Merge pull request #4 from stackkit/bugfix/cert-cache

Fix cert caching

Author: marickvantuil

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## 1.0.1 - 2020-12-07
+
+**Fixed**
+
+- Fixed certificates cached too long
+
 ## 1.0.0 - 2020-10-11
 
 **Added**

composer.json

@@ -11,8 +11,7 @@
         "ext-json": "*",
         "google/cloud-scheduler": "^1.4",
         "firebase/php-jwt": "^5.2",
-        "phpseclib/phpseclib": "~2.0",
-        "laravel/framework": "8.*"
+        "phpseclib/phpseclib": "~2.0"
     },
     "require-dev": {
         "mockery/mockery": "^1.2",

phpunit.xml

@@ -18,7 +18,7 @@
         <env name="APP_DEBUG" value="1"/>
         <env name="APP_ENV" value="testing"/>
         <env name="APP_KEY" value="AckfSECXIvnK5r28GVIWUAxmbBSjTsmF"/>
-        <env name="CACHE_DRIVER" value="array"/>
+        <env name="CACHE_DRIVER" value="file"/>
         <env name="SESSION_DRIVER" value="array"/>
         <env name="MAIL_DRIVER" value="log"/>
     </php>

src/OpenIdVerificator.php

@@ -2,7 +2,9 @@
 
 namespace Stackkit\LaravelGoogleCloudScheduler;
 
+use Carbon\Carbon;
 use Firebase\JWT\JWT;
+use Firebase\JWT\SignatureInvalidException;
 use GuzzleHttp\Client;
 use Illuminate\Support\Arr;
 use Illuminate\Support\Facades\Cache;
@@ -19,6 +21,7 @@ class OpenIdVerificator
     private $guzzle;
     private $rsa;
     private $jwt;
+    private $maxAge = [];
 
     public function __construct(Client $guzzle, RSA $rsa, JWT $jwt)
     {
@@ -32,7 +35,6 @@ public function guardAgainstInvalidOpenIdToken($decodedToken)
         /**
          * https://developers.google.com/identity/protocols/oauth2/openid-connect#validatinganidtoken
          */
-
         if (!in_array($decodedToken->iss, ['https://accounts.google.com', 'accounts.google.com'])) {
             throw new CloudSchedulerException('The given OpenID token is not valid');
         }
@@ -46,30 +48,40 @@ public function guardAgainstInvalidOpenIdToken($decodedToken)
         }
     }
 
-    public function decodeToken($token)
+    public function decodeOpenIdToken($openIdToken, $kid, $cache = true)
     {
+        if (!$cache) {
+            $this->forgetFromCache();
+        }
+
+        $publicKey = $this->getPublicKey($kid);
+
         try {
-            $kid = $this->getKidFromOpenIdToken($token);
-            $publicKey = $this->getPublicKey($kid);
+            return $this->jwt->decode($openIdToken, $publicKey, ['RS256']);
+        } catch (SignatureInvalidException $e) {
+            if (!$cache) {
+                throw $e;
+            }
 
-            return $this->jwt->decode($token, $publicKey, ['RS256']);
-        } catch (Throwable $e) {
-            throw new CloudSchedulerException('Could not decode token');
+            return $this->decodeOpenIdToken($openIdToken, $kid, false);
         }
     }
 
     public function getPublicKey($kid = null)
     {
-        $v3Certs = Cache::rememberForever(self::V3_CERTS, function () {
-            return $this->getv3Certs();
-        });
+        if (Cache::has(self::V3_CERTS)) {
+            $v3Certs = Cache::get(self::V3_CERTS);
+        } else {
+            $v3Certs = $this->getFreshCertificates();
+            Cache::put(self::V3_CERTS, $v3Certs, Carbon::now()->addSeconds($this->maxAge[self::URL_OPENID_CONFIG]));
+        }
 
