feat: Implementation of KMP CRL revocation factory with cache

pkg/keymanagementprovider/refresh/kubeRefresh.go

@@ -24,6 +24,7 @@ import (
 
 	re "github.com/ratify-project/ratify/errors"
 	kmp "github.com/ratify-project/ratify/pkg/keymanagementprovider"
+	nv "github.com/ratify-project/ratify/pkg/verifier/notation"
 	"github.com/sirupsen/logrus"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
@@ -35,6 +36,7 @@ type KubeRefresher struct {
 	Resource                string
 	Result                  ctrl.Result
 	Status                  kmp.KeyManagementProviderStatus
+	CRLHandler              nv.RevocationFactory
 }
 
 // Register registers the kubeRefresher factory
@@ -54,6 +56,15 @@ func (kr *KubeRefresher) Refresh(ctx context.Context) error {
 		return kmpErr
 	}
 
+	// fetch CRLs and cache them
+	crlFetcher, err := kr.CRLHandler.NewFetcher()
+	if err != nil {
+		// log error and continue
+		logger.Warnf("Unable to create CRL fetcher for key management provider %s of type %s with error: %v", kr.Resource, kr.ProviderType, err)
+	}
+	for _, cert := range certificates {
+		nv.CacheCRL(ctx, cert, crlFetcher)
+	}
 	// fetch keys and store in map
 	keys, keyAttributes, err := kr.Provider.GetKeys(ctx)
 	if err != nil {
@@ -109,5 +120,6 @@ func (kr *KubeRefresher) Create(config RefresherConfig) (Refresher, error) {
 		ProviderType:            config.ProviderType,
 		ProviderRefreshInterval: config.ProviderRefreshInterval,
 		Resource:                config.Resource,
+		CRLHandler:              nv.NewCRLHandler(),
 	}, nil
 }

