Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Upgrade to Panda v7 - support key rotation #58

Merged
merged 1 commit into from
Sep 20, 2024

Conversation

rtyley
Copy link
Member

@rtyley rtyley commented Aug 8, 2024

This upgrades Panda from v5 to v7, allowing us to perform key rotation.

  • Panda v7:
    • Support accepting multiple public keys pan-domain-authentication#150 means that code shouldn't directly reference private or public keys anymore (eg do not reference settings.signingKeyPair). Instead, use settings.signingAndVerification or publicSettings.verification. Note also that publicSettings.publicKey was previously optional, and publicSettings.verification is not.

@rtyley rtyley force-pushed the try-out-updated-panda-settings-code branch from 93c5161 to cd077eb Compare August 9, 2024 16:25
@rtyley rtyley changed the base branch from main to upgrade-to-panda-v5 August 9, 2024 16:25
Base automatically changed from upgrade-to-panda-v5 to main August 9, 2024 16:26
@rtyley rtyley force-pushed the try-out-updated-panda-settings-code branch from cd077eb to 7a248a0 Compare August 9, 2024 16:35
@rtyley rtyley force-pushed the try-out-updated-panda-settings-code branch 2 times, most recently from 451b447 to 9013ea0 Compare September 4, 2024 14:47
@rtyley rtyley force-pushed the try-out-updated-panda-settings-code branch 2 times, most recently from bce4733 to b960fc4 Compare September 13, 2024 10:20
rtyley added a commit to guardian/pan-domain-authentication that referenced this pull request Sep 13, 2024
I'm trying to find out why `PublicSettings` in s3-uploader (guardian/s3-upload#58)
didn't log that the panda settings had changed - maybe the refresh schedule did not start, or
possibly the interval was no good (rounded to nothing)?
@rtyley rtyley force-pushed the try-out-updated-panda-settings-code branch 3 times, most recently from 562b7ec to dc92a47 Compare September 13, 2024 11:56
rtyley added a commit to guardian/pan-domain-authentication that referenced this pull request Sep 13, 2024
I'm trying to find out why `PublicSettings` in s3-uploader (guardian/s3-upload#58)
didn't log that the panda settings had changed - maybe the refresh schedule did not start, or
possibly the interval was no good (rounded to nothing)?
@rtyley rtyley changed the title Try out updated Panda settings code Upgrade to Panda v7 - support key rotation Sep 18, 2024
@rtyley rtyley force-pushed the try-out-updated-panda-settings-code branch from dc92a47 to 6521fc0 Compare September 18, 2024 11:15
This upgrades Panda from v5 to v7, allowing us to use key rotation as
introduced with guardian/pan-domain-authentication#150.

* Panda v7:
  * guardian/pan-domain-authentication#150 means
    that code shouldn't directly reference private or public keys anymore
    (eg do not reference `settings.signingKeyPair`). Instead, use
    `settings.signingAndVerification` or `publicSettings.verification`.
    Note also that `publicSettings.publicKey` was previously optional, and
    `publicSettings.verification` is not.
@rtyley rtyley force-pushed the try-out-updated-panda-settings-code branch from 6521fc0 to 8af631e Compare September 18, 2024 11:19
Comment on lines -31 to +33
def authStatus(cookie: Cookie, publicKey: PublicKey): AuthenticationStatus = {
PanDomain.authStatus(
cookie.value,
publicKey,
PanDomain.guardianValidation,
apiGracePeriod = 0,
system = "s3-upload",
cacheValidation = false,
forceExpiry = false
)
}
def authStatus(cookie: Cookie, verification: Verification): AuthenticationStatus = PanDomain.authStatus(
cookie.value,
verification,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

guardian/pan-domain-authentication#150 means that code shouldn't directly reference private or public keys anymore (eg do not reference settings.signingKeyPair- there may be more accepted public keys than that field would have told you about!). Instead, we need to use settings.signingAndVerification or publicSettings.verification.

Comment on lines -31 to +33
def authStatus(cookie: Cookie, publicKey: PublicKey): AuthenticationStatus = {
PanDomain.authStatus(
cookie.value,
publicKey,
PanDomain.guardianValidation,
apiGracePeriod = 0,
system = "s3-upload",
cacheValidation = false,
forceExpiry = false
)
}
def authStatus(cookie: Cookie, verification: Verification): AuthenticationStatus = PanDomain.authStatus(
cookie.value,
verification,
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

guardian/pan-domain-authentication#150 means that code shouldn't directly reference private or public keys anymore (eg do not reference settings.signingKeyPair- there may be more accepted public keys than that field would have told you about!). Instead, we need to use settings.signingAndVerification or publicSettings.verification.

Comment on lines 59 to 72

case None =>
logger.error("Panda public key unavailable")
logger.warn("Panda cookie missing")
unauthenticatedResponse(request)
}
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that publicSettings.publicKey was previously optional (although that ended with guardian/pan-domain-authentication#151 in Panda v6), and publicSettings.verification (introduced with guardian/pan-domain-authentication#150 in Panda v7) is not optional.

If the Panda settings refresher can not load valid settings on startup, it will simply throw an exception, and the service should terminate.

@rtyley rtyley marked this pull request as ready for review September 19, 2024 10:03
@rtyley rtyley merged commit 55dd101 into main Sep 20, 2024
3 checks passed
@rtyley rtyley deleted the try-out-updated-panda-settings-code branch September 20, 2024 16:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants