Merge remote-tracking branch 'origin/main' into fix/fix-certificate-provisioning-failures-caused-by-acme-account-serialization-issue-and-localstack-auth-changes

Author: Hermann-Core

.env.template

@@ -23,6 +23,12 @@ APP_DATABASE__URL=postgres://postgres:postgres@db:5432/status-list
 # Redis configuration
 APP_REDIS__URI=redis://redis:6379
 APP_REDIS__REQUIRE_CLIENT_AUTH=false
+# TTL for the certificate cache in Redis. 
+# Set to 0 to disable and always fetch from S3.
+APP_REDIS__CERT_CACHE_TTL=3600
+# TTL for the Secrets Manager cache. 
+# Set to 0 to disable and always fetch from AWS API directly.
+APP_REDIS__SECRETS_CACHE_TTL=300
 
 # AWS SDK
 APP_AWS__REGION=us-east-1
@@ -31,6 +37,8 @@ AWS_ACCESS_KEY_ID=test
 AWS_SECRET_ACCESS_KEY=test
 
 # Cache configuration
+# TTL for the status list record cache. 
+# Set to 0 to disable and always fetch from the database.
 APP_CACHE__TTL=300
 APP_CACHE__MAX_CAPACITY=1000
 

src/config.rs

@@ -42,6 +42,7 @@ pub struct CertConfig {
 pub struct RedisConfig {
     pub uri: SecretString,
     pub require_client_auth: bool,
+    pub cert_cache_ttl: u64,
 }
 
 #[derive(Debug, Clone, Deserialize)]
@@ -52,6 +53,7 @@ pub struct DatabaseConfig {
 #[derive(Debug, Clone, Deserialize)]
 pub struct AwsConfig {
     pub region: String,
+    pub secrets_cache_ttl: u64,
 }
 
 #[derive(Debug, Clone, Deserialize)]
@@ -136,6 +138,8 @@ impl Config {
             )?
             .set_default("redis.uri", "redis://localhost:6379")?
             .set_default("redis.require_client_auth", false)?
+            .set_default("redis.cert_cache_ttl", 3600)? // Default 1 hour
+            .set_default("aws.secrets_cache_ttl", 300)? // Default 5 minutes
             .set_default("server.cert.email", "admin@example.com")?
             .set_default("server.cert.eku", vec![1, 3, 6, 1, 5, 5, 7, 3, 30])?
             .set_default("server.cert.organization", "adorsys GmbH & CO KG")?
@@ -225,6 +229,7 @@ mod tests {
         ("APP_SERVER__CERT__ORGANIZATION", "Test Org"),
         ("APP_SERVER__CERT__EKU", "1,3,6,1,5,5,7,3,30"),
         ("APP_AWS__REGION", "us-west-2"),
+        ("APP_AWS__SECRETS_CACHE_TTL", "600"),
         ("APP_CACHE__TTL", "600"),
         ("APP_CACHE__MAX_CAPACITY", "2000"),
     ])]

src/utils/cache.rs

@@ -5,16 +5,66 @@ use crate::models::StatusListRecord;
 
 #[derive(Clone)]
 pub struct Cache {
-    pub status_list_record_cache: MokaCache<String, StatusListRecord>,
+    inner: MokaCache<String, StatusListRecord>,
 }
 
 impl Cache {
-    pub fn new(ttl: u64, max_capacity: u64) -> Self {
-        Self {
-            status_list_record_cache: MokaCache::builder()
-                .time_to_live(Duration::from_secs(ttl))
-                .max_capacity(max_capacity)
-                .build(),
+    /// Creates a cache; TTL=0 disables it naturally.
+    pub fn new(ttl_secs: u64, max_capacity: u64) -> Self {
+        if ttl_secs == 0 {
+            tracing::info!("Cache disabled (TTL=0)");
         }
+        let inner = MokaCache::builder()
+            .time_to_live(Duration::from_secs(ttl_secs))
+            .max_capacity(max_capacity)
+            .build();
+        Self { inner }
+    }
+
+    pub async fn get(&self, key: &str) -> Option<StatusListRecord> {
+        self.inner.get(key).await
+    }
+
+    pub async fn insert(&self, key: String, value: StatusListRecord) {
+        self.inner.insert(key, value).await;
+    }
+
+    pub async fn invalidate(&self, key: &str) {
+        self.inner.invalidate(key).await;
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::models::{StatusList, StatusListRecord};
+
+    fn sample_record(id: &str) -> StatusListRecord {
+        StatusListRecord {
+            list_id: id.to_string(),
+            issuer: "issuer".to_string(),
+            sub: "sub".to_string(),
+            status_list: StatusList {
+                bits: 1,
+                lst: "test".to_string(),
+            },
+        }
+    }
+
+    #[tokio::test]
+    async fn cache_enabled_works() {
+        let cache = Cache::new(60, 10);
+        let record = sample_record("list-1");
+        cache.insert("list-1".to_string(), record.clone()).await;
+        assert!(cache.get("list-1").await.is_some());
+    }
+
+    #[tokio::test]
+    async fn cache_disabled_returns_none() {
+        let cache = Cache::new(0, 10);
+        cache
+            .insert("list-1".to_string(), sample_record("list-1"))
+            .await;
+        assert!(cache.get("list-1").await.is_none());
     }
 }

