ARC-1246: Improved In-Memory Stores for Codes and Sessions (#17)

* ARC-1246: Added bounded session and code stores.

* ARC-1246: Remove session onces flow is done.

* ARC-1246: Fix sonar issue

* ARC-1246: Check off task!

Author: thomasrichner-oviva

README.md

@@ -6,9 +6,6 @@ In order of priority:
 - [ ] Health endpoint - sanity check whether Jakarta ws is up should be enough. I.e. `/health`
 - [ ] Dockerfile + CI/CD
 - [ ] Helm chart (externally)
-- [ ] Better in-memory stores. Should have some expiry and size limits.
-    - com.oviva.ehealthid.relyingparty.svc.SessionRepo
-    - com.oviva.ehealthid.relyingparty.svc.CodeRepo
 - [ ] Internationalization (ResourceBundles) for templates (en & de)
   - see [Mustache Library](https://github.com/spullara/mustache.java/blob/main/compiler/src/main/java/com/github/mustachejava/functions/BundleFunctions.java)
 - [ ] Metrics endpoint
@@ -93,18 +90,22 @@ The discovery document can be used to configure the relying party in an existing
 
 Use environment variables to configure the relying party server.
 
-| Name                                    | Description                                                                                                                                      | Example                                                 |
-|-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
-| `EHEALTHID_RP_FEDERATION_ENC_JWKS_PATH` | Path to a JWKS with at least one keypair for encryption of ID tokens.                                                                            | `./enc_jwks.json`                                       |
-| `EHEALTHID_RP_FEDERATION_SIG_JWKS_PATH` | Path to a JWKS with at least one keypair for signature withing the federation. All these keys __MUST__ be registered with the federation master. | `./sig_jwks.json`                                       |
-| `EHEALTHID_RP_REDIRECT_URIS`            | Valid redirection URIs for OpenID connect.                                                                                                       | `https://sso-mydiga.example.com/auth/callback`          |
-| `EHEALTHID_RP_BASE_URI`                 | The external base URI of the relying party. This is also the `issuer` towards the OpenID federation. Additional paths are unsupported for now.   | `https://mydiga-rp.example.com`                         |
-| `EHEALTHID_RP_HOST`                     | Host to bind to.                                                                                                                                 | `0.0.0.0`                                               |
-| `EHEALTHID_RP_PORT`                     | Port to bind to.                                                                                                                                 | `1234`                                                  |
-| `EHEALTHID_RP_FEDERATION_MASTER`        | The URI of the federation master.                                                                                                                | `https://app-test.federationmaster.de`                  |
-| `EHEALTHID_RP_APP_NAME`                 | The application name within the federation.                                                                                                      | `Awesome DiGA`                                          |
-| `EHEALTHID_RP_ES_TTL`                   | The time to live for the entity statement. In ISO8601 format.                                                                                    | `PT12H`                                                 |
-| `EHEALTHID_RP_SCOPES`                   | The comma separated list of scopes requested in the federation. This __MUST__ match what was registered with the federation master.              | `openid,urn:telematik:email,urn:telematik:display_name` |
+| Name                                     | Description                                                                                                                                      | Example                                                 |
+|------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------|
+| `EHEALTHID_RP_FEDERATION_ENC_JWKS_PATH`  | Path to a JWKS with at least one keypair for encryption of ID tokens.                                                                            | `./enc_jwks.json`                                       |
+| `EHEALTHID_RP_FEDERATION_SIG_JWKS_PATH`  | Path to a JWKS with at least one keypair for signature withing the federation. All these keys __MUST__ be registered with the federation master. | `./sig_jwks.json`                                       |
+| `EHEALTHID_RP_REDIRECT_URIS`             | Valid redirection URIs for OpenID connect.                                                                                                       | `https://sso-mydiga.example.com/auth/callback`          |
+| `EHEALTHID_RP_BASE_URI`                  | The external base URI of the relying party. This is also the `issuer` towards the OpenID federation. Additional paths are unsupported for now.   | `https://mydiga-rp.example.com`                         |
+| `EHEALTHID_RP_HOST`                      | Host to bind to.                                                                                                                                 | `0.0.0.0`                                               |
+| `EHEALTHID_RP_PORT`                      | Port to bind to.                                                                                                                                 | `1234`                                                  |
+| `EHEALTHID_RP_FEDERATION_MASTER`         | The URI of the federation master.                                                                                                                | `https://app-test.federationmaster.de`                  |
+| `EHEALTHID_RP_APP_NAME`                  | The application name within the federation.                                                                                                      | `Awesome DiGA`                                          |
+| `EHEALTHID_RP_ES_TTL`                    | The time to live for the entity statement. In ISO8601 format.                                                                                    | `PT12H`                                                 |
+| `EHEALTHID_RP_SCOPES`                    | The comma separated list of scopes requested in the federation. This __MUST__ match what was registered with the federation master.              | `openid,urn:telematik:email,urn:telematik:display_name` |
+| `EHEALTHID_RP_SESSION_STORE_TTL`         | The time to live for sessions. In ISO8601 format.                                                                                                | `PT20M`                                                 |
+| `EHEALTHID_RP_SESSION_STORE_MAX_ENTRIES` | The maximum number of sessions to store. Keeps memory bounded.                                                                                   | `1000`                                                  |
+| `EHEALTHID_RP_CODE_STORE_TTL`            | The time to live for codes, i.e. successful logins where the code is not redeemed yet. In ISO8601 format.                                        | `PT5M`                                                  |
+| `EHEALTHID_RP_CODE_STORE_MAX_ENTRIES`    | The maximum number of codes to store. Keeps memory bounded.                                                                                      | `1000`                                                  |
 
