Upgrade to Panda v7 - support key rotation #58
I'm trying to find out why `PublicSettings` in s3-uploader (guardian/s3-upload#58) didn't log that the panda settings had changed - maybe the refresh schedule did not start, or possibly the interval was no good (rounded to nothing)?
This upgrades Panda from v5 to v7, allowing us to use key rotation as introduced with guardian/pan-domain-authentication#150.

* Panda v7:
  * guardian/pan-domain-authentication#150 means that code shouldn't directly reference private or public keys anymore (eg do not reference `settings.signingKeyPair`). Instead, use `settings.signingAndVerification` or `publicSettings.verification`. Note also that `publicSettings.publicKey` was previously optional, and `publicSettings.verification` is not.
def authStatus(cookie: Cookie, publicKey: PublicKey): AuthenticationStatus = { | ||
PanDomain.authStatus( | ||
cookie.value, | ||
publicKey, | ||
PanDomain.guardianValidation, | ||
apiGracePeriod = 0, | ||
system = "s3-upload", | ||
cacheValidation = false, | ||
forceExpiry = false | ||
) | ||
} | ||
def authStatus(cookie: Cookie, verification: Verification): AuthenticationStatus = PanDomain.authStatus( | ||
cookie.value, | ||
verification, |
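Review bot: the removed call passed `apiGracePeriod = 0`, `cacheValidation = false` and `forceExpiry = false` by name, but the visible part of the replacement `authStatus(cookie: Cookie, verification: Verification)` stops at `verification,`, so confirm the new call still passes those three as named arguments with the same values. A grace period or validation cache that changed silently during the upgrade would change authentication behaviour for this service. A one-line Scaladoc on the new method stating that `verification` replaces the single `publicKey` would also help anyone migrating other callers.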
guardian/pan-domain-authentication#150 means that code shouldn't directly reference private or public keys anymore (eg do not reference `settings.signingKeyPair` - there may be more accepted public keys than that field would have told you about!). Instead, we need to use `settings.signingAndVerification` or `publicSettings.verification`.
|
||
case None => | ||
logger.error("Panda public key unavailable") | ||
logger.warn("Panda cookie missing") | ||
unauthenticatedResponse(request) | ||
} |
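Review bot: both messages in the `case None` branch, `"Panda public key unavailable"` and `"Panda cookie missing"`, are fixed strings with no request context, so whichever one remains cannot be correlated with the `unauthenticatedResponse(request)` that follows it. Include the request path or a request id in the message (never the cookie value) so that a burst of unauthenticated requests can be traced in the logs.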
Note that `publicSettings.publicKey` was previously optional (although that ended with guardian/pan-domain-authentication#151 in Panda v6), and `publicSettings.verification` (introduced with guardian/pan-domain-authentication#150 in Panda v7) is not optional.

If the Panda settings refresher can not load valid settings on startup, it will simply throw an exception, and the service should terminate.
This upgrades Panda from v5 to v7, allowing us to perform key rotation.
`settings.signingKeyPair`). Instead, use `settings.signingAndVerification` or `publicSettings.verification`. Note also that `publicSettings.publicKey` was previously optional, and `publicSettings.verification` is not.
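
The reason given in this PR for not referencing a single key, that during rotation more than one public key may be accepted, shown as an added example. It is not code from this PR or from Panda: it uses only `java.security`, and `KeyRotationDemo`, `verifyWithAny`, the RSA/SHA-256 choice and the sample payload are assumptions.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.{KeyPair, KeyPairGenerator, PrivateKey, PublicKey, Signature}
import scala.util.Try

// Hypothetical demo object; none of these names are Panda's API.
object KeyRotationDemo {
  private val Algorithm = "SHA256withRSA" // assumption for the demo only

  def newKeyPair(): KeyPair = {
    val gen = KeyPairGenerator.getInstance("RSA")
    gen.initialize(2048)
    gen.generateKeyPair()
  }

  def sign(key: PrivateKey, payload: Array[Byte]): Array[Byte] = {
    val s = Signature.getInstance(Algorithm)
    s.initSign(key)
    s.update(payload)
    s.sign()
  }

  // A malformed signature throws SignatureException; treat that as a rejection.
  def verifyWith(key: PublicKey, payload: Array[Byte], sig: Array[Byte]): Boolean =
    Try {
      val s = Signature.getInstance(Algorithm)
      s.initVerify(key)
      s.update(payload)
      s.verify(sig)
    }.getOrElse(false)

  // Rotation-aware check: valid if ANY currently accepted key verifies the signature.
  def verifyWithAny(accepted: Seq[PublicKey], payload: Array[Byte], sig: Array[Byte]): Boolean =
    accepted.exists(verifyWith(_, payload, sig))

  def main(args: Array[String]): Unit = {
    val oldPair = newKeyPair() // key being rotated out, still accepted
    val newPair = newKeyPair() // key being rotated in
    val retired = newKeyPair() // key that is no longer accepted
    val payload = "constructed-cookie-payload".getBytes(UTF_8) // constructed sample data
    val accepted = Seq(newPair.getPublic, oldPair.getPublic)
    val byNew = sign(newPair.getPrivate, payload)
    val byOld = sign(oldPair.getPrivate, payload)
    val byRetired = sign(retired.getPrivate, payload)
    println(s"single old key vs new-key cookie: ${verifyWith(oldPair.getPublic, payload, byNew)}")
    println(s"accepted set vs new-key cookie:   ${verifyWithAny(accepted, payload, byNew)}")
    println(s"accepted set vs old-key cookie:   ${verifyWithAny(accepted, payload, byOld)}")
    println(s"accepted set vs retired-key sig:  ${verifyWithAny(accepted, payload, byRetired)}")
    println(s"accepted set vs truncated sig:    ${verifyWithAny(accepted, payload, byNew.take(10))}")
  }
}
```

A service that pinned only the old public key would reject every cookie issued after the signer switched keys, while the accepted set keeps both generations valid until the old key is withdrawn.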