fixed failed validation logs to log only for successful attestation

sophia-chen-ttd · sophia-chen-ttd · commit 34b682bf702a · 2025-04-30T17:09:21.000+10:00
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-shared</artifactId>
-    <version>9.1.17-alpha-219-SNAPSHOT</version>
+    <version>9.2.3</version>
     <name>${project.groupId}:${project.artifactId}</name>
     <description>Library for all the shared uid2 operations</description>
     <url>https://github.com/IABTechLab/uid2docs</url>
diff --git a/src/main/java/com/uid2/shared/middleware/AttestationMiddleware.java b/src/main/java/com/uid2/shared/middleware/AttestationMiddleware.java
@@ -105,21 +105,15 @@ public void handle(RoutingContext rc) {
                     } else {
                         if (this.enforceJwt) {
                             LOGGER.info("JWT is required, but was not received. Attestation validation failed. SiteId: {}, Name: {}, Contact: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());
-                        } else {
-                            LOGGER.info("JWT is blank but is not required. SiteId: {}, Name: {}, Contact: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());
                         }
                     }
-                } else {
-                    LOGGER.info("Attestation was not successful. JWT validation failed. SiteId: {}, Name: {}, Contact: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());
                 }
-            } else {
-                LOGGER.info("Profile is not an OperatorKey. JWT validation failed. SiteId: {}, Contact: {}", profile.getSiteId(), profile.getContact());
             }
 
-            if (!isJwtValid && this.enforceJwt) {
+            if (success && !isJwtValid && this.enforceJwt) {
                 LOGGER.info("JWT validation has failed.");
                 success = false;
-            } else if (!isJwtValid && !this.enforceJwt) {
+            } else if (success && !isJwtValid && !this.enforceJwt) {
                 LOGGER.info("JWT validation has failed, but JWTs are not being enforced.");
             }
 
diff --git a/src/main/java/com/uid2/shared/model/SaltEntry.java b/src/main/java/com/uid2/shared/model/SaltEntry.java
@@ -1,31 +1,43 @@
 package com.uid2.shared.model;
 
-public class SaltEntry {
-    private final long id;
-    private final String hashedId;
-    private final long lastUpdated;
-    private final String salt;
+public record SaltEntry(
+        long id,
+        String hashedId,
+        long lastUpdated,
+        String currentSalt,
 
-    public SaltEntry(long id, String hashedId, long lastUpdated, String salt) {
-        this.id = id;
-        this.lastUpdated = lastUpdated;
-        this.hashedId = hashedId;
-        this.salt = salt;
-    }
-
-    public long getId() {
-        return id;
-    }
-
-    public String getHashedId() {
-        return hashedId;
-    }
+        Long refreshFrom, // needs to be nullable until V3 Identity Map is fully rolled out
+        String previousSalt,
 
-    public long getLastUpdated() {
-        return lastUpdated;
+        KeyMaterial currentKey,
+        KeyMaterial previousKey
+) {
+    @Override
+    public String toString() {
+        return "SaltEntry{" +
+                "id=" + id +
+                ", hashedId='" + hashedId + '\'' +
+                ", lastUpdated=" + lastUpdated +
+                ", currentSalt=<REDACTED>" +
+                ", refreshFrom=" + refreshFrom +
+                ", previousSalt=<REDACTED>" +
+                ", currentKey=" + currentKey +
+                ", previousKey=" + previousKey +
+                '}';
     }
 