 # Generate Keys & Register for Federation
 

ehealthid-rp/pom.xml

@@ -36,6 +36,12 @@
       <groupId>com.nimbusds</groupId>
       <artifactId>nimbus-jose-jwt</artifactId>
     </dependency>
+    <dependency>
+      <groupId>com.github.ben-manes.caffeine</groupId>
+      <artifactId>caffeine</artifactId>
+    </dependency>
+
+    <!-- BEGIN jackson -->
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
@@ -48,6 +54,7 @@
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
     </dependency>
+    <!-- END jackson -->
 
     <!-- BEGIN jakarta ws -->
     <dependency>
@@ -76,7 +83,6 @@
     <dependency>
       <groupId>net.logstash.logback</groupId>
       <artifactId>logstash-logback-encoder</artifactId>
-      <version>7.4</version>
     </dependency>
     <!-- END logging-->
 

ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/ConfigReader.java

@@ -25,6 +25,12 @@ public class ConfigReader {
   public static final String CONFIG_APP_NAME = "app_name";
   public static final String CONFIG_SCOPES = "scopes";
 
+  public static final String CONFIG_SESSION_STORE_TTL = "session_store_ttl";
+  public static final String CONFIG_SESSION_STORE_MAX_ENTRIES = "session_store_max_entries";
+
+  public static final String CONFIG_CODE_STORE_TTL = "code_store_ttl";
+  public static final String CONFIG_CODE_STORE_MAX_ENTRIES = "code_store_max_entries";
+
   private final ConfigProvider configProvider;
 
   public ConfigReader(ConfigProvider configProvider) {
@@ -78,7 +84,26 @@ public Config read() {
     var relyingPartyConfig =
         new RelyingPartyConfig(supportedResponseTypes, loadAllowedRedirectUrls());
 
-    return new Config(relyingPartyConfig, federationConfig, host, port, baseUri);
+    return new Config(
+        relyingPartyConfig,
+        federationConfig,
+        host,
+        port,
+        baseUri,
+        sessionStoreConfig(),
+        codeStoreConfig());
+  }
+
+  private SessionStoreConfig sessionStoreConfig() {
+    var ttl = getDurationOrDefault(CONFIG_SESSION_STORE_TTL, Duration.ofMinutes(20));
+    var maxEntries = getIntOrDefault(CONFIG_SESSION_STORE_MAX_ENTRIES, 1000);
+    return new SessionStoreConfig(ttl, maxEntries);
+  }
+
+  private CodeStoreConfig codeStoreConfig() {
+    var ttl = getDurationOrDefault(CONFIG_CODE_STORE_TTL, Duration.ofMinutes(5));
+    var maxEntries = getIntOrDefault(CONFIG_CODE_STORE_MAX_ENTRIES, 1000);
+    return new CodeStoreConfig(ttl, maxEntries);
   }
 
   private List<URI> loadAllowedRedirectUrls() {
@@ -88,6 +113,14 @@ private List<URI> loadAllowedRedirectUrls() {
         .toList();
   }
 
