UID2-5673 Edit audit logging fields (#479)

* Remove operator_key_contact

* Remove operator_ prefix

* Change key_site_id to participant_id

* Add key_id

* Add Jti for token_id

* Handle cases where jti is not specified

* Fix typo

Author: cYKatherine

src/main/java/com/uid2/shared/attest/JwtService.java

@@ -73,14 +73,19 @@ public JwtValidationResponse validateJwt(String jwt, String audience, String iss
                 // verify checks that the token has not expired
                 JsonWebSignature signature = tokenVerifier.verify(jwt);
                 JsonWebToken.Payload webToken = signature.getPayload();
+                String jti = webToken.get("jti").toString();
+                if (jti == null) {
+                    jti = "unknown";
+                }
                 response = new JwtValidationResponse(true)
                         .withSubject(webToken.get("sub").toString())
                         .withRoles(webToken.get("roles").toString())
                         .withEnclaveId(webToken.get("enclaveId").toString())
                         .withEnclaveType(webToken.get("enclaveType").toString())
                         .withSiteId(Integer.valueOf(webToken.get("siteId").toString()))
                         .withOperatorVersion(webToken.get("operatorVersion").toString())
-                        .withAudience(webToken.get("aud").toString());
+                        .withAudience(webToken.get("aud").toString())
+                        .withJti(jti);
 
                 // return the first verified response
                 return response;

src/main/java/com/uid2/shared/attest/JwtValidationResponse.java

@@ -18,6 +18,7 @@ public class JwtValidationResponse {
 
     private String audience;
     private String subject;
+    private String jti;
 
     public JwtValidationResponse(boolean isValid) {
         this.isValid = isValid;
@@ -66,6 +67,11 @@ public JwtValidationResponse withSubject(String subject) {
         return this;
     }
 
+    public JwtValidationResponse withJti(String jti) {
+        this.jti = jti;
+        return this;
+    }
+
     public Set<Role> getRoles() {
         return this.roles;
     }
@@ -103,4 +109,6 @@ public String getAudience() {
     public String getSubject() {
         return subject;
     }
+
+    public String getJti() { return jti; }
 }

src/main/java/com/uid2/shared/middleware/AttestationMiddleware.java

@@ -99,6 +99,7 @@ public void handle(RoutingContext rc) {
                                 if (CollectionUtils.isNotEmpty(response.getRoles())) {
                                     auditLogUserDetails.put("jwt_roles", new ArrayList<>(response.getRoles()));
                                 }
+                                auditLogUserDetails.put("token_id", response.getJti());
 
                                 String subject = calculateSubject(operatorKey);
                                 auditLogUserDetails.put("jwt_subject", subject);

src/main/java/com/uid2/shared/middleware/AuthMiddleware.java

@@ -59,9 +59,9 @@ public static void setAuthClient(RoutingContext rc, IAuthorizable profile) {
             rc.data().put(API_CONTACT_PROP, profile.getContact());
             if (profile instanceof OperatorKey operatorKey) {
                 JsonObject auditLogUserDetails = new JsonObject();
-                auditLogUserDetails.put("operator_key_name", operatorKey.getName());
-                auditLogUserDetails.put("operator_key_contact", operatorKey.getContact());
-                auditLogUserDetails.put("operator_key_site_id", operatorKey.getSiteId());
+                auditLogUserDetails.put("key_id", operatorKey.getKeyId());
+                auditLogUserDetails.put("key_name", operatorKey.getName());
+                auditLogUserDetails.put("participant_id", operatorKey.getSiteId());
                 rc.put(Audit.USER_DETAILS, auditLogUserDetails);
             }
         }

src/test/java/com/uid2/shared/attest/JwtServiceTest.java

@@ -27,8 +27,9 @@
 import static org.mockito.Mockito.*;
 
