Add Retry option for primary OCSP service

Author: aarmam

pom.xml

@@ -71,10 +71,6 @@
             <artifactId>resilience4j-all</artifactId>
             <version>${resilience4j.version}</version>
             <exclusions>
-                <exclusion>
-                    <groupId>io.github.resilience4j</groupId>
-                    <artifactId>resilience4j-retry</artifactId>
-                </exclusion>
                 <exclusion>
                     <groupId>io.github.resilience4j</groupId>
                     <artifactId>resilience4j-bulkhead</artifactId>

src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java

@@ -26,6 +26,7 @@
 import eu.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
 import eu.webeid.security.validator.ocsp.service.FallbackOcspServiceConfiguration;
 import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
+import io.github.resilience4j.retry.RetryConfig;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
 import java.net.MalformedURLException;
@@ -56,6 +57,7 @@ public final class AuthTokenValidationConfiguration {
     private DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
     private Collection<FallbackOcspServiceConfiguration> fallbackOcspServiceConfigurations = new HashSet<>();
     private CircuitBreakerConfig circuitBreakerConfig;
+    private RetryConfig circuitBreakerRetryConfig;
     // Don't allow Estonian Mobile-ID policy by default.
     private Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies = newHashSet(
         SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V1,
@@ -79,6 +81,7 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
         this.designatedOcspServiceConfiguration = other.designatedOcspServiceConfiguration;
         this.fallbackOcspServiceConfigurations = Set.copyOf(other.fallbackOcspServiceConfigurations);
         this.circuitBreakerConfig = other.circuitBreakerConfig;
+        this.circuitBreakerRetryConfig = other.circuitBreakerRetryConfig;
         this.disallowedSubjectCertificatePolicies = Set.copyOf(other.disallowedSubjectCertificatePolicies);
         this.nonceDisabledOcspUrls = Set.copyOf(other.nonceDisabledOcspUrls);
     }
@@ -155,6 +158,14 @@ public void setCircuitBreakerConfig(CircuitBreakerConfig circuitBreakerConfig) {
         this.circuitBreakerConfig = circuitBreakerConfig;
     }
 
+    public RetryConfig getCircuitBreakerRetryConfig() {
+        return circuitBreakerRetryConfig;
+    }
+
+    public void setCircuitBreakerRetryConfig(RetryConfig circuitBreakerRetryConfig) {
+        this.circuitBreakerRetryConfig = circuitBreakerRetryConfig;
+    }
+
     public boolean isRejectUnknownOcspResponseStatus() {
         return rejectUnknownOcspResponseStatus;
     }

src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java

@@ -29,6 +29,7 @@
 import eu.webeid.security.validator.ocsp.service.FallbackOcspServiceConfiguration;
 import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
 import io.github.resilience4j.core.IntervalFunction;
+import io.github.resilience4j.retry.RetryConfig;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -212,7 +213,6 @@ public AuthTokenValidatorBuilder withFallbackOcspServiceConfiguration(FallbackOc
      * @param failureRateThreshold
      * @param permittedNumberOfCallsInHalfOpenState
      * @param waitDurationInOpenState
-     *
      * @return the builder instance for method chaining
      */
     public AuthTokenValidatorBuilder withCircuitBreakerConfig(int slidingWindowSize, int minimumNumberOfCalls, int failureRateThreshold, int permittedNumberOfCallsInHalfOpenState, Duration waitDurationInOpenState) { // TODO: What do we allow to configure? Use configuration builder.
@@ -227,6 +227,17 @@ public AuthTokenValidatorBuilder withCircuitBreakerConfig(int slidingWindowSize,
         return this;
     }
 
+    /**
+     * // TODO: Describe the configuration option
+     *
+     * @return the builder instance for method chaining
+     */
+    public AuthTokenValidatorBuilder withCircuitBreakerRetryConfig() { // TODO: What do we allow to configure? Use configuration builder.
+        configuration.setCircuitBreakerRetryConfig(RetryConfig.ofDefaults());
+        LOG.debug("Using the OCSP circuit breaker retry configuration");
+        return this;
+    }
+
     /**
      * // TODO: Describe the configuration option
      *

src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java

@@ -98,6 +98,7 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
                 configuration.getFallbackOcspServiceConfigurations());
             resilientOcspService = new ResilientOcspService(ocspClient, ocspServiceProvider,
                 configuration.getCircuitBreakerConfig(),
+                configuration.getCircuitBreakerRetryConfig(),
                 configuration.getAllowedOcspResponseTimeSkew(),
                 configuration.getMaxOcspResponseThisUpdateAge(),
                 configuration.isRejectUnknownOcspResponseStatus());

src/main/java/eu/webeid/security/validator/ocsp/ResilientOcspService.java

@@ -32,6 +32,9 @@
 import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
 import io.github.resilience4j.circuitbreaker.CircuitBreakerRegistry;
 import io.github.resilience4j.decorators.Decorators;
+import io.github.resilience4j.retry.Retry;
+import io.github.resilience4j.retry.RetryConfig;
+import io.github.resilience4j.retry.RetryRegistry;
 import io.vavr.CheckedFunction0;
 import io.vavr.control.Try;
 import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
@@ -61,8 +64,9 @@ public class ResilientOcspService {
     private final Duration maxOcspResponseThisUpdateAge;
     private final boolean rejectUnknownOcspResponseStatus;
     private final CircuitBreakerRegistry circuitBreakerRegistry;
+    private final RetryRegistry retryRegistry;
 
