adds Cache-Control header to oidc .well-known endpoints (#7108)

2026-05-05 04:16:31 +02:00 · 2019-07-15 11:04:45 -07:00 · 2019-07-15 11:04:45 -07:00 · aaad1e3c8c
commit aaad1e3c8c
parent 525383982a
3 changed files with 31 additions and 3 deletions
--- a/http/logical.go
+++ b/http/logical.go
@ -456,6 +456,10 @@ WRITE_RESPONSE:
 		w.Header().Set("Content-Type", contentType)
 	}

+	if cacheControl, ok := resp.Data[logical.HTTPRawCacheControl].(string); ok {
+		w.Header().Set("Cache-Control", cacheControl)
+	}
+
 	w.WriteHeader(status)
 	w.Write(body)
 }
--- a/sdk/logical/response.go
+++ b/sdk/logical/response.go
@ -33,6 +33,10 @@ const (
 	// that it has already been unmarshaled. That way we don't need to simply
 	// ignore errors.
 	HTTPRawBodyAlreadyJSONDecoded = "http_raw_body_already_json_decoded"
+
+	// If set, HTTPRawCacheControl will replace the default Cache-Control=no-store header
+	// set by the generic wrapping handler. The value must be a string.
+	HTTPRawCacheControl = "http_raw_cache_control"
 )

 // Response is a struct that stores the response of a request.
--- a/vault/identity_store_oidc.go
+++ b/vault/identity_store_oidc.go
@ -1018,9 +1018,10 @@ func (i *IdentityStore) pathOIDCDiscovery(ctx context.Context, req *logical.Requ

 	resp := &logical.Response{
 		Data: map[string]interface{}{
-			logical.HTTPStatusCode:  200,
-			logical.HTTPRawBody:     data,
-			logical.HTTPContentType: "application/json",
+			logical.HTTPStatusCode:      200,
+			logical.HTTPRawBody:         data,
+			logical.HTTPContentType:     "application/json",
+			logical.HTTPRawCacheControl: "max-age=3600",
 		},
 	}

@ -1061,6 +1062,25 @@ func (i *IdentityStore) pathOIDCReadPublicKeys(ctx context.Context, req *logical
 		},
 	}

+	// set a Cache-Control header only if there are keys, if there aren't keys
+	// then nextRun should not be used to set Cache-Control header because it chooses
+	// a time in the future that isn't based on key rotation/expiration values
+	keys, err := listOIDCPublicKeys(ctx, req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	if len(keys) > 0 {
+		if v, ok := i.oidcCache.Get(nilNamespace, "nextRun"); ok {
+			now := time.Now()
+			expireAt := v.(time.Time)
+			if expireAt.After(now) {
+				expireInSeconds := expireAt.Sub(time.Now()).Seconds()
+				expireInString := fmt.Sprintf("max-age=%.0f", expireInSeconds)
+				resp.Data[logical.HTTPRawCacheControl] = expireInString
+			}
+		}
+	}
+
 	return resp, nil
 }