pkg/keymanagementprovider/refresh/kubeRefresh_test.go

@@ -21,14 +21,19 @@ import (
 	"crypto"
 	"crypto/x509"
 	"errors"
+	"net/http"
 	"reflect"
 	"testing"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation"
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	re "github.com/ratify-project/ratify/errors"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider/config"
 	_ "github.com/ratify-project/ratify/pkg/keymanagementprovider/inline"
 	mock "github.com/ratify-project/ratify/pkg/keymanagementprovider/mocks"
+	nv "github.com/ratify-project/ratify/pkg/verifier/notation"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
@@ -41,6 +46,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 		GetCertsFunc            func(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error)
 		GetKeysFunc             func(_ context.Context) (map[keymanagementprovider.KMPMapKey]crypto.PublicKey, keymanagementprovider.KeyManagementProviderStatus, error)
 		IsRefreshableFunc       func() bool
+		NewCRLHandler           nv.RevocationFactory
 		expectedResult          ctrl.Result
 		expectedError           bool
 	}{
@@ -49,6 +55,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters: []byte(`{"contentType": "certificate", "value": "-----BEGIN CERTIFICATE-----\nMIID2jCCAsKgAwIBAgIQXy2VqtlhSkiZKAGhsnkjbDANBgkqhkiG9w0BAQsFADBvMRswGQYDVQQD\nExJyYXRpZnkuZXhhbXBsZS5jb20xDzANBgNVBAsTBk15IE9yZzETMBEGA1UEChMKTXkgQ29tcGFu\neTEQMA4GA1UEBxMHUmVkbW9uZDELMAkGA1UECBMCV0ExCzAJBgNVBAYTAlVTMB4XDTIzMDIwMTIy\nNDUwMFoXDTI0MDIwMTIyNTUwMFowbzEbMBkGA1UEAxMScmF0aWZ5LmV4YW1wbGUuY29tMQ8wDQYD\nVQQLEwZNeSBPcmcxEzARBgNVBAoTCk15IENvbXBhbnkxEDAOBgNVBAcTB1JlZG1vbmQxCzAJBgNV\nBAgTAldBMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL10bM81\npPAyuraORABsOGS8M76Bi7Guwa3JlM1g2D8CuzSfSTaaT6apy9GsccxUvXd5cmiP1ffna5z+EFmc\nizFQh2aq9kWKWXDvKFXzpQuhyqD1HeVlRlF+V0AfZPvGt3VwUUjNycoUU44ctCWmcUQP/KShZev3\n6SOsJ9q7KLjxxQLsUc4mg55eZUThu8mGB8jugtjsnLUYvIWfHhyjVpGrGVrdkDMoMn+u33scOmrt\nsBljvq9WVo4T/VrTDuiOYlAJFMUae2Ptvo0go8XTN3OjLblKeiK4C+jMn9Dk33oGIT9pmX0vrDJV\nX56w/2SejC1AxCPchHaMuhlwMpftBGkCAwEAAaNyMHAwDgYDVR0PAQH/BAQDAgeAMAkGA1UdEwQC\nMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU0eaKkZj+MS9jCp9Dg1zdv3v/aKww\nHQYDVR0OBBYEFNHmipGY/jEvYwqfQ4Nc3b97/2isMA0GCSqGSIb3DQEBCwUAA4IBAQBNDcmSBizF\nmpJlD8EgNcUCy5tz7W3+AAhEbA3vsHP4D/UyV3UgcESx+L+Nye5uDYtTVm3lQejs3erN2BjW+ds+\nXFnpU/pVimd0aYv6mJfOieRILBF4XFomjhrJOLI55oVwLN/AgX6kuC3CJY2NMyJKlTao9oZgpHhs\nLlxB/r0n9JnUoN0Gq93oc1+OLFjPI7gNuPXYOP1N46oKgEmAEmNkP1etFrEjFRgsdIFHksrmlOlD\nIed9RcQ087VLjmuymLgqMTFX34Q3j7XgN2ENwBSnkHotE9CcuGRW+NuiOeJalL8DBmFXXWwHTKLQ\nPp5g6m1yZXylLJaFLKz7tdMmO355\n-----END CERTIFICATE-----\n"}`),
 			providerType:          "inline",
 			IsRefreshableFunc:     func() bool { return false },
+			NewCRLHandler:         nv.NewCRLHandler(),
 			expectedResult:        ctrl.Result{},
 			expectedError:         false,
 		},
@@ -57,6 +64,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:            "test-kmp",
 			providerRefreshInterval: "",
+			NewCRLHandler:           nv.NewCRLHandler(),
 			IsRefreshableFunc:       func() bool { return true },
 			expectedResult:          ctrl.Result{},
 			expectedError:           false,
@@ -66,6 +74,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:            "test-kmp",
 			providerRefreshInterval: "1m",
+			NewCRLHandler:           nv.NewCRLHandler(),
 			IsRefreshableFunc:       func() bool { return true },
 			expectedResult:          ctrl.Result{RequeueAfter: time.Minute},
 			expectedError:           false,
@@ -75,6 +84,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:            "test-kmp",
 			providerRefreshInterval: "1mm",
+			NewCRLHandler:           nv.NewCRLHandler(),
 			IsRefreshableFunc:       func() bool { return true },
 			expectedResult:          ctrl.Result{},
 			expectedError:           true,
@@ -88,6 +98,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:          "test-kmp-error",
 			IsRefreshableFunc:     func() bool { return true },
+			NewCRLHandler:         nv.NewCRLHandler(),
 			expectedError:         true,
 		},
 		{
@@ -99,14 +110,29 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:          "test-kmp-error",
 			IsRefreshableFunc:     func() bool { return true },
+			NewCRLHandler:         nv.NewCRLHandler(),
 			expectedError:         true,
 		},
+		{
+			name: "Error Caching with CRL Fetcher (non-blocking)",
+			GetCertsFunc: func(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error) {
+				return map[keymanagementprovider.KMPMapKey][]*x509.Certificate{
+					{Name: "sample"}: {&x509.Certificate{}},
+				}, keymanagementprovider.KeyManagementProviderStatus{}, nil
+			},
+			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
+			providerType:            "test-kmp",
+			providerRefreshInterval: "1m",
+			IsRefreshableFunc:       func() bool { return true },
+			NewCRLHandler:           &MockCRLHandler{CacheEnabled: true, httpClient: &http.Client{}},
+			expectedResult:          ctrl.Result{RequeueAfter: time.Minute},
+			expectedError:           false,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var factory mock.TestKeyManagementProviderFactory
-
 			if tt.GetCertsFunc != nil {
 				factory = mock.TestKeyManagementProviderFactory{
 					GetCertsFunc:      tt.GetCertsFunc,
@@ -130,6 +156,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 				ProviderType:            tt.providerType,
 				ProviderRefreshInterval: tt.providerRefreshInterval,
 				Resource:                "kmpname",
+				CRLHandler:              tt.NewCRLHandler,
 			}
 
 			err := kr.Refresh(context.Background())
@@ -144,9 +171,24 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 	}
 }
 
