Migrate CachingPasswordEncoder to Caffeine Cache.

Remove Guava Library

Signed-off-by: Duane May <duane.may@broadcom.com>

Author: duanemay

dependencies.gradle

@@ -14,7 +14,6 @@ versions.springBootVersion = "2.7.18"
 versions.springFrameworkVersion = "5.3.39"
 versions.springSecurityVersion = "5.8.16"
 versions.tomcatCargoVersion = "9.0.97"
-versions.guavaVersion = "33.3.1-jre"
 versions.seleniumVersion = "4.27.0"
 versions.braveVersion = "6.0.3"
 versions.jacksonVersion = "2.18.2"
@@ -58,8 +57,6 @@ libraries.dumbster = "dumbster:dumbster:1.6"
 libraries.eclipseJgit = "org.eclipse.jgit:org.eclipse.jgit:7.0.0.202409031743-r"
 libraries.flywayCore = "org.flywaydb:flyway-core"
 libraries.greenmail = "com.icegreen:greenmail:1.6.15"
-libraries.guava = "com.google.guava:guava:${versions.guavaVersion}"
-libraries.guavaTestLib = "com.google.guava:guava-testlib:${versions.guavaVersion}"
 libraries.hamcrest = "org.hamcrest:hamcrest:${versions.hamcrestVersion}"
 libraries.hibernateValidator = "org.hibernate.validator:hibernate-validator"
 libraries.hsqldb = "org.hsqldb:hsqldb"

server/build.gradle

@@ -33,8 +33,6 @@ dependencies {
     implementation(libraries.bouncyCastleTlsFips)
     implementation(libraries.bouncyCastlePkixFips)
 
-    implementation(libraries.guava)
-
     implementation(libraries.aspectJRt)
     implementation(libraries.aspectJWeaver)
 
@@ -105,7 +103,6 @@ dependencies {
     testImplementation(libraries.tomcatJdbc)
 
     testImplementation(libraries.jsonPathAssert)
-    testImplementation(libraries.guavaTestLib)
     testImplementation(libraries.xmlUnit)
 
     implementation(libraries.commonsIo)

server/src/main/java/org/cloudfoundry/identity/uaa/util/CachingPasswordEncoder.java

@@ -1,13 +1,14 @@
 package org.cloudfoundry.identity.uaa.util;
 
-import com.google.common.cache.Cache;
-import com.google.common.cache.CacheBuilder;
+import com.github.benmanes.caffeine.cache.Cache;
+import com.github.benmanes.caffeine.cache.Caffeine;
+import com.google.common.annotations.VisibleForTesting;
+import org.cloudfoundry.identity.uaa.oauth.common.util.RandomValueStringGenerator;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.crypto.codec.Hex;
 import org.springframework.security.crypto.codec.Utf8;
 import org.springframework.security.crypto.keygen.KeyGenerators;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.cloudfoundry.identity.uaa.oauth.common.util.RandomValueStringGenerator;
 
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -18,7 +19,6 @@
 import java.util.List;
 import java.util.Set;
 import java.util.concurrent.ConcurrentMap;
-import java.util.concurrent.TimeUnit;
 
 import static org.springframework.security.crypto.util.EncodingUtils.concatenate;
 
@@ -28,24 +28,30 @@
  */
 public class CachingPasswordEncoder implements PasswordEncoder {
 
+    private static final int ITERATIONS = 25;
+    private static final int MAX_KEYS = 1000;
+    private static final int MAX_ENCODED_PASSWORDS = 5;
+
+    @VisibleForTesting
+    static Duration DEFAULT_CACHE_TTL = Duration.ofMinutes(5L);
+
     private final MessageDigest messageDigest;
     private final byte[] secret;
     private final byte[] salt;
 
-    private static final int ITERATIONS = 25;
-    private static final int MAX_KEYS = 1000;
-    private static final int MAX_ENCODED_PASSWORDS = 5;
-    private final Duration CACHE_TTL = Duration.ofMinutes(5L);
-    private volatile Cache<CharSequence, Set<String>> cache;
+    private final Cache<CharSequence, Set<String>> cache;
 
     private final PasswordEncoder passwordEncoder;
 
     CachingPasswordEncoder(final PasswordEncoder passwordEncoder) throws NoSuchAlgorithmException {
         this.passwordEncoder = passwordEncoder;
-        this.messageDigest = MessageDigest.getInstance("SHA-256");
-        this.secret = Utf8.encode(new RandomValueStringGenerator().generate());
-        this.salt = KeyGenerators.secureRandom().generateKey();
-        buildCache();
+        messageDigest = MessageDigest.getInstance("SHA-256");
+        secret = Utf8.encode(new RandomValueStringGenerator().generate());
+        salt = KeyGenerators.secureRandom().generateKey();
+        cache = Caffeine.newBuilder()
+                .expireAfterWrite(DEFAULT_CACHE_TTL)
+                .maximumSize(MAX_KEYS)
+                .build();
     }
 
