Add caching for JWT tokens (#151)

* Add caching for JWT tokens

* code style

* Add tests

* refresh token 5 minutes early

Author: igorbernstein2

oauth2_http/java/com/google/auth/oauth2/ServiceAccountJwtAccessCredentials.java

@@ -47,6 +47,12 @@
 import com.google.common.annotations.VisibleForTesting;
 import com.google.common.base.MoreObjects;
 
+import com.google.common.base.Throwables;
+import com.google.common.base.Ticker;
+import com.google.common.cache.CacheBuilder;
+import com.google.common.cache.CacheLoader;
+import com.google.common.cache.LoadingCache;
+import com.google.common.util.concurrent.UncheckedExecutionException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
@@ -61,7 +67,9 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
+import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Executor;
+import java.util.concurrent.TimeUnit;
 
 /**
  * Service Account credentials for calling Google APIs using a JWT directly for access.
@@ -73,12 +81,16 @@ public class ServiceAccountJwtAccessCredentials extends Credentials
 
   private static final long serialVersionUID = -7274955171379494197L;
   static final String JWT_ACCESS_PREFIX = OAuth2Utils.BEARER_PREFIX;
+  @VisibleForTesting
+  static final long LIFE_SPAN_SECS = TimeUnit.HOURS.toSeconds(1);
 
   private final String clientId;
   private final String clientEmail;
   private final PrivateKey privateKey;
   private final String privateKeyId;
   private final URI defaultAudience;
+  private transient LoadingCache<URI, String> tokenCache;
+
 
   // Until we expose this to the users it can remain transient and non-serializable
   @VisibleForTesting
@@ -119,6 +131,7 @@ public ServiceAccountJwtAccessCredentials(String clientId, String clientEmail,
     this.privateKey = Preconditions.checkNotNull(privateKey);
     this.privateKeyId = privateKeyId;
     this.defaultAudience = defaultAudience;
+    this.tokenCache = createCache();
   }
 
   /**
@@ -228,6 +241,28 @@ public static ServiceAccountJwtAccessCredentials fromStream(InputStream credenti
             + " Expecting '%s'.", fileType, SERVICE_ACCOUNT_FILE_TYPE));
   }
 
+  private LoadingCache<URI, String> createCache() {
+    return CacheBuilder.newBuilder()
+        .maximumSize(100)
+        .expireAfterWrite(LIFE_SPAN_SECS - 300, TimeUnit.SECONDS)
+        .ticker(
+            new Ticker() {
+              @Override
+              public long read() {
+                return TimeUnit.MILLISECONDS.toNanos(clock.currentTimeMillis());
+              }
+            }
+        )
+        .build(
+            new CacheLoader<URI, String>() {
+              @Override
+              public String load(URI key) throws Exception {
+                return generateJwtAccess(key);
+              }
+            }
+        );
+  }
+
   @Override
   public String getAuthenticationType() {
     return "JWTAccess";
@@ -275,10 +310,25 @@ public Map<String, List<String>> getRequestMetadata(URI uri) throws IOException
    */
   @Override
   public void refresh() {
+    tokenCache.invalidateAll();
   }
 
   private String getJwtAccess(URI uri) throws IOException {
+    try {
+      return tokenCache.get(uri);
+    } catch (ExecutionException e) {
+      Throwables.propagateIfPossible(e.getCause(), IOException.class);
+      // Should never happen
+      throw new IllegalStateException("generateJwtAccess threw an unexpected checked exception", e.getCause());
+
+    } catch (UncheckedExecutionException e) {
+      Throwables.propagateIfPossible(e);
+      // Should never happen
+      throw new IllegalStateException("generateJwtAccess threw an unchecked exception that couldn't be rethrown", e);
+    }
+  }
 
