Refactor cache operations to use read-safe methods for concurrent environments

components/org.wso2.carbon.identity.discovery/pom.xml

@@ -30,6 +30,7 @@
     <name>WSO2 Carbon - OAuth OpenId Connect Discovery</name>
     <description>OpenId Connect Discovery Bundle</description>
     <url>http://wso2.org</url>
+
     <dependencies>
         <dependency>
             <groupId>commons-codec</groupId>
@@ -148,6 +149,7 @@
                             org.wso2.carbon.identity.discovery.*;
                             version="${identity.inbound.auth.oauth.exp.pkg.version}"
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.ciba/pom.xml

@@ -176,6 +176,7 @@
                             org.wso2.carbon.identity.oauth.ciba.*;
                             version="${identity.inbound.auth.oauth.exp.pkg.version}",
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.common/pom.xml

@@ -105,6 +105,7 @@
                         <Export-Package>
                             org.wso2.carbon.identity.oauth.common.*;version="${identity.inbound.auth.oauth.exp.pkg.version}"
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.dcr/pom.xml

@@ -189,6 +189,7 @@
                             org.wso2.carbon.identity.oauth.dcr.*;version="${identity.inbound.auth.oauth.exp.pkg.version}",
                             org.wso2.carbon.identity.oauth.dcr.handler.*;version="${identity.inbound.auth.oauth.exp.pkg.version}"
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/util/AuthzUtil.java

@@ -1375,7 +1375,7 @@ private static OAuthAppDO getAppInformation(OAuth2AuthorizeReqDTO authzReqDTO) t
             } else {
                 oAuthAppDO = new OAuthAppDAO().getAppInformation(authzReqDTO.getConsumerKey());
             }
-            AppInfoCache.getInstance().addToCache(authzReqDTO.getConsumerKey(), oAuthAppDO);
+            AppInfoCache.getInstance().addToCacheOnRead(authzReqDTO.getConsumerKey(), oAuthAppDO);
             return oAuthAppDO;
         }
     }

components/org.wso2.carbon.identity.oauth.extension/pom.xml

@@ -65,6 +65,7 @@
                         <Export-Package>
                             org.wso2.carbon.identity.oauth.extension.*;version="${identity.inbound.auth.oauth.exp.pkg.version}"
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.par/pom.xml

@@ -180,6 +180,7 @@
                             org.wso2.carbon.identity.oauth.par.*;
                             version="${identity.inbound.auth.oauth.exp.pkg.version}",
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.rar/pom.xml

@@ -192,6 +192,7 @@
                             org.wso2.carbon.identity.oauth.rar.*;
                             version="${identity.inbound.auth.oauth.exp.pkg.version}",
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.stub/pom.xml

@@ -121,6 +121,7 @@
                             org.wso2.carbon.identity.oauth.stub.*; version="${identity.inbound.auth.oauth.exp.pkg.version}",
                             org.wso2.carbon.identity.oauth2.stub.*; version="${identity.inbound.auth.oauth.exp.pkg.version}"
                         </Export-Package>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth.ui/pom.xml

@@ -134,6 +134,7 @@
                             org.wso2.carbon.identity.oauth.ui.*;version="${identity.inbound.auth.oauth.exp.pkg.version}"
                         </Export-Package>
                         <Carbon-Component>UIBundle</Carbon-Component>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth/pom.xml

@@ -495,11 +495,13 @@
                             org.wso2.carbon.identity.openidconnect.*;version="${identity.inbound.auth.oauth.exp.pkg.version}",
                         </Export-Package>
                         <DynamicImport-Package>*</DynamicImport-Package>
+                        <_contract>!JavaServlet</_contract>
                         <ListenerManager-RequiredServices>
                             org.wso2.carbon.identity.oauth2.OAuth2Service,
                             org.wso2.carbon.identity.oauth2.OAuth2ScopeService,
                             org.wso2.carbon.identity.oauth.OAuthAdminServiceImpl
                         </ListenerManager-RequiredServices>
+                        <_contract>!JavaServlet</_contract>
                     </instructions>
                 </configuration>
             </plugin>