+  private Duration getDurationOrDefault(String config, Duration defaultValue) {
+    return configProvider.get(config).map(Duration::parse).orElse(defaultValue);
+  }
+
+  private int getIntOrDefault(String config, int defaultValue) {
+    return configProvider.get(config).map(Integer::parseInt).orElse(defaultValue);
+  }
+
   private List<String> getScopes() {
 
     return configProvider
@@ -127,5 +160,11 @@ public record Config(
       FederationConfig federation,
       String host,
       int port,
-      URI baseUri) {}
+      URI baseUri,
+      SessionStoreConfig sessionStore,
+      CodeStoreConfig codeStoreConfig) {}
+
+  public record SessionStoreConfig(Duration ttl, int maxEntries) {}
+
+  public record CodeStoreConfig(Duration ttl, int maxEntries) {}
 }

ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/Main.java

@@ -1,5 +1,7 @@
 package com.oviva.ehealthid.relyingparty;
 
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
 import com.nimbusds.jose.jwk.JWKSet;
 import com.oviva.ehealthid.auth.AuthenticationFlow;
 import com.oviva.ehealthid.fedclient.FederationMasterClientImpl;
@@ -8,12 +10,19 @@
 import com.oviva.ehealthid.fedclient.api.InMemoryCacheImpl;
 import com.oviva.ehealthid.fedclient.api.JavaHttpClient;
 import com.oviva.ehealthid.fedclient.api.OpenIdClient;
+import com.oviva.ehealthid.relyingparty.ConfigReader.CodeStoreConfig;
+import com.oviva.ehealthid.relyingparty.ConfigReader.SessionStoreConfig;
 import com.oviva.ehealthid.relyingparty.cfg.ConfigProvider;
 import com.oviva.ehealthid.relyingparty.cfg.EnvConfigProvider;
 import com.oviva.ehealthid.relyingparty.poc.GematikHeaderDecoratorHttpClient;
-import com.oviva.ehealthid.relyingparty.svc.InMemoryCodeRepo;
-import com.oviva.ehealthid.relyingparty.svc.InMemorySessionRepo;
+import com.oviva.ehealthid.relyingparty.svc.AfterCreatedExpiry;
+import com.oviva.ehealthid.relyingparty.svc.CaffeineCodeRepo;
+import com.oviva.ehealthid.relyingparty.svc.CaffeineSessionRepo;
+import com.oviva.ehealthid.relyingparty.svc.CodeRepo;
 import com.oviva.ehealthid.relyingparty.svc.KeyStore;
+import com.oviva.ehealthid.relyingparty.svc.SessionRepo;
+import com.oviva.ehealthid.relyingparty.svc.SessionRepo.Session;
+import com.oviva.ehealthid.relyingparty.svc.TokenIssuer.Code;
 import com.oviva.ehealthid.relyingparty.svc.TokenIssuerImpl;
 import com.oviva.ehealthid.relyingparty.ws.App;
 import jakarta.ws.rs.SeBootstrap;
@@ -63,8 +72,9 @@ public void run() throws ExecutionException, InterruptedException {
     var config = configReader.read();
 
     var keyStore = new KeyStore();
-    var tokenIssuer = new TokenIssuerImpl(config.baseUri(), keyStore, new InMemoryCodeRepo());
-    var sessionRepo = new InMemorySessionRepo();
+    var codeRepo = buildCodeRepo(config.codeStoreConfig());
+    var tokenIssuer = new TokenIssuerImpl(config.baseUri(), keyStore, codeRepo);
+    var sessionRepo = buildSessionRepo(config.sessionStore());
 