src/utils/cert_manager/storage/aws.rs

@@ -26,14 +26,17 @@ pub struct AwsSecretsManager {
 
 impl AwsSecretsManager {
     /// Create a new instance of [AwsSecretsManager] with the given AWS SDK config
-    pub async fn new(config: &SdkConfig) -> Result<Self, StorageError> {
+    pub async fn new(
+        config: &SdkConfig,
+        secrets_cache_ttl: Duration,
+    ) -> Result<Self, StorageError> {
         let client = SecretsClient::new(config);
         let asm_builder = SecretsConfig::from(config).to_builder();
-        // Cache size: 100 and a TTL of 5 minutes
+
         let cache = SecretsCacheClient::from_builder(
             asm_builder,
             NonZeroUsize::new(100).unwrap(),
-            Duration::from_secs(300),
+            secrets_cache_ttl,
             true,
         )
         .await

src/utils/cert_manager/storage/redis.rs

@@ -30,15 +30,17 @@ impl Redis {
 impl Storage for Redis {
     async fn store(&self, key: &str, value: &str) -> Result<(), StorageError> {
         let mut conn = self.conn.clone();
-        if let Some(ttl) = self.ttl {
-            let _: () = conn.set_ex(key, value, ttl).await?;
-        } else {
-            let _: () = conn.set(key, value).await?;
+        match self.ttl {
+            Some(0) => Ok(()), // Cache disabled
+            Some(v) => Ok(conn.set_ex(key, value, v).await?),
+            None => Ok(conn.set(key, value).await?),
         }
-        Ok(())
     }
 
     async fn load(&self, key: &str) -> Result<Option<String>, StorageError> {
+        if matches!(self.ttl, Some(0)) {
+            return Ok(None);
+        }
         let mut conn = self.conn.clone();
         Ok(conn.get(key).await?)
     }

src/utils/state.rs

@@ -13,7 +13,7 @@ use color_eyre::eyre::{Context, Result as EyeResult};
 use sea_orm::Database;
 use sea_orm_migration::MigratorTrait;
 use secrecy::ExposeSecret;
-use std::sync::Arc;
+use std::{sync::Arc, time::Duration};
 
 use super::{
     cache::Cache,
@@ -67,10 +67,14 @@ pub async fn build_state(config: &AppConfig) -> EyeResult<AppState> {
     };
 
     // Initialize the storage backends for the certificate manager
-    let cache = Redis::new(redis_conn.clone());
+    let cache = Redis::new(redis_conn.clone()).with_ttl(config.redis.cert_cache_ttl);
     let cert_storage =
         AwsS3::new(&aws_config, BUCKET_NAME, config.aws.region.clone()).with_cache(cache);
-    let secrets_storage = AwsSecretsManager::new(&aws_config).await?;
+    let secrets_storage = AwsSecretsManager::new(
+        &aws_config,
+        Duration::from_secs(config.aws.secrets_cache_ttl),
+    )
+    .await?;
 
     let mut certificate_manager = CertManager::new(
         [&config.server.domain],

src/web/handlers/status_list/get_status_list.rs

@@ -61,7 +61,7 @@ async fn build_status_list_token(
     state: &AppState,
 ) -> Result<impl IntoResponse + Debug, StatusListError> {
     // Check cache for status list record
-    if let Some(cached_record) = state.cache.status_list_record_cache.get(list_id).await {
+    if let Some(cached_record) = state.cache.get(list_id).await {
         tracing::info!("Cache hit for status list record: {list_id}");
         // Record is in cache, proceed with building the response
         return build_response_from_record(accept, &cached_record, state).await;
@@ -82,7 +82,6 @@ async fn build_status_list_token(
     // Store the token in the cache for future requests
     state
         .cache
-        .status_list_record_cache
         .insert(list_id.to_string(), status_record.clone())
         .await;
 

src/web/handlers/status_list/update_status.rs

@@ -77,11 +77,7 @@ pub async fn update_status(
         })?;
 
     // Invalidate cache entry to ensure next read fetches the updated record
-    appstate
-        .cache
-        .status_list_record_cache
-        .invalidate(&exact_status_list.list_id)
-        .await;
+    appstate.cache.invalidate(&exact_status_list.list_id).await;
     tracing::info!(
         "Invalidated cache for status list: {}",
         exact_status_list.list_id