Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Invalid Tokens from cache when found #1333

Merged
merged 7 commits into from
Sep 16, 2024
Merged

Remove Invalid Tokens from cache when found #1333

merged 7 commits into from
Sep 16, 2024

Conversation

saquino0827
Copy link
Contributor

@saquino0827 saquino0827 commented Sep 13, 2024
edited by luis-pabon-tf
Loading

Description

  • Uncache our TI token if an InvalidToken is caught and found.

Issue

#1326

Checklist

  • I have added tests to cover my changes
  • I have added logging where useful (with appropriate log level)
  • I have added JavaDocs where required
  • I have updated the documentation accordingly

Note: You may remove items that are not applicable

jcrichlake
jcrichlake reviewed Sep 16, 2024
View reviewed changes
app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java
@Inject private Secrets secrets;
@Inject private Logger logger;

String ourPublicKey = "trusted-intermediary-public-key-" + ApplicationContext.getEnvironment();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we want this public key name hardcoded here? And if so do we need a #pragma allow secret

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It previously existed, but I moved it to a higher level so it's accessible in tests. I can add the #pragma allow secrets if we want but I also don't think it got flagged before as a secret.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool

luis-pabon-tf
luis-pabon-tf reviewed Sep 16, 2024
View reviewed changes
app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java
@@ -21,10 +21,12 @@ public class AuthRequestValidator {
private static final AuthRequestValidator INSTANCE = new AuthRequestValidator();

@Inject private AuthEngine jwtEngine;
@Inject private Cache keyCache;
@Inject Cache keyCache;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems this is the only inject we actually use in this class. Would a small doc be good?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you sure? I see jwtEngine, secrets, and logger being used below.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some extra comments on the class. I think all the injects are used unless I'm misunderstanding what you mean.

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
75.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

pluckyswan
pluckyswan reviewed Sep 16, 2024
View reviewed changes
Copy link
Contributor

@pluckyswan pluckyswan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Checklist needs to be updated (remove items or check them off)

@saquino0827 saquino0827 merged commit 2ef6e94 into main Sep 16, 2024
16 checks passed
@saquino0827 saquino0827 deleted the story/1326/no-cache-bad-key branch September 16, 2024 15:53
@somesylvie
Copy link
Contributor

/review

@github-actions GitHub Actions
Copy link

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅

1326 - Fully compliant

Fully compliant requirements:

  • Update TI service's caching system to remove cached token when an Invalid Token is caught.
⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Token Removal Logic
Ensure that the logic for removing tokens from cache upon catching an InvalidTokenException is correctly implemented and tested.

github-actions[bot]
github-actions bot reviewed Oct 15, 2024
View reviewed changes
app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java
@@ -49,12 +52,12 @@ public boolean isValidAuthenticatedRequest(DomainRequest request)
return true;
} catch (InvalidTokenException e) {
logger.logError("Invalid bearer token!", e);
this.keyCache.remove(ourPublicKey);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Consider adding a log statement before removing the key from the cache to aid in debugging and operational monitoring. [important]

@somesylvie
Copy link
Contributor

/describe

@github-actions GitHub Actions
Copy link

Title

Remove Invalid Tokens from cache when found

User description

Description

  • Uncache our TI token if an InvalidToken is caught and found.

Issue

#1326

Checklist

  • I have added tests to cover my changes
  • I have added logging where useful (with appropriate log level)
  • I have added JavaDocs where required
  • I have updated the documentation accordingly

Note: You may remove items that are not applicable

PR Type

bug_fix, enhancement

Description

  • Implemented functionality to remove invalid tokens from the cache in AuthRequestValidator.
  • Added unit tests to verify that invalid tokens are correctly removed from the cache.
  • Introduced a remove method in KeyCache and updated the Cache interface to support this functionality.

Changes walkthrough 📝

Relevant files
Tests
AuthRequestValidatorTest.groovy
Update Unit Tests for AuthRequestValidator to Reflect Cache Changes

app/src/test/groovy/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidatorTest.groovy

  • Modified unit test to use singleton instance of KeyCache instead of a
    mock.
  • Updated test to verify that invalid tokens are removed from the cache.

