Merge pull request #562 from IABTechLab/gdm-UID2-5448-cleanup

Cleaned up refresh from and salt age threshold flags

Author: gmsdelmundo

conf/default-config.json

@@ -1,4 +1,3 @@
 {
-  "enable_keysets": false,
-  "enable_salt_rotation_refresh_from": false
-}
+  "enable_keysets": false
+}

conf/local-config.json

@@ -12,7 +12,6 @@
   "keys_acl_metadata_path": "keys_acl/metadata.json",
   "salts_metadata_path": "salts/metadata.json",
   "salt_snapshot_location_prefix": "salts/salts.txt.",
-  "enable_salt_rotation_refresh_from": false,
   "operators_metadata_path": "operators/metadata.json",
   "enclaves_metadata_path": "enclaves/metadata.json",
   "partners_metadata_path": "partners/metadata.json",

src/main/java/com/uid2/admin/AdminConst.java

@@ -1,10 +1,11 @@
 package com.uid2.admin;
 
-public class AdminConst {
-    public static String enableKeysetConfigProp = "enable_keysets";
+public final class AdminConst {
+    private AdminConst() {
+    }
+
+    public static final String enableKeysetConfigProp = "enable_keysets";
     public static final String ROLE_OKTA_GROUP_MAP_MAINTAINER = "role_okta_group_map_maintainer";
     public static final String ROLE_OKTA_GROUP_MAP_PRIVILEGED = "role_okta_group_map_privileged";
     public static final String ROLE_OKTA_GROUP_MAP_SUPER_USER = "role_okta_group_map_super_user";
-    public static final String ENABLE_SALT_ROTATION_REFRESH_FROM = "enable_salt_rotation_refresh_from";
-    public static final String ENABLE_SALT_ROTATION_CUSTOM_AGE_THRESHOLDS = "enable_salt_rotation_custom_age_thresholds";
 }

src/main/java/com/uid2/admin/Main.java

@@ -233,7 +233,7 @@ public void run() {
             WriteLock writeLock = new WriteLock();
             KeyHasher keyHasher = new KeyHasher();
             IKeypairGenerator keypairGenerator = new SecureKeypairGenerator();
-            SaltRotation saltRotation = new SaltRotation(config, keyGenerator);
+            SaltRotation saltRotation = new SaltRotation(keyGenerator);
             EncryptionKeyService encryptionKeyService = new EncryptionKeyService(
                     config, auth, writeLock, encryptionKeyStoreWriter, keysetKeyStoreWriter, keyProvider, keysetKeysProvider, adminKeysetProvider, adminKeysetStoreWriter, keyGenerator, clock);
             KeysetManager keysetManager = new KeysetManager(

src/main/java/com/uid2/admin/salt/SaltRotation.java

@@ -1,13 +1,10 @@
 package com.uid2.admin.salt;
 
-import com.uid2.admin.AdminConst;
 import com.uid2.shared.model.SaltEntry;
 import com.uid2.shared.secret.IKeyGenerator;
 
-import com.uid2.shared.store.salt.ISaltProvider;
 import com.uid2.shared.store.salt.ISaltProvider.ISaltSnapshot;
 import com.uid2.shared.store.salt.RotatingSaltProvider.SaltSnapshot;
-import io.vertx.core.json.JsonObject;
 import lombok.Getter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -22,18 +19,10 @@ public class SaltRotation {
     private static final double MAX_SALT_PERCENTAGE = 0.8;
 
     private final IKeyGenerator keyGenerator;
-    private final boolean isRefreshFromEnabled;
-    private final boolean isCustomAgeThresholdEnabled;
     private static final Logger LOGGER = LoggerFactory.getLogger(SaltRotation.class);
 
