Migrate JWT/JWK auto-refresh from RPCSessions to curl multi singleton (#7989)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Co-authored-by: Amaury Chamayou <amaury@xargs.fr>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 3 people

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [7.0.7]
+
+[7.0.7]: https://github.com/microsoft/CCF/releases/tag/ccf-7.0.7
+
+### Changed
+
+- JWT/JWK auto-refresh outbound HTTP fetches (OpenID metadata and JWKS) now use the curl multi singleton client introduced in #7102, replacing the previous `RPCSessions::create_client()` path. Connection and TLS failures are now counted in refresh failure metrics via `send_refresh_jwt_keys_error()`, improving observability of network-level refresh errors (#7989).
+- JWT/JWK auto-refresh now supports configuring the maximum response body size for fetched OpenID metadata and JWKS via the `jwt.key_refresh_max_response_size` node startup config setting (#7989).
+
 ## [7.0.6]
 
 [7.0.6]: https://github.com/microsoft/CCF/releases/tag/ccf-7.0.6

doc/build_apps/auth/jwt.rst

@@ -107,7 +107,7 @@ Now the issuer can be created with auto-refresh enabled:
 
 .. note::
 
-    The key refresh interval is set via the ``jwt.key_refresh_interval_s`` configuration entry, where the default is 30 min (1800 seconds).
+  The key refresh interval is set via the ``jwt.key_refresh_interval`` configuration entry, where the default is 30 min (1800 seconds). The maximum response body size accepted when fetching OpenID metadata and JWKS is set via ``jwt.key_refresh_max_response_size``, where the default is 1 MB.
 
 Removing a token issuer
 -----------------------

doc/dev/jwk_refresh_curl_multi_migration_plan.md

@@ -653,6 +653,11 @@
           "type": "string",
           "default": "30min",
           "description": "Interval at which JWT keys for issuers registered with auto-refresh are automatically refreshed"
+        },
+        "key_refresh_max_response_size": {
+          "type": "string",
+          "default": "1MB",
+          "description": "Maximum response body size accepted when fetching OpenID metadata and JWKS for JWT issuer auto-refresh"
         }
       },
       "description": "This section includes configuration for JWT issuers automatic refresh",

doc/host_config_schema/host_config.json

@@ -65,6 +65,7 @@ namespace ccf
     struct JWT
     {
       ccf::ds::TimeString key_refresh_interval = {"30min"};
+      ccf::ds::SizeString key_refresh_max_response_size = {"1MB"};
 
       bool operator==(const JWT&) const = default;
     };

include/ccf/node/startup_config.h

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "ccf"
-version = "7.0.6"
+version = "7.0.7"
 authors = [
   { name="CCF Team", email="CCF-Sec@microsoft.com" },
 ]

python/pyproject.toml

@@ -505,12 +505,10 @@ function checkReconfigurationType(config, new_config) {
   const from = config.reconfiguration_type;
   const to = new_config.reconfiguration_type;
   if (from !== to && to !== undefined) {
-    if (
-      !(
-        (from === undefined || from === "OneTransaction") &&
-        to === "TwoTransaction"
-      )
-    ) {
+    if (!(
+      (from === undefined || from === "OneTransaction") &&
+      to === "TwoTransaction"
+    )) {
       throw new Error(
         `Cannot change reconfiguration type from ${from} to ${to}.`,
       );

samples/constitutions/default/actions.js

@@ -485,12 +485,10 @@ function checkReconfigurationType(config, new_config) {
   const from = config.reconfiguration_type;
   const to = new_config.reconfiguration_type;
   if (from !== to && to !== undefined) {
-    if (
-      !(
-        (from === undefined || from === "OneTransaction") &&
-        to === "TwoTransaction"
-      )
-    ) {
+    if (!(
+      (from === undefined || from === "OneTransaction") &&
+      to === "TwoTransaction"
+    )) {
       throw new Error(
         `Cannot change reconfiguration type from ${from} to ${to}.`,
       );

samples/minimal_ccf/app/actions.js

@@ -73,7 +73,8 @@ namespace ccf
 
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(CCFConfig::JWT);
   DECLARE_JSON_REQUIRED_FIELDS(CCFConfig::JWT);
-  DECLARE_JSON_OPTIONAL_FIELDS(CCFConfig::JWT, key_refresh_interval);
+  DECLARE_JSON_OPTIONAL_FIELDS(
+    CCFConfig::JWT, key_refresh_interval, key_refresh_max_response_size);
 
   DECLARE_JSON_TYPE_WITH_OPTIONAL_FIELDS(CCFConfig::Attestation::Environment);
   DECLARE_JSON_REQUIRED_FIELDS(CCFConfig::Attestation::Environment);