Implement reload cache clearing for AuthenticationProvider, EnsoSecretReader and AuditLog (#12541)

GregoryTravis · farmaazon · commit d28a0270576b · 2025-04-11T15:10:51.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -303,6 +303,8 @@
 - [Added `Table.geo_distance` to calculate the distance between two
   points.][12393]
 - [The reload button clears the Enso Cloud request cache.][12526]
+- [The reload button clears the AuthenticationProvider, EnsoSecretReader and
+  AuditLog caches.][12541]
 
 [11235]: https://github.com/enso-org/enso/pull/11235
 [11255]: https://github.com/enso-org/enso/pull/11255
@@ -317,6 +319,7 @@
 [12017]: https://github.com/enso-org/enso/pull/12017
 [12393]: https://github.com/enso-org/enso/pull/12393
 [12526]: https://github.com/enso-org/enso/pull/12526
+[12541]: https://github.com/enso-org/enso/pull/12526
 
 #### Enso Language & Runtime
 
diff --git a/distribution/lib/Standard/Base/0.0.0-dev/src/Enso_Cloud/Internal/Authentication.enso b/distribution/lib/Standard/Base/0.0.0-dev/src/Enso_Cloud/Internal/Authentication.enso
@@ -46,13 +46,13 @@ polyglot java import org.enso.base.enso_cloud.AuthenticationProvider
    and a new one will be returned. Because of that, this method may make network
    requests.
 get_access_token : Text
-get_access_token = AuthenticationProvider.getAccessToken
+get_access_token = AuthenticationProvider.INSTANCE.getAccessToken
 
 ## PRIVATE
    Forcibly refreshes the access token.
 refresh_access_token : Nothing
 refresh_access_token =
-    AuthenticationProvider.getAuthenticationServiceEnsoInstance.force_refresh
+    AuthenticationProvider.INSTANCE.getAuthenticationServiceEnsoInstance.force_refresh
 
 ## PRIVATE
 credentials_file : File
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/AuthenticationProvider.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/AuthenticationProvider.java
@@ -1,53 +1,68 @@
 package org.enso.base.enso_cloud;
 
+import org.enso.base.cache.ReloadDetector;
 import org.enso.base.polyglot.EnsoMeta;
 import org.graalvm.polyglot.Value;
 
-public class AuthenticationProvider {
+public class AuthenticationProvider implements ReloadDetector.HasClearableCache {
+  public static AuthenticationProvider INSTANCE = new AuthenticationProvider();
+
+  private AuthenticationProvider() {
+    ReloadDetector.register(this);
+  }
 
   public interface AuthenticationService {
     String get_access_token();
 
     void force_refresh();
   }
 
-  private static Value authenticationServiceAsEnso = null;
-  private static AuthenticationService authenticationServiceAsJava = null;
+  private Value authenticationServiceAsEnso = null;
+  private AuthenticationService authenticationServiceAsJava = null;
 
-  public static void reset() {
+  public void reset() {
     authenticationServiceAsEnso = null;
     authenticationServiceAsJava = null;
   }
 
-  private static Value createAuthenticationService() {
+  private Value createAuthenticationService() {
     return EnsoMeta.callStaticModuleMethod(
         "Standard.Base.Enso_Cloud.Internal.Authentication", "instantiate_authentication_service");
   }
 
-  private static void ensureServicesSetup() {
+  private void ensureServicesSetup() {
     var ensoInstance = createAuthenticationService();
     var javaInstance = ensoInstance.as(AuthenticationService.class);
     authenticationServiceAsEnso = ensoInstance;
     authenticationServiceAsJava = javaInstance;
   }
 
-  static AuthenticationService getAuthenticationService() {
+  AuthenticationService getAuthenticationService() {
     if (authenticationServiceAsJava == null) {
       ensureServicesSetup();
     }
 
     return authenticationServiceAsJava;
   }
 
-  public static Value getAuthenticationServiceEnsoInstance() {
+  public Value getAuthenticationServiceEnsoInstance() {
+    ReloadDetector.clearOnReload(this);
+
     if (authenticationServiceAsEnso == null) {
       ensureServicesSetup();
     }
 
     return authenticationServiceAsEnso;
   }
 
-  public static String getAccessToken() {
+  public String getAccessToken() {
+    ReloadDetector.clearOnReload(this);
+
     return getAuthenticationService().get_access_token();
   }
+
+  @Override /* HasClearableCache */
+  public void clearCache() {
+    reset();
+  }
 }
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/CloudAPI.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/CloudAPI.java
@@ -37,8 +37,8 @@ public static String getCloudSessionId() {
 
