googleapis · bshaffer · Oct 10, 2023 · Sep 8, 2023 · Sep 8, 2023 · Sep 8, 2023
@@ -311,11 +311,9 @@ private function getCerts($location, $cacheKey, array $options = [])
         $cacheItem = $this->cache->getItem($cacheKey);
         $certs = $cacheItem ? $cacheItem->get() : null;
 
-        $gotNewCerts = false;
+        $expireTime = null;
         if (!$certs) {
-            $certs = $this->retrieveCertsFromLocation($location, $options);
-
-            $gotNewCerts = true;
+            list($certs, $expireTime) = $this->retrieveCertsFromLocation($location, $options);
         }
 
         if (!isset($certs['keys'])) {
@@ -331,8 +329,8 @@ private function getCerts($location, $cacheKey, array $options = [])
 
         // Push caching off until after verifying certs are in a valid format.
         // Don't want to cache bad data.
-        if ($gotNewCerts) {
-            $cacheItem->expiresAt(new DateTime('+1 hour'));
+        if ($expireTime) {
+            $cacheItem->expiresAt(new DateTime($expireTime));
             $cacheItem->set($certs);
             $this->cache->save($cacheItem);
         }
@@ -345,13 +343,14 @@ private function getCerts($location, $cacheKey, array $options = [])
      *
      * @param string $url location
      * @param array<mixed> $options [optional] Configuration options.
-     * @return array<mixed> certificates
+     * @return array{array<mixed>, string}
      * @throws InvalidArgumentException If certs could not be retrieved from a local file.
      * @throws RuntimeException If certs could not be retrieved from a remote location.
      */
     private function retrieveCertsFromLocation($url, array $options = [])
     {
         // If we're retrieving a local file, just grab it.
+        $expireTime = '+1 hour';
         if (strpos($url, 'http') !== 0) {
             if (!file_exists($url)) {
                 throw new InvalidArgumentException(sprintf(
@@ -360,14 +359,28 @@ private function retrieveCertsFromLocation($url, array $options = [])
                 ));
             }
 
-            return json_decode((string) file_get_contents($url), true);
+            return [
+                json_decode((string) file_get_contents($url), true),
+                $expireTime
+            ];
         }
 
         $httpHandler = $this->httpHandler;
         $response = $httpHandler(new Request('GET', $url), $options);
 
         if ($response->getStatusCode() == 200) {
-            return json_decode((string) $response->getBody(), true);
+            if ($cacheControl = $response->getHeaderLine('Cache-Control')) {
+                array_map(function ($value) use (&$expireTime) {
+                    list($key, $value) = explode('=', $value) + [null, null];
+                    if (trim($key) == 'max-age') {
+                        $expireTime = '+' . $value . ' seconds';
+                    }
+                }, explode(',', $cacheControl));
+            }
+            return [
+                json_decode((string) $response->getBody(), true),
+                $expireTime
+            ];
         }
 
         throw new RuntimeException(sprintf(

@@ -264,22 +264,33 @@ public function testEsVerifyEndToEnd()
         $this->assertEquals('https://cloud.google.com/iap', $payload['iss']);
     }
 
-    public function testGetCertsForIap()
+    /**
+     * @dataProvider provideCertsFromUrl
+     */
+    public function testGetCertsFromUrl($certUrl)
     {
         $token = new AccessToken();
         $reflector = new \ReflectionObject($token);
         $cacheKeyMethod = $reflector->getMethod('getCacheKeyFromCertLocation');
         $cacheKeyMethod->setAccessible(true);
         $getCertsMethod = $reflector->getMethod('getCerts');
         $getCertsMethod->setAccessible(true);
-        $cacheKey = $cacheKeyMethod->invoke($token, AccessToken::IAP_CERT_URL);
+        $cacheKey = $cacheKeyMethod->invoke($token, $certUrl);
         $certs = $getCertsMethod->invoke(
             $token,
-            AccessToken::IAP_CERT_URL,
+            $certUrl,
             $cacheKey
         );
         $this->assertTrue(is_array($certs));
-        $this->assertEquals(5, count($certs));
+        $this->assertGreaterThanOrEqual(2, count($certs));
+    }
+
+    public function provideCertsFromUrl()
+    {
+        return [
+            [AccessToken::IAP_CERT_URL],
+            [AccessToken::FEDERATED_SIGNON_CERT_URL],
+        ];
     }
 
     public function testRetrieveCertsFromLocationLocalFile()
@@ -398,6 +409,51 @@ public function testRetrieveCertsFromLocationLocalFileInvalidFileData()
         ]);
     }
 
+    public function testRetrieveCertsFromLocationRespectsCacheControl()
+    {
+        $certsLocation = __DIR__ . '/fixtures/federated-certs.json';
+        $certsJson = file_get_contents($certsLocation);
+        $certsData = json_decode($certsJson, true);
+
+        $httpHandler = function (RequestInterface $request) use ($certsJson) {
+            return new Response(200, [
+                'cache-control' => 'public, max-age=1000',
+            ], $certsJson);
+        };
+
+        $phpunit = $this;
+
+        $item = $this->prophesize('Psr\Cache\CacheItemInterface');
+        $item->get()
+            ->shouldBeCalledTimes(1)
+            ->willReturn(null);
+        $item->set($certsData)
+            ->shouldBeCalledTimes(1)
+            ->willReturn($item->reveal());
+
+        // Assert date-time is set with difference of 1000 (the max-age in the Cache-Control header)
+        $item->expiresAt(Argument::type('\DateTime'))
+            ->shouldBeCalledTimes(1)
+            ->will(function ($value) use ($phpunit) {
+                $phpunit->assertEqualsWithDelta(1000, $value[0]->getTimestamp() - time(), 1);
+                return $this;
+            });
+
+        $this->cache->getItem('google_auth_certs_cache|federated_signon_certs_v3')
+            ->shouldBeCalledTimes(1)
+            ->willReturn($item->reveal());
+
+        $this->cache->save(Argument::type('Psr\Cache\CacheItemInterface'))
+            ->shouldBeCalledTimes(1);
+
+        $token = new AccessTokenStub(
+            $httpHandler,
+            $this->cache->reveal()
+        );
+
+        $token->verify($this->token);
+    }
+
     public function testRetrieveCertsFromLocationRemote()
     {
         $certsLocation = __DIR__ . '/fixtures/federated-certs.json';