Fix logic of SELECT FOR UDPDATE to avoid deadlocks

1. download the metadata with a timeout to avoid getting stuck 2. lock the record after completing the download
OCA · May 14, 2024 · ad253fb · ad253fb
1 parent 31441ef
commit ad253fb
Showing 1 changed file with 18 additions and 8 deletions.
diff --git a/auth_saml/models/auth_saml_provider.py b/auth_saml/models/auth_saml_provider.py
@@ -411,21 +411,31 @@ def action_refresh_metadata_from_url(self):
         )
         if not providers:
             return False
+
+        providers_to_update = {}
+        for provider in providers:
+            document = requests.get(provider.idp_metadata_url, timeout=5)
+            if document.status_code != 200:
+                raise UserError(
+                    f"Unable to download the metadata for {provider.name}: {document.reason}"
+                )
+            if document.text != provider.idp_metadata:
+                providers_to_update[provider.id] = document.text
+
         # lock the records we might update, so that multiple simultaneous login
         # attempts will not cause concurrent updates
         self.env.cr.execute(
             "SELECT id FROM auth_saml_provider WHERE id in %s FOR UPDATE",
-            (tuple(providers.ids),),
+            (tuple(providers_to_update.keys()),),
         )
         updated = False
         for provider in providers:
-            document = requests.get(provider.idp_metadata_url)
-            if document.status_code != 200:
-                raise UserError(
-                    f"Unable to download the metadata for {provider.name}: {document.reason}"
+            if provider.id in providers_to_update:
+                provider.idp_metadata = providers_to_update[provider.id]
+                _logger.info(
+                    "Updated metadata for provider %s from %s",
+                    provider.name,
                 )
-            if document.text != provider.idp_metadata:
-                provider.idp_metadata = document.text
-                _logger.info("Updated provider metadata for %s", provider.name)
                 updated = True
+
         return updated