     @Override
@@ -65,7 +71,7 @@ public boolean matches(CharSequence rawPassword, String encodedPassword) throws
     Set<String> getOrCreateHashList(String cacheKey) {
         Set<String> result = cache.getIfPresent(cacheKey);
         if (result == null) {
-            if (cache.size() >= MAX_KEYS) {
+            if (cache.estimatedSize() >= MAX_KEYS) {
                 cache.invalidateAll();
             }
             cache.put(cacheKey, Collections.synchronizedSet(new LinkedHashSet<>()));
@@ -86,8 +92,8 @@ private boolean internalMatches(String cacheKey, CharSequence rawPassword, Strin
             result = true;
             cacheValue = getOrCreateHashList(cacheKey);
             if (cacheValue != null) {
-                //this list should never grow very long.
-                //Only if you store multiple versions of the same password more than once
+                // This list should never grow very long.
+                // Only if you store multiple versions of the same password more than once
                 if (cacheValue.size() >= MAX_ENCODED_PASSWORDS) {
                     cacheValue.clear();
                 }
@@ -140,16 +146,10 @@ int getMaxEncodedPasswords() {
     }
 
     long getNumberOfKeys() {
-        return cache.size();
+        return cache.estimatedSize();
     }
 
     ConcurrentMap<CharSequence, Set<String>> asMap() {
         return cache.asMap();
     }
-
-    void buildCache() {
-        cache = CacheBuilder.newBuilder()
-                .expireAfterWrite(CACHE_TTL.getSeconds(), TimeUnit.SECONDS)
-                .build();
-    }
 }

server/src/test/java/org/cloudfoundry/identity/uaa/util/CachingPasswordEncoderTest.java

@@ -1,11 +1,10 @@
 package org.cloudfoundry.identity.uaa.util;
 
+import org.cloudfoundry.identity.uaa.oauth.common.util.RandomValueStringGenerator;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
-import org.cloudfoundry.identity.uaa.oauth.common.util.RandomValueStringGenerator;
-import org.springframework.test.util.ReflectionTestUtils;
 
 import java.security.NoSuchAlgorithmException;
 import java.time.Duration;
@@ -60,19 +59,19 @@ void matches() {
     @Test
     void matchesButExpires() throws Exception {
         Duration shortTTL = Duration.ofSeconds(1);
-        ReflectionTestUtils.setField(cachingPasswordEncoder, "CACHE_TTL", shortTTL);
-        cachingPasswordEncoder.buildCache();
+        synchronized (CachingPasswordEncoder.class) {
+            CachingPasswordEncoder.DEFAULT_CACHE_TTL = shortTTL;
+            cachingPasswordEncoder = new CachingPasswordEncoder(passwordEncoder);
+            CachingPasswordEncoder.DEFAULT_CACHE_TTL = Duration.ofMinutes(5);
+        }
         String encoded = cachingPasswordEncoder.encode(password);
         String cacheKey = cachingPasswordEncoder.cacheEncode(password);
 
         assertTrue(passwordEncoder.matches(password, encoded));
         assertTrue(cachingPasswordEncoder.matches(password, encoded));
-
-        assertTrue(!cachingPasswordEncoder.getOrCreateHashList(cacheKey).isEmpty(),
-                "Password is no longer cached when we expected it to be cached");
+        assertFalse(cachingPasswordEncoder.getOrCreateHashList(cacheKey).isEmpty(), "Password is no longer cached when we expected it to be cached");
 
         Thread.sleep(shortTTL.toMillis() + 100);
-
         assertEquals(0, cachingPasswordEncoder.getOrCreateHashList(cacheKey).size(), "Password is still cached when we expected it to be expired");
     }
 
@@ -95,7 +94,7 @@ void cacheIs10XFasterThanNonCached() throws NoSuchAlgorithmException {
 
         int iterations = 10;
 
-        String password = new RandomValueStringGenerator().generate();
+        password = new RandomValueStringGenerator().generate();
         String encodedBCrypt = cachingPasswordEncoder.encode(password);
         PasswordEncoder nonCachingPasswordEncoder = passwordEncoder;
 
@@ -122,24 +121,23 @@ void cacheIs10XFasterThanNonCached() throws NoSuchAlgorithmException {
     }
 
     @Test
-    // TODO: This test takes a long time to run :(
+        // TODO: This test takes a long time to run :(
     void ensureNoMemoryLeak() {
         assertEquals(0, cachingPasswordEncoder.getNumberOfKeys());
         for (int i = 0; i < cachingPasswordEncoder.getMaxKeys(); i++) {
-            String password = new RandomValueStringGenerator().generate();
+            password = new RandomValueStringGenerator().generate();
             for (int j = 0; j < cachingPasswordEncoder.getMaxEncodedPasswords(); j++) {
                 String encoded = cachingPasswordEncoder.encode(password);
                 assertTrue(cachingPasswordEncoder.matches(password, encoded));
             }
         }
         assertEquals(cachingPasswordEncoder.getMaxKeys(), cachingPasswordEncoder.getNumberOfKeys());
-        String password = new RandomValueStringGenerator().generate();
+        password = new RandomValueStringGenerator().generate();
         String encoded = cachingPasswordEncoder.encode(password);
         assertTrue(cachingPasswordEncoder.matches(password, encoded));
         //overflow happened
         assertEquals(1, cachingPasswordEncoder.getNumberOfKeys());
 
-
         for (int j = 1; j < cachingPasswordEncoder.getMaxEncodedPasswords(); j++) {
             encoded = cachingPasswordEncoder.encode(password);
             assertTrue(cachingPasswordEncoder.matches(password, encoded));