Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

117 delay option for new set of key signing #118

Merged
merged 17 commits into from
Feb 13, 2025
Merged

117 delay option for new set of key signing #118

merged 17 commits into from
Feb 13, 2025

Conversation

TheLydonKing
Copy link
Collaborator

@TheLydonKing TheLydonKing commented Feb 6, 2025
edited
Loading

Release Notes:

  • Added new Optional Config setting that allows for a layover period before signing new JWT's with the new keys
  • Fixed RefreshToken to use both available public keys

closes #117

@TheLydonKing TheLydonKing self-assigned this Feb 6, 2025
@TheLydonKing TheLydonKing linked an issue Feb 6, 2025 that may be closed by this pull request
Delay option for new set of key signing #117
Closed
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 6, 2025
edited
Loading

JaCoCo code coverage report - scala:2.12.17

File Coverage [83.51%] 🍏
InMemoryKeyConfig.scala 100% 🍏
KeyConfig.scala 95.94% 🍏
AwsSecretsManagerKeyConfig.scala 91.51% 🍏
JWTService.scala 83.11% 🍏
AwsSecretsUtils.scala 0%
Total Project Coverage 67.88% 🍏

dk1844
dk1844 reviewed Feb 6, 2025
View reviewed changes
Copy link
Collaborator

@dk1844 dk1844 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most of the comments are details, but adding tests to the AwsSecretsManagerKeyConfig seem necessary

api/src/main/resources/example.application.yaml Outdated Show resolved Hide resolved
api/src/main/resources/example.application.yaml Outdated Show resolved Hide resolved
api/src/main/scala/za/co/absa/loginsvc/rest/config/jwt/AwsSecretsManagerKeyConfig.scala Outdated
Comment on lines 39 to 40
keyPhaseOutTime: Option[FiniteDuration],
keyLayOverTime: Option[FiniteDuration]
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
keyPhaseOutTime: Option[FiniteDuration],
keyLayOverTime: Option[FiniteDuration]
keyLayOverTime: Option[FiniteDuration],
keyPhaseOutTime: Option[FiniteDuration]

Same reason as above.

api/src/main/scala/za/co/absa/loginsvc/rest/config/jwt/AwsSecretsManagerKeyConfig.scala Outdated
@@ -79,7 +80,15 @@ case class AwsSecretsManagerKeyConfig(
}
}

(currentKeyPair, previousKeyPair)
previousKeyPair.fold {(currentKeyPair, previousKeyPair)} { pk =>
val exp = keyLayOverTime.exists(!isExpired(currentSecrets.createTime, _))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
val exp = keyLayOverTime.exists(!isExpired(currentSecrets.createTime, _))
val layoverIsActive = keyLayOverTime.exists(!isExpired(currentSecrets.createTime, _))

I think better names denoting more closely what is meant would be welcome. Same with

val exp = keyPhaseOutTime.exists(isExpired(currentSecrets.createTime, _))

(perhaps rename to val phaseOutIsActive)?

api/src/main/scala/za/co/absa/loginsvc/rest/config/jwt/AwsSecretsManagerKeyConfig.scala Outdated Show resolved Hide resolved
api/src/test/scala/za/co/absa/loginsvc/rest/service/jwt/JWTServiceTest.scala Outdated Show resolved Hide resolved
@TheLydonKing TheLydonKing requested a review from dk1844 February 11, 2025 14:12
dk1844
dk1844 reviewed Feb 12, 2025
View reviewed changes
README.md Outdated
Comment on lines 222 to 223
t=15-29m: layover is over: new key from after rotation is used for signing. Both public keys available from public-keys endpoint.
t=30m+: phase-out happens: new key from after rotation is used for signing. Old Key is no longer available from public-keys endpoint.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
t=15-29m: layover is over: new key from after rotation is used for signing. Both public keys available from public-keys endpoint.
t=30m+: phase-out happens: new key from after rotation is used for signing. Old Key is no longer available from public-keys endpoint.
t=15-44m: layover is over: new key from after rotation is used for signing. Both public keys available from public-keys endpoint.
t=45m+: phase-out happens: new key from after rotation is used for signing. Old Key is no longer available from public-keys endpoint.

Since now you have made phase-out window to be counted after the layover is concluded.

README.md Outdated
Comment on lines 264 to 265
t=15-29m: layover is over: new key from after rotation is used for signing. Both public keys available from public-keys endpoint.
t=30m+: phase-out happens: new key from after rotation is used for signing. Old Key is no longer available from public-keys endpoint.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
t=15-29m: layover is over: new key from after rotation is used for signing. Both public keys available from public-keys endpoint.
t=30m+: phase-out happens: new key from after rotation is used for signing. Old Key is no longer available from public-keys endpoint.
t=15-44m: layover is over: new key from after rotation is used for signing. Both public keys available from public-keys endpoint.
t=45m+: phase-out happens: new key from after rotation is used for signing. Old Key is no longer available from public-keys endpoint.

Same as above, I think

@TheLydonKing TheLydonKing requested a review from dk1844 February 12, 2025 08:52
dk1844
dk1844 reviewed Feb 12, 2025
View reviewed changes
Copy link
Collaborator

@dk1844 dk1844 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just some details (code quality/readability improvements)

api/src/test/scala/za/co/absa/loginsvc/rest/config/jwt/AwsSecretsManagerKeyConfigTest.scala Outdated Show resolved Hide resolved
api/src/main/scala/za/co/absa/loginsvc/utils/AwsSecretsUtils.scala Outdated Show resolved Hide resolved
api/src/main/scala/za/co/absa/loginsvc/rest/config/jwt/AwsSecretsManagerKeyConfig.scala Outdated Show resolved Hide resolved
@TheLydonKing TheLydonKing requested a review from dk1844 February 12, 2025 14:17
@TheLydonKing TheLydonKing merged commit f278e13 into master Feb 13, 2025
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dk1844 dk1844 dk1844 approved these changes

@jakipatryk jakipatryk Awaiting requested review from jakipatryk jakipatryk is a code owner

Assignees

@TheLydonKing TheLydonKing

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Delay option for new set of key signing
2 participants
@TheLydonKing @dk1844