Merge pull request #4160 from mercedes-benz/feature-4159-handle-token-cache-in-cluster

Feature 4159 handle token cache in cluster

Author: de-jcup

sechub-administration/src/test/java/com/mercedesbenz/sechub/domain/administration/TestAdministrationSecurityConfiguration.java

@@ -10,6 +10,7 @@
 
 import com.mercedesbenz.sechub.commons.core.shutdown.ApplicationShutdownHandler;
 import com.mercedesbenz.sechub.sharedkernel.security.SecHubSecurityConfiguration;
+import com.mercedesbenz.sechub.spring.security.OAuth2OpaqueTokenIntrospectionResponseCryptoAccessProvider;
 
 @Configuration
 @Import(SecHubSecurityConfiguration.class)
@@ -24,4 +25,9 @@ RestTemplate restTemplate() {
     ApplicationShutdownHandler applicationShutdownHandler() {
         return mock();
     }
+
+    @Bean
+    OAuth2OpaqueTokenIntrospectionResponseCryptoAccessProvider cryptoAccessProvider() {
+        return mock();
+    }
 }

sechub-commons-core/src/main/java/com/mercedesbenz/sechub/commons/core/cache/CacheData.java

@@ -0,0 +1,79 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.commons.core.cache;
+
+import static java.util.Objects.*;
+
+import java.io.Serializable;
+import java.time.Duration;
+import java.time.Instant;
+
+import javax.crypto.SealedObject;
+
+import com.mercedesbenz.sechub.commons.core.security.CryptoAccess;
+import com.mercedesbenz.sechub.commons.core.security.CryptoAccessProvider;
+
+/**
+ * Represents the data stored in the cache under a specific key.
+ *
+ * <p>
+ * The cached data can be any serializable object. If cryptoAccess provider is
+ * not null, the value is securely sealed using a {@link CryptoAccess} instance
+ * of type otherwise the value be stored directly. <code>T</code>.
+ * </p>
+ */
+public class CacheData<T extends Serializable> {
+
+    private final CryptoAccessProvider<T> cryptoAccessProvider;
+    private final SealedObject sealedValue;
+    private final Duration duration;
+    private final T value;
+    private final Instant createdAt;
+
+    /**
+     * Creates a cache data object. If crypto access provider is not null, a sealed
+     * value will be used, otherwise the plain value will be stored directly in
+     * memory.
+     *
+     * @param value                value
+     * @param duration             duration
+     * @param cryptoAccessProvider crypto access provider
+     * @param createdAt            creation time of cache entry, normally
+     *                             Instant.now() except when the cache element is
+     *                             restored from somewhere else.
+     */
+    public CacheData(T value, Duration duration, CryptoAccessProvider<T> cryptoAccessProvider, Instant createdAt) {
+
+        requireNonNull(value, "Property 'value' must not be null");
+
+        this.createdAt = createdAt != null ? createdAt : Instant.now();
+        this.cryptoAccessProvider = cryptoAccessProvider;
+
+        if (cryptoAccessProvider == null) {
+            this.value = value;
+            this.sealedValue = null;
+        } else {
+            this.value = null;
+            this.sealedValue = cryptoAccessProvider.getCryptoAccess().seal(value);
+        }
+        this.duration = requireNonNull(duration, "Property 'duration' must not be null");
+    }
+
+    public boolean isSealed() {
+        return sealedValue != null;
+    }
+
+    public T getValue() {
+        if (cryptoAccessProvider == null) {
+            return value;
+        }
+        return cryptoAccessProvider.getCryptoAccess().unseal(sealedValue);
+    }
+
+    public Duration getDuration() {
+        return duration;
+    }
+
+    public Instant getCreatedAt() {
+        return createdAt;
+    }
+}

sechub-commons-core/src/main/java/com/mercedesbenz/sechub/commons/core/cache/CachePersistence.java

@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.commons.core.cache;
+
+import java.io.Serializable;
+import java.time.Instant;
+
+public interface CachePersistence<T extends Serializable> {
+
+    /**
+     * Updates or creates a cache entry
+     *
+     * @param key       the key for the cache entry
+     * @param cacheData cache data containing
+     */
+    void put(String key, CacheData<T> cacheData);
+
+    /**
+     * Fetch cache entry for given key
+     *
+     * @param key key to identify value
+     * @return cache data or <code>null</code> if not available
+     */
+    CacheData<T> get(String key);
+
+    /**
+     * Remove entry from cache
+     *
+     * @param key key to identify value
+     */
+    void remove(String key);
+
+    /**
+     * Removes all outdated entries from cache
+     *
+     * @param now an instant representing now
+     */
+    void removeOutdated(Instant now);
+
+}

sechub-commons-core/src/main/java/com/mercedesbenz/sechub/commons/core/cache/InMemoryCachePersistence.java

