Merge pull request #141 from CyberSource/features-ready-to-release

Features ready to release

Author: gnongsie

cybersource_rest_client.gemspec

@@ -17,7 +17,7 @@ require "cybersource_rest_client/version"
 
 Gem::Specification.new do |s|
   s.name        = "cybersource_rest_client"
-  s.version     = "0.0.75"
+  s.version     = "0.0.76"
   s.platform    = Gem::Platform::RUBY
   s.authors     = ["CyberSource"]
   s.email       = ["cybersourcedev@gmail.com"]

generator/cybersource-ruby-template/api_client.mustache

@@ -8,6 +8,7 @@ require 'logger'
 require 'tempfile'
 require 'typhoeus'
 require 'addressable/uri'
+require_relative 'ethon_extensions'
 
 module {{moduleName}}
   class ApiClient
@@ -144,7 +145,8 @@ module {{moduleName}}
         :sslcert => @config.cert_file,
         :sslkeypasswd => @merchantconfig.sslKeyPassword || "",
         :sslkey => @config.key_file,
-        :verbose => @config.debugging
+        :verbose => @config.debugging,
+        :maxage_conn => @merchantconfig.keepAliveTime || 118 # Default to 118 seconds as same as default of libcurl
       }
 
       # set custom cert, if provided

lib/AuthenticationSDK/authentication/jwt/JwtToken.rb

@@ -21,29 +21,18 @@ def getToken(merchantconfig_obj,gmtDatetime)
 
       jwtBody = ''
       request_type = merchantconfig_obj.requestType.upcase
-      filePath = merchantconfig_obj.keysDirectory + '/' + merchantconfig_obj.keyFilename + '.p12'
-
-      if (!File.exist?(filePath))
-        raise Constants::ERROR_PREFIX + Constants::FILE_NOT_FOUND + File.expand_path(filePath)
-      end
-
-      p12File = File.binread(filePath)
+      
       jwtBody=getJwtBody(request_type, gmtDatetime, merchantconfig_obj)
       claimSet = JSON.parse(jwtBody)
-      p12FilePath = OpenSSL::PKCS12.new(p12File, merchantconfig_obj.keyPass)
-
-      # Generating certificate.
-      cacheObj = ActiveSupport::Cache::MemoryStore.new
-      x5Cert = Cache.new.fetchCachedCertificate(filePath, p12File, merchantconfig_obj.keyPass, merchantconfig_obj.keyAlias, cacheObj)
 
-      # Generating Public key.
-      publicKey = OpenSSL::PKey::RSA.new(p12FilePath.key.public_key)
+      cache_value = Cache.new.fetchJwtCertsAndKeys(merchantconfig_obj)
+      privateKey = cache_value.private_key
+      jwt_cert_obj = cache_value.cert
+      jwt_cert_in_der= Base64.strict_encode64(jwt_cert_obj.to_der)
 
-      #Generating Private Key
-      privateKey = OpenSSL::PKey::RSA.new(p12FilePath.key)
 
       # JWT token-Generates using RS256 algorithm only
-      x5clist = [x5Cert]
+      x5clist = [jwt_cert_in_der]
       customHeaders = {}
       customHeaders['v-c-merchant-id'] = merchantconfig_obj.keyAlias
       customHeaders['x5c'] = x5clist

lib/AuthenticationSDK/core/MerchantConfig.rb

@@ -44,6 +44,8 @@ def initialize(cybsPropertyObj)
     @log_config = LogConfiguration.new(cybsPropertyObj['logConfiguration'])
     # Custom Default Headers
     @defaultCustomHeaders = cybsPropertyObj['defaultCustomHeaders']
+    # Keep Alive Time for Connection Pooling
+    @keepAliveTime = cybsPropertyObj['keepAliveTime'] || 118 # Default to 118 seconds as same as default of libcurl
     # Path to client JWE pem file directory
     @pemFileDirectory = cybsPropertyObj['pemFileDirectory']
     @mleKeyAlias = cybsPropertyObj['mleKeyAlias']
@@ -56,6 +58,11 @@ def initialize(cybsPropertyObj)
 
     #fall back logic
     def validateMerchantDetails()
+      if !@keepAliveTime.is_a?(Integer)
+        err = StandardError.new(Constants::ERROR_PREFIX + "keepAliveTime must be an integer and in seconds")
+        raise err
+      end
+      
       logmessage = ''
       @log_config.validate(logmessage)
       @log_obj = Log.new @log_config, "MerchantConfig"
@@ -267,7 +274,7 @@ def validateMLEConfiguration
         end
       end
 
