SNOW-2117143 CRL caching (#2294)

Author: sfc-gh-rkowalski

src/main/java/net/snowflake/client/core/crl/CRLCache.java

@@ -0,0 +1,9 @@
+package net.snowflake.client.core.crl;
+
+interface CRLCache {
+  CRLCacheEntry get(String crlUrl);
+
+  void put(String crlUrl, CRLCacheEntry entry);
+
+  void cleanup();
+}

src/main/java/net/snowflake/client/core/crl/CRLCacheEntry.java

@@ -0,0 +1,37 @@
+package net.snowflake.client.core.crl;
+
+import java.security.cert.X509CRL;
+import java.time.Duration;
+import java.time.Instant;
+
+class CRLCacheEntry {
+  private final X509CRL crl;
+  private final Instant downloadTime;
+
+  CRLCacheEntry(X509CRL crl, Instant downloadTime) {
+    if (crl == null) {
+      throw new IllegalArgumentException("CRL cannot be null");
+    }
+    if (downloadTime == null) {
+      throw new IllegalArgumentException("Download time cannot be null");
+    }
+    this.crl = crl;
+    this.downloadTime = downloadTime;
+  }
+
+  X509CRL getCrl() {
+    return crl;
+  }
+
+  Instant getDownloadTime() {
+    return downloadTime;
+  }
+
+  boolean isCrlExpired(Instant time) {
+    return crl.getNextUpdate() != null && crl.getNextUpdate().toInstant().isBefore(time);
+  }
+
+  boolean isEvicted(Instant time, Duration cacheValidityTime) {
+    return downloadTime.plus(cacheValidityTime).isBefore(time);
+  }
+}

src/main/java/net/snowflake/client/core/crl/CRLCacheManager.java

@@ -0,0 +1,111 @@
+package net.snowflake.client.core.crl;
+
+import java.security.cert.X509CRL;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.concurrent.Executors;
+import java.util.concurrent.ScheduledExecutorService;
+import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.TimeUnit;
+import net.snowflake.client.jdbc.SnowflakeSQLLoggedException;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
+
+/**
+ * Cache manager that coordinates between in-memory and file-based CRL caches. Provides automatic
+ * cleanup of expired entries and proper lifecycle management.
+ */
+class CRLCacheManager {
+
+  private static final SFLogger logger = SFLoggerFactory.getLogger(CRLCacheManager.class);
+
+  private final CRLCache memoryCache;
+  private final CRLCache fileCache;
+  private final ScheduledExecutorService cleanupScheduler;
+  private final Runnable cleanupTask;
+  private final long cleanupIntervalInMs;
+
+  CRLCacheManager(CRLCache memoryCache, CRLCache fileCache, Duration cleanupInterval) {
+    this.memoryCache = memoryCache;
+    this.fileCache = fileCache;
+    this.cleanupIntervalInMs = cleanupInterval.toMillis();
+
+    this.cleanupTask =
+        () -> {
+          try {
+            logger.debug(
+                "Running periodic CRL cache cleanup with interval {} seconds",
+                cleanupIntervalInMs / 1000.0);
+            memoryCache.cleanup();
+            fileCache.cleanup();
+          } catch (Exception e) {
+            logger.error("An error occurred during scheduled CRL cache cleanup.", e);
+          }
+        };
+    ThreadFactory threadFactory =
+        r -> {
+          Thread t = new Thread(r, "crl-cache-cleanup");
+          t.setDaemon(true); // Don't prevent JVM shutdown
+          return t;
+        };
+    this.cleanupScheduler = Executors.newSingleThreadScheduledExecutor(threadFactory);
+  }
+
+  static CRLCacheManager fromConfig(CRLValidationConfig config) throws SnowflakeSQLLoggedException {
+    CRLCache memoryCache;
+    if (config.isInMemoryCacheEnabled()) {
+      logger.debug("Enabling in-memory CRL cache");
+      memoryCache = new CRLInMemoryCache(config.getCacheValidityTime());
+    } else {
+      logger.debug("In-memory CRL cache disabled");
+      memoryCache = NoopCRLCache.INSTANCE;
+    }
+
+    CRLCache fileCache;
+    if (config.isOnDiskCacheEnabled()) {
+      logger.debug("Enabling file based CRL cache");
+      fileCache = new CRLFileCache(config.getOnDiskCacheDir(), config.getOnDiskCacheRemovalDelay());
+    } else {
+      logger.debug("File based CRL cache disabled");
+      fileCache = NoopCRLCache.INSTANCE;
+    }
+
+    CRLCacheManager manager =
+        new CRLCacheManager(memoryCache, fileCache, config.getOnDiskCacheRemovalDelay());
+    if (config.isInMemoryCacheEnabled() || config.isOnDiskCacheEnabled()) {
+      manager.startPeriodicCleanup();
+    }
+    return manager;
+  }
+
+  CRLCacheEntry get(String crlUrl) {
+    CRLCacheEntry entry = memoryCache.get(crlUrl);
+    if (entry != null) {
+      return entry;
+    }
+
+    entry = fileCache.get(crlUrl);
+    if (entry != null) {
+      // Promote to memory cache
+      memoryCache.put(crlUrl, entry);
+      return entry;
+    }
+
+    logger.debug("CRL not found in cache for {}", crlUrl);
+    return null;
+  }
+
+  void put(String crlUrl, X509CRL crl, Instant downloadTime) {
+    CRLCacheEntry entry = new CRLCacheEntry(crl, downloadTime);
+    memoryCache.put(crlUrl, entry);
+    fileCache.put(crlUrl, entry);
+  }
+
+  private void startPeriodicCleanup() {
+    cleanupScheduler.scheduleAtFixedRate(
+        cleanupTask, cleanupIntervalInMs, cleanupIntervalInMs, TimeUnit.MILLISECONDS);
+
+    logger.debug(
+        "Scheduled CRL cache cleanup task to run every {} seconds.", cleanupIntervalInMs / 1000.0);
+  }
+}

