traefikoidc/metadata_cache.go

package traefikoidc

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
	"sync"
	"time"
)

const (
	// metadataCacheVersion is incremented when cache format changes
	// This ensures old cached data is automatically ignored
	metadataCacheVersion = "v2"
)

// MetadataCache wraps UniversalCache for metadata operations
type MetadataCache struct {
	cache  *UniversalCache
	logger *Logger
	wg     *sync.WaitGroup
}

// versionedKey adds version prefix to cache keys
func (mc *MetadataCache) versionedKey(key string) string {
	return metadataCacheVersion + ":" + key
}

// MetadataCacheEntry for compatibility
type MetadataCacheEntry struct {
}

// NewMetadataCache creates a new metadata cache
func NewMetadataCache(wg *sync.WaitGroup) *MetadataCache {
	manager := GetUniversalCacheManager(nil)
	return &MetadataCache{
		cache:  manager.GetMetadataCache(),
		logger: manager.logger,
		wg:     wg,
	}
}

// NewMetadataCacheWithLogger creates a metadata cache with specific logger
func NewMetadataCacheWithLogger(wg *sync.WaitGroup, logger *Logger) *MetadataCache {
	manager := GetUniversalCacheManager(logger)
	return &MetadataCache{
		cache:  manager.GetMetadataCache(),
		logger: logger,
		wg:     wg,
	}
}

// Set stores provider metadata with a TTL
func (mc *MetadataCache) Set(providerURL string, metadata *ProviderMetadata, ttl time.Duration) error {
	if metadata == nil {
		return fmt.Errorf("metadata cannot be nil")
	}

	mc.logger.Debugf("MetadataCache: Setting metadata for %s with TTL %v", providerURL, ttl)

	// Store as JSON for consistency
	data, err := json.Marshal(metadata)
	if err != nil {
		return fmt.Errorf("failed to marshal metadata: %w", err)
	}

	// Use versioned key to prevent stale data issues
	return mc.cache.Set(mc.versionedKey(providerURL), data, ttl)
}

// Get retrieves provider metadata from cache
func (mc *MetadataCache) Get(providerURL string) (*ProviderMetadata, bool) {
	// Use versioned key to prevent stale data issues
	value, exists := mc.cache.Get(mc.versionedKey(providerURL))
	if !exists {
		mc.logger.Debugf("MetadataCache: MISS for %s", providerURL)
		return nil, false
	}

	// Handle different value types
	var data []byte
	switch v := value.(type) {
	case []byte:
		data = v
	case string:
		data = []byte(v)
	default:
		mc.logger.Errorf("MetadataCache: Invalid data type for %s: %T", providerURL, value)
		return nil, false
	}

	// Debug: log first 100 chars of cached data to diagnose unmarshal issues
	dataPreview := string(data)
	if len(dataPreview) > 100 {
		dataPreview = dataPreview[:100]
	}
	mc.logger.Debugf("MetadataCache: Attempting to unmarshal for %s, data preview: %s", providerURL, dataPreview)

	var metadata ProviderMetadata
	if err := json.Unmarshal(data, &metadata); err != nil {
		// Graceful degradation: corrupt data is treated as cache miss
		mc.logger.Errorf("MetadataCache: Corrupt data detected for %s: %v (preview: %s) - deleting and treating as miss", providerURL, err, dataPreview)

		// Delete corrupt entry to prevent repeated errors (use versioned key)
		mc.cache.Delete(mc.versionedKey(providerURL))

		return nil, false
	}

	mc.logger.Debugf("MetadataCache: HIT for %s", providerURL)
	return &metadata, true
}

// GetProviderMetadata fetches metadata with automatic caching
func (mc *MetadataCache) GetProviderMetadata(ctx context.Context, providerURL string, httpClient *http.Client) (*ProviderMetadata, error) {
	// Check cache first
	if metadata, exists := mc.Get(providerURL); exists {
		return metadata, nil
	}

	// Fetch from provider
	// Ensure no double slashes by trimming trailing slash from provider URL
	metadataURL := strings.TrimRight(providerURL, "/") + "/.well-known/openid-configuration"
	mc.logger.Infof("Fetching provider metadata from: %s", metadataURL)

	req, err := http.NewRequestWithContext(ctx, "GET", metadataURL, nil)
	if err != nil {
		return nil, fmt.Errorf("failed to create request: %w", err)
	}

	resp, err := httpClient.Do(req)
	if err != nil {
		return nil, fmt.Errorf("failed to fetch metadata: %w", err)
	}
	defer func() { _ = resp.Body.Close() }() // Safe to ignore: closing body on defer