-    public SaltRotation(JsonObject config, IKeyGenerator keyGenerator) {
+    public SaltRotation(IKeyGenerator keyGenerator) {
         this.keyGenerator = keyGenerator;
-        this.isRefreshFromEnabled = config.getBoolean(AdminConst.ENABLE_SALT_ROTATION_REFRESH_FROM, false);
-        this.isCustomAgeThresholdEnabled = config.getBoolean(AdminConst.ENABLE_SALT_ROTATION_CUSTOM_AGE_THRESHOLDS, false);
-    }
-
-    public boolean isCustomAgeThresholdEnabled() {
-        return this.isCustomAgeThresholdEnabled;
     }
 
     public Result rotateSalts(
@@ -97,7 +86,6 @@ public Result rotateSaltsZero(
         return Result.fromSnapshot(nextSnapshot);
     }
 
-
     private static int getNumSaltsToRotate(SaltEntry[] preRotationSalts, double fraction) {
         return (int) Math.ceil(preRotationSalts.length * fraction);
     }
@@ -107,11 +95,7 @@ private Set<SaltEntry> findRefreshableSalts(SaltEntry[] preRotationSalts, Target
     }
 
     private boolean isRefreshable(TargetDate targetDate, SaltEntry salt) {
-        if (this.isRefreshFromEnabled) {
-            return Instant.ofEpochMilli(salt.refreshFrom()).truncatedTo(ChronoUnit.DAYS).equals(targetDate.asInstant());
-        }
-
-        return true;
+        return Instant.ofEpochMilli(salt.refreshFrom()).truncatedTo(ChronoUnit.DAYS).equals(targetDate.asInstant());
     }
 
     private SaltEntry[] rotateSalts(SaltEntry[] oldSalts, List<SaltEntry> saltsToRotate, TargetDate targetDate) throws Exception {
@@ -163,7 +147,7 @@ private List<SaltEntry> pickSaltsToRotate(
             TargetDate targetDate,
             Duration[] minAges,
             int numSaltsToRotate) {
-        var maxSaltsPerAge = this.isRefreshFromEnabled ? (int) (numSaltsToRotate * MAX_SALT_PERCENTAGE) : numSaltsToRotate;
+        var maxSaltsPerAge = (int) (numSaltsToRotate * MAX_SALT_PERCENTAGE);
 
         var thresholds = Arrays.stream(minAges)
                 .map(minAge -> targetDate.asInstant().minusSeconds(minAge.getSeconds()))

src/main/java/com/uid2/admin/vertx/service/SaltService.java

@@ -132,14 +132,7 @@ private void handleSaltRotate(RoutingContext rc) {
             final Optional<Double> fraction = RequestUtil.getDouble(rc, "fraction");
             if (fraction.isEmpty()) return;
 
-            final Duration[] ageThresholds;
-            if (saltRotation.isCustomAgeThresholdEnabled()) {
-                 ageThresholds = RequestUtil.getDurations(rc, "min_ages_in_seconds");
-                 if (ageThresholds == null) return;
-            } else {
-                ageThresholds = SALT_ROTATION_AGE_THRESHOLDS;
-            }
-            LOGGER.info("Salt rotation age thresholds in seconds: {}", Arrays.stream(ageThresholds).map(Duration::toSeconds).collect(Collectors.toList()));
+            LOGGER.info("Salt rotation age thresholds in seconds: {}", Arrays.stream(SALT_ROTATION_AGE_THRESHOLDS).map(Duration::toSeconds).collect(Collectors.toList()));
 
             final TargetDate targetDate =
                     RequestUtil.getDate(rc, "target_date", DateTimeFormatter.ISO_LOCAL_DATE)
@@ -155,7 +148,7 @@ private void handleSaltRotate(RoutingContext rc) {
             final List<RotatingSaltProvider.SaltSnapshot> snapshots = saltProvider.getSnapshots();
             final RotatingSaltProvider.SaltSnapshot lastSnapshot = snapshots.getLast();
 