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/OAuthAdminServiceImpl.java

@@ -2723,7 +2723,7 @@ OAuthAppDO getOAuthApp(String consumerKey, String tenantDomain) throws InvalidOA
             if (LOG.isDebugEnabled()) {
                 LOG.debug("OAuth app with consumerKey: " + consumerKey + " retrieved from database.");
             }
-            AppInfoCache.getInstance().addToCache(consumerKey, oauthApp, tenantDomain);
+            AppInfoCache.getInstance().addToCacheOnRead(consumerKey, oauthApp, tenantDomain);
         }
         return oauthApp;
     }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/cache/AuthorizationGrantCache.java

@@ -106,7 +106,7 @@ public AuthorizationGrantCacheEntry getValueFromCacheByTokenId(AuthorizationGran
             }
             cacheEntry = getFromSessionStore(tokenId);
             if (cacheEntry != null && key != null) {
-                super.addToCache(key, cacheEntry);
+                super.addToCacheOnRead(key, cacheEntry);
             }
         }
         return cacheEntry;
@@ -130,7 +130,7 @@ public AuthorizationGrantCacheEntry getValueFromCacheByTokenId(AuthorizationGran
             }
             cacheEntry = getFromSessionStore(tokenId, operation);
             if (cacheEntry != null) {
-                super.addToCache(key, cacheEntry);
+                super.addToCacheOnRead(key, cacheEntry);
             }
         }
         return cacheEntry;
@@ -155,7 +155,7 @@ public AuthorizationGrantCacheEntry getValueFromCacheByToken(AuthorizationGrantC
             }
             cacheEntry = getFromSessionStore(replaceFromTokenId(key.getUserAttributesId()));
             if (cacheEntry != null) {
-                super.addToCache(key, cacheEntry);
+                super.addToCacheOnRead(key, cacheEntry);
             }
         }
         return cacheEntry;
@@ -238,7 +238,7 @@ public AuthorizationGrantCacheEntry getValueFromCacheByCode(AuthorizationGrantCa
             }
             cacheEntry = getFromSessionStore(replaceFromCodeId(key.getUserAttributesId()));
             if (cacheEntry != null) {
-                super.addToCache(key, cacheEntry);
+                super.addToCacheOnRead(key, cacheEntry);
             }
         }
         return cacheEntry;

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/cache/OAuthCache.java

@@ -76,6 +76,22 @@ public void addToCache(OAuthCacheKey key, CacheEntry entry) {
         }
     }
 
+    @Override
+    public void addToCacheOnRead(OAuthCacheKey key, CacheEntry entry) {
+
+        if (entry instanceof AccessTokenDO) {
+            AccessTokenDO tokenDO = (AccessTokenDO) entry;
+            String tenantDomain = tokenDO.getAuthzUser().getTenantDomain();
+            if (LOG.isDebugEnabled()) {
+                LOG.debug(String.format("[AddToCacheOnRead] AccessTokenDO was added for the given token identifier: " +
+                                "%s in the tenant: %s.", ((AccessTokenDO) entry).getTokenId(), tenantDomain));
+            }
+            super.addToCacheOnRead(key, entry, tenantDomain);
+        } else {
+            super.addToCacheOnRead(key, entry);
+        }
+    }
+
     @Override
     public void clearCacheEntry(OAuthCacheKey key, String tenantDomain) {
 

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/cache/OAuthScopeBindingCache.java

@@ -63,6 +63,20 @@ public void addToCache(OAuthScopeBindingCacheKey key, Scope[] entry, int tenantI
         }
     }
 
+    /**
+     * Add a cache entry during a READ operation.
+     *
+     * @param key   Key which cache entry is indexed.
+     * @param entry Actual object where cache entry is placed.
+     */
+    public void addToCacheOnRead(OAuthScopeBindingCacheKey key, Scope[] entry, int tenantId) {
+
+        super.addToCacheOnRead(key, entry, tenantId);
+        if (log.isDebugEnabled()) {
+            log.debug("[AddToCacheOnRead] Scope bindings are added to the cache. \n" + ArrayUtils.toString(entry));
+        }
+    }
+
     /**
      * Retrieves a cache entry.
      *

