feat: Retry with exponential backoff on 429 from Azure Key Vault.

dep-sha256.json

@@ -911,11 +911,11 @@
       "sha256": "GvpPTiLMCTL0YX_AM3NqP0aFd1R4WNnz3M1MKsyrlec="
     },
     {
-      "id": "it.pagopa.swclient.mil:azure-services:jar:4.0.2",
+      "id": "it.pagopa.swclient.mil:azure-services:jar:4.1.0",
       "artifactId": "azure-services",
       "groupId": "it.pagopa.swclient.mil",
-      "version": "4.0.2",
-      "sha256": "IXRHPzfjg2ks-oalvmCqYMaVA4uu5IBzHsHJiwTYD5o="
+      "version": "4.1.0",
+      "sha256": "CHyDQH4YYB2VP9iMS1i4QTe7xCNH9sluavfa3LZLgl0="
     },
     {
       "id": "com.nimbusds:nimbus-jose-jwt:jar:9.39",

pom.xml

@@ -8,7 +8,7 @@
 
 	<groupId>it.pagopa.swclient.mil</groupId>
 	<artifactId>auth</artifactId>
-	<version>2.4.7</version>
+	<version>2.4.9</version>
 	<description>Authorization Microservice for Multi-channel Integration Layer of SW Client Project.</description>
 
 	<developers>
@@ -40,7 +40,7 @@
 		<quarkus.platform.version>3.11.0</quarkus.platform.version>
 		<!-- Other dependecies version -->
 		<common.version>2.3.0</common.version>
-		<azure-services.version>4.0.2</azure-services.version>
+		<azure-services.version>4.1.0</azure-services.version>
 		<lombok.version>1.18.32</lombok.version>
 		<otel-exporter-azure.version>3.8.3.0</otel-exporter-azure.version>
 		<assertj-core.version>3.25.3</assertj-core.version>

src/main/java/it/pagopa/swclient/mil/auth/bean/KeyIdCache.java

@@ -8,7 +8,6 @@
 import java.time.Instant;
 
 import io.quarkus.logging.Log;
-import lombok.AccessLevel;
 import lombok.Getter;
 import lombok.Setter;
 import lombok.experimental.Accessors;
@@ -21,13 +20,6 @@
 @Setter
 @Accessors(chain = true)
 public class KeyIdCache {
-	/*
-	 * 
-	 */
-	@Getter(AccessLevel.NONE)
-	@Setter(AccessLevel.NONE)
-	private int expireAfterWrite;
-
 	/*
 	 * 
 	 */
@@ -43,21 +35,13 @@ public class KeyIdCache {
 	 */
 	private long storedAt;
 
-	/**
-	 * 
-	 * @param expireAfterWrite
-	 */
-	public KeyIdCache(int expireAfterWrite) {
-		Log.tracef("expireAfterWrite = %d", expireAfterWrite);
-		this.expireAfterWrite = expireAfterWrite;
-	}
-
 	/**
 	 * 
 	 * @param remainingLife
+	 * @param expireAfterWrite
 	 * @return
 	 */
-	public boolean isValid(long remainingLife) {
+	public boolean isValid(long remainingLife, long expireAfterWrite) {
 		if (kid == null) {
 			Log.debug("kid is null");
 			return false;

src/main/java/it/pagopa/swclient/mil/auth/service/ClaimEncryptor.java

@@ -35,7 +35,7 @@ public class ClaimEncryptor extends KeyManCapabilities {
 	ClaimEncryptor() {
 		super();
 	}
-	
+
 	/**
 	 * 
 	 * @param keysExtService

src/main/java/it/pagopa/swclient/mil/auth/service/KeyManCapabilities.java

@@ -27,7 +27,7 @@
  * 
  * @author Antonio Tarricone
  */
-abstract class KeyManCapabilities {
+public abstract class KeyManCapabilities {
 	/*
 	 * 
 	 */
@@ -39,12 +39,12 @@ abstract class KeyManCapabilities {
 	 */
 	@ConfigProperty(name = "keysize", defaultValue = "4096")
 	int keysize;
-	
+
 	/*
 	 * 
 	 */
 	@ConfigProperty(name = "keyid-cache.expire-after-write", defaultValue = "3600")
-	int keyidCacheExpireAfterWrite;
+	long keyidCacheExpireAfterWrite;
 