	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("metadata fetch returned status %d", resp.StatusCode)
	}

	var metadata ProviderMetadata
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&metadata); err != nil {
		return nil, fmt.Errorf("failed to decode metadata: %w", err)
	}

	// Pin the advertised issuer to the configured provider host. The issuer is
	// the trust anchor for JWT issuer validation; rejecting a mismatch here
	// ensures a poisoned discovery document advertising an attacker-chosen
	// issuer is never cached or returned. Real providers (Google, Azure,
	// Keycloak, Okta, Auth0) keep the issuer on the same host as providerURL.
	if metadata.Issuer != "" && !sameHost(metadata.Issuer, providerURL) {
		return nil, fmt.Errorf("discovery issuer %q host does not match provider %q", metadata.Issuer, providerURL)
	}

	// Cache for 1 hour by default
	if err := mc.Set(providerURL, &metadata, 1*time.Hour); err != nil {
		mc.logger.Errorf("Failed to cache metadata: %v", err)
	}

	return &metadata, nil
}

// Clear removes all cached metadata
func (mc *MetadataCache) Clear() {
	mc.cache.Clear()
	mc.logger.Info("MetadataCache: Cleared all entries")
}

// Close shuts down the cache
func (mc *MetadataCache) Close() {
	// Cache is managed globally, so we don't close it here
	mc.logger.Debug("MetadataCache: Close called (managed by global cache manager)")
}

// GetMetrics returns cache metrics
func (mc *MetadataCache) GetMetrics() map[string]interface{} {
	return mc.cache.GetMetrics()
}

// Size returns the number of cached entries
func (mc *MetadataCache) Size() int {
	return mc.cache.Size()
}

// GetMetadata fetches metadata with HTTP client and logger
func (mc *MetadataCache) GetMetadata(providerURL string, httpClient *http.Client, logger *Logger) (*ProviderMetadata, error) {
	// Check cache first
	if metadata, exists := mc.Get(providerURL); exists {
		return metadata, nil
	}

	// Use context with timeout
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()

	return mc.GetProviderMetadata(ctx, providerURL, httpClient)
}

// GetMetadataWithRecovery fetches metadata with retry support for startup scenarios.
// This handles the race condition where Traefik initializes the plugin before the
// OIDC provider routes are fully established, or before TLS certificates are loaded.
// Uses aggressive retry settings (10 attempts, 1s intervals) to give the infrastructure
// time to stabilize during cold starts.
// See: https://github.com/lukaszraczylo/traefikoidc/issues/90
func (mc *MetadataCache) GetMetadataWithRecovery(providerURL string, httpClient *http.Client, logger *Logger, errorRecoveryManager *ErrorRecoveryManager) (*ProviderMetadata, error) {
	// Check cache first - if we have valid cached metadata, use it
	if metadata, exists := mc.Get(providerURL); exists {
		return metadata, nil
	}

	// Create a retry executor with metadata-fetch-specific configuration
	retryConfig := MetadataFetchRetryConfig()
	retryExecutor := NewRetryExecutor(retryConfig, logger)

	var metadata *ProviderMetadata
	var lastErr error

	// Use context with overall timeout for the entire retry sequence
	// 10 attempts * ~10s max delay = ~100s worst case, so use 2 minute timeout
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
	defer cancel()

	err := retryExecutor.ExecuteWithContext(ctx, func() error {
		// Create per-attempt context with shorter timeout
		attemptCtx, attemptCancel := context.WithTimeout(ctx, 15*time.Second)
		defer attemptCancel()

		var fetchErr error
		metadata, fetchErr = mc.GetProviderMetadata(attemptCtx, providerURL, httpClient)
		if fetchErr != nil {
			lastErr = fetchErr
			if logger != nil {
				logger.Debugf("Metadata fetch attempt failed: %v", fetchErr)
			}
			return fetchErr
		}
		return nil
	})

	if err != nil {
		// Return the last actual error, not the retry wrapper error
		if lastErr != nil {
			return nil, lastErr
		}
		return nil, err
	}

	return metadata, nil
}

// GetStats returns cache statistics for testing
func (mc *MetadataCache) GetStats() map[string]interface{} {
	return mc.cache.GetMetrics()
}

// CleanupExpired triggers cleanup of expired entries
func (mc *MetadataCache) CleanupExpired() {
	mc.cache.Cleanup()
}

// Delete removes an entry from the cache
func (mc *MetadataCache) Delete(key string) {
	mc.cache.Delete(mc.versionedKey(key))
}

// Mutex returns the cache mutex for testing
func (mc *MetadataCache) Mutex() *sync.RWMutex {
	return &mc.cache.mu
}