     var authFlow =
         buildAuthFlow(
@@ -110,4 +120,21 @@ private AuthenticationFlow buildAuthFlow(URI selfIssuer, URI fedmaster, JWKSet e
     return new AuthenticationFlow(
         selfIssuer, fedmasterClient, openIdClient, encJwks::getKeyByKeyId);
   }
+
+  private SessionRepo buildSessionRepo(SessionStoreConfig config) {
+    Cache<String, Session> store = buildCache(config.ttl(), config.maxEntries());
+    return new CaffeineSessionRepo(store, config.ttl());
+  }
+
+  private CodeRepo buildCodeRepo(CodeStoreConfig config) {
+    Cache<String, Code> store = buildCache(config.ttl(), config.maxEntries());
+    return new CaffeineCodeRepo(store);
+  }
+
+  private <T> Cache<String, T> buildCache(Duration ttl, int maxSize) {
+    return Caffeine.newBuilder()
+        .expireAfter(new AfterCreatedExpiry<>(ttl.toNanos()))
+        .maximumSize(maxSize)
+        .build();
+  }
 }

ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/AfterCreatedExpiry.java

@@ -0,0 +1,24 @@
+package com.oviva.ehealthid.relyingparty.svc;
+
+import com.github.benmanes.caffeine.cache.Expiry;
+import org.checkerframework.checker.index.qual.NonNegative;
+
+public record AfterCreatedExpiry<T>(long timeToLiveNanos) implements Expiry<String, T> {
+
+  @Override
+  public long expireAfterCreate(String key, T value, long currentTime) {
+    return timeToLiveNanos;
+  }
+
+  @Override
+  public long expireAfterUpdate(
+      String key, T value, long currentTime, @NonNegative long currentDuration) {
+    return timeToLiveNanos - currentDuration;
+  }
+
+  @Override
+  public long expireAfterRead(
+      String key, T value, long currentTime, @NonNegative long currentDuration) {
+    return timeToLiveNanos - currentDuration;
+  }
+}

ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/CaffeineCodeRepo.java

@@ -0,0 +1,24 @@
+package com.oviva.ehealthid.relyingparty.svc;
+
+import com.github.benmanes.caffeine.cache.Cache;
+import com.oviva.ehealthid.relyingparty.svc.TokenIssuer.Code;
+import java.util.Optional;
+
+public class CaffeineCodeRepo implements CodeRepo {
+
+  private final Cache<String, Code> store;
+
+  public CaffeineCodeRepo(Cache<String, Code> store) {
+    this.store = store;
+  }
+
+  @Override
+  public void save(Code code) {
+    store.put(code.code(), code);
+  }
+
+  @Override
+  public Optional<Code> remove(String code) {
+    return Optional.ofNullable(store.asMap().remove(code));
+  }
+}

ehealthid-rp/src/main/java/com/oviva/ehealthid/relyingparty/svc/CaffeineSessionRepo.java

@@ -0,0 +1,47 @@
+package com.oviva.ehealthid.relyingparty.svc;
+
+import com.github.benmanes.caffeine.cache.Cache;
+import edu.umd.cs.findbugs.annotations.NonNull;
+import edu.umd.cs.findbugs.annotations.Nullable;
+import java.time.Duration;
+import java.time.Instant;
+
+public class CaffeineSessionRepo implements SessionRepo {
+
+  private final Cache<String, Session> store;
+  private final Duration timeToLive;
+
+  public CaffeineSessionRepo(Cache<String, Session> cache, Duration timeToLive) {
+    this.store = cache;
+    this.timeToLive = timeToLive;
+  }
+
+  @Override
+  public void save(@NonNull Session session) {
+    if (session.id() == null) {
+      throw new IllegalArgumentException("session has no ID");
+    }
+
+    store.put(session.id(), session);
+  }
+
+  @Nullable
+  @Override
+  public Session load(@NonNull String sessionId) {
+    var session = store.getIfPresent(sessionId);
+    if (session == null || session.createdAt().plus(timeToLive).isBefore(Instant.now())) {
+      return null;
+    }
+    return session;
+  }
+
+  @Nullable
+  @Override
+  public Session remove(@NonNull String sessionId) {
+    var session = store.asMap().remove(sessionId);
+    if (session == null || session.createdAt().plus(timeToLive).isBefore(Instant.now())) {
+      return null;
+    }
+    return session;
+  }
+}