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth/cache/OAuthScopeCache.java

@@ -69,6 +69,22 @@ public void addToCache(OAuthScopeCacheKey key, Scope entry, int tenantId) {
         }
     }
 
+    /**
+     * Add a cache entry during a READ operation.
+     *
+     * @param key   Key which cache entry is indexed.
+     * @param entry Actual object where cache entry is placed.
+     */
+    public void addToCacheOnRead(OAuthScopeCacheKey key, Scope entry, int tenantId) {
+
+        if (IdentityUtil.getIdentityCacheConfig(IDENTITY_CACHE_MANAGER, OAUTH_SCOPE_CACHE_NAME).isEnabled()) {
+            super.addToCacheOnRead(key, entry, tenantId);
+            if (log.isDebugEnabled()) {
+                log.debug("[AddToCacheOnRead] Scope is added to the cache. \n" + entry.toString());
+            }
+        }
+    }
+
     /**
      * Retrieves a cache entry.
      *

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/OAuth2ScopeService.java

@@ -236,7 +236,7 @@ public Scope getScope(String name) throws IdentityOAuth2ScopeException {
                     if (log.isDebugEnabled()) {
                         log.debug("Scope is getting from the database. \n" + scope.toString());
                     }
-                    OAuthScopeCache.getInstance().addToCache(new OAuthScopeCacheKey(name), scope, tenantID);
+                    OAuthScopeCache.getInstance().addToCacheOnRead(new OAuthScopeCacheKey(name), scope, tenantID);
                 }
 
             } catch (IdentityOAuth2ScopeServerException e) {

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/AuthorizationHandlerManager.java

@@ -711,7 +711,7 @@ private OAuthAppDO getAppInformation(OAuth2AuthorizeReqDTO authzReqDTO) throws I
             } else {
                 oAuthAppDO = new OAuthAppDAO().getAppInformation(authzReqDTO.getConsumerKey());
             }
-            AppInfoCache.getInstance().addToCache(authzReqDTO.getConsumerKey(), oAuthAppDO);
+            AppInfoCache.getInstance().addToCacheOnRead(authzReqDTO.getConsumerKey(), oAuthAppDO);
             return oAuthAppDO;
         }
     }

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/authz/handlers/util/ResponseTypeHandlerUtil.java

@@ -615,7 +615,7 @@ private static AccessTokenDO getExistingTokenFromDB(OAuthAuthzReqMessageContext
             if (TOKEN_STATE_ACTIVE.equals(existingToken.getTokenState()) && expireTime != 0 && cacheEnabled) {
                 // Active token retrieved from db, adding to cache if cacheEnabled
                 try {
-                    addTokenToCache(getOAuthCacheKey(consumerKey, scope, authorizedUser.getUserId(),
+                    addTokenToCacheOnRead(getOAuthCacheKey(consumerKey, scope, authorizedUser.getUserId(),
                             OAuth2Util.getAuthenticatedIDP(authorizedUser)), existingToken);
                 } catch (UserIdNotFoundException e) {
                     throw new IdentityOAuth2Exception("Error occurred while retrieving the user id for user: "
@@ -1141,6 +1141,27 @@ private static void addTokenToCache(OAuthCacheKey cacheKey, AccessTokenDO tokenB
         }
     }
 
+    private static void addTokenToCacheOnRead(OAuthCacheKey cacheKey, AccessTokenDO tokenBean) {
+
+        /*
+         * If no token persistence, the token will be not be cached against a cache key with userId, scope, client and
+         * idp. But, token will be cached and managed as an AccessTokenDO against the token identifier.
+         */
+        if (OAuth2Util.isTokenPersistenceEnabled()) {
+            OAuthCache.getInstance().addToCacheOnRead(cacheKey, tokenBean);
+        }
+        // Adding AccessTokenDO to improve validation performance.
+        OAuthCacheKey accessTokenCacheKey = new OAuthCacheKey(tokenBean.getAccessToken());
+        OAuthCache.getInstance().addToCacheOnRead(accessTokenCacheKey, tokenBean);
+        if (log.isDebugEnabled()) {
+            log.debug("Access token info was added to the cache for cache key : " + cacheKey.getCacheKeyString());
+            if (IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.ACCESS_TOKEN)) {
+                log.debug("Access token was added to OAuthCache for cache key : " + accessTokenCacheKey
+                        .getCacheKeyString());
+            }
+        }
+    }
+
     private static void removeTokenFromCache(OAuthCacheKey cacheKey, AccessTokenDO tokenBean) {
 