-    public String getSalt() {
-        return salt;
+    public record KeyMaterial(
+            int id,
+            String key,
+            String salt
+    ) {
+        @Override
+        public String toString() {
+            return "KeyMaterial{" +
+                    "id=" + id +
+                    ", key=<REDACTED>" +
+                    ", currentSalt=<REDACTED>" +
+                    '}';
+        }
     }
 }
diff --git a/src/main/java/com/uid2/shared/store/salt/EncryptedRotatingSaltProvider.java b/src/main/java/com/uid2/shared/store/salt/EncryptedRotatingSaltProvider.java
@@ -1,4 +1,4 @@
-package com.uid2.shared.store;
+package com.uid2.shared.store.salt;
 
 import com.uid2.shared.cloud.DownloadCloudStorage;
 import com.uid2.shared.model.SaltEntry;
@@ -19,15 +19,8 @@ public EncryptedRotatingSaltProvider(DownloadCloudStorage fileStreamProvider, Ro
     }
 
     @Override
-    protected SaltEntry[] readInputStream(InputStream inputStream, SaltEntryBuilder entryBuilder, Integer size) throws IOException {
+    protected SaltEntry[] readInputStream(InputStream inputStream, SaltFileParser saltFileParser, Integer size) throws IOException {
         String decrypted = decryptInputStream(inputStream, cloudEncryptionKeyProvider, "salts");
-        SaltEntry[] entries = new SaltEntry[size];
-        int idx = 0;
-        for (String line : decrypted.split("\n")) {
-            final SaltEntry entry = entryBuilder.toEntry(line);
-            entries[idx] = entry;
-            idx++;
-        }
-        return entries;
+        return saltFileParser.parseFile(decrypted, size);
     }
 }
diff --git a/src/main/java/com/uid2/shared/store/salt/ISaltProvider.java b/src/main/java/com/uid2/shared/store/salt/ISaltProvider.java
@@ -1,4 +1,4 @@
-package com.uid2.shared.store;
+package com.uid2.shared.store.salt;
 
 import com.uid2.shared.model.SaltEntry;
 import org.slf4j.Logger;
diff --git a/src/main/java/com/uid2/shared/store/salt/IdHashingScheme.java b/src/main/java/com/uid2/shared/store/salt/IdHashingScheme.java
@@ -0,0 +1,17 @@
+package com.uid2.shared.store.salt;
+
+import org.hashids.Hashids;
+
+public class IdHashingScheme {
+    private final String prefix;
+    private final Hashids hasher;
+
+    public IdHashingScheme(final String prefix, final String secret) {
+        this.prefix = prefix;
+        this.hasher = new Hashids(secret, 9);
+    }
+
+    public String encode(long id) {
+        return prefix + this.hasher.encode(id);
+    }
+}
diff --git a/src/main/java/com/uid2/shared/store/salt/RotatingSaltProvider.java b/src/main/java/com/uid2/shared/store/salt/RotatingSaltProvider.java
@@ -1,4 +1,4 @@
-package com.uid2.shared.store;
+package com.uid2.shared.store.salt;
 
 import com.uid2.shared.Utils;
 import com.uid2.shared.attest.UidCoreClient;
@@ -10,7 +10,6 @@
 import lombok.Getter;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
-import org.hashids.Hashids;
 
 import java.io.BufferedReader;
 import java.io.IOException;
@@ -41,9 +40,9 @@
        ]
     }
 
-  2. salt file format
-        <id>,   <hash_id>,    <salt>
-        9000099,1614556800000,salt
+  2. currentSalt file format
+        <id>,   <hash_id>,    <currentSalt>
+        9000099,1614556800000,currentSalt
  */
 public class RotatingSaltProvider implements ISaltProvider, IMetadataVersionedStore {
     private static final Logger LOGGER = LoggerFactory.getLogger(RotatingSaltProvider.class);
@@ -80,14 +79,14 @@ public long getVersion(JsonObject metadata) {
     public long loadContent(JsonObject metadata) throws Exception {
         final JsonArray salts = metadata.getJsonArray("salts");
         final String firstLevelSalt = metadata.getString("first_level");
-        final SaltEntryBuilder entryBuilder = new SaltEntryBuilder(
+        final SaltFileParser saltFileParser = new SaltFileParser(
                 new IdHashingScheme(metadata.getString("id_prefix"), metadata.getString("id_secret")));
         final Instant now = Instant.now();
         final List<SaltSnapshot> snapshots = new ArrayList<>();
 