 	/*
 	 * 
@@ -65,7 +65,7 @@ abstract class KeyManCapabilities {
 	 * 
 	 */
 	KeyManCapabilities() {
-		keyIdCache = new KeyIdCache(keyidCacheExpireAfterWrite);
+		keyIdCache = new KeyIdCache();
 	}
 
 	/**
@@ -76,7 +76,7 @@ abstract class KeyManCapabilities {
 	KeyManCapabilities(AzureKeyVaultKeysExtReactiveService keysExtService, AzureKeyVaultKeysReactiveService keysService) {
 		this.keysExtService = keysExtService;
 		this.keysService = keysService;
-		keyIdCache = new KeyIdCache(keyidCacheExpireAfterWrite);
+		keyIdCache = new KeyIdCache();
 	}
 
 	/**
@@ -123,7 +123,7 @@ protected Uni<KeyBundle> createKey(List<String> keyOps) {
 	protected Uni<String> retrieveKey(List<String> keyOps) {
 		Log.trace("Retrieve key");
 
-		if (keyIdCache.isValid(0)) {
+		if (keyIdCache.isValid(0, keyidCacheExpireAfterWrite)) {
 			Log.debug("Returned cached kid");
 			return UniGenerator.item(keyIdCache.getKid());
 		}
@@ -146,7 +146,7 @@ protected Uni<String> retrieveKey(List<String> keyOps) {
 				return keyBundle.getKey().getKid();
 			});
 	}
-	
+
 	/**
 	 * 
 	 */

src/main/java/it/pagopa/swclient/mil/auth/service/TokenSigner.java

@@ -44,14 +44,14 @@ public class TokenSigner extends KeyManCapabilities {
 	 * 
 	 */
 	private static final String ERROR_MSG_TEMPL = "[%s] Error signing token";
-	
+
 	/**
 	 * 
 	 */
 	TokenSigner() {
 		super();
 	}
-	
+
 	/**
 	 * 
 	 * @param keysExtService

src/main/resources/application.properties

@@ -9,22 +9,22 @@ quarkus.log.console.format=%d{yyyy-MM-dd HH:mm:ss.SSS} [%X{requestId}] [%p] [%c{
 quarkus.log.console.json=false
 quarkus.rest-client.logging.body-limit=-1
 quarkus.log.min-level=TRACE
-quarkus.log.category."it.pagopa.swclient.mil.auth".min-level=TRACE
+quarkus.log.category."it.pagopa.swclient.mil".min-level=TRACE
 quarkus.log.category."org.jboss.resteasy.reactive.client.logging".level=DEBUG
 quarkus.log.category."io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator".level=${auth.jwt-validator-log:ERROR}
 quarkus.log.category."io.quarkus.smallrye.jwt.runtime.auth.MpJwtValidator".min-level=${auth.jwt-validator-log:ERROR}
 
 %dev.quarkus.log.level=INFO
-%dev.quarkus.log.category."it.pagopa.swclient.mil.auth".level=DEBUG
+%dev.quarkus.log.category."it.pagopa.swclient.mil".level=DEBUG
 %dev.quarkus.rest-client.logging.scope=request-response
 
 %test.quarkus.log.level=ERROR
-%test.quarkus.log.category."it.pagopa.swclient.mil.auth".level=TRACE
+%test.quarkus.log.category."it.pagopa.swclient.mil".level=TRACE
 %test.quarkus.rest-client.logging.scope=none
 
 %prod.quarkus.log.console.json=${auth.json-log:true}
 %prod.quarkus.log.level=${auth.quarkus-log-level}
-%prod.quarkus.log.category."it.pagopa.swclient.mil.auth".level=${auth.app-log-level}
+%prod.quarkus.log.category."it.pagopa.swclient.mil".level=${auth.app-log-level}
 %prod.quarkus.rest-client.logging.scope=${auth.quarkus-rest-client-logging-scope}
 