-    public ResilientOcspService(OcspClient ocspClient, OcspServiceProvider ocspServiceProvider, CircuitBreakerConfig circuitBreakerConfig, Duration allowedOcspResponseTimeSkew, Duration maxOcspResponseThisUpdateAge, boolean rejectUnknownOcspResponseStatus) {
+    public ResilientOcspService(OcspClient ocspClient, OcspServiceProvider ocspServiceProvider, CircuitBreakerConfig circuitBreakerConfig, RetryConfig retryConfig, Duration allowedOcspResponseTimeSkew, Duration maxOcspResponseThisUpdateAge, boolean rejectUnknownOcspResponseStatus) {
         this.ocspClient = ocspClient;
         this.ocspServiceProvider = ocspServiceProvider;
         this.allowedOcspResponseTimeSkew = allowedOcspResponseTimeSkew;
@@ -71,6 +75,9 @@ public ResilientOcspService(OcspClient ocspClient, OcspServiceProvider ocspServi
         this.circuitBreakerRegistry = CircuitBreakerRegistry.custom()
             .withCircuitBreakerConfig(getCircuitBreakerConfig(circuitBreakerConfig))
             .build();
+        this.retryRegistry = retryConfig != null ? RetryRegistry.custom()
+            .withRetryConfig(getRetryConfigConfig(retryConfig))
+            .build() : null;
         if (LOG.isDebugEnabled()) {
             this.circuitBreakerRegistry.getEventPublisher()
                 .onEntryAdded(entryAddedEvent -> {
@@ -89,10 +96,15 @@ public OcspValidationInfo validateSubjectCertificateNotRevoked(X509Certificate s
             CircuitBreaker circuitBreaker = circuitBreakerRegistry.circuitBreaker(ocspService.getAccessLocation().toASCIIString());
             CheckedFunction0<OcspValidationInfo> primarySupplier = () -> request(ocspService, subjectCertificate, issuerCertificate);
             CheckedFunction0<OcspValidationInfo> fallbackSupplier = () -> request(ocspService.getFallbackService(), subjectCertificate, issuerCertificate);
-            CheckedFunction0<OcspValidationInfo> decoratedSupplier = Decorators.ofCheckedSupplier(primarySupplier)
-                .withCircuitBreaker(circuitBreaker)
-                .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class, UserCertificateUnknownException.class), e -> fallbackSupplier.apply())
-                .decorate();
+            Decorators.DecorateCheckedSupplier<OcspValidationInfo> decorateCheckedSupplier = Decorators.ofCheckedSupplier(primarySupplier);
+            if (retryRegistry != null) {
+                Retry retry = retryRegistry.retry(ocspService.getAccessLocation().toASCIIString());
+                decorateCheckedSupplier.withRetry(retry);
+            }
+            decorateCheckedSupplier.withCircuitBreaker(circuitBreaker)
+                .withFallback(List.of(UserCertificateOCSPCheckFailedException.class, CallNotPermittedException.class, UserCertificateUnknownException.class), e -> fallbackSupplier.apply());
+
+            CheckedFunction0<OcspValidationInfo> decoratedSupplier = decorateCheckedSupplier.decorate();
 
             return Try.of(decoratedSupplier).getOrElseThrow(throwable -> {
                 if (throwable instanceof AuthTokenException) {
@@ -156,6 +168,12 @@ private static CircuitBreakerConfig getCircuitBreakerConfig(CircuitBreakerConfig
         return configurationBuilder.build();
     }
 
+    private static RetryConfig getRetryConfigConfig(RetryConfig retryConfig) {
+        return RetryConfig.from(retryConfig)
+            .ignoreExceptions(UserCertificateRevokedException.class) // TODO: Revoked status is a valid response, not a failure and should be ignored. Any other exceptions to ignore?
+            .build();
+    }
+
     CircuitBreakerRegistry getCircuitBreakerRegistry() {
         return circuitBreakerRegistry;
     }

src/test/java/eu/webeid/security/validator/certvalidators/SubjectCertificateNotRevokedValidatorTest.java