         int saltCount = 0;
         for (int i = 0; i < salts.size(); ++i) {
-            final SaltSnapshot snapshot = this.loadSnapshot(salts.getJsonObject(i), firstLevelSalt, entryBuilder, now);
+            final SaltSnapshot snapshot = this.loadSnapshot(salts.getJsonObject(i), firstLevelSalt, saltFileParser, now);
             if (snapshot == null) continue;
             snapshots.add(snapshot);
 
@@ -120,33 +119,26 @@ public ISaltSnapshot getSnapshot(Instant asOf) {
             if (!snapshot.isEffective(asOf)) break;
             current = snapshot;
         }
-        return current != null ? current : snapshots.get(snapshots.size() - 1);
+        return current != null ? current : snapshots.getLast();
     }
 
-    private SaltSnapshot loadSnapshot(JsonObject spec, String firstLevelSalt, SaltEntryBuilder entryBuilder, Instant now) throws Exception {
+    private SaltSnapshot loadSnapshot(JsonObject spec, String firstLevelSalt, SaltFileParser saltFileParser, Instant now) throws Exception {
         final Instant defaultExpires = now.plus(365, ChronoUnit.DAYS);
         final Instant effective = Instant.ofEpochMilli(spec.getLong("effective"));
         final Instant expires = Instant.ofEpochMilli(spec.getLong("expires", defaultExpires.toEpochMilli()));
 
         final String path = spec.getString("location");
         Integer size = spec.getInteger("size");
-        SaltEntry[] entries = readInputStream(this.contentStreamProvider.download(path), entryBuilder, size);
+        SaltEntry[] entries = readInputStream(this.contentStreamProvider.download(path), saltFileParser, size);
 
         LOGGER.info("Loaded {} salts", size);
         return new SaltSnapshot(effective, expires, entries, firstLevelSalt);
     }
 
-    protected SaltEntry[] readInputStream(InputStream inputStream, SaltEntryBuilder entryBuilder, Integer size) throws IOException {
+    protected SaltEntry[] readInputStream(InputStream inputStream, SaltFileParser saltFileParser, Integer size) throws IOException {
         try (BufferedReader reader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
-            String line;
-            SaltEntry[] entries = new SaltEntry[size];
-            int idx = 0;
-            while ((line = reader.readLine()) != null) {
-                final SaltEntry entry = entryBuilder.toEntry(line);
-                entries[idx] = entry;
-                idx++;
-            }
-            return entries;
+            String[] saltFileLines = reader.lines().toArray(String[]::new);
+            return saltFileParser.parseFileLines(saltFileLines, size);
         }
     }
 
@@ -167,10 +159,10 @@ public SaltSnapshot(Instant effective, Instant expires, SaltEntry[] entries, Str
             this.entries = entries;
             this.firstLevelSalt = firstLevelSalt;
             if (entries.length == 1_048_576) {
-                LOGGER.info("Total salt entries 1 million, {}, special production salt entry indexer", entries.length);
+                LOGGER.info("Total currentSalt entries 1 million, {}, special production currentSalt entry indexer", entries.length);
                 this.saltEntryIndexer = MILLION_ENTRY_INDEXER;
             } else {
-                LOGGER.warn("Total salt entries {}, using slower mod-based indexer", entries.length);
+                LOGGER.warn("Total currentSalt entries {}, using slower mod-based indexer", entries.length);
                 this.saltEntryIndexer = MOD_BASED_INDEXER;
             }
         }
@@ -203,42 +195,8 @@ public SaltEntry getRotatingSalt(byte[] identity) {
         @Override
         public List<SaltEntry> getModifiedSince(Instant timestamp) {
             final long timestampMillis = timestamp.toEpochMilli();
-            return Arrays.stream(this.entries).filter(e -> e.getLastUpdated() >= timestampMillis).collect(Collectors.toList());
-        }
-    }
-
-    protected static final class IdHashingScheme {
-        private final String prefix;
-        private final Hashids hasher;
-
-        public IdHashingScheme(final String prefix, final String secret) {
-            this.prefix = prefix;
-            this.hasher = new Hashids(secret, 9);
-        }
-
-        public String encode(long id) {
-            return prefix + this.hasher.encode(id);
+            return Arrays.stream(this.entries).filter(e -> e.lastUpdated() >= timestampMillis).collect(Collectors.toList());
         }
     }
 
