fix: validate tenantUrl, derive cache TTL from JWT exp, dedupe tests

- Validate tenantUrl is a bare hostname (reject scheme/port/path/whitespace)
  so users get a clear error instead of an opaque gRPC connect failure
- Drive cached-token TTL from the JWT exp claim instead of a fixed 3600s
  default, with safe fallback when the JWT can't be parsed
- Drop the brittle reflection-based test that forced an unreachable rebuild
  failure; replace with focused secondsUntilJwtExpiry unit tests
- Collapse the duplicate TokenProcessorSupplier delegation test that
  re-exercised JWT parsing already covered in DirectCdpTokenProcessorTest
- Generate JWTs dynamically in tests so exp stays in the future

Author: KaviarasuSakthivadivel

jdbc-http/src/main/java/com/salesforce/datacloud/jdbc/auth/DirectCdpTokenProcessor.java

@@ -7,8 +7,12 @@
 import static com.salesforce.datacloud.jdbc.util.PropertyParsingUtils.takeOptional;
 import static com.salesforce.datacloud.jdbc.util.PropertyParsingUtils.takeRequired;
 
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import com.salesforce.datacloud.jdbc.auth.model.DataCloudTokenResponse;
 import java.sql.SQLException;
+import java.time.Instant;
+import java.util.Base64;
 import java.util.Optional;
 import java.util.Properties;
 import lombok.extern.slf4j.Slf4j;
@@ -18,7 +22,8 @@ public class DirectCdpTokenProcessor {
     static final String CDP_TOKEN_KEY = "cdpToken";
     static final String TENANT_URL_KEY = "tenantUrl";
     static final String DATASPACE_KEY = "dataspace";
-    static final int DEFAULT_EXPIRES_IN = 3600;
+    static final int FALLBACK_EXPIRES_IN_SECONDS = 3600;
+    private static final ObjectMapper JSON = new ObjectMapper();
 
     private final String cdpToken;
     private final String tenantUrl;
@@ -38,7 +43,7 @@ public static boolean hasCdpToken(Properties properties) {
     public static DirectCdpTokenProcessor ofDestructive(Properties properties) throws SQLException {
         try {
             String cdpToken = takeRequired(properties, CDP_TOKEN_KEY);
-            String tenantUrl = takeRequired(properties, TENANT_URL_KEY);
+            String tenantUrl = validateTenantHost(takeRequired(properties, TENANT_URL_KEY));
             String dataspace = takeOptional(properties, DATASPACE_KEY).orElse(null);
             DirectCdpTokenProcessor processor = new DirectCdpTokenProcessor(cdpToken, tenantUrl, dataspace);
             processor.validateToken();
@@ -48,6 +53,24 @@ public static DirectCdpTokenProcessor ofDestructive(Properties properties) throw
         }
     }
 
+    /**
+     * tenantUrl must be a bare hostname — gRPC's {@code ManagedChannelBuilder.forAddress} requires it.
+     * Reject schemes, ports, paths, and whitespace so users get a clear error rather than a confusing
+     * connection failure later.
+     */
+    static String validateTenantHost(String tenantUrl) {
+        if (tenantUrl.contains("://") || tenantUrl.contains("/") || tenantUrl.contains(":")) {
+            throw new IllegalArgumentException(
+                    "tenantUrl must be a bare hostname (e.g. 'tenant.c360a.salesforce.com'), got: '" + tenantUrl + "'");
+        }
+        String trimmed = tenantUrl.trim();
+        if (trimmed.isEmpty() || trimmed.length() != tenantUrl.length()) {
+            throw new IllegalArgumentException(
+                    "tenantUrl must be a non-empty hostname with no whitespace, got: '" + tenantUrl + "'");
+        }
+        return trimmed;
+    }
+
     private void validateToken() throws SQLException {
         try {
             DataCloudToken token = buildDataCloudToken();
@@ -60,18 +83,10 @@ private void validateToken() throws SQLException {
     }
 