+  private String generateJwtAccess(URI uri) throws IOException {
     JsonWebSignature.Header header = new JsonWebSignature.Header();
     header.setAlgorithm("RS256");
     header.setType("JWT");
@@ -291,7 +341,7 @@ private String getJwtAccess(URI uri) throws IOException {
     payload.setSubject(clientEmail);
     payload.setAudience(uri.toString());
     payload.setIssuedAtTimeSeconds(currentTime / 1000);
-    payload.setExpirationTimeSeconds(currentTime / 1000 + 3600);
+    payload.setExpirationTimeSeconds(currentTime / 1000 + LIFE_SPAN_SECS);
 
     JsonFactory jsonFactory = OAuth2Utils.JSON_FACTORY;
 
@@ -369,6 +419,7 @@ public boolean equals(Object obj) {
   private void readObject(ObjectInputStream input) throws IOException, ClassNotFoundException {
     input.defaultReadObject();
     clock = Clock.SYSTEM;
+    tokenCache = createCache();
   }
 
   public static Builder newBuilder() {

oauth2_http/javatests/com/google/auth/oauth2/ServiceAccountJwtAccessCredentialsTest.java

@@ -34,6 +34,7 @@
 import static org.junit.Assert.assertArrayEquals;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertSame;
@@ -45,6 +46,7 @@
 import com.google.api.client.json.webtoken.JsonWebSignature;
 import com.google.api.client.util.Clock;
 import com.google.auth.Credentials;
+import com.google.auth.TestClock;
 import com.google.auth.http.AuthHttpConstants;
 import com.google.auth.oauth2.GoogleCredentialsTest.MockHttpTransportFactory;
 
@@ -62,6 +64,7 @@
 import java.security.SignatureException;
 import java.util.List;
 import java.util.Map;
+import java.util.concurrent.TimeUnit;
 
 /**
  * Test case for {@link ServiceAccountCredentials}.
@@ -224,6 +227,54 @@ public void getRequestMetadata_blocking_noURI_throws() throws IOException {
     }
   }
 
+  @Test
+  public void getRequestMetadata_blocking_cached() throws IOException {
+    TestClock testClock = new TestClock();
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
+    ServiceAccountJwtAccessCredentials credentials = ServiceAccountJwtAccessCredentials.newBuilder()
+        .setClientId(SA_CLIENT_ID)
+        .setClientEmail(SA_CLIENT_EMAIL)
+        .setPrivateKey(privateKey)
+        .setPrivateKeyId(SA_PRIVATE_KEY_ID)
+        .build();
+    credentials.clock = testClock;
+
+    Map<String, List<String>> metadata1 = credentials.getRequestMetadata(CALL_URI);
+
+    // Fast forward time a little
+    long lifeSpanMs = TimeUnit.SECONDS.toMillis(10);
+    testClock.setCurrentTime(lifeSpanMs);
+
+    Map<String, List<String>> metadata2 = credentials.getRequestMetadata(CALL_URI);
+
+    assertEquals(metadata1, metadata2);
+  }
+
+  @Test
+  public void getRequestMetadata_blocking_cache_expired() throws IOException {
+    TestClock testClock = new TestClock();
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
+    ServiceAccountJwtAccessCredentials credentials = ServiceAccountJwtAccessCredentials.newBuilder()
+        .setClientId(SA_CLIENT_ID)
+        .setClientEmail(SA_CLIENT_EMAIL)
+        .setPrivateKey(privateKey)
+        .setPrivateKeyId(SA_PRIVATE_KEY_ID)
+        .build();
+    credentials.clock = testClock;
+
+    Map<String, List<String>> metadata1 = credentials.getRequestMetadata(CALL_URI);
+
+    // Fast forward time past the expiration
+    long lifeSpanMs = TimeUnit.SECONDS.toMillis(ServiceAccountJwtAccessCredentials.LIFE_SPAN_SECS);
+    testClock.setCurrentTime(lifeSpanMs);
+
+    Map<String, List<String>> metadata2 = credentials.getRequestMetadata(CALL_URI);
+
+    assertNotEquals(metadata1, metadata2);
+  }
+
   @Test
   public void getRequestMetadata_async_hasJwtAccess() throws IOException {
     PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
@@ -278,6 +329,60 @@ public void getRequestMetadata_async_noURI_exception() throws IOException {
     assertNotNull(callback.exception);
   }
 
