Added fast forward and updated token generate/refresh simulation

gmsdelmundo · gmsdelmundo · commit 9dedb2bcd51b · 2025-09-30T13:31:23.000+08:00
diff --git a/src/main/java/com/uid2/admin/salt/SaltRotation.java b/src/main/java/com/uid2/admin/salt/SaltRotation.java
@@ -15,6 +15,7 @@
 import java.time.temporal.ChronoUnit;
 import java.util.*;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 public class SaltRotation {
     private static final long THIRTY_DAYS_IN_MS = Duration.ofDays(30).toMillis();
@@ -76,11 +77,81 @@ public Result rotateSalts(
         return Result.fromSnapshot(nextSnapshot);
     }
 
+    public Result rotateSaltsFastForward(
+            SaltSnapshot snapshot,
+            Duration[] minAges,
+            double fraction,
+            TargetDate targetDate,
+            int iterations) throws Exception {
+        var currentSnapshot = snapshot;
+
+        for (int i = 0; i < iterations; i++) {
+            var preRotationSalts = currentSnapshot.getAllRotatingSalts();
+
+            var currentTargetDate = targetDate.plusDays(i);
+            var nextEffective = currentTargetDate.asInstant();
+            var nextExpires = nextEffective.plus(7, ChronoUnit.DAYS);
+            if (nextEffective.equals(currentSnapshot.getEffective()) || nextEffective.isBefore(currentSnapshot.getEffective())) {
+                return Result.noSnapshot("cannot create a new salt snapshot with effective timestamp equal or prior to that of an existing snapshot");
+            }
+
+            // Salts that can be rotated based on their refreshFrom being at target date
+            var refreshableSalts = findRefreshableSalts(preRotationSalts, currentTargetDate);
+
+            var saltsToRotate = pickSaltsToRotate(
+                    refreshableSalts,
+                    currentTargetDate,
+                    minAges,
+                    getNumSaltsToRotate(preRotationSalts, fraction)
+            );
+
+            if (saltsToRotate.isEmpty()) {
+                return Result.noSnapshot("all refreshable salts are below min rotation age");
+            }
+
+            var postRotationSalts = rotateSalts(preRotationSalts, saltsToRotate, currentTargetDate);
+
+            LOGGER.info("Salt rotation complete target_date={}", currentTargetDate);
+            logSaltAges("refreshable-salts", currentTargetDate, refreshableSalts);
+            logSaltAges("rotated-salts", currentTargetDate, saltsToRotate);
+            logSaltAges("total-salts", currentTargetDate, Arrays.asList(postRotationSalts));
+            logBucketFormatCount(currentTargetDate, postRotationSalts);
+
+            currentSnapshot = new SaltSnapshot(
+                    nextEffective,
+                    nextExpires,
+                    postRotationSalts,
+                    currentSnapshot.getFirstLevelSalt());
+        }
+
+        Map<Long, SaltEntry> originalSalts = Stream.of(snapshot.getAllRotatingSalts()).collect(Collectors.toMap(salt -> salt.id(), salt -> salt));
+        List<SaltEntry> salts = new ArrayList<>();
+        for (SaltEntry salt : currentSnapshot.getAllRotatingSalts()) {
+            SaltEntry originalSalt = originalSalts.get(salt.id());
+
+            salts.add(new SaltEntry(
+                    salt.id(),
+                    salt.hashedId(),
+                    originalSalt.lastUpdated(),
+                    salt.currentSalt(),
+                    originalSalt.refreshFrom(),
+                    salt.previousSalt(),
+                    salt.currentKeySalt(),
+                    salt.previousKeySalt()
+            ));
+        }
+
+        return Result.fromSnapshot(new SaltSnapshot(
+                snapshot.getEffective(),
+                snapshot.getExpires(),
+                salts.toArray(new SaltEntry[salts.size()]),
+                snapshot.getFirstLevelSalt()));
+    }
+
     public Result rotateSaltsZero(
             ISaltSnapshot effectiveSnapshot,
             TargetDate targetDate,
-            Instant nextEffective
-    ) throws Exception {
+            Instant nextEffective) throws Exception {
         var preRotationSalts = effectiveSnapshot.getAllRotatingSalts();
         var nextExpires = nextEffective.plus(7, ChronoUnit.DAYS);
 
