Add CzertainlyAuthenticationCache

[LukasNajman]

Add CzertainlyAuthenticationCache with caching for authentication methods, eviction mechanisms, and tests

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Copilot]

Pull request overview

This PR introduces an authentication caching layer (CzertainlyAuthenticationCache) backed by Spring Cache + Caffeine, adds cache-aware authentication entrypoints on CzertainlyAuthenticationClient, and wires eviction into user/role/certificate mutations with accompanying tests.

Changes:

• Add AuthenticationCache abstraction + CzertainlyAuthenticationCache implementation and Spring CacheConfig (Caffeine) to cache auth results for system users, user UUID, certificate thumbprints, and token jti.
• Update authentication flow to compute certificate thumbprints in CzertainlyAuthenticationFilter and route to cache-enabled client methods; update OAuth2/JWT paths similarly.
• Add/extend tests to cover caching behavior and eviction behavior across user/role/certificate operations.

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
src/test/java/com/czertainly/core/service/UserManagementServiceTest.java	Replaces inline session table setup with SessionTableHelper call.
src/test/java/com/czertainly/core/service/UserManagementServiceCacheEvictionTest.java	New tests verifying per-user cache eviction behavior on user mutations.
src/test/java/com/czertainly/core/service/RoleManagementServiceTest.java	New tests verifying role mutations evict the entire auth cache.
src/test/java/com/czertainly/core/service/CertificateServiceTest.java	Adds tests for auth-cache eviction behavior on certificate operations.
src/test/java/com/czertainly/core/security/authn/client/CzertainlyAuthenticationClientTest.java	Extends client tests to validate cache hit/miss behavior.
src/test/java/com/czertainly/core/security/authn/client/CzertainlyAuthenticationCacheTest.java	New unit tests for cache semantics and eviction behavior.
src/test/java/com/czertainly/core/security/authn/CzertainlyAuthenticationFilterTest.java	New tests for cert-thumbprint routing and filter behavior.
src/test/java/com/czertainly/core/auth/oauth2/CzertainlyJwtAuthenticationConverterTest.java	New tests for JWT claim extraction + token auth routing.
src/main/java/com/czertainly/core/util/AuthHelper.java	Switches system/user proxy authentication to cache-enabled client methods.
src/main/java/com/czertainly/core/service/impl/UserManagementServiceImpl.java	Adds targeted per-user cache eviction on user updates/role changes/disable/delete.
src/main/java/com/czertainly/core/service/impl/RoleManagementServiceImpl.java	Evicts entire auth cache on role/permission mutations.
src/main/java/com/czertainly/core/service/impl/CertificateServiceImpl.java	Adds cert/user auth-cache eviction on revoke and user↔cert association changes; adds lookup by user UUID.
src/main/java/com/czertainly/core/service/CertificateService.java	Exposes findCertificateEntityByUserUuid.
src/main/java/com/czertainly/core/security/authn/client/CzertainlyAuthenticationClient.java	Adds cache-aware helper methods for system user / UUID / cert / token authentication.
src/main/java/com/czertainly/core/security/authn/client/CzertainlyAuthenticationCache.java	New cache implementation with token jti secondary index for per-user token eviction.
src/main/java/com/czertainly/core/security/authn/client/AuthenticationCache.java	New interface defining cache operations + eviction API.
src/main/java/com/czertainly/core/security/authn/CzertainlyAuthenticationFilter.java	Computes certificate thumbprint and routes to certificate auth via cache-aware client.
src/main/java/com/czertainly/core/config/CacheConfig.java	Enables caching and configures a Caffeine-based CacheManager.
src/main/java/com/czertainly/core/auth/oauth2/OAuth2LoginFilter.java	Routes token auth via cache-aware authenticateByToken.
src/main/java/com/czertainly/core/auth/oauth2/CzertainlyJwtAuthenticationConverter.java	Routes token auth via cache-aware authenticateByToken.
pom.xml	Adds Spring cache starter and Caffeine dependency.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ivosh]

Good job with the authentication cache! And kudos for fixing the pre-existing problem with malformed certificate header.

I have a couple of generic comments which do not fit into individual lines of the source code changes:

• Address the SonarQube issues
• Prepare a follow-up PR for documentation changes against https://github.com/OmniTrustILM/documentation
• Use the same approach with TokenJtiIndex for certificate fingerprints. Currently there are multiple call sites which need to retrieve the old cert and pass it to evictByUserUuid(userUuid, fingerprint). This is brittle and adds additional responsibility to the callers. The caching mechanism shall keep this information by itself because it has all the information available already. And this approach is already used by TokenJtiIndex. Call it UserCertificateIndex if you wish.
• There is no real integration test. I expect at least a couple of them, exercising full roundtrip, such as: populate real cache -> mutate user -> verify loader re-invoked.
• Have you considered wiring up cache eviction also on enableUser?
• The cache parameters (TTL, size) must definitely come from the application properties (application.yml).
• Wire up cache statistics into Micrometer stats.

[LukasNajman]

• Address the SonarQube issues - One issue remains, fails possitive, won't fix it. But can't accepted in SQ, I don't have rights for that.
• Prepare a follow-up PR for documentation changes against https://github.com/OmniTrustILM/documentation - Document the authentication cache documentation#293
• Use the same approach with TokenJtiIndex for certificate fingerprints. Currently there are multiple call sites which need to retrieve the old cert and pass it to evictByUserUuid(userUuid, fingerprint). This is brittle and adds additional responsibility to the callers. The caching mechanism shall keep this information by itself because it has all the information available already. And this approach is already used by TokenJtiIndex. Call it UserCertificateIndex if you wish. - Implemented
• There is no real integration test. I expect at least a couple of them, exercising full roundtrip, such as: populate real cache -> mutate user -> verify loader re-invoked. - added a bunch
• Have you considered wiring up cache eviction also on enableUser? - Yes, if the used was disabled, it will not be in the cache, so there is no need of evicting it.
• The cache parameters (TTL, size) must definitely come from the application properties (application.yml). - Added to application.yml and also to helm chart values
• Wire up cache statistics into Micrometer stats. - wired

[sonarqubecloud]

Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
92.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Review already performed.

[ivosh]

Ready for merge.