   public static void flushCloudCaches() {
     CloudRequestCache.INSTANCE.clear();
-    AuthenticationProvider.reset();
-    EnsoSecretReader.flushCache();
+    AuthenticationProvider.INSTANCE.reset();
+    EnsoSecretReader.INSTANCE.flushCache();
     AuditLog.resetCache();
   }
 }
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/EnsoSecretHelper.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/EnsoSecretHelper.java
@@ -16,6 +16,7 @@
 import java.util.Comparator;
 import java.util.List;
 import java.util.Properties;
+import org.enso.base.cache.ReloadDetector;
 import org.enso.base.cache.ResponseTooLargeException;
 import org.enso.base.net.URISchematic;
 import org.enso.base.net.URIWithSecrets;
@@ -104,7 +105,7 @@ public static EnsoHttpResponse makeRequest(
   }
 
   public static void deleteSecretFromCache(String secretId) {
-    EnsoSecretReader.removeFromCache(secretId);
+    EnsoSecretReader.INSTANCE.removeFromCache(secretId);
   }
 
   private static class RequestMaker implements EnsoHTTPResponseCache.RequestMaker {
@@ -194,6 +195,16 @@ public static EnsoHTTPResponseCache getOrCreateCache() {
     return cache;
   }
 
+  /** Visible for testing */
+  public static int getEnsoSecretReaderCacheSize() {
+    return EnsoSecretReader.INSTANCE.getCacheSize();
+  }
+
+  /** Visible for testing */
+  public static void simulateEnsoSecretReaderReload() {
+    ReloadDetector.simulateReloadTestOnly(EnsoSecretReader.INSTANCE);
+  }
+
   private static final Comparator<Pair<String, String>> headerNameComparator =
       Comparator.comparing((Pair<String, String> pair) -> pair.getLeft())
           .thenComparing(Comparator.comparing(pair -> pair.getRight()));
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/EnsoSecretReader.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/EnsoSecretReader.java
@@ -7,16 +7,25 @@
 import java.net.http.HttpResponse;
 import java.util.HashMap;
 import java.util.Map;
+import org.enso.base.cache.ReloadDetector;
 
 /** * Internal class to read secrets from the Enso Cloud. */
-class EnsoSecretReader {
-  private static final Map<String, String> secrets = new HashMap<>();
+class EnsoSecretReader implements ReloadDetector.HasClearableCache {
+  static final EnsoSecretReader INSTANCE = new EnsoSecretReader();
 
-  static void flushCache() {
+  private final Map<String, String> secrets = new HashMap<>();
+
+  private EnsoSecretReader() {
+    ReloadDetector.register(this);
+  }
+
+  void flushCache() {
     secrets.clear();
   }
 
-  static void removeFromCache(String secretId) {
+  void removeFromCache(String secretId) {
+    ReloadDetector.clearOnReloadIfRegistered(this);
+
     secrets.remove(secretId);
   }
 
@@ -26,21 +35,23 @@ static void removeFromCache(String secretId) {
    * @param secretId the ID of the secret to read.
    * @return the secret value.
    */
-  static String readSecret(String secretId) {
+  String readSecret(String secretId) {
+    ReloadDetector.clearOnReloadIfRegistered(this);
+
     if (secrets.containsKey(secretId)) {
       return secrets.get(secretId);
     }
 
     return fetchSecretValue(secretId, 3);
   }
 
-  private static String fetchSecretValue(String secretId, int retryCount) {
+  private String fetchSecretValue(String secretId, int retryCount) {
     var apiUri = CloudAPI.getAPIRootURI() + "s3cr3tz/" + secretId;
     var client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.ALWAYS).build();
     var request =
         HttpRequest.newBuilder()
             .uri(URI.create(apiUri))
-            .header("Authorization", "Bearer " + AuthenticationProvider.getAccessToken())
+            .header("Authorization", "Bearer " + AuthenticationProvider.INSTANCE.getAccessToken())
             .GET()
             .build();
 
@@ -64,7 +75,7 @@ private static String fetchSecretValue(String secretId, int retryCount) {
             "Unable to read secret - numerous " + kind + " failures (status code " + status + ").");
       } else {
         // We forcibly refresh the access token and try again.
-        AuthenticationProvider.getAuthenticationService().force_refresh();
+        AuthenticationProvider.INSTANCE.getAuthenticationService().force_refresh();
         return fetchSecretValue(secretId, retryCount - 1);
       }
     }
@@ -80,9 +91,19 @@ private static String fetchSecretValue(String secretId, int retryCount) {
     return secretValue;
   }
 
-  private static String readValueFromString(String json) {
+  private String readValueFromString(String json) {
     var base64 = json.substring(1, json.length() - 1).translateEscapes();
     return new String(
         java.util.Base64.getDecoder().decode(base64), java.nio.charset.StandardCharsets.UTF_8);
   }
+
+  @Override /* HasClearableCache */
+  public void clearCache() {
+    flushCache();
+  }
+
+  /** Visible for testing */
+  public int getCacheSize() {
+    return secrets.size();
+  }
 }
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/ExternalLibraryCredentialHelper.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/ExternalLibraryCredentialHelper.java
@@ -62,7 +62,7 @@ public static CredentialConfig readCredential(CredentialReference credentialRefe
       throws EnsoSecretAccessDenied {
     RestrictedAccess.checkAccess(allowParseCredential);
 