     public DataCloudToken getDataCloudToken() throws SQLException {
-        if (cachedDataCloudToken != null && cachedDataCloudToken.isAlive()) {
-            return cachedDataCloudToken;
-        }
-
-        try {
-            DataCloudToken token = buildDataCloudToken();
-            cachedDataCloudToken = token;
-            return token;
-        } catch (Exception ex) {
-            cachedDataCloudToken = null;
-            throw new SQLException(ex.getMessage(), "28000", ex);
+        if (cachedDataCloudToken == null || !cachedDataCloudToken.isAlive()) {
+            cachedDataCloudToken = buildDataCloudToken();
         }
+        return cachedDataCloudToken;
     }
 
     public String getLakehouse() throws SQLException {
@@ -87,7 +102,32 @@ private DataCloudToken buildDataCloudToken() throws SQLException {
         response.setToken(cdpToken);
         response.setInstanceUrl(tenantUrl);
         response.setTokenType("Bearer");
-        response.setExpiresIn(DEFAULT_EXPIRES_IN);
+        response.setExpiresIn(secondsUntilJwtExpiry(cdpToken));
         return DataCloudToken.of(response);
     }
+
+    /**
+     * Returns seconds remaining until the JWT's `exp` claim, clamped to a minimum of 0.
+     * If the JWT cannot be parsed or has no `exp` claim, falls back to {@link #FALLBACK_EXPIRES_IN_SECONDS}
+     * so callers behave identically to the previous fixed-TTL behavior.
+     */
+    static int secondsUntilJwtExpiry(String jwt) {
+        try {
+            String[] chunks = jwt.split("\\.", -1);
+            if (chunks.length < 2) {
+                return FALLBACK_EXPIRES_IN_SECONDS;
+            }
+            byte[] decoded = Base64.getUrlDecoder().decode(chunks[1]);
+            JsonNode payload = JSON.readTree(decoded);
+            JsonNode exp = payload.get("exp");
+            if (exp == null || !exp.canConvertToLong()) {
+                return FALLBACK_EXPIRES_IN_SECONDS;
+            }
+            long remaining = exp.asLong() - Instant.now().getEpochSecond();
+            return remaining > 0 ? (int) Math.min(remaining, Integer.MAX_VALUE) : 0;
+        } catch (Exception ex) {
+            log.debug("Could not derive exp from CDP token, using default TTL", ex);
+            return FALLBACK_EXPIRES_IN_SECONDS;
+        }
+    }
 }

jdbc-http/src/test/java/com/salesforce/datacloud/jdbc/auth/DirectCdpTokenProcessorTest.java

@@ -7,19 +7,48 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
-import com.salesforce.datacloud.jdbc.auth.model.DataCloudTokenResponse;
-import java.lang.reflect.Field;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
+import java.nio.charset.StandardCharsets;
 import java.sql.SQLException;
+import java.time.Instant;
+import java.util.Base64;
 import java.util.Properties;
 import java.util.UUID;
 import org.junit.jupiter.api.Test;
 