+  @Test
+  public void getRequestMetadata_async_cache_expired() throws IOException {
+    TestClock testClock = new TestClock();
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
+    ServiceAccountJwtAccessCredentials credentials = ServiceAccountJwtAccessCredentials.newBuilder()
+        .setClientId(SA_CLIENT_ID)
+        .setClientEmail(SA_CLIENT_EMAIL)
+        .setPrivateKey(privateKey)
+        .setPrivateKeyId(SA_PRIVATE_KEY_ID)
+        .build();
+    credentials.clock = testClock;
+    MockExecutor executor = new MockExecutor();
+
+    MockRequestMetadataCallback callback1 = new MockRequestMetadataCallback();
+    credentials.getRequestMetadata(CALL_URI, executor, callback1);
+
+    // Fast forward time past the expiration
+    long lifeSpanMs = TimeUnit.SECONDS.toMillis(ServiceAccountJwtAccessCredentials.LIFE_SPAN_SECS);
+    testClock.setCurrentTime(lifeSpanMs);
+
+    MockRequestMetadataCallback callback2 = new MockRequestMetadataCallback();
+    credentials.getRequestMetadata(CALL_URI, executor, callback2);
+
+    assertNotEquals(callback1.metadata, callback2.metadata);
+  }
+
+  @Test
+  public void getRequestMetadata_async_cached() throws IOException {
+    TestClock testClock = new TestClock();
+
+    PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
+    ServiceAccountJwtAccessCredentials credentials = ServiceAccountJwtAccessCredentials.newBuilder()
+        .setClientId(SA_CLIENT_ID)
+        .setClientEmail(SA_CLIENT_EMAIL)
+        .setPrivateKey(privateKey)
+        .setPrivateKeyId(SA_PRIVATE_KEY_ID)
+        .build();
+    credentials.clock = testClock;
+    MockExecutor executor = new MockExecutor();
+
+    MockRequestMetadataCallback callback1 = new MockRequestMetadataCallback();
+    credentials.getRequestMetadata(CALL_URI, executor, callback1);
+
+    // Fast forward time a little
+    long lifeSpanMs = TimeUnit.SECONDS.toMillis(10);
+    testClock.setCurrentTime(lifeSpanMs);
+
+    MockRequestMetadataCallback callback2 = new MockRequestMetadataCallback();
+    credentials.getRequestMetadata(CALL_URI, executor, callback2);
+
+    assertEquals(callback1.metadata, callback2.metadata);
+  }
+
   @Test
   public void getAccount_sameAs() throws IOException {
     PrivateKey privateKey = ServiceAccountCredentials.privateKeyFromPkcs8(SA_PRIVATE_KEY_PKCS8);
@@ -466,6 +571,7 @@ public void serialize() throws IOException, ClassNotFoundException {
         .build();
     ServiceAccountJwtAccessCredentials deserializedCredentials =
         serializeAndDeserialize(credentials);
+    verifyJwtAccess(deserializedCredentials.getRequestMetadata(), SA_CLIENT_EMAIL, CALL_URI, SA_PRIVATE_KEY_ID);
     assertEquals(credentials, deserializedCredentials);
     assertEquals(credentials.hashCode(), deserializedCredentials.hashCode());
     assertEquals(credentials.toString(), deserializedCredentials.toString());

pom.xml

@@ -46,7 +46,7 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <java.version>1.6</java.version>
     <project.google.http.version>1.19.0</project.google.http.version>
-    <project.junit.version>4.8.2</project.junit.version>
+    <project.junit.version>4.12</project.junit.version>
     <project.guava.version>19.0</project.guava.version>
     <project.appengine.version>1.9.34</project.appengine.version>
   </properties>