-            final SaltRotation.Result result = saltRotation.rotateSalts(lastSnapshot, ageThresholds, fraction.get(), targetDate);
+            final SaltRotation.Result result = saltRotation.rotateSalts(lastSnapshot, SALT_ROTATION_AGE_THRESHOLDS, fraction.get(), targetDate);
             if (!result.hasSnapshot()) {
                 ResponseUtil.error(rc, 200, result.getReason());
                 return;

src/main/resources/localstack/s3/core/salts/encrypted/123_public/metadata.json

@@ -1,6 +1,6 @@
 {
-  "version" : 1744264807066,
-  "generated" : 1744264807,
+  "version" : 1,
+  "generated" : 1754901630,
   "first_level" : "fOGY/aRE44peL23i+cE9MkJrzmEeNZZziNZBfq7qqk8=",
   "id_prefix" : "b",
   "id_secret" : "HF6Qz42HBbVHINxhh191dB09BCuTWyBkNtrNicO4ZCw=",
@@ -10,10 +10,10 @@
     "location" : "salts/encrypted/123_public/salts.txt.1670796729291",
     "size" : 2
   }, {
-    "effective" : 1766125493000,
+    "effective" : 1745907348982,
     "expires" : 1766720293000,
-    "location" : "salts/encrypted/123_public/salts.txt.1766125493000",
-    "size" : 4
+    "location" : "salts/encrypted/123_public/salts.txt.1745907348982",
+    "size" : 2
   } ],
   "key_id" : 3
 }

src/main/resources/localstack/s3/core/salts/encrypted/123_public/salts.txt.1670796729291

@@ -1,5 +1,5 @@
 {
   "key_id" : 3,
   "encryption_version" : "1.0",
-  "encrypted_payload" : "9vKzSl5qhansVyce77wGN1PPaqauuiB18AMnDk1qlCU0idX2yPbrVOnulSqzDk3riG03T43qbx80bhGyxYe0oEbUeNmRV/9xmwMjmmkVzBZlCUPomhVxkmHMrOR2nKUWit0s02lm4lxFvkTdjw5yyZA/gPFmNpfP04URb/l6vw+d0Le1TIrE9esYi6GycqTPf8armDW8rEzEJhhN4uSgZvPG"
+  "encrypted_payload" : "T+Gb8K0+APNgzfQ70bIv6d46r3xMIg2ZoLzKkBIJJ1jYN3s0F/5K6rru7gcdoYGWU8+Oe3i8VCUBAxk7i5NvExsKPObSZZFVxNhkYV9w3PMvTilWTXhSZTSu7fPPr2vb2TPP8MNYb8EqwrygwclHCKTT5GM9tChA5xxjMWa5P9S6tlaIdWrIrlov3zzxEm1XTCvnhQi6sWl3EfmI8pakFjI0jY1O7YtJ2ZELa16I780VeW4d4s1IgMIvVR3oGRtBD3KI0ikmjSJ12S36dp4cZhe/uHRt0UanN4rEjgnNWtujBLK2qoLf0bbZgin3GonG4Q+Y3mzTM8I="
 }

src/main/resources/localstack/s3/core/salts/encrypted/123_public/salts.txt.1745907348982

@@ -0,0 +1,5 @@
+{
+  "key_id" : 3,
+  "encryption_version" : "1.0",
+  "encrypted_payload" : "baVbB6zql5BepnPma05MDRHC+o1FP2Fs02wydarYH6/KkPcVwZY3EgSAzGqpgT0xli3+tz4VBB00jjz2uVtRMCNJlvMH4GSPUfdi6qjWgX1fHMXeU+Z5Rxcyg6elsX81pMFD0/87pQBllo6+5rOSfDfan881QqhM2cVJY7gVG/z9plDp33CEhWQ0/dWaoGiyBWMyqmGwkkhipeVAT/lH3gr5W7sMnuG3Z9PQw6sWv5PJLdFiCiN4EjWYIv3qpJ689sbYKGaGi3HNaq3bHsO9nFInDc+80vK+MWpMHb/wRIQgfUGJytfSNuDdczDEijQyTJNElpypQ74="
+}