 class DirectCdpTokenProcessorTest {
 
-    private static final String TENANT_URL = "https://test.c360a.salesforce.com";
-    static final String FAKE_TOKEN =
-            "eyJraWQiOiJDT1JFLjAwRE9LMDAwMDAwOVp6ci4xNzE4MDUyMTU0NDIyIiwidHlwIjoiSldUIiwiYWxnIjoiRVMyNTYifQ.eyJzdWIiOiJodHRwczovL2xvZ2luLnRlc3QxLnBjLXJuZC5zYWxlc2ZvcmNlLmNvbS9pZC8wMERPSzAwMDAwMDlaenIyQUUvMDA1T0swMDAwMDBVeTkxWUFDIiwic2NwIjoiY2RwX3Byb2ZpbGVfYXBpIGNkcF9pbmdlc3RfYXBpIGNkcF9pZGVudGl0eXJlc29sdXRpb25fYXBpIGNkcF9zZWdtZW50X2FwaSBjZHBfcXVlcnlfYXBpIGNkcF9hcGkiLCJpc3MiOiJodHRwczovL2xvZ2luLnRlc3QxLnBjLXJuZC5zYWxlc2ZvcmNlLmNvbS8iLCJvcmdJZCI6IjAwRE9LMDAwMDAwOVp6ciIsImlzc3VlclRlbmFudElkIjoiY29yZS9mYWxjb250ZXN0MS1jb3JlNG9yYTE1LzAwRE9LMDAwMDAwOVp6cjJBRSIsInNmYXBwaWQiOiIzTVZHOVhOVDlUbEI3VmtZY0tIVm5sUUZzWEd6cUJuMGszUC5zNHJBU0I5V09oRU1OdkgyNzNpM1NFRzF2bWl3WF9YY2NXOUFZbHA3VnJnQ3BGb0ZXIiwiYXVkaWVuY2VUZW5hbnRJZCI6ImEzNjAvZmFsY29uZGV2L2E2ZDcyNmE3M2Y1MzQzMjdhNmE4ZTJlMGYzY2MzODQwIiwiY3VzdG9tX2F0dHJpYnV0ZXMiOnsiZGF0YXNwYWNlIjoiZGVmYXVsdCJ9LCJhdWQiOiJhcGkuYTM2MC5zYWxlc2ZvcmNlLmNvbSIsIm5iZiI6MTcyMDczMTAyMSwic2ZvaWQiOiIwMERPSzAwMDAwMDlaenIiLCJzZnVpZCI6IjAwNU9LMDAwMDAwVXk5MSIsImV4cCI6MTcyMDczODI4MCwiaWF0IjoxNzIwNzMxMDgxLCJqdGkiOiIwYjYwMzc4OS1jMGI2LTQwZTMtYmIzNi03NDQ3MzA2MzAxMzEifQ.lXgeAhJIiGoxgNpBi0W5oBWyn2_auB2bFxxajGuK6DMHlkqDhHJAlFN_uf6QPSjGSJCh5j42Ow5SrEptUDJwmQ";
-    static final String FAKE_TENANT_ID = "a360/falcondev/a6d726a73f534327a6a8e2e0f3cc3840";
+    private static final String TENANT_HOST = "test.c360a.salesforce.com";
+    private static final String TENANT_ID = "a360/falcondev/a6d726a73f534327a6a8e2e0f3cc3840";
+
+    /**
+     * Builds an unsigned JWT with the given audienceTenantId and exp claim. The {@link DataCloudToken}
+     * decoder only base64-parses the payload — it does not verify the signature — so a fixed bogus
+     * signature is enough to exercise the production path.
+     */
+    private static String jwtWithExp(long expEpochSeconds) {
+        try {
+            ObjectNode header = new ObjectMapper().createObjectNode();
+            header.put("alg", "ES256");
+            header.put("typ", "JWT");
+
+            ObjectNode payload = new ObjectMapper().createObjectNode();
+            payload.put("audienceTenantId", TENANT_ID);
+            payload.put("exp", expEpochSeconds);
+
+            Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
+            String h = enc.encodeToString(header.toString().getBytes(StandardCharsets.UTF_8));
+            String p = enc.encodeToString(payload.toString().getBytes(StandardCharsets.UTF_8));
+            return h + "." + p + ".sig";
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static String validJwt() {
+        return jwtWithExp(Instant.now().getEpochSecond() + 3600);
+    }
 
     private static Properties propertiesForCdpToken(String cdpToken, String tenantUrl) {
         Properties properties = new Properties();
@@ -30,51 +59,69 @@ private static Properties propertiesForCdpToken(String cdpToken, String tenantUr
 