src/main/java/net/snowflake/client/core/crl/CRLFileCache.java

@@ -0,0 +1,178 @@
+package net.snowflake.client.core.crl;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.StandardOpenOption;
+import java.nio.file.attribute.BasicFileAttributes;
+import java.nio.file.attribute.FileTime;
+import java.nio.file.attribute.PosixFilePermissions;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509CRL;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.concurrent.locks.Lock;
+import java.util.concurrent.locks.ReentrantLock;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import net.snowflake.client.core.Constants;
+import net.snowflake.client.jdbc.SnowflakeSQLLoggedException;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
+import net.snowflake.common.core.SqlState;
+
+class CRLFileCache implements CRLCache {
+
+  private static final SFLogger logger = SFLoggerFactory.getLogger(CRLFileCache.class);
+
+  private final Path cacheDir;
+  private final Duration removalDelay;
+  private final Lock cacheLock = new ReentrantLock();
+
+  CRLFileCache(Path cacheDir, Duration removalDelay) throws SnowflakeSQLLoggedException {
+    this.cacheDir = cacheDir;
+    this.removalDelay = removalDelay;
+
+    ensureCacheDirectoryExists(cacheDir);
+  }
+
+  public CRLCacheEntry get(String crlUrl) {
+    try {
+      cacheLock.lock();
+      Path crlFilePath = getCrlFilePath(crlUrl);
+      if (Files.exists(crlFilePath)) {
+        logger.debug("Found CRL on disk for {}", crlFilePath);
+
+        BasicFileAttributes attrs = Files.readAttributes(crlFilePath, BasicFileAttributes.class);
+        Instant downloadTime = attrs.lastModifiedTime().toInstant();
+
+        CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+        try (InputStream crlBytes = Files.newInputStream(crlFilePath)) {
+          X509CRL crl = (X509CRL) certFactory.generateCRL(crlBytes);
+          return new CRLCacheEntry(crl, downloadTime);
+        }
+      }
+    } catch (Exception e) {
+      logger.warn("Failed to read CRL from disk cache for {}: {}", crlUrl, e.getMessage());
+    } finally {
+      cacheLock.unlock();
+    }
+
+    return null;
+  }
+
+  public void put(String crlUrl, CRLCacheEntry entry) {
+    try {
+      cacheLock.lock();
+      Path crlFilePath = getCrlFilePath(crlUrl);
+
+      Files.write(
+          crlFilePath,
+          entry.getCrl().getEncoded(),
+          StandardOpenOption.CREATE,
+          StandardOpenOption.WRITE,
+          StandardOpenOption.TRUNCATE_EXISTING);
+
+      Files.setLastModifiedTime(crlFilePath, FileTime.from(entry.getDownloadTime()));
+
+      if (Constants.getOS() != Constants.OS.WINDOWS) {
+        Files.setPosixFilePermissions(crlFilePath, PosixFilePermissions.fromString("rw-------"));
+      }
+
+      logger.debug("Updated disk cache for {}", crlUrl);
+    } catch (Exception e) {
+      logger.warn("Failed to write CRL to disk cache for {}: {}", crlUrl, e.getMessage());
+    } finally {
+      cacheLock.unlock();
+    }
+  }
+
+  public void cleanup() {
+    Instant now = Instant.now();
+    logger.debug("Cleaning up on-disk CRL cache at {}", now);
+
+    try {
+      if (!Files.exists(cacheDir)) {
+        return;
+      }
+
+      int removedCount = 0;
+      try (Stream<Path> files = Files.list(cacheDir)) {
+        cacheLock.lock();
+        for (Path filePath : files.filter(Files::isRegularFile).collect(Collectors.toList())) {
+          try {
+            try (InputStream crlBytes = Files.newInputStream(filePath)) {
+              CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
+              X509CRL crl = (X509CRL) certFactory.generateCRL(crlBytes);
+              CRLCacheEntry entry =
+                  new CRLCacheEntry(crl, Files.getLastModifiedTime(filePath).toInstant());
+
+              boolean expired = entry.isCrlExpired(now);
+              boolean evicted = entry.isEvicted(now, removalDelay);
+              if (expired || evicted) {
+                Files.delete(filePath);
+                removedCount++;
+                logger.debug(
+                    "Removing file based CRL cache entry for {}: expired={}, evicted={}",
+                    filePath,
+                    expired,
+                    evicted);
+              }
+            }
+          } catch (IOException | CRLException | CertificateException e) {
+            // If we can't parse the file, it's probably corrupted - remove it
+            try {
+              Files.delete(filePath);
+              removedCount++;
+            } catch (IOException deleteError) {
+              logger.warn(
+                  "Failed to delete corrupted CRL file {}: {}", filePath, deleteError.getMessage());
+            }
+          }
+        }
+      } finally {
+        cacheLock.unlock();
+      }
+
+      if (removedCount > 0) {
+        logger.debug("Removed {} expired/corrupted files from disk CRL cache", removedCount);
+      }
+    } catch (Exception e) {
+      logger.warn("Failed to cleanup disk CRL cache: {}", e.getMessage());
+    }
+  }
+
+  private Path getCrlFilePath(String crlUrl) throws UnsupportedEncodingException {
+    String encodedUrl = URLEncoder.encode(crlUrl, StandardCharsets.UTF_8.toString());
+    return cacheDir.resolve(encodedUrl);
+  }
+
+  private static boolean ownerOnlyPermissions(Path cacheDir) throws IOException {
+    return Files.getPosixFilePermissions(cacheDir)
+        .equals(PosixFilePermissions.fromString("rwx------"));
+  }
+
+  private static void ensureCacheDirectoryExists(Path cacheDir) throws SnowflakeSQLLoggedException {
+    try {
+      boolean exists = Files.exists(cacheDir);
+      if (!exists) {
+        Files.createDirectories(cacheDir);
+        logger.debug("Initialized CRL cache directory: {}", cacheDir);
+      }
+
+      if (Constants.getOS() != Constants.OS.WINDOWS && !ownerOnlyPermissions(cacheDir)) {
+        Files.setPosixFilePermissions(cacheDir, PosixFilePermissions.fromString("rwx------"));
+        logger.debug("Set CRL cache directory permissions to 'rwx------");
+      }
+    } catch (Exception e) {
+      throw new SnowflakeSQLLoggedException(
+          null, null, SqlState.INTERNAL_ERROR, "Failed to create CRL cache directory", e);
+    }
+  }
+}