 public class JwtServiceTest {
-    private final static String VALID_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjQ4NDgzNjAxNjgsImlhdCI6MTY5MjY4NjU3NCwic3ViIjoiS0FPUnhzUGRycDRqVnBQcWIwS2dwWWFsRjVSekJwZXAwZGR2UStsakYzdnltaFJYdjNDNkNJWERmaE5KV2RvYmN6bW9pZWU5R0kwMFZybHRMYm1xVUE9PSIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA5MCIsIm9wZXJhdG9yVmVyc2lvbiI6IlNwZWNpYWx8dWlkMi1vcGVyYXRvcnwyLjcuMTYtU05BUFNIT1QiLCJlbmNsYXZlVHlwZSI6InRydXN0ZWQiLCJyb2xlcyI6Ik9QVE9VVCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4OCIsIm5hbWUiOiJTcGVjaWFsIiwic2l0ZUlkIjoiOTk5IiwiZW5jbGF2ZUlkIjoiVHJ1c3RlZCJ9.ICbHPZnm25hIa69A06aNfduyh1xSdXDgxI0_ORGqdNdrop_6CCqk5HtM5uS2hJ_1opjNAjQdfE_CMaAfda13_bnOaZSPe-aQLQBx6vCEjYCRUaAvD7p4NgHnEz9u0nf-ijFBZh0MZR8MV2s3pcEcSbZ7rkSFYW73n2KuACDQxCRdl39wQ-Bs222pm0Q-BkCZlb6OFp6pd-SUT_VWHeSeWbSyXQpfald1WAmH1rHyUdWzfz005Jv8JCucgyorhInQZY0O7wQ-UPk5nuVqz0QkT7w2S4pa4gopLpsi0BM6gu5jDfQredy49v3wuuZRAiefw4ueGBevMA6RxAqtjGEAiA";
-    private final static String EXPIRED_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2OTIzODE2MzMsImlhdCI6MTY5MjY3OTg3NSwic3ViIjoiZ1k1b1hUNmZaeG5xcVZhdFNHVnE4dU9xOW1tcVEvc1A4cU9SRzZ5UStraUZyNHJCQWR6SFBORXpQTXFxK3JlNFEvb1ovaXFqa0IvL3dBLzAxT2w3RkE9PSIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA5MCIsIm9wZXJhdG9yVmVyc2lvbiI6IlNwZWNpYWwgKE9sZCwgUHJpdmF0ZSl8dWlkMi1vcGVyYXRvcnwyLjcuMTYtU05BUFNIT1QiLCJlbmNsYXZlVHlwZSI6InRydXN0ZWQiLCJyb2xlcyI6Ik9QVE9VVCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4OCIsIm5hbWUiOiJTcGVjaWFsIChPbGQsIFByaXZhdGUpIiwic2l0ZUlkIjoiOTk5IiwiZW5jbGF2ZUlkIjoiVHJ1c3RlZCJ9.gRdwQqNc7IHuPBSVjtjuBoEpr4n6vwZIFh0LbW1cqeYZd7uORYyizLyyPtG_Mh_A73LoiYQ4Rn0q1VnMdBqIqsDFYILP182XGNvsToTj_HlpP95DbKs7RfdZ7XTxKflG00M156xdJmieY_v1OQiOjw3vYt82F4QUOaIm5M_k7TAs6GgYPmhinILIJWWgljk7reGmEuWl_abU0wU4cQilwL9F9Byto5Ba8CHLAmv62PcsjbuU8LN-RrkCTYzgIqUUdRceIyrfnxP4UgKqijrjIMbeVvYyTY43anQHicoRYZCQXMaUQWk57xipFTCc-J6QKNPvh198PqtuBUBbg073Mw";
+    // The token was generated using the private key: https://github.com/IABTechLab/uid2-admin/blob/main/src/main/resources/localstack/kms/seed.yaml#L9
