Consider max-age directive of cache-control response header when determining PKC JWK set reload delay.

Author: ebarlas

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwkSetLoader.java

@@ -320,7 +320,10 @@ void scheduleReload(TimeValue period) {
 
         void reload() {
             doLoad(ActionListener.wrap(res -> {
-                TimeValue period = calculateNextUrlReload(reloadIntervalMin, reloadIntervalMax, res.expires(), URL_RELOAD_JITTER_PCT);
+                Instant targetTime = res.expires() != null
+                    ? res.expires()
+                    : (res.maxAgeSeconds() != null ? Instant.now().plusSeconds(res.maxAgeSeconds()) : null);
+                TimeValue period = calculateNextUrlReload(reloadIntervalMin, reloadIntervalMax, targetTime, URL_RELOAD_JITTER_PCT);
                 logger.debug("Successfully reloaded PKC JWK set from HTTPS URI [{}], reload delay is [{}]", jwkSetPathUri, period);
                 listener.accept(res.content()); // exception here will be caught by ActionListener.wrap and handled below
                 scheduleReload(period);

x-pack/plugin/security/src/main/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtil.java

@@ -76,8 +76,9 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
-import java.util.Optional;
 import java.util.function.Supplier;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
@@ -337,7 +338,8 @@ public void completed(final HttpResponse result) {
                             listener.onResponse(
                                 new JwksResponse(
                                     inputStream.readAllBytes(),
-                                    Optional.ofNullable(result.getFirstHeader("Expires")).map(Header::getValue).orElse(null)
+                                    firstHeaderValue(result, "Expires"),
+                                    firstHeaderValue(result, "Cache-Control")
                                 )
                             );
                         } catch (Exception e) {
@@ -366,6 +368,11 @@ public void cancelled() {
         });
     }
 
+    private static String firstHeaderValue(final HttpResponse response, final String headerName) {
+        final Header header = response.getFirstHeader(headerName);
+        return header != null ? header.getValue() : null;
+    }
+
     public static Path resolvePath(final Environment environment, final String jwkSetPath) {
         final Path directoryPath = environment.configDir();
         return directoryPath.resolve(jwkSetPath);
@@ -491,9 +498,11 @@ private static boolean containsAtLeastTwoDots(SecureString secureString) {
         return false;
     }
 
-    record JwksResponse(byte[] content, Instant expires) {
-        JwksResponse(byte[] content, String expires) {
-            this(content, parseExpires(expires));
+    record JwksResponse(byte[] content, Instant expires, Integer maxAgeSeconds) {
+        private static final Pattern MAX_AGE_PATTERN = Pattern.compile("\\bmax-age\\s*=\\s*(\\d+)\\b", Pattern.CASE_INSENSITIVE);
+
+        JwksResponse(byte[] content, String expires, String cacheControl) {
+            this(content, parseExpires(expires), parseMaxAge(cacheControl));
         }
 
         /**
@@ -514,5 +523,27 @@ static Instant parseExpires(String expires) {
                 return null;
             }
         }
+
+        /**
+         * Parse the Cache-Control header to extract the max-age value.
+         * @return the parsed max-age value as Integer, or null if the header is null or cannot be parsed
+         */
+        static Integer parseMaxAge(String cacheControl) {
+            if (cacheControl == null) {
+                return null;
+            }
+
+            Matcher matcher = MAX_AGE_PATTERN.matcher(cacheControl);
+            if (matcher.find() == false) {
+                return null;
+            }
+
+            try {
+                return Integer.parseInt(matcher.group(1));
+            } catch (NumberFormatException e) {
+                LOGGER.debug("Failed to parse max-age value from Cache-Control HTTP response header", e);
+                return null;
+            }
+        }
     }
 }

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwkSetLoaderTests.java

@@ -51,7 +51,7 @@
 import static org.hamcrest.Matchers.lessThan;
 import static org.hamcrest.Matchers.lessThanOrEqualTo;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.ArgumentMatchers.isNull;
 import static org.mockito.Mockito.doAnswer;
 import static org.mockito.Mockito.mock;
@@ -261,7 +261,7 @@ private void verifySchedulingIteration(
         ArgumentCaptor<FutureCallback<HttpResponse>> responseFn = ArgumentCaptor.forClass(FutureCallback.class);
         verify(httpClient, times(1)).execute(any(HttpGet.class), responseFn.capture());
         byte[] bytes = "x".repeat(iteration).getBytes(StandardCharsets.UTF_8);
-        HttpResponse response = makeHttpResponse(bytes);
+        HttpResponse response = makeHttpResponse(bytes, randomBoolean());
 