     @Test
     void getDataCloudTokenReturnsValidToken() throws SQLException {
+        String token = validJwt();
         DirectCdpTokenProcessor processor =
-                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(FAKE_TOKEN, TENANT_URL));
-        DataCloudToken token = processor.getDataCloudToken();
+                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(token, TENANT_HOST));
+        DataCloudToken dcToken = processor.getDataCloudToken();
+
+        assertThat(dcToken.getAccessToken()).isEqualTo("Bearer " + token);
+        assertThat(dcToken.getTenantUrl()).isEqualTo(TENANT_HOST);
+        assertThat(dcToken.getTenantId()).isEqualTo(TENANT_ID);
+        assertThat(dcToken.isAlive()).isTrue();
+    }
 
-        assertThat(token.getAccessToken()).isEqualTo("Bearer " + FAKE_TOKEN);
-        assertThat(token.getTenantUrl()).isEqualTo(TENANT_URL);
-        assertThat(token.getTenantId()).isEqualTo(FAKE_TENANT_ID);
-        assertThat(token.isAlive()).isTrue();
+    @Test
+    void ofDestructiveRejectsTenantUrlWithScheme() {
+        for (String invalid : new String[] {
+            "https://" + TENANT_HOST, "http://" + TENANT_HOST, TENANT_HOST + ":443", TENANT_HOST + "/",
+        }) {
+            Properties props = propertiesForCdpToken(validJwt(), invalid);
+            SQLException ex = assertThrows(
+                    SQLException.class,
+                    () -> DirectCdpTokenProcessor.ofDestructive(props),
+                    "Expected rejection of: " + invalid);
+            assertThat(ex.getMessage()).contains("bare hostname");
+        }
+    }
+
+    @Test
+    void ofDestructiveRejectsTenantUrlWithWhitespace() {
+        Properties props = propertiesForCdpToken(validJwt(), "  " + TENANT_HOST + "  ");
+        SQLException ex = assertThrows(SQLException.class, () -> DirectCdpTokenProcessor.ofDestructive(props));
+        assertThat(ex.getMessage()).contains("whitespace");
     }
 
     @Test
     void getDataCloudTokenReturnsCachedToken() throws SQLException {
         DirectCdpTokenProcessor processor =
-                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(FAKE_TOKEN, TENANT_URL));
+                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(validJwt(), TENANT_HOST));
         DataCloudToken first = processor.getDataCloudToken();
         DataCloudToken second = processor.getDataCloudToken();
 
-        assertThat(first.getAccessToken()).isEqualTo(second.getAccessToken());
+        assertThat(first).isSameAs(second);
     }
 
     @Test
     void getLakehouseWithoutDataspace() throws SQLException {
         DirectCdpTokenProcessor processor =
-                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(FAKE_TOKEN, TENANT_URL));
-        String lakehouse = processor.getLakehouse();
-
-        assertThat(lakehouse).isEqualTo("lakehouse:" + FAKE_TENANT_ID + ";");
+                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(validJwt(), TENANT_HOST));
+        assertThat(processor.getLakehouse()).isEqualTo("lakehouse:" + TENANT_ID + ";");
     }
 
     @Test
     void getLakehouseWithDataspace() throws SQLException {
         String dataspace = UUID.randomUUID().toString();
-        Properties props = propertiesForCdpToken(FAKE_TOKEN, TENANT_URL);
+        Properties props = propertiesForCdpToken(validJwt(), TENANT_HOST);
         props.setProperty("dataspace", dataspace);
 
         DirectCdpTokenProcessor processor = DirectCdpTokenProcessor.ofDestructive(props);
-        String lakehouse = processor.getLakehouse();
-
-        assertThat(lakehouse).isEqualTo("lakehouse:" + FAKE_TENANT_ID + ";" + dataspace);
+        assertThat(processor.getLakehouse()).isEqualTo("lakehouse:" + TENANT_ID + ";" + dataspace);
     }
 
     @Test
     void ofDestructiveThrowsWhenCdpTokenMissing() {
         Properties props = new Properties();
-        props.setProperty("tenantUrl", TENANT_URL);
+        props.setProperty("tenantUrl", TENANT_HOST);
 