         $cert = $kid ? collect($v3Certs)->firstWhere('kid', '=', $kid) : $v3Certs[0];
 
         return $this->extractPublicKeyFromCertificate($cert);
     }
 
-    private function getv3Certs()
+    private function getFreshCertificates()
     {
         $jwksUri =  $this->callApiAndReturnValue(self::URL_OPENID_CONFIG, 'jwks_uri');
 
@@ -97,11 +109,24 @@ private function callApiAndReturnValue($url, $value)
 
         $data = json_decode($response->getBody(), true);
 
+        $maxAge = 0;
+        foreach ($response->getHeader('Cache-Control') as $line) {
+            preg_match('/max-age=(\d+)/', $line, $matches);
+            $maxAge = isset($matches[1]) ? (int) $matches[1] : 0;
+        }
+
+        $this->maxAge[$url] = $maxAge;
+
         return Arr::get($data, $value);
     }
 
     public function isCached()
     {
         return Cache::has(self::V3_CERTS);
     }
+
+    public function forgetFromCache()
+    {
+        Cache::forget(self::V3_CERTS);
+    }
 }

src/TaskHandler.php

@@ -58,7 +58,9 @@ private function authorizeRequest()
 
         $openIdToken = $this->request->bearerToken();
 
-        $decodedToken = $this->openId->decodeToken($openIdToken);
+        $kid = $this->openId->getKidFromOpenIdToken($openIdToken);
+
+        $decodedToken = $this->openId->decodeOpenIdToken($openIdToken, $kid);
 
         $this->openId->guardAgainstInvalidOpenIdToken($decodedToken);
     }

tests/GooglePublicKeyTest.php

@@ -0,0 +1,90 @@
+<?php
+
+namespace Tests;
+
+use Carbon\Carbon;
+use Firebase\JWT\JWT;
+use GuzzleHttp\Client;
+use Illuminate\Cache\Events\CacheHit;
+use Illuminate\Cache\Events\CacheMissed;
+use Illuminate\Cache\Events\KeyWritten;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Event;
+use Mockery;
+use phpseclib\Crypt\RSA;
+use Stackkit\LaravelGoogleCloudScheduler\OpenIdVerificator;
+
+class GooglePublicKeyTest extends TestCase
+{
+    /**
+     * @var OpenIdVerificator
+     */
+    private $publicKey;
+
+    /**
+     * @var Client
+     */
+    private $guzzle;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->guzzle = Mockery::mock(new Client());
+
+        $this->publicKey = new OpenIdVerificator($this->guzzle, new RSA(), new JWT());
+    }
+
+    /** @test */
+    public function it_fetches_the_gcloud_public_key()
+    {
+        $this->assertStringContainsString('-----BEGIN PUBLIC KEY-----', $this->publicKey->getPublicKey());
+    }
+
+    /** @test */
+    public function it_caches_the_gcloud_public_key()
+    {
+        $this->assertFalse($this->publicKey->isCached());
+
+        $this->publicKey->getPublicKey();
+
+        $this->assertTrue($this->publicKey->isCached());
+    }
+
+    /** @test */
+    public function it_will_return_the_cached_gcloud_public_key()
+    {
+        Event::fake();
+
+        $this->publicKey->getPublicKey();
+
+        Event::assertDispatched(CacheMissed::class);
+        Event::assertDispatched(KeyWritten::class);
+
+        $this->publicKey->getPublicKey();
+
+        Event::assertDispatched(CacheHit::class);
+
+        $this->guzzle->shouldHaveReceived('get')->twice();
+    }
+
+    /** @test */
+    public function public_key_is_cached_according_to_cache_control_headers()
+    {
+        Event::fake();
+
+        $this->publicKey->getPublicKey();
+
+        $this->publicKey->getPublicKey();
+
+        Carbon::setTestNow(Carbon::now()->addSeconds(3600));
+        $this->publicKey->getPublicKey();
+
+        Carbon::setTestNow(Carbon::now()->addSeconds(5));
+        $this->publicKey->getPublicKey();
+
+        Event::assertDispatched(CacheMissed::class, 2);
+        Event::assertDispatched(KeyWritten::class, 2);
+
+    }
+}