+type MockCRLHandler struct {
+	CacheEnabled bool
+	Fetcher      corecrl.Fetcher
+	httpClient   *http.Client
+}
+
+func (h *MockCRLHandler) NewFetcher() (corecrl.Fetcher, error) {
+	return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher")
+}
+
+func (h *MockCRLHandler) NewValidator(_ revocation.Options) (revocation.Validator, error) {
+	return nil, nil
+}
+
 func TestKubeRefresher_GetResult(t *testing.T) {
 	kr := &KubeRefresher{
-		Result: ctrl.Result{RequeueAfter: time.Minute},
+		Result:     ctrl.Result{RequeueAfter: time.Minute},
+		CRLHandler: nv.NewCRLHandler(),
 	}
 
 	result := kr.GetResult()
@@ -162,6 +204,7 @@ func TestKubeRefresher_GetStatus(t *testing.T) {
 			"attribute1": "value1",
 			"attribute2": "value2",
 		},
+		CRLHandler: nv.NewCRLHandler(),
 	}
 
 	status := kr.GetStatus()
@@ -210,7 +253,7 @@ func TestKubeRefresher_Create(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			kr := &KubeRefresher{}
+			kr := &KubeRefresher{CRLHandler: nv.NewCRLHandler()}
 			refresher, err := kr.Create(tt.config)
 			if err != nil {
 				t.Fatalf("Expected no error, but got %v", err)

pkg/verifier/notation/notation.go

@@ -95,7 +95,8 @@ func init() {
 }
 
 func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.VerifierConfig, pluginDirectory string, namespace string) (verifier.ReferenceVerifier, error) {
-	logger.GetLogger(context.Background(), logOpt).Debugf("creating Notation verifier with config %v, namespace '%v'", verifierConfig, namespace)
+	ctx := context.Background()
+	logger.GetLogger(ctx, logOpt).Debugf("creating Notation verifier with config %v, namespace '%v'", verifierConfig, namespace)
 	verifierName := fmt.Sprintf("%s", verifierConfig[types.Name])
 	verifierTypeStr := ""
 	if _, ok := verifierConfig[types.Type]; ok {
@@ -105,7 +106,7 @@ func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.V
 	if err != nil {
 		return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create the Notation Verifier").WithError(err)
 	}
-	verifyService, err := getVerifierService(conf, pluginDirectory, NewRevocationFactoryImpl())
+	verifyService, err := getVerifierService(ctx, conf, pluginDirectory, NewCRLHandler())
 	if err != nil {
 		return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create the Notation Verifier").WithError(err)
 	}
@@ -177,7 +178,7 @@ func (v *notationPluginVerifier) Verify(ctx context.Context,
 	return verifier.NewVerifierResult("", v.name, v.verifierType, "Notation signature verification success", true, nil, extensions), nil
 }
 
-func getVerifierService(conf *NotationPluginVerifierConfig, pluginDirectory string, revocationFactory RevocationFactory) (notation.Verifier, error) {
+func getVerifierService(ctx context.Context, conf *NotationPluginVerifierConfig, pluginDirectory string, revocationFactory RevocationFactory) (notation.Verifier, error) {
 	store, err := newTrustStore(conf.VerificationCerts, conf.VerificationCertStores)
 	if err != nil {
 		return nil, err
@@ -190,7 +191,7 @@ func getVerifierService(conf *NotationPluginVerifierConfig, pluginDirectory stri
 	// Related File: https://github.com/notaryproject/notation/commits/main/cmd/notation/verify.go5
 	crlFetcher, err := revocationFactory.NewFetcher()
 	if err != nil {
-		return nil, err
+		logger.GetLogger(ctx, logOpt).Warnf("Unable to create CRL fetcher for notation verifier %s with error: %s", conf.Name, err)
 	}
 	revocationCodeSigningValidator, err := revocationFactory.NewValidator(revocation.Options{
 		CRLFetcher:       crlFetcher,

