_for_N_seconds(
             self, http_client, retry_after):
         http_cache = {}
-        http_client = ThrottledHttpClient(http_client, http_cache)
+        http_client = ThrottledHttpClient(http_client, http_cache=http_cache)
         resp1 = http_client.post("https://example.com")  # We implemented POST only
         resp2 = http_client.post("https://example.com")  # We implemented POST only
         logger.debug(http_cache)
@@ -90,7 +89,7 @@ def test_one_RetryAfter_request_should_block_a_similar_request(self):
         http_cache = {}
         http_client = DummyHttpClient(
             status_code=429, response_headers={"Retry-After": 2})
-        http_client = ThrottledHttpClient(http_client, http_cache)
+        http_client = ThrottledHttpClient(http_client, http_cache=http_cache)
         resp1 = http_client.post("https://example.com", data={
             "scope": "one", "claims": "bar", "grant_type": "authorization_code"})
         resp2 = http_client.post("https://example.com", data={
@@ -102,7 +101,7 @@ def test_one_RetryAfter_request_should_not_block_a_different_request(self):
         http_cache = {}
         http_client = DummyHttpClient(
             status_code=429, response_headers={"Retry-After": 2})
-        http_client = ThrottledHttpClient(http_client, http_cache)
+        http_client = ThrottledHttpClient(http_client, http_cache=http_cache)
         resp1 = http_client.post("https://example.com", data={"scope": "one"})
         resp2 = http_client.post("https://example.com", data={"scope": "two"})
         logger.debug(http_cache)
@@ -112,7 +111,7 @@ def test_one_invalid_grant_should_block_a_similar_request(self):
         http_cache = {}
         http_client = DummyHttpClient(
             status_code=400)  # It covers invalid_grant and interaction_required
-        http_client = ThrottledHttpClient(http_client, http_cache)
+        http_client = ThrottledHttpClient(http_client, http_cache=http_cache)
         resp1 = http_client.post("https://example.com", data={"claims": "foo"})
         logger.debug(http_cache)
         resp1_again = http_client.post("https://example.com", data={"claims": "foo"})
@@ -146,7 +145,7 @@ def test_http_get_200_should_be_cached(self):
         http_cache = {}
         http_client = DummyHttpClient(
             status_code=200)  # It covers UserRealm discovery and OIDC discovery
-        http_client = ThrottledHttpClient(http_client, http_cache)
+        http_client = ThrottledHttpClient(http_client, http_cache=http_cache)
         resp1 = http_client.get("https://example.com?foo=bar")
         resp2 = http_client.get("https://example.com?foo=bar")
         logger.debug(http_cache)
@@ -156,7 +155,7 @@ def test_device_flow_retry_should_not_be_cached(self):
         DEVICE_AUTH_GRANT = "urn:ietf:params:oauth:grant-type:device_code"
         http_cache = {}
         http_client = DummyHttpClient(status_code=400)
-        http_client = ThrottledHttpClient(http_client, http_cache)
+        http_client = ThrottledHttpClient(http_client, http_cache=http_cache)
         resp1 = http_client.post(
             "https://example.com", data={"grant_type": DEVICE_AUTH_GRANT})
         resp2 = http_client.post(
@@ -165,9 +164,8 @@ def test_device_flow_retry_should_not_be_cached(self):
         self.assertNotEqual(resp1.text, resp2.text, "Should return a new response")
 
     def test_throttled_http_client_should_provide_close(self):
-        http_cache = {}
         http_client = DummyHttpClient(status_code=200)
-        http_client = ThrottledHttpClient(http_client, http_cache)
+        http_client = ThrottledHttpClient(http_client)
         with self.assertRaises(CloseMethodCalled):
             http_client.close()