@@ -0,0 +1,49 @@
+// SPDX-License-Identifier: MIT
+package com.mercedesbenz.sechub.commons.core.cache;
+
+import java.io.Serializable;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Map;
+import java.util.concurrent.ConcurrentHashMap;
+
+/**
+ * <b>Note:</b> This cache persistence is local to a single application instance
+ * and is not shared across multiple instances. Avoid using it in scenarios
+ * where a distributed caching mechanism is required.
+ *
+ * @param <T>
+ */
+public class InMemoryCachePersistence<T extends Serializable> implements CachePersistence<T> {
+
+    private final Map<String, CacheData<T>> cacheMap = new ConcurrentHashMap<>();
+
+    @Override
+    public void remove(String key) {
+        cacheMap.remove(key);
+    }
+
+    @Override
+    public void put(String key, CacheData<T> cacheData) {
+        cacheMap.put(key, cacheData);
+    }
+
+    @Override
+    public CacheData<T> get(String key) {
+        return cacheMap.get(key);
+    }
+
+    @Override
+    public void removeOutdated(Instant now) {
+        cacheMap.forEach((key, value) -> {
+            Instant cacheDataCreatedAt = value.getCreatedAt();
+            Duration cacheDataDuration = value.getDuration();
+
+            if (cacheDataCreatedAt.plus(cacheDataDuration).isBefore(now)) {
+                cacheMap.remove(key);
+            }
+        });
+
+    }
+
+}

sechub-commons-core/src/main/java/com/mercedesbenz/sechub/commons/core/cache/InMemoryCache.java renamed to sechub-commons-core/src/main/java/com/mercedesbenz/sechub/commons/core/cache/SelfCleaningCache.java

@@ -1,20 +1,20 @@
 // SPDX-License-Identifier: MIT
 package com.mercedesbenz.sechub.commons.core.cache;
 
-import static java.util.Objects.requireNonNull;
+import static java.util.Objects.*;
 
 import java.io.Serializable;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.Optional;
-import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.ScheduledFuture;
 import java.util.concurrent.TimeUnit;
 
-import javax.crypto.SealedObject;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
-import com.mercedesbenz.sechub.commons.core.security.CryptoAccess;
+import com.mercedesbenz.sechub.commons.core.security.CryptoAccessProvider;
 import com.mercedesbenz.sechub.commons.core.shutdown.ApplicationShutdownHandler;
 import com.mercedesbenz.sechub.commons.core.shutdown.ShutdownListener;
 
@@ -23,47 +23,44 @@
  * caching mechanism for generic data.
  *
  * <p>
- * It uses a {@link ConcurrentHashMap} to store data and a scheduled task to
+ * It uses a {@link CachePersistence} to store data and a scheduled task to
  * clear expired entries periodically. By default, the cache cleanup runs every
  * minute with an initial delay of 1 minute. These values can be customized via
  * the constructor.
  * </p>
  *
- * <p>
- * <b>Note:</b> This cache is local to a single application instance and is not
- * shared across multiple instances. Avoid using it in scenarios where a
- * distributed caching mechanism is required.
- * </p>
- *
  * @param <T> the type of data stored in the cache (must be of type
  *            {@link Serializable})
  *
- * @author hamidonos
+ * @author hamidonos, de-jcup
  */
-public class InMemoryCache<T extends Serializable> implements ShutdownListener {
+public class SelfCleaningCache<T extends Serializable> implements ShutdownListener {
 
-    private static final Duration DEFAULT_CACHE_CLEAR_JOB_PERIOD = Duration.ofMinutes(1);
+    private static final Logger logger = LoggerFactory.getLogger(SelfCleaningCache.class);
 
-    private final ConcurrentHashMap<String, CacheData> cacheMap = new ConcurrentHashMap<>();
+    private final String cacheName;
     private final ScheduledExecutorService scheduledExecutorService;
-    private final CryptoAccess<T> cryptoAccess = new CryptoAccess<>();
     private final ScheduledFuture<?> cacheClearJob;
     private final Duration cacheClearJobPeriod;
-
-    public InMemoryCache(ScheduledExecutorService scheduledExecutorService, ApplicationShutdownHandler applicationShutdownHandler) {
-        this(DEFAULT_CACHE_CLEAR_JOB_PERIOD, scheduledExecutorService, applicationShutdownHandler);
-    }
+    private final CachePersistence<T> cachePersistence;
+    private final CryptoAccessProvider<T> cryptoAccessProvider;
 
     /* @formatter:off */
-    public InMemoryCache(Duration cacheClearJobPeriod,
+    public SelfCleaningCache(String cacheName, CachePersistence<T> cachePersistence, Duration cacheClearJobPeriod,
                          ScheduledExecutorService scheduledExecutorService,
-                         ApplicationShutdownHandler applicationShutdownHandler) {
+                         ApplicationShutdownHandler applicationShutdownHandler, CryptoAccessProvider<T> cryptoAccessProvider) {
         /* @formatter:on */
+        this.cacheName = requireNonNull(cacheName, "Parameter 'cacheName' must not be null");
+        this.cachePersistence = requireNonNull(cachePersistence, "Parameter 'cachePersistence' must not be null");
         this.scheduledExecutorService = requireNonNull(scheduledExecutorService, "Property 'scheduledExecutorService' must not be null");
         this.cacheClearJobPeriod = requireNonNull(cacheClearJobPeriod, "Property 'cacheClearJobPeriod' must not be null");
+        this.cryptoAccessProvider = cryptoAccessProvider;
+
         cacheClearJob = scheduleClearCacheJob();
+
         requireNonNull(applicationShutdownHandler, "Property 'applicationShutdownHandler' must not be null");
         applicationShutdownHandler.register(this);
+
     }
 
