From c391d3d5b05b25af53adb600ff2a8b14afb1f60e Mon Sep 17 00:00:00 2001
From: jmxnzo
Date: Tue, 3 Dec 2024 17:22:04 +0100
Subject: [PATCH] kds-cache: add fallback cache for CRLs on request failure
---
 .../attestation/certcache/cached_client.go | 33 +++++++++++--------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/internal/attestation/certcache/cached_client.go b/internal/attestation/certcache/cached_client.go
index 0262fcaf11..eb6c00f210 100644
--- a/internal/attestation/certcache/cached_client.go
+++ b/internal/attestation/certcache/cached_client.go
@@ -44,25 +44,32 @@ func (c *CachedHTTPSGetter) Get(url string) ([]byte, error) {
 default:
 }
- // Don't cache CRLs. Unlike VCEKs, these can change over time and the KDS
- // doesn't rate-limit requests to these.
- canCache := !crlURL.MatchString(url)
-
- if canCache {
- if cached, ok := c.cache.Get(url); ok {
- c.logger.Debug("Get cached", "url", url)
- return cached, nil
+ if crlURL.MatchString(url) {
+ // For CRLs always query. When request failure, fallback to cache.
+ c.logger.Debug("Request CRL", "url", url)
+ res, err := c.HTTPSGetter.Get(url)
+ if err != nil {
+ if cached, ok := c.cache.Get(url); ok {
+ c.logger.Debug("CRL request failed, fallback to cached CRL", "url", url)
+ return cached, nil
+ }
+ c.logger.Debug("CRL request failed and CRL was not found in cache", "url", url)
+ return nil, err
+ }
+ c.cache.Set(url, res)
+ return res, nil
 }
-
- c.logger.Debug("Get not cached", "url", url)
+ // For VCEK get cache first and request if not present
+ if cached, ok := c.cache.Get(url); ok {
+ c.logger.Debug("Get cached VCEK", "url", url)
+ return cached, nil
+ }
+ c.logger.Debug("Request VCEK, missing in cache", "url", url)
 res, err := c.HTTPSGetter.Get(url)
 if err != nil {
 return nil, err
 }
- if canCache {
- c.cache.Set(url, res)
- }
+ c.cache.Set(url, res)
 return res, nil
 }
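Review bot: The CRL fallback branch discards the request error: when `c.HTTPSGetter.Get` fails and a cached CRL exists, the function returns the cached bytes with a Debug-level log that does not carry `err`, so an operator gets no signal that revocation data is being served stale and no record of why the KDS was unreachable. Serving the last cached CRL on failure is a fail-open choice — an outage, or a network condition that looks like one, keeps verification on that cached copy for as long as the cache entry lives (the cache's expiry is not visible in this hunk) — so it should at least be loud: `c.logger.Warn("CRL request failed, falling back to cached CRL", "url", url, "err", err)` if the logger offers a warning level, and the branch comment should state the tradeoff, e.g. `// CRLs are always fetched fresh; if the request fails, fall back to the cached copy (stale revocation data is preferred over failing the check).` The added comment also reads awkwardly as written ("When request failure, fallback to cache"). `Get`'s body begins before this hunk.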