add cacheing for identity client + keyfetch client

Signed-off-by: Ashley Davis <ashley.davis@cyberark.com>

Author: SgtCoDFish

internal/cyberark/identity/identity.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/url"
 	"sync"
+	"time"
 
 	"k8s.io/klog/v2"
 
@@ -180,6 +181,7 @@ type Client struct {
 
 	tokenCached      token
 	tokenCachedMutex sync.Mutex
+	tokenCachedTime  time.Time
 }
 
 // token is a wrapper type for holding auth tokens we want to cache.
@@ -205,12 +207,23 @@ func New(httpClient *http.Client, baseURL string, subdomain string) *Client {
 // Tokens are cached internally and are not directly accessible to code; use Client.AuthenticateRequest to add credentials
 // to an *http.Request.
 func (c *Client) LoginUsernamePassword(ctx context.Context, username string, password []byte) error {
+	// note: we hold the mutex for the whole login attempt to ensure that only one login attempt can be in flight at once,
+	// and to ensure that the token cache is correctly updated
+	c.tokenCachedMutex.Lock()
+	defer c.tokenCachedMutex.Unlock()
+
 	defer func() {
 		for i := range password {
 			password[i] = 0x00
 		}
 	}()
 
+	if time.Since(c.tokenCachedTime) < 15*time.Minute && c.tokenCached.Username == username {
+		// If the cached token is recent and for the same username, we can reuse it.
+		klog.FromContext(ctx).V(2).Info("reusing cached token for user", "username", username)
+		return nil
+	}
+
 	advanceRequestBody, err := c.doStartAuthentication(ctx, username)
 	if err != nil {
 		return err
@@ -405,15 +418,13 @@ func (c *Client) doAdvanceAuthentication(ctx context.Context, username string, p
 
 	klog.FromContext(ctx).Info("successfully completed AdvanceAuthentication request to CyberArk Identity; login complete", "username", username)
 
-	c.tokenCachedMutex.Lock()
-
+	// NB: This assumes we already hold the token cache mutex, which we do in LoginUsernamePassword, so this is safe.
+	c.tokenCachedTime = time.Now()
 	c.tokenCached = token{
 		Username: username,
 		Token:    advanceAuthResponse.Result.Token,
 	}
 
-	c.tokenCachedMutex.Unlock()
-
 	return nil
 }
 

internal/envelope/keyfetch/client.go

@@ -8,6 +8,8 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"sync"
+	"time"
 
 	"github.com/jetstack/venafi-connection-lib/http_client"
 	"github.com/lestrrat-go/jwx/v3/jwk"
@@ -53,6 +55,10 @@ type Client struct {
 
 	// httpClient is the HTTP client used for requests
 	httpClient *http.Client
+
+	cachedKey      PublicKey
+	cachedKeyMutex sync.Mutex
+	cachedKeyTime  time.Time
 }
 
 // NewClient creates a new key fetching client.
@@ -82,6 +88,15 @@ func NewClient(ctx context.Context, discoveryClient *servicediscovery.Client, cf
 // FetchKey retrieves the public keys from the configured endpoint.
 // It returns a slice of PublicKey structs containing the key material and metadata.
 func (c *Client) FetchKey(ctx context.Context) (PublicKey, error) {
+	logger := klog.FromContext(ctx).WithName("keyfetch")
+	c.cachedKeyMutex.Lock()
+	defer c.cachedKeyMutex.Unlock()
+
+	if time.Since(c.cachedKeyTime) < 15*time.Minute {
+		klog.FromContext(ctx).WithName("keyfetch").V(2).Info("using cached key", "fetchedAt", c.cachedKeyTime.Format(time.RFC3339Nano), "kid", c.cachedKey.KeyID)
+		return c.cachedKey, nil
+	}
+
 	services, _, err := c.discoveryClient.DiscoverServices(ctx)
 	if err != nil {
 		return PublicKey{}, fmt.Errorf("failed to get services from discovery client: %w", err)
@@ -176,12 +191,17 @@ func (c *Client) FetchKey(ctx context.Context) (PublicKey, error) {
 			continue
 		}
 
-		klog.FromContext(ctx).WithName("keyfetch").Info("found valid RSA key", "kid", kid)
 		// return the first valid key we find
-		return PublicKey{
+
+		logger.Info("fetched valid RSA key", "kid", kid)
+
+		c.cachedKey = PublicKey{
 			KeyID: kid,
 			Key:   rsaKey,
-		}, nil
+		}
+		c.cachedKeyTime = time.Now()
+
+		return c.cachedKey, nil
 	}
 
 	return PublicKey{}, fmt.Errorf("no valid RSA keys found at %s", endpoint)