-    String secretPayload = EnsoSecretReader.readSecret(credentialReference.secretId());
+    String secretPayload = EnsoSecretReader.INSTANCE.readSecret(credentialReference.secretId());
     ObjectMapper jsonMapper = new ObjectMapper();
     JsonNode json;
     try {
@@ -103,7 +103,7 @@ public static AccessToken requestAccessToken(CredentialReference credentialRefer
     var request =
         HttpRequest.newBuilder()
             .uri(URI.create(apiUri))
-            .header("Authorization", "Bearer " + AuthenticationProvider.getAccessToken())
+            .header("Authorization", "Bearer " + AuthenticationProvider.INSTANCE.getAccessToken())
             .POST(HttpRequest.BodyPublishers.noBody())
             .build();
     // TODO retries?
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/SecretValueResolver.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/SecretValueResolver.java
@@ -10,7 +10,7 @@ sealed class SecretValueResolver permits EnsoSecretHelper, ExternalLibrarySecret
   protected static String resolveValue(HideableValue value) {
     return switch (value) {
       case HideableValue.PlainValue plainValue -> plainValue.value();
-      case HideableValue.SecretValue secretValue -> EnsoSecretReader.readSecret(
+      case HideableValue.SecretValue secretValue -> EnsoSecretReader.INSTANCE.readSecret(
           secretValue.secretId());
       case HideableValue.ConcatValues concatValues -> {
         String left = resolveValue(concatValues.left());
diff --git a/std-bits/base/src/main/java/org/enso/base/enso_cloud/audit/AuditLogApiAccess.java b/std-bits/base/src/main/java/org/enso/base/enso_cloud/audit/AuditLogApiAccess.java
@@ -16,14 +16,15 @@
 import java.util.concurrent.ThreadPoolExecutor;
 import java.util.concurrent.TimeUnit;
 import java.util.logging.Logger;
+import org.enso.base.cache.ReloadDetector;
 import org.enso.base.enso_cloud.AuthenticationProvider;
 import org.enso.base.enso_cloud.CloudAPI;
 
 /**
  * Gives access to the low-level log event API in the Cloud and manages asynchronously submitting
  * the logs.
  */
-class AuditLogApiAccess {
+public final class AuditLogApiAccess implements ReloadDetector.HasClearableCache {
   private static final Logger logger = Logger.getLogger(AuditLogApiAccess.class.getName());
 
   /**
@@ -45,16 +46,21 @@ private AuditLogApiAccess() {
     // If the thread is idle for 60 seconds, it will be shut down.
     backgroundThreadService =
         new ThreadPoolExecutor(0, 1, 60L, TimeUnit.SECONDS, new LinkedBlockingQueue<>());
+    ReloadDetector.register(this);
   }
 
   public Future<Void> logWithConfirmation(LogMessage message) {
+    ReloadDetector.clearOnReload(this);
+
     var currentRequestConfig = getRequestConfig();
     CompletableFuture<Void> completionNotification = new CompletableFuture<>();
     enqueueJob(new LogJob(message, completionNotification, currentRequestConfig));
     return completionNotification;
   }
 
   public void logWithoutConfirmation(LogMessage message) {
+    ReloadDetector.clearOnReload(this);
+
     var currentRequestConfig = getRequestConfig();
     enqueueJob(new LogJob(message, null, currentRequestConfig));
   }
@@ -195,7 +201,7 @@ private RequestConfig getRequestConfig() {
     }
 
     var uri = URI.create(CloudAPI.getAPIRootURI() + "logs");
-    var config = new RequestConfig(uri, AuthenticationProvider.getAccessToken());
+    var config = new RequestConfig(uri, AuthenticationProvider.INSTANCE.getAccessToken());
     cachedRequestConfig = config;
     return config;
   }
@@ -213,6 +219,14 @@ private RequestConfig getRequestConfig() {
    */
   private record RequestConfig(URI apiUri, String accessToken) {}
 
+  public String getAccessTokenTestOnly() {
+    if (cachedRequestConfig == null) {
+      return null;
+    } else {
+      return cachedRequestConfig.accessToken();
+    }
+  }
+
   private void sendLogRequest(HttpRequest request, int retryCount) throws RequestFailureException {
     try {
       try {
@@ -265,4 +279,9 @@ record LogJob(
   void resetCache() {
     cachedRequestConfig = null;
   }
+
+  @Override /* HasClearableCache */
+  public void clearCache() {
+    resetCache();
+  }
 }
diff --git a/std-bits/table/src/main/java/org/enso/table/excel/ExcelConnectionPool.java b/std-bits/table/src/main/java/org/enso/table/excel/ExcelConnectionPool.java
@@ -228,8 +228,8 @@ public void clearCache() {
           LOGGER.error("Unable to close " + record, e);
         }
       }
-      records.clear();
     }
+    records.clear();
   }
 