+    private final static String VALID_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjQ4NDgzNjAxNjgsImlhdCI6MTY5MjY4NjU3NCwic3ViIjoiS0FPUnhzUGRycDRqVnBQcWIwS2dwWWFsRjVSekJwZXAwZGR2UStsakYzdnltaFJYdjNDNkNJWERmaE5KV2RvYmN6bW9pZWU5R0kwMFZybHRMYm1xVUE9PSIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA5MCIsIm9wZXJhdG9yVmVyc2lvbiI6IlNwZWNpYWx8dWlkMi1vcGVyYXRvcnwyLjcuMTYtU05BUFNIT1QiLCJlbmNsYXZlVHlwZSI6InRydXN0ZWQiLCJyb2xlcyI6Ik9QVE9VVCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4OCIsIm5hbWUiOiJTcGVjaWFsIiwic2l0ZUlkIjoiOTk5IiwiZW5jbGF2ZUlkIjoiVHJ1c3RlZCIsImp0aSI6ImR1bW15SnRpIn0.MLfb17MtIay-RzDEmrzC4gUHyNAXpBIFJai1-aiFIOmrejInqKDbYZdgnSAbPwHWPgExvr68dyCf362SZqjw3YyUDx6snQ47o3gAqrc0_reizkmgQ_xaa5useayg-8b8Csu9C7XaCoCo0c_Lq9pid34Kmx_LtC6l8rDmyY78AbiecdN_H90BmfCgm1-4QM4gGfjfKxyvkdPioYziAEw4QQ6X2SFiPMl36PCrHkc8UE0jgaI1xCYFghZTBJ0BonIOVoGYEZld-s9OIWtMWx58HYFXygIRLMS0y5_bDq2JCiQx7KNJtckUh8E3PGkaQAHoWjHf9URSusrM_R06tJRxYQ";
+    private final static String EXPIRED_TOKEN = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTIzODE2MzMsImlhdCI6MTY5MjY3OTg3NSwic3ViIjoiZ1k1b1hUNmZaeG5xcVZhdFNHVnE4dU9xOW1tcVEvc1A4cU9SRzZ5UStraUZyNHJCQWR6SFBORXpQTXFxK3JlNFEvb1ovaXFqa0IvL3dBLzAxT2w3RkE9PSIsImF1ZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA5MCIsIm9wZXJhdG9yVmVyc2lvbiI6IlNwZWNpYWwgKE9sZCwgUHJpdmF0ZSl8dWlkMi1vcGVyYXRvcnwyLjcuMTYtU05BUFNIT1QiLCJlbmNsYXZlVHlwZSI6InRydXN0ZWQiLCJyb2xlcyI6Ik9QVE9VVCIsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4OCIsIm5hbWUiOiJTcGVjaWFsIChPbGQsIFByaXZhdGUpIiwic2l0ZUlkIjoiOTk5IiwiZW5jbGF2ZUlkIjoiVHJ1c3RlZCIsImp0aSI6ImR1bW15SnRpIn0.NMJPbN_hCGkxWK9ZEBhsHKHxdXvElCDsgph4NBiMNtGVe-Yw7nZxYDpyw9cvEws9EPckMgDXfOGo9SqOhHbsapB0-JDLVebHk2yXpzft1DRF7zoY7MLXdoV5-apZDeRmJyuCAtGVpKpP03CoJ-8Dd9FETmk8x4GE0JktkKi1O7WnyNv7g8bqI8IR-VCi83sjTeQrQSBj1sV0VCYPIcg5dFcgApiYt_b2u7ugM0B090IsKK-ChigC6jKHqKLlRT5OlvnR5y7q9D37MIgsDQQbqRNaAsWzFjk1HA1iHTodNO4FlWyYJsrpC_XBnZzqqu2YLQ00cSMO2i--Cycjgmvt5A";
     private final static String INVALID_TOKEN = "invalid_token";
     private final static String PUBLIC_KEY_STRING = "-----BEGIN PUBLIC KEY-----\n" +
             "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmvwB41qI5Fe41PDbXqcX\n" +
@@ -73,6 +74,7 @@ void validateTokenSucceeds() {
         assertEquals("trusted", validationResponse.getEnclaveType());
         assertEquals(999, validationResponse.getSiteId());
         assertEquals("Special|uid2-operator|2.7.16-SNAPSHOT", validationResponse.getOperatorVersion());
+        assertEquals("dummyJti", validationResponse.getJti());
     }
 
