Make JWKS connection timeouts configurable (#1146)

---------

Signed-off-by: Oriol Muñoz <oriol.munoz@digitalasset.com>

Author: OriolMunoz-da

.pre-commit-config.yaml

@@ -87,3 +87,4 @@ repos:
      - id: rstcheck
        name: Check sphinx format
        additional_dependencies: ['rstcheck[sphinx]']
+       args: [--report-level, WARNING]

apps/app/src/pack/examples/sv-helm/sv-values.yaml

@@ -14,6 +14,10 @@ auth:
   audience: "OIDC_AUTHORITY_SV_AUDIENCE"
   # replace OIDC_AUTHORITY_URL with your provider's OIDC URL
   jwksUrl: "https://OIDC_AUTHORITY_URL/.well-known/jwks.json"
+  # optionally, reconfigure the timeouts used when querying the JWKS endpoint:
+  # jwks:
+  #   connectionTimeout: "10 seconds"
+  #   readTimeout: "10 seconds"
 cometBFT:
   enabled: true
   connectionUri: "http://global-domain-MIGRATION_ID-cometbft-cometbft-rpc:26657"

apps/app/src/pack/examples/sv-helm/validator-values.yaml

@@ -26,6 +26,11 @@ auth:
   # replace OIDC_AUTHORITY_URL with your provider's OIDC URL
   jwksUrl: "https://OIDC_AUTHORITY_URL/.well-known/jwks.json"
 
+  # optionally, reconfigure the timeouts used when querying the JWKS endpoint:
+  # jwks:
+  #   connectionTimeout: "10 seconds"
+  #   readTimeout: "10 seconds"
+
 # ENABLEWALLET_START
 # This will disable the wallet HTTP server and wallet automations when set to false
 enableWallet: true

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/auth/AuthConfig.scala

@@ -3,6 +3,8 @@
 
 package org.lfdecentralizedtrust.splice.auth
 
+import com.digitalasset.canton.config.NonNegativeDuration
+
 import java.net.URL
 
 sealed trait AuthConfig {
@@ -18,6 +20,8 @@ object AuthConfig {
   case class Rs256(
       audience: String,
       jwksUrl: URL,
+      connectionTimeout: NonNegativeDuration = NonNegativeDuration.ofSeconds(10),
+      readTimeout: NonNegativeDuration = NonNegativeDuration.ofSeconds(10),
   ) extends AuthConfig
 
   def hideConfidential(config: AuthConfig): AuthConfig = {
@@ -26,7 +30,8 @@ object AuthConfig {
       case Hs256Unsafe(audience, _) => Hs256Unsafe(audience, hidden)
       // being explicit here to avoid accidental leaks if we extend
       // `AuthConfig` at some point
-      case Rs256(audience, jwksUrl) => Rs256(audience, jwksUrl)
+      case Rs256(audience, jwksUrl, connectionTimeout, readTimeout) =>
+        Rs256(audience, jwksUrl, connectionTimeout, readTimeout)
     }
   }
 }

apps/common/src/main/scala/org/lfdecentralizedtrust/splice/auth/SignatureVerifier.scala

@@ -7,6 +7,7 @@ import com.auth0.jwk.{JwkProvider, JwkProviderBuilder}
 import com.auth0.jwt.JWT
 import com.auth0.jwt.algorithms.Algorithm
 import com.auth0.jwt.interfaces.DecodedJWT
+import com.digitalasset.canton.config.NonNegativeDuration
 
 import java.net.URL
 import java.util.concurrent.TimeUnit
@@ -49,12 +50,19 @@ trait SignatureVerifier {
   }
 }
 
-class RSAVerifier(audience: String, jwksUrl: URL) extends SignatureVerifier {
+class RSAVerifier(audience: String, jwksUrl: URL, timeoutsConfig: RSAVerifier.TimeoutsConfig)
+    extends SignatureVerifier {
   override val expectedAudience: String = audience;
 
   private val provider: JwkProvider = new JwkProviderBuilder(jwksUrl)
     .cached(10, 24, TimeUnit.HOURS)
     .rateLimited(10, 1, TimeUnit.MINUTES)
+    .timeouts(
+      // You'd need 2^31 milliseconds for this to overflow, which is about 25 days.
+      // Surely nobody needs timeouts that long.
+      timeoutsConfig.connectTimeout.duration.toMillis.toInt,
+      timeoutsConfig.readTimeout.duration.toMillis.toInt,
+    )
     .build()
 
   private def algorithm = Algorithm.RSA256(new JwksRSAKeyProvider(provider))
@@ -63,9 +71,12 @@ class RSAVerifier(audience: String, jwksUrl: URL) extends SignatureVerifier {
     case _ => Left("Invalid token algorithm for rs-256 auth mode")
   }
 }
+object RSAVerifier {
+  case class TimeoutsConfig(connectTimeout: NonNegativeDuration, readTimeout: NonNegativeDuration)
+}
 
 class HMACVerifier(audience: String, secret: String) extends SignatureVerifier {
-  override val expectedAudience: String = audience;
+  override val expectedAudience: String = audience
 
   private def algorithm = Algorithm.HMAC256(secret)
   override def validateAlgorithm(algorithm: String) = algorithm match {

apps/sv/src/main/scala/org/lfdecentralizedtrust/splice/sv/SvApp.scala

@@ -496,7 +496,12 @@ class SvApp(
 
       verifier = config.auth match {
         case AuthConfig.Hs256Unsafe(audience, secret) => new HMACVerifier(audience, secret)
-        case AuthConfig.Rs256(audience, jwksUrl) => new RSAVerifier(audience, jwksUrl)
+        case AuthConfig.Rs256(audience, jwksUrl, connectionTimeout, readTimeout) =>
+          new RSAVerifier(
+            audience,
+            jwksUrl,
+            RSAVerifier.TimeoutsConfig(connectionTimeout, readTimeout),
+          )
       }
 