         OAuthCache.getInstance().clearCacheEntry(cacheKey);

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/CacheBackedOAuthUserConsentedScopesDAOImpl.java

@@ -42,7 +42,7 @@ public UserApplicationScopeConsentDO getUserConsentForApplication(String userId,
             return entry.getUserApplicationScopeConsentDO();
         }
         UserApplicationScopeConsentDO userConsent = dao.getUserConsentForApplication(userId, appId, tenantId);
-        cache.addToCache(userId, new OAuthUserConsentedScopeCacheEntry(appId, userConsent), tenantId);
+        cache.addToCacheOnRead(userId, new OAuthUserConsentedScopeCacheEntry(appId, userConsent), tenantId);
         return userConsent;
     }
 

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java

@@ -1051,6 +1051,24 @@ private void addTokenToCache(OAuthCacheKey cacheKey, AccessTokenDO existingAcces
         }
     }
 
+    private void addTokenToCacheOnRead(OAuthCacheKey cacheKey, AccessTokenDO existingAccessTokenDO) {
+
+        if (isHashDisabled && cacheEnabled) {
+            oauthCache.addToCacheOnRead(cacheKey, existingAccessTokenDO);
+            // Adding AccessTokenDO to improve validation performance.
+            OAuthCacheKey accessTokenCacheKey = new OAuthCacheKey(existingAccessTokenDO.getAccessToken());
+            oauthCache.addToCacheOnRead(accessTokenCacheKey, existingAccessTokenDO);
+            if (log.isDebugEnabled()) {
+                log.debug("Access Token info was added to the cache for the cache key : " +
+                        cacheKey.getCacheKeyString());
+                if (IdentityUtil.isTokenLoggable(IdentityConstants.IdentityTokens.ACCESS_TOKEN)) {
+                    log.debug("Access token was added to OAuthCache for cache key : " + accessTokenCacheKey
+                            .getCacheKeyString());
+                }
+            }
+        }
+    }
+
     private OAuth2AccessTokenRespDTO createResponseWithTokenBean(OAuthTokenReqMessageContext tokenReqMessageContext,
                                                                  AccessTokenDO existingAccessTokenDO,
                                                                  long expireTimeMillis, String scope)
@@ -1313,7 +1331,7 @@ private AccessTokenDO getExistingTokenFromDB(OAuthTokenReqMessageContext tokenMs
             if (TOKEN_STATE_ACTIVE.equals(existingToken.getTokenState()) &&
                     expireTime != 0) {
                 // Active token retrieved from db, adding to cache if cacheEnabled
-                addTokenToCache(cacheKey, existingToken);
+                addTokenToCacheOnRead(cacheKey, existingToken);
             }
         }
         return existingToken;

