feat(api): Add caching control directives to the well-known API handlers

Add the new `discovery-max-age` configuration variable to all API front
ends in order to configure the cache control headers for requests to the
well-known API.

Signed-off-by: Thomas Fossati <thomas.fossati@linaro.org>

Author: thomas-fossati

capability/common.go

@@ -0,0 +1,35 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package capability
+
+import (
+	"time"
+
+	"go.uber.org/zap"
+)
+
+// ParseCacheMaxAge parses a "max age" configuration string expressed in time
+// units (e.g., "1h", "30m") and returns a time.Duration.
+// If the input string is empty, negative or invalid, the function returns the
+// provided default duration and logs a warning message.
+// A duration string is a possibly signed sequence of decimal numbers, each with
+// optional fraction and a unit suffix, such as "300s", "1.5h" or "2h45m".
+// Valid time units are "h", "m", "s".
+func ParseCacheMaxAge(s string, dflt time.Duration, logger *zap.SugaredLogger) time.Duration {
+	if s == "" {
+		return dflt
+	}
+
+	ma, err := time.ParseDuration(s)
+	if err != nil {
+		logger.Warnf("invalid .well-known cache max age: %v. resetting to default (%v)", err, dflt)
+		return dflt
+	}
+
+	if ma < 0 {
+		logger.Warnf("negative .well-known cache max age: %v. resetting to default (%v)", err, dflt)
+		return dflt
+	}
+
+	return ma
+}

capability/common_test.go

@@ -0,0 +1,58 @@
+// Copyright 2026 Contributors to the Veraison project.
+// SPDX-License-Identifier: Apache-2.0
+package capability_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/veraison/services/capability"
+	"go.uber.org/zap"
+)
+
+func TestParseCacheMaxAge(t *testing.T) {
+	tests := []struct {
+		name   string
+		s      string
+		dflt   time.Duration
+		logger *zap.SugaredLogger
+		want   time.Duration
+	}{
+		{
+			name:   "empty string returns default",
+			s:      "",
+			dflt:   10 * time.Second,
+			logger: zap.NewNop().Sugar(),
+			want:   10 * time.Second,
+		},
+		{
+			name:   "valid duration string is parsed correctly",
+			s:      "1h30m",
+			dflt:   10 * time.Second,
+			logger: zap.NewNop().Sugar(),
+			want:   90 * time.Minute,
+		},
+		{
+			name:   "invalid duration string returns default",
+			s:      "invalid",
+			dflt:   10 * time.Second,
+			logger: zap.NewNop().Sugar(),
+			want:   10 * time.Second,
+		},
+		{
+			name:   "negative duration string returns default",
+			s:      "-1h",
+			dflt:   10 * time.Second,
+			logger: zap.NewNop().Sugar(),
+			want:   10 * time.Second,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := capability.ParseCacheMaxAge(tt.s, tt.dflt, tt.logger)
+			if got != tt.want {
+				t.Errorf("ParseCacheMaxAge() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

coserv/api/handler.go

@@ -1,4 +1,4 @@
-// Copyright 2025 Contributors to the Veraison project.
+// Copyright 2025-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package api
@@ -15,6 +15,7 @@ import (
 	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/veraison/corim/coserv"
 	"github.com/veraison/go-cose"
+	"github.com/veraison/services/capability"
 	"github.com/veraison/services/config"
 	"github.com/veraison/services/coserv/endorsementdistributor"
 	"github.com/veraison/services/log"
@@ -28,20 +29,24 @@ var (
 		"application/coserv+cbor",
 		"application/coserv+cose",
 	}
+	defaultCacheMaxAge = 3600 * time.Second
 )
 
 type Handler struct {
 	Logger                *zap.SugaredLogger
 	EndorsementDistibutor endorsementdistributor.IEndorsementDistributor
+	WkCacheMaxAge         time.Duration
 }
 
 func NewHandler(
 	endorsementdistributor endorsementdistributor.IEndorsementDistributor,
 	logger *zap.SugaredLogger,
+	wkCacheMaxAge string,
 ) Handler {
 	return Handler{
 		EndorsementDistibutor: endorsementdistributor,
 		Logger:                logger,
+		WkCacheMaxAge:         capability.ParseCacheMaxAge(wkCacheMaxAge, defaultCacheMaxAge, logger),
 	}
 }
 