diff --git a/src/main/java/com/uid2/admin/vertx/AdminVerticle.java b/src/main/java/com/uid2/admin/vertx/AdminVerticle.java
@@ -109,8 +109,12 @@ private void handleHealthCheck(RoutingContext rc) {
     }
 
     private void handleUserinfo(RoutingContext rc) {
-        if (isAuthDisabled(config)) rc.response().setStatusCode(200).end(
-                JsonObject.of("groups", JsonArray.of("developer", "developer-elevated", "infra-admin", "admin"), "email", "test.user@unifiedid.com").toString());
+        if (isAuthDisabled(config)) {
+            rc.response().setStatusCode(200).end(
+                    JsonObject.of("groups", JsonArray.of("developer", "developer-elevated", "infra-admin", "admin"), "email", "test.user@unifiedid.com").toString());
+            return;
+        }
+
         try {
             Jwt idJwt = this.authProvider.getIdTokenVerifier().decode(rc.user().principal().getString("id_token"), null);
             JsonObject jo = new JsonObject();
@@ -122,19 +126,18 @@ private void handleUserinfo(RoutingContext rc) {
                 JsonObject userDetails = new JsonObject();
                 userDetails.put("email", idJwt.getClaims().get("email"));
                 userDetails.put("sub", idJwt.getClaims().get("sub"));
-    
-                LOGGER.info("Authenticated user accessing admin page - User: {}", userDetails.toString());
+
+                LOGGER.info("Authenticated user accessing admin page - User: {}", userDetails);
                 rc.put("user_details", userDetails);
                 this.audit.log(rc, new AuditParams());
             }
-        
+
             rc.response().setStatusCode(200).end(jo.toString());
         } catch (Exception e) {
-            if (rc.session() !=  null) {
+            if (rc.session() != null) {
                 rc.session().destroy();
             }
             rc.response().putHeader("REQUIRES_AUTH", "1").setStatusCode(401).end();
         }
     }
-
 }
diff --git a/src/main/java/com/uid2/admin/vertx/service/SaltService.java b/src/main/java/com/uid2/admin/vertx/service/SaltService.java
@@ -77,7 +77,7 @@ public class SaltService implements IService {
     private static final String OPERATOR_URL = "http://proxy:80";
     private static final Map<String, String> OPERATOR_HEADERS = Map.of("Authorization", String.format("Bearer %s", CLIENT_API_KEY));
 
-    private static final int IDENTITY_COUNT = 10_000;
+    private static final int IDENTITY_COUNT = 1_000;
     private static final int TIMESTAMP_LENGTH = 8;
     private static final int IV_LENGTH = 12;
 
@@ -110,13 +110,19 @@ public void setupRoutes(Router router) {
             }
         }, new AuditParams(List.of("fraction", "target_date"), Collections.emptyList()), Role.SUPER_USER, Role.SECRET_ROTATION));
 
-        router.post("/api/salt/simulate/token").blockingHandler(auth.handle((ctx) -> {
+        router.post("/api/salt/fastForward").blockingHandler(auth.handle(ctx -> {
+            synchronized (writeLock) {
+                this.handleSaltFastForward(ctx);
+            }
+        }, new AuditParams(List.of("fraction"), Collections.emptyList()), Role.MAINTAINER, Role.SECRET_ROTATION));
+
+        router.post("/api/salt/simulateToken").blockingHandler(auth.handle(ctx -> {
             synchronized (writeLock) {
                 this.handleSaltSimulateToken(ctx);
             }
-        }, new AuditParams(List.of("target_date"), Collections.emptyList()), Role.MAINTAINER, Role.SECRET_ROTATION));
+        }, new AuditParams(List.of("fraction", "target_date"), Collections.emptyList()), Role.MAINTAINER, Role.SECRET_ROTATION));
 
-        router.post("/api/salt/simulate").blockingHandler(auth.handle((ctx) -> {
+        router.post("/api/salt/simulate").blockingHandler(auth.handle(ctx -> {
             synchronized (writeLock) {
                 this.handleSaltSimulate(ctx);
             }
@@ -221,6 +227,40 @@ private JsonObject toJson(RotatingSaltProvider.SaltSnapshot snapshot) {
         return jo;
     }
 