-      if mle_configured && !Constants::AUTH_TYPE_JWT.eql?(@authenticationType)
+      if mle_configured && !Constants::AUTH_TYPE_JWT.eql?(@authenticationType.upcase)
         err = StandardError.new(Constants::ERROR_PREFIX + "MLE can only be used with JWT authentication")
         @log_obj.logger.error(ExceptionHandler.new.new_api_exception err)
         raise err
@@ -306,6 +313,7 @@ def logAllProperties(merchantPropertyObj)
     attr_accessor :keyFilename
     attr_accessor :useMetaKey
     attr_accessor :portfolioID
+    attr_accessor :keepAliveTime
     attr_accessor :enableClientCert
     attr_accessor :clientCertDirectory
     attr_accessor :sslClientCert

lib/AuthenticationSDK/util/Cache.rb

@@ -1,48 +1,123 @@
 require 'openssl'
 require 'base64'
+require 'active_support'
+require 'thread'
+require_relative 'CacheValue'
+
 public
 # P12 file certificate Cache
   class Cache
-    def fetchCachedCertificate(filePath, p12File, keyPass, keyAlias, cacheObj)
-      certCache = cacheObj.read(keyAlias.to_s.upcase)
-      cachedLastModifiedTimeStamp = cacheObj.read(keyAlias.to_s.upcase + '_LastModifiedTime')
-      if File.exist?(filePath)
-        currentFileLastModifiedTime = File.mtime(filePath)
-        if certCache.to_s.empty? || cachedLastModifiedTimeStamp.to_s.empty?
-          certificateFromP12File = getCertificate(p12File, keyPass, keyAlias, cacheObj, currentFileLastModifiedTime)
-          return certificateFromP12File
-        elsif currentFileLastModifiedTime > cachedLastModifiedTimeStamp
-        # Function call to read the file and put values to new cache
-          certificateFromP12File = getCertificate(p12File, keyPass, keyAlias, cacheObj, currentFileLastModifiedTime)
-          return certificateFromP12File
-        else
-          return certCache
+    @@cache_obj = ActiveSupport::Cache::MemoryStore.new
+    @@mutex = Mutex.new
+
+    def fetchJwtCertsAndKeys(merchantConfig)
+      merchantId = merchantConfig.merchantId
+      filePath = merchantConfig.keysDirectory + '/' + merchantConfig.keyFilename + '.p12'
+      if (!File.exist?(filePath))
+        raise Constants::ERROR_PREFIX + Constants::FILE_NOT_FOUND + File.expand_path(filePath)
+      end
+
+      cacheKey = merchantId.to_s + '_JWT'
+      
+      # Thread-safe cache access with race condition protection
+      @@mutex.synchronize do
+        certCache = @@cache_obj.read(cacheKey)
+        fileModTime = File.mtime(filePath)
+
+        if !certCache || certCache.empty? || certCache.file_modified_time != fileModTime
+          setupCache(cacheKey, filePath, merchantConfig)
+          certCache = @@cache_obj.read(cacheKey)
         end
-      else
-        raise Constants::ERROR_PREFIX + Constants::FILE_NOT_FOUND + filePath
+        
+        return certCache
+      end
+    end    
+    
+    def fetchMLECert(merchantConfig)
+      merchantId = merchantConfig.merchantId
+      filePath = merchantConfig.keysDirectory + '/' + merchantConfig.keyFilename + '.p12'
+      if (!File.exist?(filePath))
+        raise Constants::ERROR_PREFIX + Constants::FILE_NOT_FOUND + File.expand_path(filePath)
+      end
+
+      cacheKey = merchantId.to_s + '_MLE'
+      
+      # Thread-safe cache access with race condition protection
+      @@mutex.synchronize do
+        certCache = @@cache_obj.read(cacheKey)
+        fileModTime = File.mtime(filePath)
+
+        if !certCache || certCache.empty? || certCache.file_modified_time != fileModTime
+          setupCache(cacheKey, filePath, merchantConfig)
+          certCache = @@cache_obj.read(cacheKey)
+        end
+        
+        return certCache
       end
     end
 