@@ -92,6 +97,8 @@ func (o Handler) GetEdApiWellKnownInfo(c *gin.Context) {
 		keySet,
 	)
 
+	c.Header("Cache-Control", fmt.Sprintf("max-age=%d", int64(o.WkCacheMaxAge.Seconds())))
+	c.Header("Expires", time.Now().Add(o.WkCacheMaxAge).UTC().Format(time.RFC1123))
 	c.Header("Content-Type", CoservDiscoveryMediaType)
 	c.JSON(http.StatusOK, obj)
 }

coserv/api/handler_test.go

@@ -1,4 +1,4 @@
-// Copyright 2025 Contributors to the Veraison project.
+// Copyright 2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 
 package api

coserv/cmd/coserv-service/config.yaml

@@ -7,6 +7,7 @@ coserv:
   protocol: https
   cert: ../../../deployments/docker/src/certs/verification.crt
   cert-key: ../../../deployments/docker/src/certs/verification.key
+  discovery-max-age: 1h
 vts:
   server-addr: localhost:50051
   tls: true

coserv/cmd/coserv-service/main.go

@@ -1,4 +1,4 @@
-// Copyright 2025 Contributors to the Veraison project.
+// Copyright 2025-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package main
 
@@ -20,17 +20,23 @@ var (
 )
 
 type cfg struct {
-	ListenAddr string `mapstructure:"listen-addr" valid:"dialstring"`
-	Protocol   string `mapstructure:"protocol" valid:"in(http|https)"`
-	Cert       string `mapstructure:"cert" config:"zerodefault"`
-	CertKey    string `mapstructure:"cert-key" config:"zerodefault"`
+	ListenAddr      string `mapstructure:"listen-addr" valid:"dialstring"`
+	Protocol        string `mapstructure:"protocol" valid:"in(http|https)"`
+	Cert            string `mapstructure:"cert" config:"zerodefault"`
+	CertKey         string `mapstructure:"cert-key" config:"zerodefault"`
+	DiscoveryMaxAge string `mapstructure:"discovery-max-age" config:"zerodefault"`
 }
 
 func (o cfg) Validate() error {
 	if o.Protocol == "https" && (o.Cert == "" || o.CertKey == "") {
 		return errors.New(`both cert and cert-key must be specified when protocol is "https"`)
 	}
 
+	// Note: we don't validate discovery-max-age here because it is optional and
+	// has a default value, and the parsing of it is handled in the handler
+	// where we can log a warning if it's invalid and fall back to the default
+	// value.
+
 	return nil
 }
 
@@ -87,7 +93,7 @@ func main() {
 	log.Info("initializing endorsement distributor")
 	endorsementdistributor := endorsementdistributor.New(vtsClient)
 
-	apiHandler := api.NewHandler(endorsementdistributor, log.Named("coserv"))
+	apiHandler := api.NewHandler(endorsementdistributor, log.Named("coserv"), cfg.DiscoveryMaxAge)
 
 	if cfg.Protocol == "https" {
 		apiServerTLS(apiHandler, cfg.ListenAddr, cfg.Cert, cfg.CertKey)

provisioning/api/handler.go

@@ -1,4 +1,4 @@
-// Copyright 2022-2024 Contributors to the Veraison project.
+// Copyright 2022-2026 Contributors to the Veraison project.
 // SPDX-License-Identifier: Apache-2.0
 package api
 
@@ -17,7 +17,8 @@ import (
 )
 
 var (
-	tenantID = "0"
+	tenantID           = "0"
+	defaultCacheMaxAge = 60 * time.Second
 )
 
 type IHandler interface {
@@ -28,16 +29,19 @@ type IHandler interface {
 type Handler struct {
 	Provisioner provisioner.IProvisioner
 
-	logger *zap.SugaredLogger
+	WkCacheMaxAge time.Duration
+	logger        *zap.SugaredLogger
 }
 
 func NewHandler(
 	p provisioner.IProvisioner,
 	logger *zap.SugaredLogger,
+	wkCacheMaxAge string,
 ) IHandler {
 	return &Handler{
-		Provisioner: p,
-		logger:      logger,
+		Provisioner:   p,
+		logger:        logger,
+		WkCacheMaxAge: capability.ParseCacheMaxAge(wkCacheMaxAge, defaultCacheMaxAge, logger),
 	}
 }
 
