feat: bust the tenant cache on the token expiry (#1279)

* feat: bust the cache on token expiry

* fix: rename ExpirationDate to Expiry

Author: d0ugal

internal/tenants/manager.go

@@ -25,7 +25,7 @@ type tenantInfo struct {
 	tenant     *sm.Tenant
 }
 
-// NewTenantManager creates a new tenant manager that is able to
+// NewManager creates a new tenant manager that is able to
 // retrieve tenants from the remote API using the specified
 // tenantsClient or receive them over the provided tenantCh channel. It
 // will keep them for a duration no longer than `timeout`.
@@ -57,6 +57,19 @@ func (tm *Manager) run(ctx context.Context) {
 	}
 }
 
+// calculateValidUntil determines the expiration time for a tenant based on the timeout
+// and the secret store expiration date (if set), returning the earlier of the two.
+func (tm *Manager) calculateValidUntil(tenant *sm.Tenant) time.Time {
+	validUntil := time.Now().Add(tm.timeout)
+	if tenant.SecretStore != nil && tenant.SecretStore.Expiry > 0 {
+		expirationTime := time.Unix(0, int64(tenant.SecretStore.Expiry*1e9))
+		if expirationTime.Before(validUntil) {
+			validUntil = expirationTime
+		}
+	}
+	return validUntil
+}
+
 func (tm *Manager) updateTenant(tenant sm.Tenant) {
 	tm.tenantsMutex.Lock()
 
@@ -87,7 +100,10 @@ func (tm *Manager) updateTenant(tenant sm.Tenant) {
 
 	info.mutex.Lock()
 	if info.tenant == nil || info.tenant.Modified < tenant.Modified {
-		info.validUntil = time.Now().Add(tm.timeout)
+		// Set validUntil to the earlier of:
+		// - Now + timeout
+		// - Secret store expiration date (if set)
+		info.validUntil = tm.calculateValidUntil(&tenant)
 		info.tenant = &tenant
 	}
 	info.mutex.Unlock()
@@ -130,7 +146,10 @@ func (tm *Manager) GetTenant(ctx context.Context, req *sm.TenantInfo) (*sm.Tenan
 
 	// If tenant was retrieved from the API, update it in the cache
 	if err == nil {
-		info.validUntil = time.Now().Add(tm.timeout)
+		// Set validUntil to the earlier of:
+		// - Now + timeout
+		// - Secret store expiration date (if set)
+		info.validUntil = tm.calculateValidUntil(tenant)
 		info.tenant = tenant
 	}
 

internal/tenants/manager_test.go

@@ -161,3 +161,65 @@ func TestTenantManagerGetTenant(t *testing.T) {
 	require.Equal(t, 1, tc.requestCount[t3.Id])
 	require.Equal(t, t3, *tenant)
 }
+
+func TestCalculateValidUntil(t *testing.T) {
+	now := time.Now()
+	timeout := 5 * time.Minute
+	timeWindow := 100 * time.Millisecond
+
+	tests := map[string]struct {
+		tenant         *sm.Tenant
+		expectedBefore time.Time
+		expectedAfter  time.Time
+	}{
+		"no secret store": {
+			tenant:         &sm.Tenant{},
+			expectedBefore: now.Add(timeout).Add(timeWindow),
+			expectedAfter:  now.Add(timeout).Add(-timeWindow),
+		},
+		"secret store with no expiration": {
+			tenant: &sm.Tenant{
+				SecretStore: &sm.SecretStore{},
+			},
+			expectedBefore: now.Add(timeout).Add(timeWindow),
+			expectedAfter:  now.Add(timeout).Add(-timeWindow),
+		},
+		"secret store with earlier expiration": {
+			tenant: &sm.Tenant{
+				SecretStore: &sm.SecretStore{
+					Token:  "token",
+					Expiry: float64(now.Add(2*time.Minute).UnixNano()) / 1e9,
+				},
+			},
+			expectedBefore: now.Add(2 * time.Minute).Add(timeWindow),
+			expectedAfter:  now.Add(2 * time.Minute).Add(-timeWindow),
+		},
+		"secret store with later expiration": {
+			tenant: &sm.Tenant{
+				SecretStore: &sm.SecretStore{
+					Token:  "token",
+					Expiry: float64(now.Add(10*time.Minute).UnixNano()) / 1e9,
+				},
+			},
+			expectedBefore: now.Add(timeout).Add(timeWindow),
+			expectedAfter:  now.Add(timeout).Add(-timeWindow),
+		},
+	}
+
+	for name, tt := range tests {
+		t.Run(name, func(t *testing.T) {
+			tm := &Manager{
+				timeout: timeout,
+			}
+
+			validUntil := tm.calculateValidUntil(tt.tenant)
+
+			if validUntil.After(tt.expectedBefore) {
+				t.Errorf("validUntil %v is after expected time %v", validUntil, tt.expectedBefore)
+			}
+			if validUntil.Before(tt.expectedAfter) {
+				t.Errorf("validUntil %v is before expected time %v", validUntil, tt.expectedAfter)
+			}
+		})
+	}
+}