-    def getCertificate(p12File, keyPass, keyAlias, cacheObj, currentFileLastModifiedTime)
-      x5CertDer = Utility.new.fetchCert(keyPass, p12File, keyAlias)
-      cacheObj.write(keyAlias.to_s.upcase, x5CertDer)
-      cacheObj.write(keyAlias.to_s.upcase + '_LastModifiedTime', currentFileLastModifiedTime)
-      x5CertDer
+    def setupCache(cacheKey, filePath, merchantConfig)
+      if(cacheKey.end_with?("_JWT"))
+        private_key, certs = getCertsAndKeysFromP12(filePath, merchantConfig)
+        jwt_cert = Utility.getCertBasedOnKeyAlias(certs, merchantConfig.keyAlias)
+        currentFileLastModifiedTime = File.mtime(filePath)
+        
+        # Create CacheValue object with all 3 parameters
+        cache_value = CacheValue.new(private_key, jwt_cert, currentFileLastModifiedTime)
+        
+        # Store the cache value object in cache
+        @@cache_obj.write(cacheKey, cache_value)
+      end
+      if(cacheKey.end_with?("_MLE"))
+        private_key, certs = getCertsAndKeysFromP12(filePath, merchantConfig)
+        mle_cert = Utility.getCertBasedOnKeyAlias(certs, merchantConfig.mleKeyAlias)
+        currentFileLastModifiedTime = File.mtime(filePath)
+        
+        # Create CacheValue object with all 3 parameters
+        cache_value = CacheValue.new(nil, mle_cert, currentFileLastModifiedTime)
+        
+        # Store the cache value object in cache
+        @@cache_obj.write(cacheKey, cache_value)
+      end
+
+    end
+
+    def getCertsAndKeysFromP12(filePath, merchantConfig)
+      p12File = File.binread(filePath)
+      p12Object = OpenSSL::PKCS12.new(p12File, merchantConfig.keyPass)
+      #Generating Private Key
+      private_key = OpenSSL::PKey::RSA.new(p12Object.key)
+      # Generating Public key.
+      # publicKey = OpenSSL::PKey::RSA.new(p12Object.key.public_key)
+
+      # Get all certs from p12
+      x5_cert_primary = p12Object.certificate
+      x5_certs_others = p12Object.ca_certs
+      certs = [x5_cert_primary]
+      certs.concat(x5_certs_others) if x5_certs_others
+      return [private_key, certs]
     end
 
     # <b>DEPRECATED:</b> This method has been marked as Deprecated and will be removed in coming releases.
-    def fetchPEMFileForNetworkTokenization(filePath, cacheObj)
+    def fetchPEMFileForNetworkTokenization(filePath)
       warn("[DEPRECATED] 'fetchPEMFileForNetworkTokenization' method is deprecated and will be removed in coming releases.")
-      pem_file_cache = cacheObj.read('privateKeyFromPEMFile')
-      cached_pem_file_last_updated_time = cacheObj.read('cachedLastModifiedTimeOfPEMFile')
-      if File.exist?(filePath)
-        current_last_modified_time_of_PEM_file = File.mtime(filePath)
-        if pem_file_cache.nil? || pem_file_cache.to_s.empty? || current_last_modified_time_of_PEM_file > cached_pem_file_last_updated_time
-          private_key = JOSE::JWK.from_pem_file filePath
-          cacheObj.write('privateKeyFromPEMFile', private_key)
-          cacheObj.write('cachedLastModifiedTimeOfPEMFile', current_last_modified_time_of_PEM_file)
+      
+      # Thread-safe cache access for deprecated method
+      @@mutex.synchronize do
+        pem_file_cache = @@cache_obj.read('privateKeyFromPEMFile')
+        cached_pem_file_last_updated_time = @@cache_obj.read('cachedLastModifiedTimeOfPEMFile')
+        
+        if File.exist?(filePath)
+          current_last_modified_time_of_PEM_file = File.mtime(filePath)
+          if pem_file_cache.nil? || pem_file_cache.to_s.empty? || current_last_modified_time_of_PEM_file > cached_pem_file_last_updated_time
+            private_key = JOSE::JWK.from_pem_file filePath
+            @@cache_obj.write('privateKeyFromPEMFile', private_key)
+            @@cache_obj.write('cachedLastModifiedTimeOfPEMFile', current_last_modified_time_of_PEM_file)
+          end
         end
+        
+        return @@cache_obj.read('privateKeyFromPEMFile')
       end
-      return cacheObj.read('privateKeyFromPEMFile')
     end
+    
   end

lib/AuthenticationSDK/util/CacheValue.rb

@@ -0,0 +1,18 @@
+# Cache value object to store certificate data
+class CacheValue
+  attr_accessor :private_key, :cert, :file_modified_time
+
+  def initialize(private_key = nil, cert = nil, file_modified_time = nil)
+    @private_key = private_key
+    @cert = cert
+    @file_modified_time = file_modified_time
+  end
+
+  def to_s
+    "CacheValue(private_key: #{@private_key ? 'present' : 'nil'}, cert: #{@cert ? 'present' : 'nil'}, file_modified_time: #{@file_modified_time})"
+  end
+
+  def empty?
+    @private_key.nil? && @cert.nil? && @file_modified_time.nil?
+  end
+end