 # ------------------------------------------------------------------------------
@@ -82,6 +82,10 @@ azure-identity.x-identity-header=dummy
 azure-key-vault-keys.api-version=7.4
 azure-key-vault-keys.get-keys.maxresults=${auth.keyvault.maxresults:999}
 azure-key-vault-keys.get-key-version.maxresults=${auth.keyvault.maxresults:999}
+azure-key-vault-keys.backoff.initial-duration=${auth.keyvault.backoff.initial-duration:1}
+azure-key-vault-keys.backoff.jitter=${auth.keyvault.backoff.jitter:0.2}
+azure-key-vault-keys.backoff.number-of-attempts=${auth.keyvault.backoff.number-of-attempts:3}
+
 quarkus.rest-client.azure-key-vault-keys.url=http://dummy
 %prod.quarkus.rest-client.azure-key-vault-keys.url=${auth.keyvault.url}
 

src/test/java/it/pagopa/swclient/mil/auth/bean/KeyIdCacheTest.java

@@ -40,34 +40,34 @@ void init(TestInfo testInfo) {
 	 */
 	@Test
 	void given_nullKid_when_isValidIsInvoked_then_getFalse() {
-		assertFalse(new KeyIdCache(60)
+		assertFalse(new KeyIdCache()
 			.setExp(Instant.now().plus(15, ChronoUnit.MINUTES).toEpochMilli())
 			.setKid(null)
 			.setStoredAt(Instant.now().toEpochMilli())
-			.isValid(0));
+			.isValid(0, 60));
 	}
 
 	/**
 	 * Test method for {@link it.pagopa.swclient.mil.auth.bean.KeyIdCache#isValid(long)}.
 	 */
 	@Test
 	void given_expiredKey_when_isValidIsInvoked_then_getFalse() {
-		assertFalse(new KeyIdCache(60)
+		assertFalse(new KeyIdCache()
 			.setExp(Instant.now().minus(15, ChronoUnit.MINUTES).getEpochSecond())
 			.setKid("kid")
 			.setStoredAt(Instant.now().getEpochSecond())
-			.isValid(0));
+			.isValid(0, 60));
 	}
 
 	/**
 	 * Test method for {@link it.pagopa.swclient.mil.auth.bean.KeyIdCache#isValid(long)}.
 	 */
 	@Test
 	void given_expiredCache_when_isValidIsInvoked_then_getFalse() {
-		assertFalse(new KeyIdCache(60)
+		assertFalse(new KeyIdCache()
 			.setExp(Instant.now().plus(15, ChronoUnit.MINUTES).getEpochSecond())
 			.setKid("kid")
 			.setStoredAt(Instant.now().minus(5, ChronoUnit.MINUTES).getEpochSecond())
-			.isValid(0));
+			.isValid(0, 60));
 	}
 }

src/test/k6/script-fixed-rate-dev.js

@@ -0,0 +1,37 @@
+import http from 'k6/http';
+import { sleep, check } from 'k6';
+
+export const options = {
+	discardResponseBodies: true,
+	scenarios: {
+		contacts: {
+			executor: 'constant-arrival-rate',
+			duration: '5m',
+			rate: __ENV.RATE,
+			timeUnit: '1s',
+			preAllocatedVUs: 1000,
+		},
+	},
+};
+
+export default function() {
+	http.post(
+		"https://mil-d-auth-ca.agreeablestone-406ca858.westeurope.azurecontainerapps.io/token",
+		{
+			client_secret: "5ceef788-4115-43a7-a704-b1bcc9a47c86",
+			client_id: "3965df56-ca9a-49e5-97e8-061433d4a25b",
+			grant_type: "client_credentials"
+		},
+		{
+
+			headers: {
+				'Content-Type': 'application/x-www-form-urlencoded',
+				'RequestId': "00000000-0000-0000-0000-100000000001",
+				'AcquirerId': "4585625",
+				'Channel': "POS",
+				'MerchantId': "28405fHfk73x88D",
+				'TerminalId': "01234567"
+			}
+		}
+	);
+}