crl provider: Static and FileWatcher provider implementations

security/advancedtls/crl.go

@@ -103,15 +103,15 @@ type CRL struct {
 func NewCRL(b []byte) (*CRL, error) {
 	crl, err := parseRevocationList(b)
 	if err != nil {
-		return nil, fmt.Errorf("parseCrl() failed err = %v", err)
+		return nil, fmt.Errorf("fail to parse CRL: %v", err)
 	}
 	crlExt, err := parseCRLExtensions(crl)
 	if err != nil {
-		return nil, fmt.Errorf("parseCRLExtensions() failed err = %v", err)
+		return nil, fmt.Errorf("fail to parse CRL extensions: %v", err)
 	}
 	crlExt.rawIssuer, err = extractCRLIssuer(b)
 	if err != nil {
-		return nil, fmt.Errorf("extractCRLIssuer() failed err= %v", err)
+		return nil, fmt.Errorf("fail to extract CRL issuer failed err= %v", err)
 	}
 	return crlExt, nil
 }
@@ -121,11 +121,11 @@ func NewCRL(b []byte) (*CRL, error) {
 func ReadCRLFile(path string) (*CRL, error) {
 	b, err := os.ReadFile(path)
 	if err != nil {
-		return nil, fmt.Errorf("readFile(%v) failed err = %v", path, err)
+		return nil, fmt.Errorf("cannot read file from provided path %q: %v", path, err)
 	}
 	crl, err := NewCRL(b)
 	if err != nil {
-		return nil, fmt.Errorf("ReadCRLFile(%v) failed err = %v", path, err)
+		return nil, fmt.Errorf("cannot construct CRL from file %q: %v", path, err)
 	}
 	return crl, nil
 }

security/advancedtls/crl_provider.go

@@ -27,6 +27,7 @@ import (
 )
 
 const defaultCRLRefreshDuration = 1 * time.Hour
+const minCRLRefreshDuration = 1 * time.Minute
 
 // CRLProvider is the interface to be implemented to enable custom CRL provider
 // behavior, as defined in [gRFC A69].
@@ -115,13 +116,11 @@ func NewFileWatcherCRLProvider(o FileWatcherOptions) (*FileWatcherCRLProvider, e
 	if err := o.validate(); err != nil {
 		return nil, err
 	}
-	done := make(chan struct{})
-	stop := make(chan struct{})
 	provider := &FileWatcherCRLProvider{
 		crls: make(map[string]*CRL),
 		opts: o,
-		stop: stop,
-		done: done,
+		stop: make(chan struct{}),
+		done: make(chan struct{}),
 	}
 	go provider.run()
 	return provider, nil
@@ -136,9 +135,13 @@ func (o *FileWatcherOptions) validate() error {
 		return fmt.Errorf("advancedtls: CRLDirectory %v is not readable: %v", o.CRLDirectory, err)
 	}
 	// Checks related to RefreshDuration.
-	if o.RefreshDuration < time.Minute {
+	if o.RefreshDuration <= 0 {
+		grpclogLogger.Warningf("RefreshDuration is not set or negative: provided value %v, default value %v will be used.", o.RefreshDuration, defaultCRLRefreshDuration)
 		o.RefreshDuration = defaultCRLRefreshDuration
-		grpclogLogger.Warningf("RefreshDuration must be larger than 1 minute: provided value %v, default value %v will be used.", o.RefreshDuration, defaultCRLRefreshDuration)
+	}
+	if o.RefreshDuration < minCRLRefreshDuration {
+		grpclogLogger.Warningf("RefreshDuration must be at least 1 minute: provided value %v, minimum value %v will be used.", o.RefreshDuration, minCRLRefreshDuration)
+		o.RefreshDuration = minCRLRefreshDuration
 	}
 	return nil
 }

security/advancedtls/crl_provider_test.go

@@ -101,9 +101,20 @@ func (s) TestFileWatcherCRLProviderConfig(t *testing.T) {
 		t.Fatal("Unexpected error:", err)
 	}
 	if defaultProvider.opts.RefreshDuration != defaultCRLRefreshDuration {
-		t.Fatalf("RefreshDuration is not properly updated by validate() func")
+		t.Fatalf("RefreshDuration for defaultCRLRefreshDuration case is not properly updated by validate() func")
 	}
 	defaultProvider.Close()
+	tooFastRefreshProvider, err := NewFileWatcherCRLProvider(FileWatcherOptions{
+		CRLDirectory:    testdata.Path("crl"),
+		RefreshDuration: 5 * time.Second,
+	})
+	if err != nil {
+		t.Fatal("Unexpected error:", err)
+	}
+	if tooFastRefreshProvider.opts.RefreshDuration != minCRLRefreshDuration {
+		t.Fatalf("RefreshDuration for minCRLRefreshDuration case is not properly updated by validate() func")
+	}
+	tooFastRefreshProvider.Close()
 
 	customCallback := func(err error) {
 		fmt.Printf("Custom error message: %v", err)