         reset(threadPool);
         reset(httpClient);
@@ -287,7 +287,7 @@ private void verifySchedulingIterationWithListenerException(ThreadPool threadPoo
         @SuppressWarnings("unchecked")
         ArgumentCaptor<FutureCallback<HttpResponse>> responseFn = ArgumentCaptor.forClass(FutureCallback.class);
         verify(httpClient, times(1)).execute(any(HttpGet.class), responseFn.capture());
-        HttpResponse response = makeHttpResponse(new byte[0]);
+        HttpResponse response = makeHttpResponse(new byte[0], randomBoolean());
 
         reset(threadPool);
         reset(httpClient);
@@ -307,21 +307,34 @@ private static void verifyScheduleTime(boolean firstIteration, ArgumentCaptor<Ti
         }
     }
 
-    private static HttpResponse makeHttpResponse(byte[] bytes) throws IOException {
+    private static HttpResponse makeHttpResponse(byte[] bytes, boolean expiresHeader) throws IOException {
         HttpEntity entity = mock(HttpEntity.class);
-        Header header = mock(Header.class);
         StatusLine statusLine = mock(StatusLine.class);
         when(statusLine.getStatusCode()).thenReturn(200);
-        when(header.getValue()).thenReturn(expiresHeader(10)); // expires in 10 minutes
         when(entity.getContent()).thenReturn(new ByteArrayInputStream(bytes));
         HttpResponse response = mock(HttpResponse.class);
         when(response.getStatusLine()).thenReturn(statusLine);
         when(response.getEntity()).thenReturn(entity);
-        when(response.getFirstHeader(anyString())).thenReturn(header);
+        Header eh = expiresHeader ? expiresHeader(10) : null;
+        Header cc = expiresHeader ? null : cacheControlHeader(10);
+        when(response.getFirstHeader(eq("Expires"))).thenReturn(eh);
+        when(response.getFirstHeader(eq("Cache-Control"))).thenReturn(cc);
         return response;
     }
 
-    private static String expiresHeader(int plusMinutes) {
+    private static Header expiresHeader(int minutes) {
+        Header header = mock(Header.class);
+        when(header.getValue()).thenReturn(expiresHeaderValue(minutes));
+        return header;
+    }
+
+    private static Header cacheControlHeader(int minutes) {
+        Header header = mock(Header.class);
+        when(header.getValue()).thenReturn("max-age=" + (minutes * 60));
+        return header;
+    }
+
+    private static String expiresHeaderValue(int plusMinutes) {
         ZonedDateTime nowUtc = ZonedDateTime.now(ZoneId.of("UTC"));
         ZonedDateTime zdt = nowUtc.plusMinutes(plusMinutes);
         return zdt.format(DateTimeFormatter.RFC_1123_DATE_TIME);

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/jwt/JwtUtilTests.java

@@ -11,6 +11,11 @@
 import org.elasticsearch.common.settings.SettingsException;
 import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
 
+import java.time.Instant;
+import java.time.ZoneId;
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.is;
 import static org.hamcrest.Matchers.notNullValue;
@@ -158,4 +163,21 @@ public void testParseHttpsUriAccepted() {
         assertThat(JwtUtil.parseHttpsUri("https://example.com:443/path/jwkset.json"), notNullValue());
         assertThat(JwtUtil.parseHttpsUri("https://example.com:8443/path/jwkset.json"), notNullValue());
     }
+
+    public void testParseExpires() {
+        ZonedDateTime nowUtc = ZonedDateTime.now(ZoneId.of("UTC"));
+        Instant parsed = JwtUtil.JwksResponse.parseExpires(nowUtc.format(DateTimeFormatter.RFC_1123_DATE_TIME));
+        assertThat(parsed.getEpochSecond(), equalTo(nowUtc.toEpochSecond()));
+        assertThat(JwtUtil.JwksResponse.parseExpires(null), nullValue());
+        assertThat(JwtUtil.JwksResponse.parseExpires(""), nullValue());
+        assertThat(JwtUtil.JwksResponse.parseExpires("Jan 2024"), nullValue());
+    }
+
+    public void testParseMaxAge() {
+        assertThat(JwtUtil.JwksResponse.parseMaxAge("public, max-age=3600, immutable"), equalTo(3600));
+        assertThat(JwtUtil.JwksResponse.parseMaxAge("max-age=7200"), equalTo(7200));
+        assertThat(JwtUtil.JwksResponse.parseMaxAge("no-cache, no-store"), nullValue());
+        assertThat(JwtUtil.JwksResponse.parseMaxAge(""), nullValue());
+        assertThat(JwtUtil.JwksResponse.parseMaxAge(null), nullValue());
+    }
 }