zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-05-28 07:02:00 +02:00
Code Issues Projects Releases Packages Wiki Activity

Refactor TmchCertificateAuthority

Browse source 
The main goal of this CL is to make the clock constructor injectable (so that tests do not need to use InjectRule to override the clock). The complication is that the clock is used by two static caches (ROOT_CACHE directly and CRL_CACHE indirectly). The clock is not actually used to construct the lock, but rather to verify that the root certificate is within its validity period.

For ROOT_CACHE we move the verification to its call sites. This adds a bit overhead because the validity check happens every time the cache is called, not just when the cache is built or refreshed. However this check is rather cheap.  Also the resources are included in the jar and the cache is valid for 1 year. Given that we deploy every week, there's not much point making it an expiring cache rather than a static map.

For CRL_CACHE we change the key to a tuple of TmchCaMode and X509Certificate. The certificate is no longer provided from the ROOT_CACHE directly and must be verified before it is provided as a cache key. We left the CRL verification inside the cache loader because it (signature verification) is more expensive compared to simple expiration check, and we do not want to do this every time the cache is called.

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=218385684
This commit is contained in:
jianglai 2018-10-23 12:20:31 -07:00
parent 589e98a1db
commit 57d95d4bec
10 changed files with 65 additions and 79 deletions
Download patch file Download diff file Expand all files Collapse all files

4
javatests/google/registry/flows/FlowTestCase.java
View file

@ -110,8 +110,6 @@ public abstract class FlowTestCase<F extends Flow> extends ShardableTestCase {
ofy().saveWithoutBackup().entity(new ClaimsListSingleton()).now();
// For transactional flows
inject.setStaticField(Ofy.class, "clock", clock);
// For SignedMark signature validity
inject.setStaticField(TmchCertificateAuthority.class, "clock", clock);
}
protected void removeServiceExtensionUri(String uri) {
@ -286,7 +284,7 @@ public abstract class FlowTestCase<F extends Flow> extends ShardableTestCase {
TmchXmlSignature tmchXmlSignature =
testTmchXmlSignature != null
? testTmchXmlSignature
: new TmchXmlSignature(new TmchCertificateAuthority(tmchCaMode));
: new TmchXmlSignature(new TmchCertificateAuthority(tmchCaMode, clock));
return DaggerEppTestComponent.builder()
.fakesAndMocksModule(FakesAndMocksModule.create(clock, eppMetricBuilder, tmchXmlSignature))
.build()