         SQLException ex = assertThrows(SQLException.class, () -> DirectCdpTokenProcessor.ofDestructive(props));
         assertThat(ex.getMessage()).contains("cdpToken");
@@ -83,23 +130,23 @@ void ofDestructiveThrowsWhenCdpTokenMissing() {
     @Test
     void ofDestructiveThrowsWhenTenantUrlMissing() {
         Properties props = new Properties();
-        props.setProperty("cdpToken", FAKE_TOKEN);
+        props.setProperty("cdpToken", validJwt());
 
         SQLException ex = assertThrows(SQLException.class, () -> DirectCdpTokenProcessor.ofDestructive(props));
         assertThat(ex.getMessage()).contains("tenantUrl");
     }
 
     @Test
     void ofDestructiveThrowsWhenCdpTokenIsInvalidJwt() {
-        Properties props = propertiesForCdpToken("not-a-valid-jwt", TENANT_URL);
+        Properties props = propertiesForCdpToken("not-a-valid-jwt", TENANT_HOST);
 
         SQLException ex = assertThrows(SQLException.class, () -> DirectCdpTokenProcessor.ofDestructive(props));
         assertThat(ex.getMessage()).contains("Invalid CDP token");
     }
 
     @Test
     void ofDestructiveRemovesPropertiesFromInput() throws SQLException {
-        Properties props = propertiesForCdpToken(FAKE_TOKEN, TENANT_URL);
+        Properties props = propertiesForCdpToken(validJwt(), TENANT_HOST);
         props.setProperty("dataspace", "myspace");
 
         DirectCdpTokenProcessor.ofDestructive(props);
@@ -111,75 +158,50 @@ void ofDestructiveRemovesPropertiesFromInput() throws SQLException {
 
     @Test
     void hasCdpTokenReturnsTrueWhenBothPresent() {
-        Properties props = propertiesForCdpToken(FAKE_TOKEN, TENANT_URL);
+        Properties props = propertiesForCdpToken(validJwt(), TENANT_HOST);
         assertThat(DirectCdpTokenProcessor.hasCdpToken(props)).isTrue();
     }
 
     @Test
-    void getDataCloudTokenRebuildsWhenCachedTokenExpired() throws Exception {
-        DirectCdpTokenProcessor processor =
-                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(FAKE_TOKEN, TENANT_URL));
-
-        DataCloudTokenResponse expiredResponse = new DataCloudTokenResponse();
-        expiredResponse.setToken(FAKE_TOKEN);
-        expiredResponse.setInstanceUrl(TENANT_URL);
-        expiredResponse.setTokenType("Bearer");
-        expiredResponse.setExpiresIn(-1);
-        DataCloudToken expired = DataCloudToken.of(expiredResponse);
-        assertThat(expired.isAlive()).isFalse();
+    void hasCdpTokenReturnsFalseWhenMissing() {
+        assertThat(DirectCdpTokenProcessor.hasCdpToken(new Properties())).isFalse();
+        assertThat(DirectCdpTokenProcessor.hasCdpToken(null)).isFalse();
 
-        Field cache = DirectCdpTokenProcessor.class.getDeclaredField("cachedDataCloudToken");
-        cache.setAccessible(true);
-        cache.set(processor, expired);
+        Properties onlyCdpToken = new Properties();
+        onlyCdpToken.setProperty("cdpToken", validJwt());
+        assertThat(DirectCdpTokenProcessor.hasCdpToken(onlyCdpToken)).isFalse();
 
-        DataCloudToken rebuilt = processor.getDataCloudToken();
-        assertThat(rebuilt).isNotSameAs(expired);
-        assertThat(rebuilt.isAlive()).isTrue();
+        Properties onlyTenantUrl = new Properties();
+        onlyTenantUrl.setProperty("tenantUrl", TENANT_HOST);
+        assertThat(DirectCdpTokenProcessor.hasCdpToken(onlyTenantUrl)).isFalse();
     }
 