     @Test

src/test/java/com/uid2/shared/middleware/AttestationMiddlewareTest.java

@@ -78,13 +78,15 @@ private void verifyAuditLogFilledWithJwt(JwtValidationResponse response) {
         }
         Assertions.assertEquals(expectedJwtRoles, auditLogUserDetailsActual.getJsonArray("jwt_roles"));
         Assertions.assertEquals(response.getSubject(), auditLogUserDetailsActual.getString("jwt_subject"));
+        Assertions.assertEquals(response.getJti(), auditLogUserDetailsActual.getString("token_id"));
 
     }
 
     @Test
-    void trustedValidJwtNoRolesReturnsSuccess() throws JwtService.ValidationException {
+    void trustedValidJwtNoJtiReturnsSuccess() throws JwtService.ValidationException {
         var attestationMiddleware = getAttestationMiddleware(true);
         JwtValidationResponse response = new JwtValidationResponse(true)
+                .withRoles(Role.OPERATOR, Role.SUPER_USER, Role.OPTOUT)
                 .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST);
         when(this.jwtService.validateJwt("dummy jwt", JWT_AUDIENCE, JWT_ISSUER)).thenReturn(response);
 
@@ -95,12 +97,28 @@ void trustedValidJwtNoRolesReturnsSuccess() throws JwtService.ValidationExceptio
         verifyAuditLogFilledWithJwt(response);
     }
 
+    @Test
+    void trustedValidJwtNoRolesReturnsSuccess() throws JwtService.ValidationException {
+        var attestationMiddleware = getAttestationMiddleware(true);
+        JwtValidationResponse response = new JwtValidationResponse(true)
+                .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST)
+                .withJti("dummyJti");
+        when(this.jwtService.validateJwt("dummy jwt", JWT_AUDIENCE, JWT_ISSUER)).thenReturn(response);
+
+        var handler = attestationMiddleware.handle(nextHandler);
+        handler.handle(this.routingContext);
+
+        verify(nextHandler).handle(routingContext);
+        verifyAuditLogFilledWithJwt(response);
+    }
+
     @Test
     void trustedValidJwtHasRequiredRoleReturnsSuccess() throws JwtService.ValidationException {
         var attestationMiddleware = getAttestationMiddleware(true);
         JwtValidationResponse response = new JwtValidationResponse(true)
                 .withRoles(Role.OPERATOR, Role.SUPER_USER, Role.OPTOUT)
-                .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST);
+                .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST)
+                .withJti("dummyJti");
         when(this.jwtService.validateJwt("dummy jwt", JWT_AUDIENCE, JWT_ISSUER)).thenReturn(response);
 
         var handler = attestationMiddleware.handle(nextHandler, Role.OPERATOR);
@@ -115,7 +133,8 @@ void trustedValidJwtHasMultipleRolesReturnsSuccess() throws JwtService.Validatio
         var attestationMiddleware = getAttestationMiddleware(true);
         JwtValidationResponse response = new JwtValidationResponse(true)
                 .withRoles(Role.OPERATOR, Role.SUPER_USER, Role.OPTOUT)
-                .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST);
+                .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST)
+                .withJti("dummyJti");
         when(this.jwtService.validateJwt("dummy jwt", JWT_AUDIENCE, JWT_ISSUER)).thenReturn(response);
 
         var handler = attestationMiddleware.handle(nextHandler, Role.OPERATOR, Role.SUPER_USER);
@@ -130,7 +149,8 @@ void trustedValidJwtMissingRequiredRoleReturns401() throws JwtService.Validation
         var attestationMiddleware = getAttestationMiddleware(true);
         JwtValidationResponse response = new JwtValidationResponse(true)
                 .withRoles(Role.OPTOUT)
-                .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST);
+                .withSubject(EXPECTED_OPERATOR_KEY_HASH_DIGEST)
+                .withJti("dummyJti");
         when(this.jwtService.validateJwt("dummy jwt", JWT_AUDIENCE, JWT_ISSUER)).thenReturn(response);
 
         var handler = attestationMiddleware.handle(nextHandler, Role.OPERATOR);

src/test/java/com/uid2/shared/middleware/AuthMiddlewareTest.java

@@ -115,9 +115,9 @@ private void verifyAuditLogFilled() {
         verify(routingContext).put(keyArgumentCaptor.capture(), jsonObjectArgumentCaptor.capture());
         JsonObject auditLogUserDetailsActual = jsonObjectArgumentCaptor.getValue();
         Assertions.assertEquals(Audit.USER_DETAILS, keyArgumentCaptor.getValue());
-        Assertions.assertEquals(operatorKey.getName(), auditLogUserDetailsActual.getString("operator_key_name"));
-        Assertions.assertEquals(operatorKey.getContact(), auditLogUserDetailsActual.getString("operator_key_contact"));
-        Assertions.assertEquals(operatorKey.getSiteId().toString(), auditLogUserDetailsActual.getString("operator_key_site_id"));
+        Assertions.assertEquals(operatorKey.getKeyId(), auditLogUserDetailsActual.getString("key_id"));
+        Assertions.assertEquals(operatorKey.getName(), auditLogUserDetailsActual.getString("key_name"));
+        Assertions.assertEquals(operatorKey.getSiteId().toString(), auditLogUserDetailsActual.getString("participant_id"));
     }
 
     @Test