Upgrade to Panda v7 - support key rotation #361
Trying out guardian/pan-domain-authentication#150 at guardian/pan-domain-authentication@a6ae5e8 on CODE, everything looks good, except that we seem to be getting way more "Panda settings changed" messages in the logs than we were expecting - there should be just 1 per EC2 instance, but we actually see, for just 1 instance, 56, then 64, then 80, for the 3 successive phases of rotation.
Having `def panDomainSettings: PanDomainAuthSettingsRefresher` in the `AuthActions` trait as a `def` means that implementors of `AuthActions` are able to make the mistake of also defining their implementation of that field as a `def`, meaning that every reference to it can potentially create _another_ instance of the refresher, as seen here: guardian/atom-workshop#361 (comment)

Surprisingly, this seems to have been a problem since at least as far back as #41 in February 2018.

Changing the field type to `val` forces implementers to also use `val` for that field, effectively making it a singleton, as we want.

Changing the abstract field of a trait to be `val` does open up another danger due to the initialization order of vals - the field could end up being evaluated as `null` if the trait immediately evaluates the field:

See: https://docs.scala-lang.org/tutorials/FAQ/initialization-order.html

...consequently, I've made all `val` declarations in the `AuthActions` trait (that evaluate `panDomainSettings` in some way) into `lazy val`s. This hopefully should fix the problem.
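The two effects described in the commit message above, as an added Scala example that is not code from this PR or from Panda: `Refresher`, `AuthActionsDef`, `AuthActionsVal` and the `example.test` domain are hypothetical stand-ins, with `Refresher` only counting how many instances are constructed.

```scala
import java.util.concurrent.atomic.AtomicInteger

// Hypothetical stand-in for PanDomainAuthSettingsRefresher: counts constructed instances.
object Refresher { val created = new AtomicInteger(0) }
final class Refresher(val domain: String) { Refresher.created.incrementAndGet() }

// Before: an abstract `def` lets implementors override with a `def` as well.
trait AuthActionsDef {
  def panDomainSettings: Refresher
  def domain: String = panDomainSettings.domain
}

// After: an abstract `val` can only be implemented by a `val`.
trait AuthActionsVal {
  val panDomainSettings: Refresher
  // Strict val: evaluated while the trait initialises, before the subclass assigns the field.
  val sawNullDuringInit: Boolean = panDomainSettings == null
  // Lazy val: evaluated on first use, after the subclass has assigned the field.
  lazy val domain: String = panDomainSettings.domain
}

object Demo {
  def main(args: Array[String]): Unit = {
    val leaky = new AuthActionsDef {
      // Constructed sample value; a new Refresher is built on every reference.
      override def panDomainSettings: Refresher = new Refresher("example.test")
    }
    (1 to 3).foreach(_ => leaky.domain) // each call re-evaluates the def
    println(s"def override built ${Refresher.created.get} refresher(s)")

    Refresher.created.set(0)
    val fixed = new AuthActionsVal {
      override val panDomainSettings: Refresher = new Refresher("example.test")
    }
    (1 to 3).foreach(_ => fixed.domain) // all calls share the single val
    println(s"val override built ${Refresher.created.get} refresher(s)")
    println(s"strict trait val saw null during init: ${fixed.sawNullDuringInit}")
    println(s"lazy trait val resolved to: ${fixed.domain}")
  }
}
```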
Looks like guardian/pan-domain-authentication@6e11a68 has fixed the problem, looking at the logs:
This upgrades Panda from v5 to v7, allowing us to use key rotation as introduced with guardian/pan-domain-authentication#150.

As login.gutools.co.uk is a pretty special user of Panda the upgrade is slightly more involved than other upgrades (eg guardian/atom-workshop#361):

* Panda v6:
  * guardian/pan-domain-authentication#152 `CookieUtils.generateCookieData()` now communicates errors with `CookieResult` values containing `CookieIntegrityFailure`, rather than exceptions.
* Panda v7:
  * guardian/pan-domain-authentication#150 means that code shouldn't directly reference private or public keys anymore (eg do not reference `settings.signingKeyPair`). Instead, use `settings.signingAndVerification` or `publicSettings.verification`. Note also that `publicSettings.publicKey` was previously optional, and `publicSettings.verification` is not.
This upgrades Panda from v5 to v7, allowing us to use key rotation as introduced with guardian/pan-domain-authentication#150.

As Atom Workshop is a pretty standard user of Panda, the upgrade is pretty simple:

* Panda v6:
  * guardian/pan-domain-authentication#155 requires `panDomainSettings` is a `val`, not a `def`
override def panDomainSettings: PanDomainAuthSettingsRefresher = new PanDomainAuthSettingsRefresher( | ||
override val panDomainSettings: PanDomainAuthSettingsRefresher = PanDomainAuthSettingsRefresher( |
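Review bot: on the `override val panDomainSettings` line, the refresher is now built once while the enclosing class is being initialised, so every value used in its argument list has to be initialised before this line runs; a `val` declared further down the class would still be `null` at this point. Worth confirming the declaration order, and a short comment on this line saying it must stay a `val` (a `def` would build a new refresher on each reference) would stop it being changed back later.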
The `def` → `val` is necessary due to:
bucketName = "pan-domain-auth-settings", | ||
settingsFileKey = s"${config.pandaDomain}.settings", | ||
s3Client = AWS.S3Client, | ||
S3BucketLoader.forAwsSdkV1(AWS.S3Client, "pan-domain-auth-settings") |
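Review bot: the `settingsFileKey = s"${config.pandaDomain}.settings"` argument has no counterpart on the `S3BucketLoader.forAwsSdkV1(AWS.S3Client, "pan-domain-auth-settings")` line, so these lines no longer show which object in the bucket is read. Please confirm that the refresher still resolves the same `<domain>.settings` key and say so in the PR description. The bucket name also remains a string literal on the new line and could be read from `config` alongside `pandaDomain`.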
This PR:
...introduced the new `S3BucketLoader` abstraction, which simplifies constructing a `PanDomainAuthSettingsRefresher` and means that Panda is no longer tied to AWS SDK v1 - an alternative AWS SDK v2 implementation of `S3BucketLoader` could be introduced.
This upgrades Panda from v5 to v7, allowing us to use key rotation.

As Atom Workshop is a pretty standard user of Panda, the upgrade is pretty simple:

* `PanDomainAuthSettingsRefresher` instances, make `panDomainSettings` a `val`
* pan-domain-authentication#155 requires `panDomainSettings` is a `val`, not a `def`
* `S3BucketLoader` abstraction, which simplifies constructing a `PanDomainAuthSettingsRefresher` and means that Panda is no longer tied to AWS SDK v1 - an alternative AWS SDK v2 implementation of `S3BucketLoader` could be introduced.

This has been successfully deployed to https://atomworkshop.code.dev-gutools.co.uk/ at 55de061, which is using guardian/pan-domain-authentication@4c87946.
Testing
Using https://atomworkshop.code.dev-gutools.co.uk/ (running Panda with the version from guardian/pan-domain-authentication#151) in the same browser as https://composer.code.dev-gutools.co.uk/ (running standard Panda v4), I've verified that they both accept the same cookie, and don't need to reauth over the top of each other's cookie:
Screen.Recording.2024-08-09.at.17.02.11.mov