pkg/verifier/notation/notation_test.go

@@ -625,7 +625,7 @@ func TestGetVerifierService(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := getVerifierService(tt.conf, tt.pluginDir, tt.RevocationFactory)
+			_, err := getVerifierService(context.Background(), tt.conf, tt.pluginDir, tt.RevocationFactory)
 			if (err != nil) != tt.expectErr {
 				t.Errorf("error = %v, expectErr = %v", err, tt.expectErr)
 			}

pkg/verifier/notation/notationrevocationfactory.go

@@ -15,49 +15,63 @@ package notation
 
 import (
 	"net/http"
+	"sync"
 
 	"github.com/notaryproject/notation-core-go/revocation"
 	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
 	"github.com/notaryproject/notation-go/dir"
-	"github.com/notaryproject/notation-go/verifier/crl"
+	re "github.com/ratify-project/ratify/errors"
 )
 
-type RevocationFactoryImpl struct {
-	cacheRoot  string
-	httpClient *http.Client
+type CRLHandler struct {
+	CacheEnabled bool
+	Fetcher      corecrl.Fetcher
+	httpClient   *http.Client
 }
 
-// NewRevocationFactoryImpl returns a new NewRevocationFactoryImpl instance
-func NewRevocationFactoryImpl() RevocationFactory {
-	return &RevocationFactoryImpl{
-		cacheRoot:  dir.PathCRLCache,
-		httpClient: &http.Client{},
-	}
+var fetcherOnce sync.Once
+
+// NewCRLHandler returns a new NewCRLHandler instance. Enable cache by default.
+func NewCRLHandler() RevocationFactory {
+	return &CRLHandler{CacheEnabled: true, httpClient: &http.Client{}}
 }
 
-// NewFetcher returns a new fetcher instance
-func (f *RevocationFactoryImpl) NewFetcher() (corecrl.Fetcher, error) {
-	crlFetcher, err := corecrl.NewHTTPFetcher(f.httpClient)
+// NewFetcher creates a new instance of a Fetcher if it doesn't already exist.
+// If a Fetcher instance is already present, it returns the existing instance.
+// The method also configures the cache for the Fetcher.
+// Returns an instance of corecrl.Fetcher or an error if the Fetcher creation fails.
+func (h *CRLHandler) NewFetcher() (corecrl.Fetcher, error) {
+	var err error
+	fetcherOnce.Do(func() {
+		h.Fetcher, err = CreateCRLFetcher(h.httpClient, dir.PathCRLCache)
+		if err == nil {
+			h.configureCache()
+		}
+	})
 	if err != nil {
 		return nil, err
 	}
-	crlFetcher.Cache, err = newFileCache(f.cacheRoot)
-	if err != nil {
-		return nil, err
+	// Check if the fetcher is nil, return an error if it is.
+	// one possible edge case is that an error happened in the first call,
+	// the following calls will not get the error since the sync.Once block will be skipped.
+	if h.Fetcher == nil {
+		return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher")
 	}
-	return crlFetcher, nil
+	return h.Fetcher, nil
 }
 
 // NewValidator returns a new validator instance
-func (f *RevocationFactoryImpl) NewValidator(opts revocation.Options) (revocation.Validator, error) {
+func (h *CRLHandler) NewValidator(opts revocation.Options) (revocation.Validator, error) {
 	return revocation.NewWithOptions(opts)
 }
 
-// newFileCache returns a new file cache instance
-func newFileCache(root string) (*crl.FileCache, error) {
-	cacheRoot, err := dir.CacheFS().SysPath(root)
-	if err != nil {
-		return nil, err
+// configureCache disables the cache for the HTTPFetcher if caching is not enabled.
+// If the EnableCache field is set to false, this method sets the Cache field of the
+// HTTPFetcher to nil, effectively disabling caching for HTTP fetch operations.
+func (h *CRLHandler) configureCache() {
+	if !h.CacheEnabled {
+		if httpFetcher, ok := h.Fetcher.(*corecrl.HTTPFetcher); ok {
+			httpFetcher.Cache = nil
+		}
 	}
-	return crl.NewFileCache(cacheRoot)
 }