web-eid
diff --git a/‎pom.xml‎
Lines changed: 34 additions & 0 deletions b/‎pom.xml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java‎
Lines changed: 19 additions & 0 deletions b/‎src/main/java/eu/webeid/security/validator/AuthTokenValidationConfiguration.java‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java‎
Lines changed: 39 additions & 0 deletions b/‎src/main/java/eu/webeid/security/validator/AuthTokenValidatorBuilder.java‎
Lines changed: 39 additions & 0 deletions
diff --git a/‎src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java‎
Lines changed: 9 additions & 10 deletions b/‎src/main/java/eu/webeid/security/validator/AuthTokenValidatorImpl.java‎
Lines changed: 9 additions & 10 deletions
@@ -16,6 +16,7 @@
         <bouncycastle.version>1.81</bouncycastle.version>
         <jackson.version>2.19.1</jackson.version>
         <slf4j.version>2.0.17</slf4j.version>
+        <resilience4j.version>1.7.0</resilience4j.version>
         <junit-jupiter.version>5.13.3</junit-jupiter.version>
         <assertj.version>3.27.3</assertj.version>
         <mockito.version>5.18.0</mockito.version>
@@ -65,6 +66,33 @@
             <artifactId>bcpkix-jdk18on</artifactId>
             <version>${bouncycastle.version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.github.resilience4j</groupId>
+            <artifactId>resilience4j-all</artifactId>
+            <version>${resilience4j.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-retry</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-bulkhead</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-cache</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-ratelimiter</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.github.resilience4j</groupId>
+                    <artifactId>resilience4j-timelimiter</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
 
         <dependency>
             <groupId>org.junit.jupiter</groupId>
@@ -90,6 +118,12 @@
             <version>${slf4j.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.awaitility</groupId>
+            <artifactId>awaitility</artifactId>
+            <version>4.3.0</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>
 
@@ -24,6 +24,8 @@
 
 import eu.webeid.security.certificate.SubjectCertificatePolicies;
 import eu.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
+import eu.webeid.security.validator.ocsp.service.FallbackOcspServiceConfiguration;
+import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
 import java.net.MalformedURLException;
@@ -51,6 +53,8 @@ public final class AuthTokenValidationConfiguration {
     private Duration allowedOcspResponseTimeSkew = Duration.ofMinutes(15);
     private Duration maxOcspResponseThisUpdateAge = Duration.ofMinutes(2);
     private DesignatedOcspServiceConfiguration designatedOcspServiceConfiguration;
+    private Collection<FallbackOcspServiceConfiguration> fallbackOcspServiceConfigurations = new HashSet<>();
+    private CircuitBreakerConfig circuitBreakerConfig;
     // Don't allow Estonian Mobile-ID policy by default.
     private Collection<ASN1ObjectIdentifier> disallowedSubjectCertificatePolicies = newHashSet(
         SubjectCertificatePolicies.ESTEID_SK_2015_MOBILE_ID_POLICY_V1,
@@ -71,6 +75,8 @@ private AuthTokenValidationConfiguration(AuthTokenValidationConfiguration other)
         this.allowedOcspResponseTimeSkew = other.allowedOcspResponseTimeSkew;
         this.maxOcspResponseThisUpdateAge = other.maxOcspResponseThisUpdateAge;
         this.designatedOcspServiceConfiguration = other.designatedOcspServiceConfiguration;
+        this.fallbackOcspServiceConfigurations = Set.copyOf(other.fallbackOcspServiceConfigurations);
+        this.circuitBreakerConfig = other.circuitBreakerConfig;
         this.disallowedSubjectCertificatePolicies = Set.copyOf(other.disallowedSubjectCertificatePolicies);
         this.nonceDisabledOcspUrls = Set.copyOf(other.nonceDisabledOcspUrls);
     }
@@ -135,6 +141,18 @@ public Collection<URI> getNonceDisabledOcspUrls() {
         return nonceDisabledOcspUrls;
     }
 
+    public Collection<FallbackOcspServiceConfiguration> getFallbackOcspServiceConfigurations() {
+        return fallbackOcspServiceConfigurations;
+    }
+
+    public CircuitBreakerConfig getCircuitBreakerConfig() {
+        return circuitBreakerConfig;
+    }
+
+    public void setCircuitBreakerConfig(CircuitBreakerConfig circuitBreakerConfig) {
+        this.circuitBreakerConfig = circuitBreakerConfig;
+    }
+
     /**
      * Checks that the configuration parameters are valid.
      *
@@ -150,6 +168,7 @@ void validate() {
         requirePositiveDuration(ocspRequestTimeout, "OCSP request timeout");
         requirePositiveDuration(allowedOcspResponseTimeSkew, "Allowed OCSP response time-skew");
         requirePositiveDuration(maxOcspResponseThisUpdateAge, "Max OCSP response thisUpdate age");
+        // TODO: Add OCSP fallback/response validation
     }
 
     AuthTokenValidationConfiguration copy() {
 
@@ -26,6 +26,8 @@
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspClientImpl;
 import eu.webeid.security.validator.ocsp.service.DesignatedOcspServiceConfiguration;
+import eu.webeid.security.validator.ocsp.service.FallbackOcspServiceConfiguration;
+import io.github.resilience4j.circuitbreaker.CircuitBreakerConfig;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -187,6 +189,43 @@ public AuthTokenValidatorBuilder withDesignatedOcspServiceConfiguration(Designat
         return this;
     }
 
