-
Notifications
You must be signed in to change notification settings - Fork 48
/
key_cacher.go
154 lines (132 loc) · 4.08 KB
/
key_cacher.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
package jose
import (
b64 "encoding/base64"
"errors"
"time"
"gopkg.in/square/go-jose.v2"
)
var (
ErrNoKeyFound = errors.New("no Keys have been found")
ErrKeyExpired = errors.New("key exists but is expired")
// Configuring with MaxKeyAgeNoCheck will skip key expiry check
MaxKeyAgeNoCheck = time.Duration(-1)
)
//KeyIDGetter extracts a key id from a JSONWebKey
type KeyIDGetter interface {
Get(*jose.JSONWebKey) string
}
//KeyIDGetterFunc function conforming to the KeyIDGetter interface.
type KeyIDGetterFunc func(*jose.JSONWebKey) string
// Get calls f(r)
func (f KeyIDGetterFunc) Get(key *jose.JSONWebKey) string {
return f(key)
}
//DefaultKeyIDGetter returns the default kid as JSONWebKey key id
func DefaultKeyIDGetter(key *jose.JSONWebKey) string {
return key.KeyID
}
//X5TKeyIDGetter extracts the key id from the jSONWebKey as the x5t
func X5TKeyIDGetter(key *jose.JSONWebKey) string {
return b64.RawURLEncoding.EncodeToString(key.CertificateThumbprintSHA1)
}
//CompoundX5TKeyIDGetter extracts the key id from the jSONWebKey as the a compound string of the kid and the x5t
func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string {
return key.KeyID + X5TKeyIDGetter(key)
}
func KeyIDGetterFactory(keyIdentifyStrategy string) KeyIDGetter {
var supportedKeyIdentifyStrategy = map[string]KeyIDGetterFunc{
"kid": DefaultKeyIDGetter,
"x5t": X5TKeyIDGetter,
"kid_x5t": CompoundX5TKeyIDGetter,
}
if keyGetter, ok := supportedKeyIdentifyStrategy[keyIdentifyStrategy]; ok {
return keyGetter
}
return KeyIDGetterFunc(DefaultKeyIDGetter)
}
type KeyCacher interface {
Get(keyID string) (*jose.JSONWebKey, error)
Add(keyID string, webKeys []jose.JSONWebKey) (*jose.JSONWebKey, error)
}
type MemoryKeyCacher struct {
entries map[string]keyCacherEntry
maxKeyAge time.Duration
maxCacheSize int
keyIDGetter KeyIDGetter
}
type keyCacherEntry struct {
addedAt time.Time
jose.JSONWebKey
}
// NewMemoryKeyCacher creates a new Keycacher interface with option
// to set max age of cached keys and max size of the cache.
func NewMemoryKeyCacher(maxKeyAge time.Duration, maxCacheSize int, keyIdentifyStrategy string) KeyCacher {
return &MemoryKeyCacher{
entries: map[string]keyCacherEntry{},
maxKeyAge: maxKeyAge,
maxCacheSize: maxCacheSize,
keyIDGetter: KeyIDGetterFactory(keyIdentifyStrategy),
}
}
// Get obtains a key from the cache, and checks if the key is expired
func (mkc *MemoryKeyCacher) Get(keyID string) (*jose.JSONWebKey, error) {
searchKey, ok := mkc.entries[keyID]
if ok {
if mkc.maxKeyAge == MaxKeyAgeNoCheck || !mkc.keyIsExpired(keyID) {
return &searchKey.JSONWebKey, nil
}
return nil, ErrKeyExpired
}
return nil, ErrNoKeyFound
}
// Add adds a key into the cache and handles overflow
func (mkc *MemoryKeyCacher) Add(keyID string, downloadedKeys []jose.JSONWebKey) (*jose.JSONWebKey, error) {
var addingKey jose.JSONWebKey
var addingKeyID string
for _, key := range downloadedKeys {
cacheKey := mkc.keyIDGetter.Get(&key)
if cacheKey == keyID {
addingKey = key
addingKeyID = cacheKey
}
if mkc.maxCacheSize == -1 {
mkc.entries[cacheKey] = keyCacherEntry{
addedAt: time.Now(),
JSONWebKey: key,
}
}
}
if addingKey.Key != nil {
if mkc.maxCacheSize != -1 {
mkc.entries[addingKeyID] = keyCacherEntry{
addedAt: time.Now(),
JSONWebKey: addingKey,
}
mkc.handleOverflow()
}
return &addingKey, nil
}
return nil, ErrNoKeyFound
}
// keyIsExpired deletes the key from cache if it is expired
func (mkc *MemoryKeyCacher) keyIsExpired(keyID string) bool {
if time.Now().After(mkc.entries[keyID].addedAt.Add(mkc.maxKeyAge)) {
delete(mkc.entries, keyID)
return true
}
return false
}
// handleOverflow deletes the oldest key from the cache if overflowed
func (mkc *MemoryKeyCacher) handleOverflow() {
if mkc.maxCacheSize < len(mkc.entries) {
var oldestEntryKeyID string
var latestAddedTime = time.Now()
for entryKeyID, entry := range mkc.entries {
if entry.addedAt.Before(latestAddedTime) {
latestAddedTime = entry.addedAt
oldestEntryKeyID = entryKeyID
}
}
delete(mkc.entries, oldestEntryKeyID)
}
}