    		•  +2/-7     
    KeyCacheTest.groovy
    Add Unit Test for Key Removal in KeyCache                               

    shared/src/test/groovy/gov/hhs/cdc/trustedintermediary/external/inmemory/KeyCacheTest.groovy

  • Added a new test to verify the functionality of the remove method in
    KeyCache.
    		•  +14/-0   
    Enhancement
    AuthRequestValidator.java
    Implement Removal of Invalid Tokens from Cache in AuthRequestValidator

    app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java

  • Added removal of invalid tokens from cache in
    isValidAuthenticatedRequest method.
  • Made ourPublicKey a class variable for better accessibility.
    		•  +6/-3     
    KeyCache.java
    Implement Key Removal Method in KeyCache                                 

    shared/src/main/java/gov/hhs/cdc/trustedintermediary/external/inmemory/KeyCache.java

  • Implemented the remove method to support deletion of keys from the
    cache.
    		•  +5/-0     
    Cache.java
    Extend Cache Interface with Remove Method                               

    shared/src/main/java/gov/hhs/cdc/trustedintermediary/wrappers/Cache.java

    • Added the remove method to the Cache interface.
    		 +2/-0     

    💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

    @somesylvie
    Copy link
    Contributor

    /improve

    @github-actions GitHub Actions
    Copy link

    github-actions bot commented Oct 15, 2024
    edited
    Loading

    PR Code Suggestions ✨

    CategorySuggestion                                                                                                                                    Score
    Possible bug
    Add validation for the ourPublicKey variable before cache operations

    Validate the ourPublicKey variable to ensure it is not null or empty before using it
    to access or remove keys from the cache.

    app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java [55]

    -this.keyCache.remove(ourPublicKey);
+if (ourPublicKey != null && !ourPublicKey.isEmpty()) {
+    this.keyCache.remove(ourPublicKey);
+}
    Suggestion importance[1-10]: 8

    Why: Validating the ourPublicKey before using it in cache operations prevents potential runtime errors or security issues, making this a critical enhancement.

    		8
    Enhancement
    Add logging for the removal of public keys from the cache

    Ensure that the removal of the public key from the cache is logged for better
    traceability and debugging.

    app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java [55]

     this.keyCache.remove(ourPublicKey);
+logger.logDebug("Public key removed from cache.");
    Suggestion importance[1-10]: 7

    Why: Adding logging for key removal operations enhances traceability and debugging, which is crucial for maintaining security-related features.

    		7
    Best practice
    Implement exception handling for cache key removal

    Consider implementing a mechanism to handle potential exceptions when removing keys
    from the cache to avoid application crashes.

    app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java [55]

    -this.keyCache.remove(ourPublicKey);
+try {
+    this.keyCache.remove(ourPublicKey);
+} catch (Exception e) {
+    logger.logError("Failed to remove public key from cache", e);
+}
    Suggestion importance[1-10]: 6

    Why: Implementing exception handling for cache operations is a best practice that ensures the application's robustness, although the current context does not indicate frequent issues with this operation.

    		6
    Maintainability
    Refactor the construction of ourPublicKey into a separate method

    Refactor the retrieval of the environment-specific public key into a separate method
    to enhance modularity and readability.

    app/src/main/java/gov/hhs/cdc/trustedintermediary/auth/AuthRequestValidator.java [29]

    -String ourPublicKey = "trusted-intermediary-public-key-" + ApplicationContext.getEnvironment();
+String ourPublicKey = getEnvironmentSpecificPublicKey();
 
+private String getEnvironmentSpecificPublicKey() {
+    return "trusted-intermediary-public-key-" + ApplicationContext.getEnvironment();
+}
+
    Suggestion importance[1-10]: 5

    Why: Refactoring the public key retrieval into a separate method improves modularity and readability, although it's a relatively minor maintainability improvement.

    		5

    @somesylvie somesylvie mentioned this pull request Oct 15, 2024
    Closed
    15 tasks
    @saquino0827 saquino0827 mentioned this pull request Oct 16, 2024
    Closed
    5 tasks
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Reviewers

    @pluckyswan pluckyswan pluckyswan left review comments

    @github-actions github-actions[bot] github-actions[bot] left review comments

    @luis-pabon-tf luis-pabon-tf luis-pabon-tf left review comments

    @jcrichlake jcrichlake jcrichlake approved these changes

    @halprin halprin halprin approved these changes

    Assignees
    No one assigned
    Labels
    None yet
    Projects
    None yet
    Milestone
    No milestone
    Development

    Successfully merging this pull request may close these issues.
    6 participants
    @saquino0827 @somesylvie @luis-pabon-tf @halprin @pluckyswan @jcrichlake