+    /**
+     * // TODO: Describe the configuration option
+     *
+     * @param serviceConfiguration configurations of the fallback OCSP services
+     * @return the builder instance for method chaining
+     */
+    public AuthTokenValidatorBuilder withFallbackOcspServiceConfiguration(FallbackOcspServiceConfiguration... serviceConfiguration) {
+        // TODO: Validate that no two configurations have the same OCSP service access location
+        Collections.addAll(configuration.getFallbackOcspServiceConfigurations(), serviceConfiguration);
+        LOG.debug("Fallback OCSP services set to {}", configuration.getFallbackOcspServiceConfigurations());
+        return this;
+    }
+
+
+    /**
+     * // TODO: Describe the configuration option
+     *
+     * @param slidingWindowSize
+     * @param minimumNumberOfCalls
+     * @param failureRateThreshold
+     * @param permittedNumberOfCallsInHalfOpenState
+     * @param waitDurationInOpenState
+     *
+     * @return the builder instance for method chaining
+     */
+    public AuthTokenValidatorBuilder withCircuitBreakerConfig(int slidingWindowSize, int minimumNumberOfCalls, int failureRateThreshold, int permittedNumberOfCallsInHalfOpenState, Duration waitDurationInOpenState) { // TODO: What do we allow to configure? Use configuration builder.
+        configuration.setCircuitBreakerConfig(CircuitBreakerConfig.custom()
+            .slidingWindowSize(slidingWindowSize)
+            .minimumNumberOfCalls(minimumNumberOfCalls)
+            .failureRateThreshold(failureRateThreshold)
+            .permittedNumberOfCallsInHalfOpenState(permittedNumberOfCallsInHalfOpenState)
+            .waitDurationInOpenState(waitDurationInOpenState)
+            .build());
+        LOG.debug("Using the OCSP circuit breaker configuration");
+        return this;
+    }
+
     /**
      * Uses the provided OCSP client instance during user certificate revocation check with OCSP.
      * The provided client instance must be thread-safe.
 
@@ -37,6 +37,7 @@
 import eu.webeid.security.validator.certvalidators.SubjectCertificateValidatorBatch;
 import eu.webeid.security.validator.ocsp.OcspClient;
 import eu.webeid.security.validator.ocsp.OcspServiceProvider;
+import eu.webeid.security.validator.ocsp.ResilientOcspService;
 import eu.webeid.security.validator.ocsp.service.AiaOcspServiceConfiguration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -65,9 +66,8 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
     private final CertStore trustedCACertificateCertStore;
     // OcspClient uses built-in HttpClient internally by default.
     // A single HttpClient instance is reused for all HTTP calls to utilize connection and thread pools.
-    private OcspClient ocspClient;
-    private OcspServiceProvider ocspServiceProvider;
     private final AuthTokenSignatureValidator authTokenSignatureValidator;
+    private ResilientOcspService resilientOcspService;
 
     /**
      * @param configuration configuration parameters for the token validator
@@ -88,12 +88,15 @@ final class AuthTokenValidatorImpl implements AuthTokenValidator {
 
         if (configuration.isUserCertificateRevocationCheckWithOcspEnabled()) {
             // The OCSP client may be provided by the API consumer.
-            this.ocspClient = Objects.requireNonNull(ocspClient, "OCSP client must not be null when OCSP check is enabled");
-            ocspServiceProvider = new OcspServiceProvider(
+            Objects.requireNonNull(ocspClient, "OCSP client must not be null when OCSP check is enabled");
+            OcspServiceProvider ocspServiceProvider = new OcspServiceProvider(
                 configuration.getDesignatedOcspServiceConfiguration(),
                 new AiaOcspServiceConfiguration(configuration.getNonceDisabledOcspUrls(),
                     trustedCACertificateAnchors,
-                    trustedCACertificateCertStore));
+                    trustedCACertificateCertStore),
+                configuration.getFallbackOcspServiceConfigurations());
+            resilientOcspService = new ResilientOcspService(ocspClient, ocspServiceProvider, configuration.getCircuitBreakerConfig(), configuration.getAllowedOcspResponseTimeSkew(),
+                configuration.getMaxOcspResponseThisUpdateAge());
         }
 
         authTokenSignatureValidator = new AuthTokenSignatureValidator(configuration.getSiteOrigin());
@@ -182,11 +185,7 @@ private SubjectCertificateValidatorBatch getCertTrustValidators() {
         return SubjectCertificateValidatorBatch.createFrom(
             certTrustedValidator::validateCertificateTrusted
         ).addOptional(configuration.isUserCertificateRevocationCheckWithOcspEnabled(),
-            new SubjectCertificateNotRevokedValidator(certTrustedValidator,
-                ocspClient, ocspServiceProvider,
-                configuration.getAllowedOcspResponseTimeSkew(),
-                configuration.getMaxOcspResponseThisUpdateAge()
-            )::validateCertificateNotRevoked
+            new SubjectCertificateNotRevokedValidator(resilientOcspService, certTrustedValidator)::validateCertificateNotRevoked
         );
     }