-    protected static final class SaltEntryBuilder {
-        private final IdHashingScheme idHashingScheme;
-
-        public SaltEntryBuilder(IdHashingScheme idHashingScheme) {
-            this.idHashingScheme = idHashingScheme;
-        }
-
-        public SaltEntry toEntry(String line) {
-            try {
-                final String[] fields = line.split(",");
-                final long id = Integer.parseInt(fields[0]);
-                final String hashedId = this.idHashingScheme.encode(id);
-                final long lastUpdated = Long.parseLong(fields[1]);
-                final String salt = fields[2];
-                return new SaltEntry(id, hashedId, lastUpdated, salt);
-            } catch (Exception e) {
-                throw new RuntimeException("Trouble parsing Salt Entry " + line, e);
-            }
-        }
-    }
 }
diff --git a/src/main/java/com/uid2/shared/store/salt/SaltFileParser.java b/src/main/java/com/uid2/shared/store/salt/SaltFileParser.java
@@ -0,0 +1,63 @@
+package com.uid2.shared.store.salt;
+
+import com.uid2.shared.model.SaltEntry;
+
+public class SaltFileParser {
+    private final IdHashingScheme idHashingScheme;
+
+    public SaltFileParser(IdHashingScheme idHashingScheme) {
+        this.idHashingScheme = idHashingScheme;
+    }
+
+    public SaltEntry[] parseFile(String saltFileContent, Integer size) {
+        var lines = saltFileContent.split("\n");
+        return parseFileLines(lines, size);
+    }
+
+    public SaltEntry[] parseFileLines(String[] saltFileLines, Integer size) {
+        var entries = new SaltEntry[size];
+        int lineNumber = 0;
+        for (String line : saltFileLines) {
+            final SaltEntry entry = parseLine(line, lineNumber);
+            entries[lineNumber] = entry;
+            lineNumber++;
+        }
+        return entries;
+    }
+
+    private SaltEntry parseLine(String line, int lineNumber) {
+        try {
+            final String[] fields = line.split(",");
+            final long id = Integer.parseInt(fields[0]);
+            final String hashedId = this.idHashingScheme.encode(id);
+            final long lastUpdated = Long.parseLong(fields[1]);
+            final String salt = fields[2];
+
+            Long refreshFrom = null;
+            String previousSalt = null;
+            SaltEntry.KeyMaterial currentKey = null;
+            SaltEntry.KeyMaterial previousKey = null;
+
+            // TODO: The fields below should stop being optional once the refresh from, previous salt
+            // and refreshable UIDs features get rolled out in production. We can remove them one by one as necessary.
+            // AU, 2025/04/28
+            if (fields.length > 3) {
+                refreshFrom = Long.parseLong(fields[3]);
+            }
+            if (fields.length > 4) {
+                previousSalt = fields[4];
+            }
+            if (fields.length > 7) {
+                currentKey = new SaltEntry.KeyMaterial(Integer.parseInt(fields[5]), fields[6], fields[7]);
+            }
+            if (fields.length > 10) {
+                previousKey = new SaltEntry.KeyMaterial(Integer.parseInt(fields[8]), fields[9], fields[10]);
+            }
+
+            return new SaltEntry(id, hashedId, lastUpdated, salt, refreshFrom, previousSalt, currentKey, previousKey);
+        } catch (Exception e) {
+            throw new RuntimeException("Trouble parsing Salt Entry, line number: " + lineNumber, e);
+        }
+    }
+
+}
diff --git a/src/test/java/com/uid2/shared/secret/KeyHasherTest.java b/src/test/java/com/uid2/shared/secret/KeyHasherTest.java
@@ -22,7 +22,7 @@ public void hashKey_returnsNewHashEverytime_withRandomSalt() {
         KeyHashResult result2 = hasher.hashKey("test-key");
 