+    private void handleSaltFastForward(RoutingContext rc) {
+        try {
+            final double fraction = RequestUtil.getDouble(rc, "fraction").orElse(0.002740);
+            final int iterations = RequestUtil.getDouble(rc, "fast_forward_iterations").orElse(0.0).intValue();
+            final boolean enableV4 = RequestUtil.getBoolean(rc, "enable_v4", false).orElse(false);
+
+            TargetDate targetDate =
+                    RequestUtil.getDate(rc, "target_date", DateTimeFormatter.ISO_LOCAL_DATE)
+                            .map(TargetDate::new)
+                            .orElse(TargetDate.now().plusDays(1));
+
+            saltProvider.loadContent();
+            storageManager.archiveSaltLocations();
+
+            var snapshot = saltProvider.getSnapshots().getLast();
+
+            saltRotation.setEnableV4RawUid(enableV4);
+            var result = saltRotation.rotateSaltsFastForward(snapshot, SALT_ROTATION_AGE_THRESHOLDS, fraction, targetDate, iterations);
+            if (!result.hasSnapshot()) {
+                ResponseUtil.error(rc, 200, result.getReason());
+                return;
+            }
+
+            storageManager.upload(result.getSnapshot());
+
+            rc.response()
+                    .putHeader(HttpHeaders.CONTENT_TYPE, "application/json")
+                    .end(toJson(result.getSnapshot()).encode());
+        } catch (Exception e) {
+            LOGGER.error(e.getMessage(), e);
+            rc.fail(500, e);
+        }
+    }
+
     private void handleSaltSimulateToken(RoutingContext rc) {
         try {
             final double fraction = RequestUtil.getDouble(rc, "fraction").orElse(0.002740);
@@ -231,16 +271,25 @@ private void handleSaltSimulateToken(RoutingContext rc) {
                             .map(TargetDate::new)
                             .orElse(TargetDate.now().plusDays(1));
 
-            // Step 1. Run /v2/token/generate for 10,000 emails
+            // Step 1. Run /v2/token/generate for all emails
             List<String> emails = new ArrayList<>();
+            Map<String, Boolean> preRotationEmailToSaltMap = new HashMap<>();
+            RotatingSaltProvider.SaltSnapshot snapshot = saltProvider.getSnapshots().getLast();
             for (int j = 0; j < IDENTITY_COUNT; j++) {
                 String email = randomEmail();
                 emails.add(email);
+
+                SaltEntry salt = getSalt(email, snapshot);
+                boolean isV4 = salt.currentKeySalt() != null && salt.currentKeySalt().key() != null && salt.currentKeySalt().salt() != null;
+                preRotationEmailToSaltMap.put(email, isV4);
             }
 
             Map<String, String> emailToRefreshTokenMap = new HashMap<>();
             Map<String, String> emailToRefreshResponseKeyMap = new HashMap<>();
-            for (String email : emails) {
+            for (int i = 0; i < emails.size(); i++) {
+                LOGGER.info("Step 2 - Token Generate {}/{}", i + 1, emails.size());
+                String email = emails.get(i);
+
                 JsonNode tokens = v2TokenGenerate(email);
                 String refreshToken = tokens.at("/body/refresh_token").asText();
                 String refreshResponseKey = tokens.at("/body/refresh_response_key").asText();
@@ -251,22 +300,25 @@ private void handleSaltSimulateToken(RoutingContext rc) {
 
             // Step 2. Rotate salts
             saltRotation.setEnableV4RawUid(true);
-            RotatingSaltProvider.SaltSnapshot snapshot = null;
+            snapshot = null;
             for (int i = 0; i < iterations; i++) {
                 snapshot = rotateSalts(rc, fraction, targetDate, i);
             }
 
-            // Step 3. Count how many emails are v2 vs v4 salts
-            Map<String, Boolean> emailToV4TokenMap = new HashMap<>();
+            Map<String, Boolean> postRotationEmailToSaltMap = new HashMap<>();
             for (String email : emails) {
                 SaltEntry salt = getSalt(email, snapshot);
                 boolean isV4 = salt.currentKeySalt() != null && salt.currentKeySalt().key() != null && salt.currentKeySalt().salt() != null;
-                emailToV4TokenMap.put(email, isV4);
+                postRotationEmailToSaltMap.put(email, isV4);
             }
 