src/main/java/net/snowflake/client/core/crl/CRLInMemoryCache.java

@@ -0,0 +1,56 @@
+package net.snowflake.client.core.crl;
+
+import java.time.Duration;
+import java.time.Instant;
+import java.util.concurrent.ConcurrentHashMap;
+import net.snowflake.client.log.SFLogger;
+import net.snowflake.client.log.SFLoggerFactory;
+
+class CRLInMemoryCache implements CRLCache {
+
+  private static final SFLogger logger = SFLoggerFactory.getLogger(CRLInMemoryCache.class);
+  private final ConcurrentHashMap<String, CRLCacheEntry> cache = new ConcurrentHashMap<>();
+  private final Duration cacheValidityTime;
+
+  CRLInMemoryCache(Duration cacheValidityTime) {
+    this.cacheValidityTime = cacheValidityTime;
+  }
+
+  public CRLCacheEntry get(String crlUrl) {
+    CRLCacheEntry entry = cache.get(crlUrl);
+    if (entry != null) {
+      logger.debug("Found CRL in memory cache for {}", crlUrl);
+    }
+    return entry;
+  }
+
+  public void put(String crlUrl, CRLCacheEntry entry) {
+    cache.put(crlUrl, entry);
+  }
+
+  public void cleanup() {
+    Instant now = Instant.now();
+    logger.debug("Cleaning up in-memory CRL cache at {}", now);
+
+    int initialSize = cache.size();
+    cache
+        .entrySet()
+        .removeIf(
+            entry -> {
+              CRLCacheEntry cacheEntry = entry.getValue();
+              boolean expired = cacheEntry.isCrlExpired(now);
+              boolean evicted = cacheEntry.isEvicted(now, cacheValidityTime);
+              logger.debug(
+                  "Removing in-memory CRL cache entry for {}: expired={}, evicted={}",
+                  entry.getKey(),
+                  expired,
+                  evicted);
+              return expired || evicted;
+            });
+
+    int removedCount = initialSize - cache.size();
+    if (removedCount > 0) {
+      logger.debug("Removed {} expired/evicted entries from in-memory CRL cache", removedCount);
+    }
+  }
+}