lib/AuthenticationSDK/util/JWEUtility.rb

@@ -8,8 +8,7 @@ class AuthJWEUtility
   # <b>DEPRECATED:</b> This method has been marked as Deprecated and will be removed in coming releases. Use <tt>decrypt_jwe_using_private_key()</tt> instead.
   def self.decrypt_jwe_using_pem(merchant_config, encoded_response)
     warn("[DEPRECATED] `decrypt_jwe_using_pem()` method is deprecated and will be removed in coming releases. Use `decrypt_jwe_using_private_key()` instead.")
-    cache_obj = ActiveSupport::Cache::MemoryStore.new
-    key = Cache.new.fetchPEMFileForNetworkTokenization(merchant_config.pemFileDirectory, cache_obj)
+    key = Cache.new.fetchPEMFileForNetworkTokenization(merchant_config.pemFileDirectory)
     return JOSE::JWE.block_decrypt(key, encoded_response).first
   end
 

lib/AuthenticationSDK/util/MLEUtility.rb

@@ -1,7 +1,6 @@
 require_relative '../logging/log_factory.rb'
 require 'jose'
 require_relative './Cache'
-require 'active_support'
 
 public
   class MLEUtility
@@ -30,23 +29,22 @@ def self.encrypt_request_payload(merchant_config, request_payload)
       @log_obj.logger.debug('LOG_REQUEST_BEFORE_MLE: ' + request_payload)
 
       begin
-        file_path = merchant_config.keysDirectory + '/' + merchant_config.keyFilename + '.p12'
-        p12_file = File.binread(file_path)
-        cache_obj = ActiveSupport::Cache::MemoryStore.new
-        cert_der = Cache.new.fetchCachedCertificate(merchant_config.keysDirectory, p12_file,  merchant_config.keyPass, merchant_config.mleKeyAlias, cache_obj)
-        if cert_der.nil?
+        cache_value = Cache.new.fetchMLECert(merchant_config)
+        if cache_value.nil? || cache_value.cert.nil?
           @log_obj.logger.error('Failed to get certificate for MLE')
           raise StandardError.new('Failed to get certificate for MLE')
         end
-        certificate = OpenSSL::X509::Certificate.new(Base64.decode64(cert_der))
-        validate_certificate(certificate, merchant_config.mleKeyAlias, @log_obj)
-        serial_number = extract_serial_number_from_certificate(certificate)
+        mle_cert_obj = cache_value.cert
+
+        # certificate = OpenSSL::X509::Certificate.new(Base64.decode64(cert_der))
+        validate_certificate(mle_cert_obj, merchant_config.mleKeyAlias, @log_obj)
+        serial_number = extract_serial_number_from_certificate(mle_cert_obj)
         if serial_number.nil?
           @log_obj.logger.error('Serial number not found in certificate for MLE')
           raise StandardError.new('Serial number not found in MLE certificate')
         end
 
-        jwk = JOSE::JWK.from_key(certificate.public_key)
+        jwk = JOSE::JWK.from_key(mle_cert_obj.public_key)
         if jwk.nil?
           @log_obj.logger.error('Failed to create JWK object from public key')
           raise StandardError.new('Failed to create JWK object from public key')

lib/AuthenticationSDK/util/Utility.rb

@@ -33,19 +33,15 @@ def getResponseCodeMessage(responseCode)
       return tempResponseCodeMessage
     end
 
-    def fetchCert(key_pass, file, key_alias)
-      p12_file = OpenSSL::PKCS12.new(file, key_pass)
-      x5_cert_pem = p12_file.certificate
-      x5_cert_pem.subject.to_a.each do |attribute|
-        return  Base64.strict_encode64(x5_cert_pem.to_der) if attribute[1].include?(key_alias)
-      end
-      unless p12_file.ca_certs.nil?
-        p12_file.ca_certs.each do |cert|
+     def self.getCertBasedOnKeyAlias(x5_certs, key_alias)
+      unless x5_certs.nil?
+        x5_certs.each do |cert|
           cert.subject.to_a.each do |attribute|
-            return  Base64.strict_encode64(cert.to_der) if attribute[1].include?(key_alias)
+            return  cert if attribute[1].include?(key_alias)
           end
         end
       end
       nil
     end
-  end
+  end
+

lib/cybersource_rest_client/api_client.rb

@@ -15,6 +15,7 @@
 require 'tempfile'
 require 'typhoeus'
 require 'addressable/uri'
+require_relative 'ethon_extensions'
 
 module CyberSource
   class ApiClient
@@ -148,7 +149,8 @@ def build_request(http_method, path, opts = {})
         :sslcert => @config.cert_file,
         :sslkeypasswd => @merchantconfig.sslKeyPassword || "",
         :sslkey => @config.key_file,
-        :verbose => @config.debugging
+        :verbose => @config.debugging,
+        :maxage_conn => @merchantconfig.keepAliveTime || 118 # Default to 118 seconds as same as default of libcurl
       }
 
       # set custom cert, if provided