tests passing

Signed-off-by: Grant Linville <grant@acorn.io>

Author: g-linville

go.mod

@@ -40,6 +40,8 @@ require (
 	golang.org/x/sync v0.12.0
 	google.golang.org/api v0.228.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
+	gorm.io/driver/postgres v1.5.7
+	gorm.io/gorm v1.25.7
 	k8s.io/apimachinery v0.29.0
 )
 
@@ -62,6 +64,11 @@ require (
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/jackc/pgpassfile v1.0.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
+	github.com/jackc/pgx/v5 v5.4.3 // indirect
+	github.com/jinzhu/inflection v1.0.0 // indirect
+	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect

go.sum

@@ -88,6 +88,16 @@ github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
+github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
+github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
+github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.4.3 h1:cxFyXhxlvAifxnkKKdlxv8XqUf59tDlYjnV5YYfsJJY=
+github.com/jackc/pgx/v5 v5.4.3/go.mod h1:Ig06C2Vu0t5qXC60W8sqIthScaEnFvojjj9dSljmHRA=
+github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
+github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
+github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
+github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/justinas/alice v1.2.0 h1:+MHSA/vccVCF4Uq37S42jwlkvI2Xzl7zTPCN5BnZNVo=
 github.com/justinas/alice v1.2.0/go.mod h1:fN5HRH/reO/zrUflLfTN43t3vXvKzvZIENsNEe7i7qA=
 github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
@@ -263,5 +273,9 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gorm.io/driver/postgres v1.5.7 h1:8ptbNJTDbEmhdr62uReG5BGkdQyeasu/FZHxI0IMGnM=
+gorm.io/driver/postgres v1.5.7/go.mod h1:3e019WlBaYI5o5LIdNV+LyxCMNtLOQETBXL2h4chKpA=
+gorm.io/gorm v1.25.7 h1:VsD6acwRjz2zFxGO50gPO6AkNs7KKnvfzUjHQhZDz/A=
+gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
 k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=

pkg/apis/options/options.go

@@ -156,6 +156,10 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.Bool("redis-use-cluster", false, "Connect to redis cluster. Must set --redis-cluster-connection-urls to use this feature")
 	flagSet.StringSlice("redis-cluster-connection-urls", []string{}, "List of Redis cluster connection URLs (eg redis://[USER[:PASSWORD]@]HOST[:PORT]). Used in conjunction with --redis-use-cluster")
 	flagSet.Int("redis-connection-idle-timeout", 0, "Redis connection idle timeout seconds, if Redis timeout option is non-zero, the --redis-connection-idle-timeout must be less then Redis timeout option")
+	flagSet.String("postgres-connection-url", "", "URL of postgres server for postgres session storage (eg: postgres://[USER[:PASSWORD]@]HOST[:PORT]/DBNAME)")
+	flagSet.Int("postgres-max-idle-conns", 10, "Maximum number of idle connections to postgres")
+	flagSet.Int("postgres-max-open-conns", 100, "Maximum number of open connections to postgres")
+	flagSet.Int("postgres-conn-max-lifetime", 3600, "Maximum lifetime of a connection to postgres in seconds")
 	flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")
 	flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints")
 

pkg/apis/options/sessions.go

@@ -2,9 +2,10 @@ package options
 
 // SessionOptions contains configuration options for the SessionStore providers.
 type SessionOptions struct {
-	Type   string             `flag:"session-store-type" cfg:"session_store_type"`
-	Cookie CookieStoreOptions `cfg:",squash"`
-	Redis  RedisStoreOptions  `cfg:",squash"`
+	Type     string               `flag:"session-store-type" cfg:"session_store_type"`
+	Cookie   CookieStoreOptions   `cfg:",squash"`
+	Redis    RedisStoreOptions    `cfg:",squash"`
+	Postgres PostgresStoreOptions `cfg:",squash"`
 }
 
 // CookieSessionStoreType is used to indicate the CookieSessionStore should be
@@ -15,6 +16,10 @@ var CookieSessionStoreType = "cookie"
 // used for storing sessions.
 var RedisSessionStoreType = "redis"
 