     /**
@@ -81,7 +78,11 @@ public InMemoryCache(Duration cacheClearJobPeriod,
      */
     public void put(String key, T value, Duration duration) {
         requireNonNull(key, "Argument 'key' must not be null");
-        cacheMap.put(key, new CacheData(value, duration));
+        if (logger.isTraceEnabled()) {
+            logger.trace("Cache:{} - Put to persistence ({}): key={}, duration={}, value= {}", cacheName, cachePersistence.getClass().getSimpleName(), key,
+                    duration, value);
+        }
+        cachePersistence.put(key, new CacheData<T>(value, duration, cryptoAccessProvider, Instant.now()));
     }
 
     /**
@@ -98,12 +99,18 @@ public void put(String key, T value, Duration duration) {
     public Optional<T> get(String key) {
         requireNonNull(key, "Argument 'key' must not be null");
 
-        CacheData cacheData = cacheMap.get(key);
+        CacheData<T> cacheData = cachePersistence.get(key);
 
         if (cacheData == null) {
+            if (logger.isTraceEnabled()) {
+                logger.trace("Cache:{} - Get: key={} - not found", cacheName, key);
+            }
             return Optional.empty();
         }
 
+        if (logger.isTraceEnabled()) {
+            logger.trace("Cache:{} - Get: key={} - found", cacheName, key);
+        }
         return Optional.of(cacheData.getValue());
     }
 
@@ -115,7 +122,11 @@ public Optional<T> get(String key) {
      * @throws NullPointerException if the specified key is null
      */
     public void remove(String key) {
-        cacheMap.remove(key);
+        requireNonNull(key, "key must not be null!");
+        if (logger.isTraceEnabled()) {
+            logger.trace("Cache:{} - Remove: key={}", cacheName, key);
+        }
+        cachePersistence.remove(key);
     }
 
     public Duration getCacheClearJobPeriod() {
@@ -139,49 +150,10 @@ private ScheduledFuture<?> scheduleClearCacheJob() {
     }
 
     private void clearCache() {
-        Instant now = Instant.now();
-
-        cacheMap.forEach((key, value) -> {
-            Instant cacheDataCreatedAt = value.getCreatedAt();
-            Duration cacheDataDuration = value.getDuration();
-
-            if (cacheDataCreatedAt.plus(cacheDataDuration).isBefore(now)) {
-                cacheMap.remove(key);
-            }
-        });
-    }
-
-    /**
-     * Represents the data stored in the cache under a specific key.
-     *
-     * <p>
-     * The cached data can be any serializable object. It is securely sealed using a
-     * {@link CryptoAccess} instance of type <code>T</code>.
-     * </p>
-     */
-    private class CacheData {
-
-        private final SealedObject sealedValue;
-        private final Duration duration;
-        private final Instant createdAt = Instant.now();
-
-        public CacheData(T value, Duration duration) {
-            requireNonNull(value, "Property 'value' must not be null");
-            this.sealedValue = InMemoryCache.this.cryptoAccess.seal(value);
-            this.duration = requireNonNull(duration, "Property 'duration' must not be null");
-        }
-
-        public T getValue() {
-            return cryptoAccess.unseal(sealedValue);
-        }
-
-        public Duration getDuration() {
-            return duration;
-        }
-
-        public Instant getCreatedAt() {
-            return createdAt;
+        if (logger.isTraceEnabled()) {
+            logger.trace("Cache:{} - clear cache", cacheName);
         }
+        cachePersistence.removeOutdated(Instant.now());
     }
 
 }

sechub-commons-core/src/main/java/com/mercedesbenz/sechub/commons/core/security/CryptoAccess.java

@@ -10,10 +10,14 @@
 import javax.crypto.SecretKey;
 
 /**
- * Represents a common possibility to encrypt data. The secret key of an
- * instance can unseal and seal objects for example. Be aware: Every crypto
- * access object has its own secret key inside! So you need to use the same
- * crypto access object for you operations...
+ * Represents a common possibility to encrypt data inside ONE JVM. The secret
+ * key of an instance can unseal and seal objects for example. Be aware: Every
+ * crypto access object has its own secret key inside! So you need to use the
+ * same crypto access object for you operations...
+ *
+ * NOTE: If you want to persist or share an object in a encrypted way you have
+ * to use other ways! This class is only meant to ensure that memory dumps do
+ * not reveal object data.
  *
  * @author Albert Tregnaghi
  *