pomerium / pomerium / 21760916942

44%

Build Type

push

github

Committed by web-flow

Commit Message

fix(grpc): deadlock in CachedOutboundGRPClientConn.Get() on config change (#6101)

## Summary

`CachedOutboundGRPClientConn.Get()` deadlocks when called a second time
with
different options but the same (still-alive) context.

The bug was introduced in #6078. When `Get()` needs to replace an
existing
connection, it calls `stopCleanup()` (the return value of
`context.AfterFunc`)
to cancel the scheduled cleanup. If the original context is still alive,
`stopCleanup()` succeeds — meaning the AfterFunc will never fire and
`close(done)` never happens. The subsequent `<-cache.done` then blocks
forever.

This deadlocks the authorize service on the first config change after
startup,
because `newAuthorizeStateFromConfig` is called with the long-lived app
context
from both `New()` and `OnConfigChange()`. The deadlock prevents
`a.ssh.OnConfigChange(cfg)` from executing, so the SSH policy indexer
never
receives config updates with tunnel route policies — resulting in empty
authorized routes in the SSH TUI.

**Fix:** check the return value of `stopCleanup()`: if `true` (AfterFunc
was
prevented from running), close the connection directly; if `false`
(AfterFunc
already started), wait for it to finish.

## Related issues

- #6078

## User Explanation

Fixes a bug where SSH tunnel routes would not appear in the TUI after
upgrading
to a version containing #6078. The authorize service would silently
deadlock on
the first configuration change, preventing route policy updates from
reaching
the SSH subsystem.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

Run Details

7 of 7 new or added lines in 1 file covered. (100.0%)

9 existing lines in 3 files now uncovered.

31544 of 70823 relevant lines covered (44.54%)

115.36 hits per line