   /** Public for testing. */
diff --git a/test/Base_Tests/src/Network/Enso_Cloud/Audit_Log_Spec.enso b/test/Base_Tests/src/Network/Enso_Cloud/Audit_Log_Spec.enso
@@ -9,7 +9,11 @@ from Standard.Test import all
 import Standard.Test.Test_Environment
 
 import project.Network.Enso_Cloud.Cloud_Tests_Setup.Cloud_Tests_Setup
+import project.Network.Enso_Cloud.Cloud_Tests_Setup.Mock_Credentials
 
+polyglot java import org.enso.base.cache.ReloadDetector
+polyglot java import org.enso.base.enso_cloud.AuthenticationProvider
+polyglot java import org.enso.base.enso_cloud.audit.AuditLogApiAccess
 
 add_specs suite_builder =
     ## By default, these tests are run only on the Cloud mock, not on the real deployment.
@@ -65,6 +69,29 @@ add_specs suite_builder =
                 events = get_audit_log_events . filter ev-> (ev.metadata.get "my_field") == random_payload
                 events.length . should_equal 121
 
+    suite_builder.group "Clear cache on reload" pending=setup.pending group_builder->
+        group_builder.specify "AuditLogApiAccess cache should be cleared when a reload is detected" <| setup.with_prepared_environment <|
+            ## We detect the cache clearing by modifying the credentials on disk
+               and observing when they are reloaded
+            access_token0 = "access-token-0"
+            access_token1 = "access-token-1"
+            creds0 = Mock_Credentials.default "url" . set_access_token access_token0
+            creds1 = Mock_Credentials.default "url" . set_access_token access_token1
+            setup0 = Cloud_Tests_Setup.prepare_mock_setup creds0
+            setup1 = Cloud_Tests_Setup.prepare_mock_setup creds1
+            setup0.with_prepared_environment <|
+                Audit_Log.report_event "TestEvent" "Message"
+                AuditLogApiAccess.INSTANCE.getAccessTokenTestOnly . should_equal access_token0
+                AuditLogApiAccess.INSTANCE.getAccessTokenTestOnly . should_equal access_token0
+                setup1.credentials_location.copy_to setup0.credentials_location True
+                AuditLogApiAccess.INSTANCE.getAccessTokenTestOnly . should_equal access_token0
+                # The modified token is only read after the cache is cleared.
+                # The token is read through two levels of cache.
+                ReloadDetector.simulateReloadTestOnly AuditLogApiAccess.INSTANCE
+                ReloadDetector.simulateReloadTestOnly AuthenticationProvider.INSTANCE
+                Audit_Log.report_event "TestEvent" "Message"
+                AuditLogApiAccess.INSTANCE.getAccessTokenTestOnly . should_equal access_token1
+
 main filter=Nothing =
     suite = Test.build suite_builder->
         add_specs suite_builder
diff --git a/test/Base_Tests/src/Network/Enso_Cloud/Cloud_Tests_Setup.enso b/test/Base_Tests/src/Network/Enso_Cloud/Cloud_Tests_Setup.enso
diff --git a/test/Base_Tests/src/Network/Enso_Cloud/Enso_Cloud_Spec.enso b/test/Base_Tests/src/Network/Enso_Cloud/Enso_Cloud_Spec.enso
diff --git a/test/Base_Tests/src/Network/URI_Spec.enso b/test/Base_Tests/src/Network/URI_Spec.enso

Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,8 @@ public static String getCloudSessionId() {`
`37`	`37`
`38`	`38`	`public static void flushCloudCaches() {`
`39`	`39`	`CloudRequestCache.INSTANCE.clear();`
`40`		`- AuthenticationProvider.reset();`
`41`		`- EnsoSecretReader.flushCache();`
	`40`	`+ AuthenticationProvider.INSTANCE.reset();`
	`41`	`+ EnsoSecretReader.INSTANCE.flushCache();`
`42`	`42`	`AuditLog.resetCache();`
`43`	`43`	`}`
`44`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -228,8 +228,8 @@ public void clearCache() {`
`228`	`228`	`LOGGER.error("Unable to close " + record, e);`
`229`	`229`	`}`
`230`	`230`	`}`
`231`		`- records.clear();`
`232`	`231`	`}`
	`232`	`+ records.clear();`
`233`	`233`	`}`
`234`	`234`
`235`	`235`	`/** Public for testing. */`