@@ -353,6 +353,7 @@ private SubjectCertificateNotRevokedValidator getSubjectCertificateNotRevokedVal
 
     private SubjectCertificateNotRevokedValidator getSubjectCertificateNotRevokedValidator(OcspClient client, OcspServiceProvider ocspServiceProvider) {
         ResilientOcspService resilientOcspService = new ResilientOcspService(client, ocspServiceProvider,
+            null,
             null,
             CONFIGURATION.getAllowedOcspResponseTimeSkew(),
             CONFIGURATION.getMaxOcspResponseThisUpdateAge(),

src/test/java/eu/webeid/security/validator/ocsp/ResilientOcspServiceTest.java

@@ -32,6 +32,7 @@
 import io.github.resilience4j.circuitbreaker.CircuitBreaker;
 import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
 import io.github.resilience4j.circuitbreaker.CircuitBreakerRegistry;
+import io.github.resilience4j.retry.RetryConfig;
 import org.bouncycastle.cert.ocsp.OCSPResp;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.jupiter.api.BeforeAll;
@@ -121,6 +122,7 @@ void whenFallbackConfigured_thenFallbackAndRecoverySucceeds() throws Exception {
             ocspClient,
             ocspServiceProvider,
             circuitBreakerConfig,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             false
@@ -206,6 +208,7 @@ void whenOcspResponseGood_thenNoFallbackAndSucceeds() throws Exception {
             ocspClient,
             ocspServiceProvider,
             null,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             false
@@ -230,6 +233,45 @@ void whenOcspResponseGood_thenNoFallbackAndSucceeds() throws Exception {
         }
     }
 
+    @Test
+    void whenRetryEnabledAndRetrySucceeds_thenNoFallbackAndSucceeds() throws Exception {
+        final OcspClient ocspClient = mock(OcspClient.class);
+        when(ocspClient.request(eq(PRIMARY_OCSP_URL), any()))
+            .thenThrow(new IOException("Mocked exception 1"))
+            .thenThrow(new IOException("Mocked exception 2"))
+            .thenReturn(new OCSPResp(validOcspResponseBytes));
+        when(ocspClient.request(eq(FALLBACK_OCSP_URL), any()))
+            .thenReturn(new OCSPResp(validOcspResponseBytes));
+        OcspServiceProvider ocspServiceProvider = createOcspServiceProviderWithFallback();
+        ResilientOcspService resilientOcspService = new ResilientOcspService(
+            ocspClient,
+            ocspServiceProvider,
+            null,
+            RetryConfig.ofDefaults(), // Retry enabled
+            ALLOWED_TIME_SKEW,
+            MAX_THIS_UPDATE_AGE,
+            false
+        );
+        CircuitBreakerRegistry circuitBreakerRegistry = resilientOcspService.getCircuitBreakerRegistry();
+        CircuitBreaker circuitBreaker = circuitBreakerRegistry.circuitBreaker(PRIMARY_OCSP_URL.toASCIIString());
+        try (var mockedClock = mockStatic(DateAndTime.DefaultClock.class)) {
+            mockDate("2021-09-17T18:25:24", mockedClock);
+
+            OcspValidationInfo validationInfo = resilientOcspService.validateSubjectCertificateNotRevoked(subjectCertificate, issuerCertificate);
+            assertThat(validationInfo).isNotNull();
+            assertThat(validationInfo).extracting(OcspValidationInfo::getSubjectCertificate)
+                .isEqualTo(subjectCertificate);
+            assertThat(validationInfo).extracting(OcspValidationInfo::getOcspResponderUri)
+                .isEqualTo(new URI("http://aia.demo.sk.ee/esteid2018"));
+            assertThat(validationInfo).extracting(OcspValidationInfo::getOcspResponse)
+                .isNotNull();
+
+            verify(ocspClient, times(3)).request(eq(PRIMARY_OCSP_URL), any());
+            verify(ocspClient, times(0)).request(eq(FALLBACK_OCSP_URL), any());
+            assertThat(circuitBreaker.getState()).isEqualTo(CircuitBreaker.State.CLOSED);
+        }
+    }
+
     @Test
     void whenOcspResponseRevoked_thenNoFallbackAndThrows() throws Exception {
         final OcspClient ocspClient = mock(OcspClient.class);
@@ -242,6 +284,7 @@ void whenOcspResponseRevoked_thenNoFallbackAndThrows() throws Exception {
             ocspClient,
             ocspServiceProvider,
             null,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             false
@@ -279,6 +322,7 @@ void whenOcspResponseUnknown_thenNoFallbackAndThrows() throws Exception {
             ocspClient,
             ocspServiceProvider,
             null,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             false
@@ -316,6 +360,7 @@ void whenPrimaryOcspResponseUnknownAndRejectUnknownOcspResponseStatusConfigurati
             ocspClient,
             ocspServiceProvider,
             null,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             true // rejectUnknownOcspResponseStatus
@@ -358,6 +403,7 @@ void whenPrimaryAndFallbackRevocationStatusUnknownAndRejectUnknownOcspResponseSt
             ocspClient,
             ocspServiceProvider,
             null,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             true // rejectUnknownOcspResponseStatus
@@ -396,6 +442,7 @@ void whenPrimaryAndFallbackConnectionFail_thenThrows() throws Exception {
             ocspClient,
             ocspServiceProvider,
             null,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             false
@@ -430,6 +477,7 @@ void whenNoFallbackConfigured_thenPrimaryFailureThrows() throws Exception {
             ocspClient,
             ocspServiceProvider,
             null,
+            null,
             ALLOWED_TIME_SKEW,
             MAX_THIS_UPDATE_AGE,
             false