components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java

@@ -842,9 +842,11 @@ own cache key and cache entry class every time we need to put something to it? I
                  */
                 if (isUsernameCaseSensitive) {
                     OAuthCache.getInstance()
-                            .addToCache(new OAuthCacheKey(clientId + ":" + username), new ClientCredentialDO(username));
+                            .addToCacheOnRead(new OAuthCacheKey(clientId + ":" + username),
+                                    new ClientCredentialDO(username));
                 } else {
-                    OAuthCache.getInstance().addToCache(new OAuthCacheKey(clientId + ":" + username.toLowerCase()),
+                    OAuthCache.getInstance().addToCacheOnRead(
+                            new OAuthCacheKey(clientId + ":" + username.toLowerCase()),
                             new ClientCredentialDO(username));
                 }
                 if (log.isDebugEnabled()) {
@@ -2316,7 +2318,7 @@ public static AccessTokenDO getAccessTokenDOFromTokenIdentifier(String accessTok
         // Add the token back to the cache in the case of a cache miss but don't add to cache when OAuth2 token
         // hashing feature enabled inorder to reduce the complexity.
         if (!cacheHit & OAuth2Util.isHashDisabled()) {
-            OAuthCache.getInstance().addToCache(cacheKey, accessTokenDO);
+            OAuthCache.getInstance().addToCacheOnRead(cacheKey, accessTokenDO);
             if (log.isDebugEnabled()) {
                 log.debug("Access Token Info object was added back to the cache.");
             }
@@ -2614,7 +2616,7 @@ public static OAuthAppDO getAppInformationByClientId(String clientId)
         } else {
             oAuthAppDO = new OAuthAppDAO().getAppInformation(clientId, IdentityTenantUtil.getLoginTenantId());
             if (oAuthAppDO != null) {
-                AppInfoCache.getInstance().addToCache(clientId, oAuthAppDO);
+                AppInfoCache.getInstance().addToCacheOnRead(clientId, oAuthAppDO);
             }
             return oAuthAppDO;
         }
@@ -2638,10 +2640,10 @@ public static OAuthAppDO getAppInformationByClientId(String clientId, String ten
             if (oAuthAppDO != null) {
                 if (!AuthzUtil.isLegacyAuthzRuntime() && oAuthAppDO.getAppOwner() != null &&
                         StringUtils.isNotEmpty(oAuthAppDO.getAppOwner().getTenantDomain())) {
-                    AppInfoCache.getInstance().addToCache(clientId, oAuthAppDO,
+                    AppInfoCache.getInstance().addToCacheOnRead(clientId, oAuthAppDO,
                             oAuthAppDO.getAppOwner().getTenantDomain());
                 } else {
-                    AppInfoCache.getInstance().addToCache(clientId, oAuthAppDO, tenantDomain);
+                    AppInfoCache.getInstance().addToCacheOnRead(clientId, oAuthAppDO, tenantDomain);
                 }
             }
         }
@@ -2671,7 +2673,7 @@ public static OAuthAppDO getAppInformationByClientIdOnly(String clientId)
                 throw new InvalidOAuthClientException(message);
             }
             oAuthAppDO = appList[0];
-            AppInfoCache.getInstance().addToCache(clientId, oAuthAppDO);
+            AppInfoCache.getInstance().addToCacheOnRead(clientId, oAuthAppDO);
         }
         return oAuthAppDO;
     }
@@ -2732,7 +2734,7 @@ public static Optional<OAuthAppDO> getAppInformation(String clientId, String org
         try {
             oAuthAppDO = new OAuthAppDAO().getAppInformation(clientId, IdentityTenantUtil.getTenantId(tenantDomain));
             if (oAuthAppDO != null) {
-                AppInfoCache.getInstance().addToCache(clientId, oAuthAppDO, tenantDomain);
+                AppInfoCache.getInstance().addToCacheOnRead(clientId, oAuthAppDO, tenantDomain);
                 return Optional.of(oAuthAppDO);
             }
             return Optional.empty();
@@ -2764,10 +2766,10 @@ public static OAuthAppDO getAppInformationByAccessTokenDO(AccessTokenDO accessTo
             if (oAuthAppDO != null) {
                 if (!AuthzUtil.isLegacyAuthzRuntime() && oAuthAppDO.getAppOwner() != null &&
                         StringUtils.isNotEmpty(oAuthAppDO.getAppOwner().getTenantDomain())) {
-                    AppInfoCache.getInstance().addToCache(clientId, oAuthAppDO,
+                    AppInfoCache.getInstance().addToCacheOnRead(clientId, oAuthAppDO,
                             oAuthAppDO.getAppOwner().getTenantDomain());
                 } else {
-                    AppInfoCache.getInstance().addToCache(clientId, oAuthAppDO);
+                    AppInfoCache.getInstance().addToCacheOnRead(clientId, oAuthAppDO);
                 }
             }
         }