kds-cache: add fallback cache for CRLs on request failure

edgelesssys · Dec 3, 2024 · c391d3d · c391d3d
1 parent bfc6d2c
commit c391d3d
Showing 1 changed file with 20 additions and 13 deletions.
diff --git a/internal/attestation/certcache/cached_client.go b/internal/attestation/certcache/cached_client.go
@@ -44,25 +44,32 @@ func (c *CachedHTTPSGetter) Get(url string) ([]byte, error) {
 	default:
 	}
 
-	// Don't cache CRLs. Unlike VCEKs, these can change over time and the KDS
-	// doesn't rate-limit requests to these.
-	canCache := !crlURL.MatchString(url)
-
-	if canCache {
-		if cached, ok := c.cache.Get(url); ok {
-			c.logger.Debug("Get cached", "url", url)
-			return cached, nil
+	if crlURL.MatchString(url) {
+		// For CRLs always query. When request failure, fallback to cache.
+		c.logger.Debug("Request CRL", "url", url)
+		res, err := c.HTTPSGetter.Get(url)
+		if err != nil {
+			if cached, ok := c.cache.Get(url); ok {
+				c.logger.Debug("CRL request failed, fallback to cached CRL", "url", url)
+				return cached, nil
+			}
+			c.logger.Debug("CRL request failed and CRL was not found in cache", "url", url)
+			return nil, err
 		}
+		c.cache.Set(url, res)
+		return res, nil
 	}
-
-	c.logger.Debug("Get not cached", "url", url)
+	// For VCEK get cache first and request if not present
+	if cached, ok := c.cache.Get(url); ok {
+		c.logger.Debug("Get cached VCEK", "url", url)
+		return cached, nil
+	}
+	c.logger.Debug("Request VCEK, missing in cache", "url", url)
 	res, err := c.HTTPSGetter.Get(url)
 	if err != nil {
 		return nil, err
 	}
-	if canCache {
-		c.cache.Set(url, res)
-	}
+	c.cache.Set(url, res)
 	return res, nil
 }