       // Start the servers for the SvApp's APIs

apps/validator/src/main/scala/org/lfdecentralizedtrust/splice/validator/ValidatorApp.scala

@@ -870,7 +870,12 @@ class ValidatorApp(
 
       verifier = config.auth match {
         case AuthConfig.Hs256Unsafe(audience, secret) => new HMACVerifier(audience, secret)
-        case AuthConfig.Rs256(audience, jwksUrl) => new RSAVerifier(audience, jwksUrl)
+        case AuthConfig.Rs256(audience, jwksUrl, connectionTimeout, readTimeout) =>
+          new RSAVerifier(
+            audience,
+            jwksUrl,
+            RSAVerifier.TimeoutsConfig(connectionTimeout, readTimeout),
+          )
       }
 
       handler =

cluster/helm/splice-sv-node/templates/sv.yaml

@@ -108,6 +108,14 @@ spec:
               value: {{ .Values.auth.audience | quote }}
             - name: SPLICE_APP_SV_AUTH_JWKS_URL
               value: {{ .Values.auth.jwksUrl | quote }}
+            {{ if (.Values.auth.jwks).connectionTimeout }}
+            - name: SPLICE_APP_VALIDATOR_AUTH_JWKS_CONNECTION_TIMEOUT
+              value: {{ .Values.auth.jwks.connectionTimeout | quote }}
+            {{ end }}
+            {{ if (.Values.auth.jwks).readTimeout }}
+            - name: SPLICE_APP_VALIDATOR_AUTH_JWKS_READ_TIMEOUT
+              value: {{ .Values.auth.jwks.readTimeout | quote }}
+            {{ end }}
             {{ if .Values.disableIngestUpdateHistoryFromParticipantBegin }}
             - name: ADDITIONAL_CONFIG_UPDATE_HISTORY_INGESTION
               value: |

cluster/helm/splice-sv-node/tests/sv_test.yaml

@@ -0,0 +1,53 @@
+# Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+suite: "Validator values"
+templates:
+  - sv.yaml
+release:
+  # Set for testing labels
+  name: mock-sv
+chart:
+  # Override for testing labels
+  version: 0.1.1
+  appVersion: 0.1.0
+tests:
+  - it: "sets JWKS timeouts"
+    set:
+      # Things we need just to pass the schema
+      domain:
+        sequencerPublicUrl: "https://sequencer.mock.com"
+        sequencerAddress: "sequencer-address"
+        mediatorAddress: "mediator-address"
+        sequencerPruningConfig:
+          enabled: false
+      scan:
+        publicUrl: "https://scan.mock.com"
+        internalUrl: "https://scan-internal.mock.com"
+      nodeIdentifier: "helm-mock-1-validator"
+      onboardingName: "some-sv"
+      participantAddress: "mock-address"
+      spliceInstanceNames:
+        networkName: MockNet
+        networkFaviconUrl: https://mock.net/favicon.ico
+        amuletName: Mocklet
+        amuletNameAcronym: MCK
+        nameServiceName: Mock Name Service
+        nameServiceNameAcronym: MNS
+      auth:
+        jwksUrl: "https://mock.com/.well-known/jwks.json"
+        audience: "mock_audience"
+        # actual test
+        jwks:
+          connectionTimeout: "33s"
+          readTimeout: "44s"
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='sv-app')].env[?(@.name=='SPLICE_APP_VALIDATOR_AUTH_JWKS_CONNECTION_TIMEOUT')].value
+          value: "33s"
+      - equal:
+          path: spec.template.spec.containers[?(@.name=='sv-app')].env[?(@.name=='SPLICE_APP_VALIDATOR_AUTH_JWKS_READ_TIMEOUT')].value
+          value: "44s"

cluster/helm/splice-validator/templates/validator.yaml

@@ -93,6 +93,14 @@ spec:
           value: {{ .Values.auth.audience | quote }}
         - name: SPLICE_APP_VALIDATOR_AUTH_JWKS_URL
           value: {{ .Values.auth.jwksUrl | quote }}
+        {{ if (.Values.auth.jwks).connectionTimeout }}
+        - name: SPLICE_APP_VALIDATOR_AUTH_JWKS_CONNECTION_TIMEOUT
+          value: {{ .Values.auth.jwks.connectionTimeout | quote }}
+        {{ end }}
+        {{ if (.Values.auth.jwks).readTimeout }}
+        - name: SPLICE_APP_VALIDATOR_AUTH_JWKS_READ_TIMEOUT
+          value: {{ .Values.auth.jwks.readTimeout | quote }}
+        {{ end }}
         {{ if .Values.svValidator }}
         - name: SPLICE_APP_VALIDATOR_SV_VALIDATOR
           value: "true"