             // Step 4. Run /v2/token/refresh for all emails
+            v2LoadSalts();
             Map<String, Boolean> emailToRefreshSuccessMap = new HashMap<>();
-            for (String email : emails) {
+            for (int i = 0; i < emails.size(); i++) {
+                LOGGER.info("Step 4 - Token Refresh {}/{}", i + 1, emails.size());
+                String email = emails.get(i);
+
                 try {
                     JsonNode response = v2TokenRefresh(emailToRefreshTokenMap.get(email), emailToRefreshResponseKeyMap.get(email));
                     emailToRefreshSuccessMap.put(email, response != null);
@@ -277,11 +329,14 @@ private void handleSaltSimulateToken(RoutingContext rc) {
             }
 
             LOGGER.info(
-                    "UID token simulation: success_count={}, failure_count={}, v4_count={}, v2_count={}",
+                    "UID token simulation: success_count={}, failure_count={}, " +
+                            "v2_to_v4_count={}, v4_to_v4_count={}, v4_to_v2_count={}, v2_to_v2_count={}",
                     emailToRefreshSuccessMap.values().stream().filter(x -> x).count(),
                     emailToRefreshSuccessMap.values().stream().filter(x -> !x).count(),
-                    emailToV4TokenMap.values().stream().filter(x -> x).count(),
-                    emailToV4TokenMap.values().stream().filter(x -> !x).count());
+                    emails.stream().filter(email -> !preRotationEmailToSaltMap.get(email) && postRotationEmailToSaltMap.get(email)).count(),
+                    emails.stream().filter(email -> preRotationEmailToSaltMap.get(email) && postRotationEmailToSaltMap.get(email)).count(),
+                    emails.stream().filter(email -> preRotationEmailToSaltMap.get(email) && !postRotationEmailToSaltMap.get(email)).count(),
+                    emails.stream().filter(email -> !preRotationEmailToSaltMap.get(email) && !postRotationEmailToSaltMap.get(email)).count());
 
             rc.response()
                     .putHeader(HttpHeaders.CONTENT_TYPE, "application/json")
@@ -296,9 +351,9 @@ private void handleSaltSimulate(RoutingContext rc) {
         try {
             final double fraction = RequestUtil.getDouble(rc, "fraction").orElse(0.002740);
 
-            final int preMigrationIterations = RequestUtil.getDouble(rc, "preMigrationIterations").orElse(0.0).intValue();
-            final int migrationV4Iterations = RequestUtil.getDouble(rc, "migrationV4Iterations").orElse(0.0).intValue();
-            final int migrationV2V3Iterations = RequestUtil.getDouble(rc, "migrationV2V3Iterations").orElse(0.0).intValue();
+            final int preMigrationIterations = RequestUtil.getDouble(rc, "pre_migration_iterations").orElse(0.0).intValue();
+            final int migrationV4Iterations = RequestUtil.getDouble(rc, "migration_v4_iterations").orElse(0.0).intValue();
+            final int migrationV2Iterations = RequestUtil.getDouble(rc, "migration_v2_iterations").orElse(0.0).intValue();
 
             TargetDate targetDate =
                     RequestUtil.getDate(rc, "target_date", DateTimeFormatter.ISO_LOCAL_DATE)
@@ -331,8 +386,8 @@ private void handleSaltSimulate(RoutingContext rc) {
             }
 
             saltRotation.setEnableV4RawUid(false);
-            for (int i = 0; i < migrationV2V3Iterations; i++) {
-                LOGGER.info("Step 3 - Migration V2/V3 Iteration {}/{}", i + 1, migrationV2V3Iterations);
+            for (int i = 0; i < migrationV2Iterations; i++) {
+                LOGGER.info("Step 3 - Migration V2 Iteration {}/{}", i + 1, migrationV2Iterations);
                 simulationIteration(rc, fraction, targetDate, preMigrationIterations + migrationV4Iterations + i, false, emails, emailToUidMapping);
                 targetDate = targetDate.plusDays(1);
             }
@@ -723,6 +778,10 @@ private String toBase64String(byte[] b) {
         return Base64.getEncoder().encodeToString(b);
     }
 
+    private void v2LoadSalts() throws Exception {
+        HTTP_CLIENT.post(String.format("%s/v2/salts/load", OPERATOR_URL), "", OPERATOR_HEADERS);
+    }
+
     private JsonNode v3IdentityMap(List<String> emails) throws Exception {
         StringBuilder reqBody = new StringBuilder("{ \"email\": [");
         for (String email : emails) {
diff --git a/webroot/adm/salt.html b/webroot/adm/salt.html