         assertAll(
-                "hashKey returns new hash every time with random salt",
+                "hashKey returns new hash every time with random currentSalt",
                 () -> assertNotEquals(result1.getHash(), result2.getHash()),
                 () -> assertNotEquals(result1.getSalt(), result2.getSalt())
         );
diff --git a/src/test/java/com/uid2/shared/secure/AttestationTokenTest.java b/src/test/java/com/uid2/shared/secure/AttestationTokenTest.java
@@ -18,7 +18,7 @@
 
 public class AttestationTokenTest {
     private static final String ENCRYPTION_KEY = "attestation-token-secret";
-    private static final String SALT = "attestation-token-salt";
+    private static final String SALT = "attestation-token-currentSalt";
 
     private final Clock clock = mock(Clock.class);
 
diff --git a/src/test/java/com/uid2/shared/store/EncryptedRotatingSaltProviderTest.java b/src/test/java/com/uid2/shared/store/EncryptedRotatingSaltProviderTest.java
diff --git a/src/test/java/com/uid2/shared/store/RotatingSaltProviderTest.java b/src/test/java/com/uid2/shared/store/RotatingSaltProviderTest.java
diff --git a/src/test/java/com/uid2/shared/store/salt/SaltFileParserTest.java b/src/test/java/com/uid2/shared/store/salt/SaltFileParserTest.java
diff --git a/version.json b/version.json

Original file line number	Diff line number	Diff line change
`@@ -105,21 +105,15 @@ public void handle(RoutingContext rc) {`
`105`	`105`	`} else {`
`106`	`106`	`if (this.enforceJwt) {`
`107`	`107`	`LOGGER.info("JWT is required, but was not received. Attestation validation failed. SiteId: {}, Name: {}, Contact: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());`
`108`		`- } else {`
`109`		`- LOGGER.info("JWT is blank but is not required. SiteId: {}, Name: {}, Contact: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());`
`110`	`108`	`}`
`111`	`109`	`}`
`112`		`- } else {`
`113`		`- LOGGER.info("Attestation was not successful. JWT validation failed. SiteId: {}, Name: {}, Contact: {}", operatorKey.getSiteId(), operatorKey.getName(), operatorKey.getContact());`
`114`	`110`	`}`
`115`		`- } else {`
`116`		`- LOGGER.info("Profile is not an OperatorKey. JWT validation failed. SiteId: {}, Contact: {}", profile.getSiteId(), profile.getContact());`
`117`	`111`	`}`
`118`	`112`
`119`		`- if (!isJwtValid && this.enforceJwt) {`
	`113`	`+ if (success && !isJwtValid && this.enforceJwt) {`
`120`	`114`	`LOGGER.info("JWT validation has failed.");`
`121`	`115`	`success = false;`
`122`		`- } else if (!isJwtValid && !this.enforceJwt) {`
	`116`	`+ } else if (success && !isJwtValid && !this.enforceJwt) {`
`123`	`117`	`LOGGER.info("JWT validation has failed, but JWTs are not being enforced.");`
`124`	`118`	`}`
`125`	`119`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-package com.uid2.shared.store;`
	`1`	`+package com.uid2.shared.store.salt;`
`2`	`2`
`3`	`3`	`import com.uid2.shared.model.SaltEntry;`
`4`	`4`	`import org.slf4j.Logger;`