Avoid retrying for 5 minutes after failed key retrieval

Without this, a persistent failure in the key retrieval will not
be remembered, meaning rapid-fire retries from the client will result
in a similar number of key retrieval attempts.

This causes the next_update to be set forward by 5 minutes after each
failure.

Author: bbockelm

src/scitokens_cache.cpp

@@ -121,7 +121,7 @@ remove_issuer_entry(sqlite3 *db, const std::string &issuer, bool new_transaction
 
 
 bool
-scitokens::Validator::get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update) {
+scitokens::Validator::get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update, int64_t &expires) {
     auto cache_fname = get_cache_file();
     if (cache_fname.size() == 0) {return false;}
 
@@ -177,6 +177,7 @@ scitokens::Validator::get_public_keys_from_db(const std::string issuer, int64_t
             sqlite3_close(db);
             return false;
         }
+        expires = expiry;
         sqlite3_close(db);
         iter = top_obj.find("next_update");
         if (iter == top_obj.end() || !iter->second.is<int64_t>()) {

src/scitokens_internal.cpp

@@ -539,8 +539,8 @@ Validator::get_jwks(const std::string &issuer)
 {
     auto now = std::time(NULL);
     picojson::value jwks;
-    int64_t next_update;
-    if (get_public_keys_from_db(issuer, now, jwks, next_update)) {
+    int64_t next_update, expires;
+    if (get_public_keys_from_db(issuer, now, jwks, next_update, expires)) {
         return jwks.serialize();
     }
     return std::string("{\"keys\": []}");
@@ -578,13 +578,15 @@ Validator::get_public_key_pem(const std::string &issuer, const std::string &kid,
     picojson::value keys;
     int64_t next_update, expires;
     auto now = std::time(NULL);
-    if (get_public_keys_from_db(issuer, now, keys, next_update)) {
+    if (get_public_keys_from_db(issuer, now, keys, next_update, expires)) {
         if (now > next_update) {
             try {
                 get_public_keys_from_web(issuer, SimpleCurlGet::default_timeout, keys, next_update, expires);
                 store_public_keys(issuer, keys, next_update, expires);
             } catch (std::runtime_error &) {
-                // ignore the exception: we have a valid set of keys already/
+                // ignore the exception: we have a valid set of keys already.  However, we don't want to continuously
+                // hammer the upstream server which is not currently working ... move forward the next_update by 5 minutes.
+                store_public_keys(issuer, keys, now + 300, expires);
             }
         }
     } else {

src/scitokens_internal.h

@@ -549,7 +549,7 @@ class Validator {
 private:
     void get_public_key_pem(const std::string &issuer, const std::string &kid, std::string &public_pem, std::string &algorithm);
     static void get_public_keys_from_web(const std::string &issuer, unsigned timeout, picojson::value &keys, int64_t &next_update, int64_t &expires);
-    static bool get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update);
+    static bool get_public_keys_from_db(const std::string issuer, int64_t now, picojson::value &keys, int64_t &next_update, int64_t &expires);
     static bool store_public_keys(const std::string &issuer, const picojson::value &keys, int64_t next_update, int64_t expires);
 
     bool m_validate_all_claims{true};