     @Test
-    void getDataCloudTokenRebuildsAfterCacheCleared() throws Exception {
-        DirectCdpTokenProcessor processor =
-                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(FAKE_TOKEN, TENANT_URL));
-
-        Field cache = DirectCdpTokenProcessor.class.getDeclaredField("cachedDataCloudToken");
-        cache.setAccessible(true);
-        cache.set(processor, null);
-
-        DataCloudToken rebuilt = processor.getDataCloudToken();
-        assertThat(rebuilt.getAccessToken()).isEqualTo("Bearer " + FAKE_TOKEN);
-        assertThat(rebuilt.getTenantId()).isEqualTo(FAKE_TENANT_ID);
+    void secondsUntilJwtExpiryReturnsRemainingForValidJwt() {
+        long futureExp = Instant.now().getEpochSecond() + 1234;
+        int remaining = DirectCdpTokenProcessor.secondsUntilJwtExpiry(jwtWithExp(futureExp));
+        assertThat(remaining).isBetween(1230, 1234);
     }
 
     @Test
-    void getDataCloudTokenWrapsRebuildFailure() throws Exception {
-        DirectCdpTokenProcessor processor =
-                DirectCdpTokenProcessor.ofDestructive(propertiesForCdpToken(FAKE_TOKEN, TENANT_URL));
-
-        Field cache = DirectCdpTokenProcessor.class.getDeclaredField("cachedDataCloudToken");
-        cache.setAccessible(true);
-        cache.set(processor, null);
-
-        Field tenantUrl = DirectCdpTokenProcessor.class.getDeclaredField("tenantUrl");
-        tenantUrl.setAccessible(true);
-        tenantUrl.set(processor, null);
-
-        SQLException ex = assertThrows(SQLException.class, processor::getDataCloudToken);
-        assertThat(ex.getSQLState()).isEqualTo("28000");
-        assertThat(cache.get(processor)).isNull();
+    void secondsUntilJwtExpiryFallsBackWhenJwtSingleSegment() {
+        assertThat(DirectCdpTokenProcessor.secondsUntilJwtExpiry("only-one-segment"))
+                .isEqualTo(DirectCdpTokenProcessor.FALLBACK_EXPIRES_IN_SECONDS);
     }
 
     @Test
-    void hasCdpTokenReturnsFalseWhenMissing() {
-        assertThat(DirectCdpTokenProcessor.hasCdpToken(new Properties())).isFalse();
-        assertThat(DirectCdpTokenProcessor.hasCdpToken(null)).isFalse();
-
-        Properties onlyCdpToken = new Properties();
-        onlyCdpToken.setProperty("cdpToken", FAKE_TOKEN);
-        assertThat(DirectCdpTokenProcessor.hasCdpToken(onlyCdpToken)).isFalse();
+    void secondsUntilJwtExpiryFallsBackWhenPayloadNotBase64() {
+        // Two segments but second one is not valid base64url
+        assertThat(DirectCdpTokenProcessor.secondsUntilJwtExpiry("header.@@not-base64@@.sig"))
+                .isEqualTo(DirectCdpTokenProcessor.FALLBACK_EXPIRES_IN_SECONDS);
+    }
 
-        Properties onlyTenantUrl = new Properties();
-        onlyTenantUrl.setProperty("tenantUrl", TENANT_URL);
-        assertThat(DirectCdpTokenProcessor.hasCdpToken(onlyTenantUrl)).isFalse();
+    @Test
+    void secondsUntilJwtExpiryFallsBackWhenExpClaimMissing() {
+        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
+        String header = enc.encodeToString("{\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
+        String payload = enc.encodeToString("{\"sub\":\"x\"}".getBytes(StandardCharsets.UTF_8));
+        assertThat(DirectCdpTokenProcessor.secondsUntilJwtExpiry(header + "." + payload + ".sig"))
+                .isEqualTo(DirectCdpTokenProcessor.FALLBACK_EXPIRES_IN_SECONDS);
     }
 }