feat(oci/auth): session-token disk reload + last_refresh_error observability (v0.2.0b14)#209
Merged
Merged
Conversation
…ability Closes two gaps surfaced by an audit against oci-genai-auth-python: 1. SecurityTokenSigner is immutable, so locus had no path to recover from an out-of-band 'oci session refresh' on the security_token_file. _refresh_callable_for now accepts profile/config_file and, for session-token signers, returns a closure that re-reads the file from disk and yields a fresh signer. OCIRequestSigner._do_refresh detects the returned signer and swaps it in. Both OCIOpenAIModel and OCIResponsesModel plumb the args through. 2. _do_refresh used to swallow exceptions silently. OCIRequestSigner now exposes last_refresh_error (None on success, the Exception on failure) and emits a structured log line on each refresh outcome. Backwards-compatible: existing in-place refreshers (instance/resource principal refresh_security_token returns None) continue to work unchanged. Tests: 9 new unit cases covering both gaps and the guard paths. Signed-off-by: Federico Kamelhar <federico.kamelhar@oracle.com>
oracle-contributor-agreement
Bot
added
the
OCA Verified
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Audit-driven follow-up to b13. Closes two gaps against the
oci-genai-authreference (oracle-samples/oci-genai-auth-python).Why
Session-token profiles (the
~/.oci/configshape withsecurity_token_file = ...) are the standard laptop-dev auth mode.SecurityTokenSignerfrom the OCI SDK is immutable, so after b13's periodic refresh wiring landed, session-token signers were still effectively static: whenoci session refreshrotated the file out-of-band, the next request still used the original captured token and 401'd until the process restarted.The other gap: when refresh fails (DNS hiccup, metadata-service flake, file race), the wrapper swallowed the exception silently. Operators had no way to spot "this pod has been failing every refresh attempt for the last 30 minutes and is one 401 away from going dark."
What changed
_refresh_callable_for(signer, *, profile=..., config_file=...)inopenai_compat.pynow, for aSecurityTokenSigner, returns a closure that re-readssecurity_token_filefrom disk and yields a fresh signer.OCIRequestSigner._do_refreshdetects the returned signer (viahasattr(result, "do_request_sign")) and swapsself._signerto it. BothOCIOpenAIModelandOCIResponsesModelplumb the new args through.last_refresh_errorobservability. Exposed publicly onOCIRequestSigner; reset toNoneon every successful refresh; structured log emit (warningon failure,debugon success) so pod logs show the refresh outcome.refresh_security_token) still work, since they typically returnNone.Test plan
test_oci_signer_refresh_observability.py— covering the newlast_refresh_errorattribute, both refresh-callback return-value shapes, in-place-mutation backward compat, end-to-end session-token disk round-trip with a temp keypair, and the guard paths that disable refresh when profile context is missing.SecurityTokenSignerbuilt from a tempfile, file rotated, refresh callable produces a fresh signer carrying the new token.Ships as
v0.2.0b14. CHANGELOG entry under that heading.