From cc2024ee9467a34865d1da5b0b46727a0eb072ec Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Tue, 2 Nov 2021 14:09:29 -0700
Subject: [PATCH 1/3] Cache DB query that loads all ServiceProvider redirect_uris
- Very hot codepath, and 5 minutes of outdated data is likely acceptable
---
 config/application.rb | 9 ++++++++-
 spec/requests/openid_connect_cors_spec.rb | 3 +++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/config/application.rb b/config/application.rb
index 4970a1ef80f..d8d6b35a758 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -91,7 +91,14 @@ class Application < Rails::Application
 origins do |source, _env|
 next if source == IdentityConfig.store.domain_name
 
- ServiceProvider.pluck(:redirect_uris).flatten.compact.find do |uri|
+ redirect_uris = Rails.cache.fetch(
+ 'all_service_provider_redirect_uris',
+ expires_in: 5.minutes,
+ ) do
+ ServiceProvider.pluck(:redirect_uris).flatten.compact
+ end
+
+ redirect_uris.find do |uri|
 split_uri = uri.split('//')
 protocol = split_uri[0]
 domain = split_uri[1].split('/')[0] if split_uri.size > 1
diff --git a/spec/requests/openid_connect_cors_spec.rb b/spec/requests/openid_connect_cors_spec.rb
index 084493fe057..24e355c054f 100644
--- a/spec/requests/openid_connect_cors_spec.rb
+++ b/spec/requests/openid_connect_cors_spec.rb
@@ -1,6 +1,9 @@
 require 'rails_helper'
 
 RSpec.describe 'CORS headers for OpenID Connect endpoints' do
+ before { Rails.cache.clear }
+ after { Rails.cache.clear }
+
 describe 'configuration endpoint' do
 context 'origin is included in ServiceProvider redirect_uris' do
 it 'allows origin' do
From 0351df7491e2d072052bebd06ed0142af0e04adf Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Tue, 2 Nov 2021 14:12:30 -0700
Subject: [PATCH 2/3] Make it configurable
---
 config/application.rb | 2 +-
 config/application.yml.default | 1 +
 lib/identity_config.rb | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
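Review bot: The cached `redirect_uris` list in the `origins` block has no invalidation path, so a redirect URI removed from a ServiceProvider keeps matching as an allowed CORS origin until the `'all_service_provider_redirect_uris'` entry expires; if the cache store is per-process, hosts may also disagree during that window. If revocation needs to take effect promptly, drop the key when a ServiceProvider changes, e.g. `Rails.cache.delete('all_service_provider_redirect_uris')` from an `after_commit` hook on the model; otherwise record the accepted staleness next to the fetch with a comment such as `# Removed redirect_uris stay CORS-allowed for up to the cache TTL`. The block still splits every URI on each request, so caching the derived origins rather than the raw URIs would take more work off this path. The `origins` block continues past the end of the hunk.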
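Review bot: The new `before`/`after` hooks only stop the cache leaking between examples; nothing in the visible part of the spec exercises the cached path itself. An example that makes a request, then adds or removes a ServiceProvider redirect URI, and asserts the CORS decision before and after the entry expires would pin the staleness behaviour the commit message accepts. If the test environment uses a null cache store (not visible here), the `Rails.cache.clear` calls are no-ops and such an example would need a real store.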
diff --git a/config/application.rb b/config/application.rb
index d8d6b35a758..8341ebbf75e 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -93,7 +93,7 @@ class Application < Rails::Application
 
 redirect_uris = Rails.cache.fetch(
 'all_service_provider_redirect_uris',
- expires_in: 5.minutes,
+ expires_in: IdentityConfig.store.all_redirect_uris_cache_duration_minutes.minutes,
 ) do
 ServiceProvider.pluck(:redirect_uris).flatten.compact
 end
diff --git a/config/application.yml.default b/config/application.yml.default
index 147881f14c8..ee11df50fc7 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default
@@ -20,6 +20,7 @@ aamva_cert_enabled: 'true'
 aamva_sp_banlist_issuers: '[]'
 aamva_verification_request_timeout: '5'
 aamva_verification_url: https://example.org:12345/verification/url
+all_redirect_uris_cache_duration_minutes: '5'
 account_reset_token_valid_for_days: '1'
 account_reset_wait_period_days: '1'
 acuant_maintenance_window_start:
diff --git a/lib/identity_config.rb b/lib/identity_config.rb
index 3afa76e51bd..e74026155cb 100644
--- a/lib/identity_config.rb
+++ b/lib/identity_config.rb
@@ -72,6 +72,7 @@ def self.build_store(config_map)
 config.add(:aamva_sp_banlist_issuers, type: :json)
 config.add(:aamva_verification_request_timeout, type: :integer)
 config.add(:aamva_verification_url)
+ config.add(:all_redirect_uris_cache_duration_minutes, type: :integer)
 config.add(:account_reset_token_valid_for_days, type: :integer)
 config.add(:account_reset_wait_period_days, type: :integer)
 config.add(:acuant_maintenance_window_start, type: :timestamp, allow_nil: true)
From c4c987a949ec056741034059bd24d8118123f0ed Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Tue, 2 Nov 2021 14:17:03 -0700
Subject: [PATCH 3/3] Update config/application.yml.default Co-authored-by: Mitchell Henke
---
 config/application.yml.default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
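Review bot: `all_redirect_uris_cache_duration_minutes` is passed straight to `expires_in:` with no bounds, and this value now sets how long a removed redirect URI remains an accepted CORS origin. The `type: :integer` declaration in `lib/identity_config.rb` presumably accepts zero, negative and very large numbers, and how a cache store treats a non-positive `expires_in` differs between Rails versions. Rejecting non-positive values at config load and stating an upper limit would keep a typo from silently disabling the cache or stretching the revocation delay; a comment such as `# minutes; this is the revocation delay for CORS origins, keep it small` beside the `config.add` line would document the intent.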
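Review bot: The new key is inserted after `aamva_verification_url`, ahead of the `account_reset_*` and `acuant_*` entries, which breaks the alphabetical order the surrounding lines appear to follow; the `config.add` line in `lib/identity_config.rb` is placed the same way. Moving both to where `all_` sorts in the full file keeps the two lists easy to scan and compare. The setting also has no description; a comment like `# Minutes to cache the ServiceProvider redirect_uris used for CORS origin checks` would tell operators what it controls.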
diff --git a/config/application.yml.default b/config/application.yml.default
index ee11df50fc7..609b7cb8ec4 100644
--- a/config/application.yml.default
+++ b/config/application.yml.default
@@ -20,7 +20,7 @@ aamva_cert_enabled: 'true'
 aamva_sp_banlist_issuers: '[]'
 aamva_verification_request_timeout: '5'
 aamva_verification_url: https://example.org:12345/verification/url
-all_redirect_uris_cache_duration_minutes: '5'
+all_redirect_uris_cache_duration_minutes: '2'
 account_reset_token_valid_for_days: '1'
 account_reset_wait_period_days: '1'
 acuant_maintenance_window_start: