change that hoists the redirect-free reqwest::Client into a single, lazily-initialized static so every call to validate_jwt re-uses the same handle (and therefore the same connection-pool, DNS cache, TLS session cache, etc)

2025-07-14 17:22:37 -07:00 · 2025-07-14 17:22:37 -07:00 · ee6332a78d
commit ee6332a78d
parent d72452159b
4 changed files with 14 additions and 14 deletions
--- a/src/reporter/json_format.rs
+++ b/src/reporter/json_format.rs
@ -390,7 +390,6 @@ mod tests {
        cli::commands::scan::ScanArgs {
            num_jobs: 1,
            no_dedup: false,
-            ignore_tests: false,
            rules: RuleSpecifierArgs {
                rules_path: Vec::new(),
                rule: vec!["all".into()],
--- a/src/scanner/enumerate.rs
+++ b/src/scanner/enumerate.rs
@ -37,7 +37,6 @@ use crate::{
        util::is_compressed_file,
    },
    scanner_pool::ScannerPool,
-    util::is_test_like_path,
    EnumeratorConfig, EnumeratorFileResult, FileResult, FilesystemEnumerator, FoundInput,
    GitRepoEnumerator, GitRepoResult, GitRepoWithMetadataEnumerator, PathBuf,
 };
--- a/src/validation/jwt.rs
+++ b/src/validation/jwt.rs
@ -3,12 +3,24 @@ use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine as _};
 use chrono::Utc;
 use ipnet::IpNet;
 use jsonwebtoken::{decode, decode_header, jwk::JwkSet, DecodingKey, Validation as JwtValidation};
+use once_cell::sync::Lazy;
 use reqwest::{redirect::Policy, Client, Url};
 use serde::Deserialize;
 use tokio::net::lookup_host;

 use super::utils::check_url_resolvable;

+/// One global, redirect-free client.  Building a `Client` is comparatively
+/// expensive; re-using it lets reqwest share its internal connection pool
+/// and TLS sessions across JWT validations.  `Lazy` ensures thread-safe,
+/// one-time initialisation.
+static NO_REDIRECT_CLIENT: Lazy<Client> = Lazy::new(|| {
+    Client::builder()
+        .redirect(Policy::none()) // disable all redirects
+        .build()
+        .expect("failed to build no-redirect Client")
+});
+
 /// RFC 1918 + loopback + link-local nets we refuse to contact
 const BLOCKED_NETS: &[&str] = &[
    "10.0.0.0/8",
@ -66,12 +78,7 @@ pub async fn validate_jwt(token: &str, client: &Client) -> Result<(bool, String)

        // build discovery URL and fetch it (redirects disabled)
        let config_url = format!("{}/.well-known/openid-configuration", iss.trim_end_matches('/'));
-        let no_redirect_client = Client::builder()
-            .redirect(Policy::none())
-            .build()
-            .map_err(|e| anyhow!("client build: {e}"))?;
-
-        let cfg_resp = no_redirect_client
+        let cfg_resp = NO_REDIRECT_CLIENT
            .get(&config_url)
            .send()
            .await
@ -122,7 +129,7 @@ pub async fn validate_jwt(token: &str, client: &Client) -> Result<(bool, String)
        check_url_resolvable(&url).await.map_err(|e| anyhow!("jwks uri unresolvable: {e}"))?;

        // fetch JWKS with redirect-free client
-        let jwks_resp = no_redirect_client
+        let jwks_resp = NO_REDIRECT_CLIENT
            .get(url)
            .send()
            .await
--- a/tests/smoke_update.rs
+++ b/tests/smoke_update.rs
@ -1,9 +1,4 @@
-use std::fs::{self, File};
-
-use flate2::{write::GzEncoder, Compression};
 use kingfisher::{cli::global::GlobalArgs, update::check_for_update};
-use tar::Builder;
-use tempfile::tempdir;
 use tokio;
 use wiremock::{
    matchers::{method, path},