+// PostgresSessionStoreType is used to indicate the PostgresSessionStore should be
+// used for storing sessions.
+var PostgresSessionStoreType = "postgres"
+
 // CookieStoreOptions contains configuration options for the CookieSessionStore.
 type CookieStoreOptions struct {
 	Minimal bool `flag:"session-cookie-minimal" cfg:"session_cookie_minimal"`
@@ -36,6 +41,14 @@ type RedisStoreOptions struct {
 	IdleTimeout            int      `flag:"redis-connection-idle-timeout" cfg:"redis_connection_idle_timeout"`
 }
 
+// PostgresStoreOptions contains configuration options for the PostgresSessionStore.
+type PostgresStoreOptions struct {
+	ConnectionURL   string `flag:"postgres-connection-url" cfg:"postgres_connection_url"`
+	MaxIdleConns    int    `flag:"postgres-max-idle-conns" cfg:"postgres_max_idle_conns"`
+	MaxOpenConns    int    `flag:"postgres-max-open-conns" cfg:"postgres_max_open_conns"`
+	ConnMaxLifetime int    `flag:"postgres-conn-max-lifetime" cfg:"postgres_conn_max_lifetime"`
+}
+
 func sessionOptionsDefaults() SessionOptions {
 	return SessionOptions{
 		Type: CookieSessionStoreType,

pkg/sessions/postgres/lock.go

@@ -0,0 +1,210 @@
+package postgres
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
+	"gorm.io/gorm"
+)
+
+// SessionLock represents a lock record in the database
+type SessionLock struct {
+	Key       string `gorm:"primaryKey"`
+	ExpiresAt time.Time
+	CreatedAt time.Time
+	UpdatedAt time.Time
+}
+
+// Lock implements the sessions.Lock interface using a custom table.
+// This implementation uses a dedicated table to track locks with expiration times.
+//
+// Important notes about this implementation:
+// 1. Locks have built-in expiration functionality
+// 2. Locks are automatically cleaned up when they expire
+// 3. The lock key is stored directly in the table
+// 4. If the database connection is lost, the lock will be automatically released
+type Lock struct {
+	db  *gorm.DB
+	key string
+}
+
+// NewLock creates a new PostgreSQL lock instance
+func NewLock(db *gorm.DB, key string) sessions.Lock {
+	return &Lock{
+		db:  db,
+		key: key,
+	}
+}
+
+// Obtain obtains a lock by inserting a record into the session_lock table.
+// If a lock already exists and hasn't expired, it will return ErrLockNotObtained.
+func (l *Lock) Obtain(ctx context.Context, expiration time.Duration) error {
+	// Verify database connection is healthy
+	if err := l.verifyConnection(ctx); err != nil {
+		return fmt.Errorf("database connection error: %w", err)
+	}
+
+	// Start a transaction to ensure atomicity
+	tx := l.db.WithContext(ctx).Begin()
+	if tx.Error != nil {
+		return fmt.Errorf("error starting transaction: %w", tx.Error)
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			tx.Rollback()
+		}
+	}()
+
+	// Clean up expired locks
+	if err := tx.Where("expires_at < ?", time.Now()).Delete(&SessionLock{}).Error; err != nil {
+		tx.Rollback()
+		return fmt.Errorf("error cleaning up expired locks: %w", err)
+	}
+
+	// Check if lock exists and is valid
+	var existingLock SessionLock
+	err := tx.Where("key = ?", l.key).First(&existingLock).Error
+	if err == nil {
+		// Lock exists and hasn't expired
+		tx.Rollback()
+		return sessions.ErrLockNotObtained
+	}
+	if !errors.Is(err, gorm.ErrRecordNotFound) {
+		tx.Rollback()
+		return fmt.Errorf("error checking existing lock: %w", err)
+	}
+
+	// Create new lock
+	lock := &SessionLock{
+		Key:       l.key,
+		ExpiresAt: time.Now().Add(expiration),
+	}
+	if err := tx.Create(lock).Error; err != nil {
+		tx.Rollback()
+		return fmt.Errorf("error creating lock: %w", err)
+	}
+
+	return tx.Commit().Error
+}
+
+// Peek checks if the lock is still held by checking if it exists and hasn't expired
+func (l *Lock) Peek(ctx context.Context) (bool, error) {
+	// Verify database connection is healthy
+	if err := l.verifyConnection(ctx); err != nil {
+		return false, fmt.Errorf("database connection error: %w", err)
+	}
+
+	// Clean up expired locks
+	if err := l.db.WithContext(ctx).Where("expires_at < ?", time.Now()).Delete(&SessionLock{}).Error; err != nil {
+		return false, fmt.Errorf("error cleaning up expired locks: %w", err)
+	}
+
+	// Check if lock exists and is valid
+	var lock SessionLock
+	err := l.db.WithContext(ctx).Where("key = ?", l.key).First(&lock).Error
+	if err == nil {
+		return true, nil
+	}
+	if err == gorm.ErrRecordNotFound {
+		return false, nil
+	}
+	return false, fmt.Errorf("error checking lock: %w", err)
+}
+
+// Refresh refreshes the lock by updating its expiration time
+func (l *Lock) Refresh(ctx context.Context, expiration time.Duration) error {
+	// Verify database connection is healthy
+	if err := l.verifyConnection(ctx); err != nil {
+		return fmt.Errorf("database connection error: %w", err)
+	}
+
+	// Start a transaction to ensure atomicity
+	tx := l.db.WithContext(ctx).Begin()
+	if tx.Error != nil {
+		return fmt.Errorf("error starting transaction: %w", tx.Error)
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			tx.Rollback()
+		}
+	}()
+
+	// First verify we hold the lock
+	var existingLock SessionLock
+	err := tx.Where("key = ? AND expires_at > ?", l.key, time.Now()).First(&existingLock).Error
+	if err != nil {
+		tx.Rollback()
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return sessions.ErrNotLocked
+		}
+		return fmt.Errorf("error checking existing lock: %w", err)
+	}
+
+	// Update lock expiration
+	result := tx.Model(&SessionLock{}).
+		Where("key = ?", l.key).
+		Update("expires_at", time.Now().Add(expiration))
+	if result.Error != nil {
+		tx.Rollback()
+		return fmt.Errorf("error refreshing lock: %w", result.Error)
+	}
+	if result.RowsAffected == 0 {
+		tx.Rollback()
+		return sessions.ErrNotLocked
+	}
+
+	return tx.Commit().Error
+}
+
+// Release releases the lock by deleting the record from the session_lock table
+func (l *Lock) Release(ctx context.Context) error {
+	// Verify database connection is healthy
+	if err := l.verifyConnection(ctx); err != nil {
+		return fmt.Errorf("database connection error: %w", err)
+	}
+
+	// Start a transaction to ensure atomicity
+	tx := l.db.WithContext(ctx).Begin()
+	if tx.Error != nil {
+		return fmt.Errorf("error starting transaction: %w", tx.Error)
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			tx.Rollback()
+		}
+	}()
+
+	// Clean up expired locks
+	if err := tx.Where("expires_at < ?", time.Now()).Delete(&SessionLock{}).Error; err != nil {
+		tx.Rollback()
+		return fmt.Errorf("error cleaning up expired locks: %w", err)
+	}
+
+	// Delete the lock
+	result := tx.Where("key = ?", l.key).Delete(&SessionLock{})
+	if result.Error != nil {
+		tx.Rollback()
+		return fmt.Errorf("error releasing lock: %w", result.Error)
+	}
+	if result.RowsAffected == 0 {
+		tx.Rollback()
+		return sessions.ErrNotLocked
+	}
+
+	return tx.Commit().Error
+}
+
+// verifyConnection checks if the database connection is healthy
+func (l *Lock) verifyConnection(ctx context.Context) error {
+	sqlDB, err := l.db.DB()
+	if err != nil {
+		return fmt.Errorf("error getting database instance: %w", err)
+	}
+	if err := sqlDB.PingContext(ctx); err != nil {
+		return fmt.Errorf("error pinging database: %w", err)
+	}
+	return nil
+}