Module: Mongo::Socket::OcspCache Private

Defined in:
lib/mongo/socket/ocsp_cache.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

This module caches OCSP responses for their indicated validity time.

The key is the CertificateId used for the OCSP request. The value is the SingleResponse.

Since:

  • 2.0.0

Class Method Summary collapse

Class Method Details

.clearObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Note:

Use Mongo.clear_ocsp_cache from applications instead of invoking this method directly.

Clears the driver’s OCSP response cache.

Since:

  • 2.0.0



84
85
86
# File 'lib/mongo/socket/ocsp_cache.rb', line 84

module_function def clear
  responses.replace([])
end

.delete(cert_id) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



74
75
76
77
78
# File 'lib/mongo/socket/ocsp_cache.rb', line 74

module_function def delete(cert_id)
  responses.delete_if do |resp|
    resp.certid.cmp(cert_id)
  end
end

.get(cert_id) ⇒ OpenSSL::OCSP::SingleResponse

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Retrieves a cached SingleResponse for the specified CertificateId.

This method may return expired responses if they are revoked. Such responses were valid when they were first received.

This method may also return responses that are valid but that may expire by the time caller uses them. The caller should not perform update time checks on the returned response.

Returns:

  • (OpenSSL::OCSP::SingleResponse)

    The previously retrieved response.

Since:

  • 2.0.0



44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
# File 'lib/mongo/socket/ocsp_cache.rb', line 44

module_function def get(cert_id)
  resp = responses.detect do |resp|
    resp.certid.cmp(cert_id)
  end
  if resp
    # Only expire responses with good status.
    # Once a certificate is revoked, it should stay revoked forever,
    # hence we should be able to cache revoked responses indefinitely.
    if resp.cert_status == OpenSSL::OCSP::V_CERTSTATUS_GOOD &&
      resp.next_update < Time.now
    then
      responses.delete(resp)
      resp = nil
    end
  end

  # If we have connected to a server and cached the OCSP response for it,
  # and then never connect to that server again, the cached OCSP response
  # is going to remain in memory indefinitely. Periodically remove all
  # expired OCSP responses, not just the ones matching the certificate id
  # we are querying by.
  if rand < 0.01
    responses.delete_if do |resp|
      resp.next_update < Time.now
    end
  end

  resp
end

.responsesObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



92
93
94
95
96
# File 'lib/mongo/socket/ocsp_cache.rb', line 92

module_function def responses
  LOCK.synchronize do
    @responses ||= []
  end
end

.set(cert_id, response) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Since:

  • 2.0.0



28
29
30
31
# File 'lib/mongo/socket/ocsp_cache.rb', line 28

module_function def set(cert_id, response)
  delete(cert_id)
  responses << response
end