@@ -216,6 +220,8 @@ func (o *Handler) GetWellKnownProvisioningInfo(c *gin.Context) {
 		return
 	}
 
+	c.Header("Cache-Control", fmt.Sprintf("max-age=%d", int64(o.WkCacheMaxAge.Seconds())))
+	c.Header("Expires", time.Now().Add(o.WkCacheMaxAge).UTC().Format(time.RFC1123))
 	c.Header("Content-Type", capability.WellKnownMediaType)
 	c.JSON(http.StatusOK, obj)
 }

provisioning/api/handler_test.go

@@ -75,7 +75,7 @@ func TestHandler_Submit_UnsupportedMediaType(t *testing.T) {
 		SupportedMediaTypes().
 		Return(supportedMediaTypes, nil)
 
-	h := NewHandler(dm, log.Named("test"))
+	h := NewHandler(dm, log.Named("test"), "1h")
 
 	expectedCode := http.StatusUnsupportedMediaType
 	expectedType := "application/problem+json"
@@ -118,7 +118,7 @@ func TestHandler_Submit_NoBody(t *testing.T) {
 		).
 		Return(true, nil)
 
-	h := NewHandler(dm, log.Named("test"))
+	h := NewHandler(dm, log.Named("test"), "1h")
 
 	expectedCode := http.StatusBadRequest
 	expectedType := "application/problem+json"
@@ -168,7 +168,7 @@ func TestHandler_Submit_DecodeFailure(t *testing.T) {
 		).
 		Return(errors.New(handlerError))
 
-	h := NewHandler(dm, log.Named("test"))
+	h := NewHandler(dm, log.Named("test"), "1h")
 
 	expectedCode := http.StatusOK
 	expectedType := ProvisioningSessionMediaType
@@ -204,7 +204,7 @@ func TestHandler_Submit_ok(t *testing.T) {
 	expectedType := ProvisioningSessionMediaType
 	expectedStatus := "success"
 	dm := mock_deps.NewMockIProvisioner(ctrl)
-	h := NewHandler(dm, log.Named("api"))
+	h := NewHandler(dm, log.Named("api"), "1h")
 
 	w := httptest.NewRecorder()
 	g, _ := gin.CreateTestContext(w)
@@ -249,7 +249,7 @@ func TestHandler_GetWellKnownProvisioningInfo_ok(t *testing.T) {
 		GetVTSState().
 		Return(&testGoodServiceState, nil)
 
-	h := NewHandler(dm, log.Named("test"))
+	h := NewHandler(dm, log.Named("test"), "1h")
 
 	expectedCode := http.StatusOK
 	expectedType := capability.WellKnownMediaType
@@ -291,7 +291,7 @@ func TestHandler_GetWellKnownProvisioningInfo_GetRegisteredMediaTypes_empty(t *t
 		GetVTSState().
 		Return(&testGoodServiceState, nil)
 
-	h := NewHandler(dm, log.Named("test"))
+	h := NewHandler(dm, log.Named("test"), "1h")
 
 	expectedCode := http.StatusOK
 	expectedType := capability.WellKnownMediaType
@@ -332,7 +332,7 @@ func TestHandler_GetWellKnownProvisioningInfo_GetServiceState_fail(t *testing.T)
 		GetVTSState().
 		Return(nil, errors.New("blah"))
 
-	h := NewHandler(dm, log.Named("test"))
+	h := NewHandler(dm, log.Named("test"), "1h")
 
 	expectedCode := http.StatusInternalServerError
 	expectedType := "application/problem+json"

provisioning/cmd/provisioning-service/config-docker.yaml

@@ -7,6 +7,7 @@ provisioning:
   protocol: https
   cert: ../../../deployments/docker/src/certs/provisioning.crt
   cert-key: ../../../deployments/docker/src/certs/provisioning.key
+  discovery-max-age: 1m
 vts:
   server-addr: vts-service:50051
   tls: true

provisioning/cmd/provisioning-service/config.yaml

@@ -7,6 +7,7 @@ provisioning:
   protocol: https
   cert: ../../../deployments/docker/src/certs/provisioning.crt
   cert-key: ../../../deployments/docker/src/certs/provisioning.key
+  discovery-max-age: 1m
 vts:
   server-addr: localhost:50051
   tls: true