UID2-3506 Add functionality on oncall page to list related keysets and rotate them #329
Conversation
cYKatherine
changed the title
cYKatherine
force-pushed
the
kcc-UID2-3506-list-keys-need-to-be-rotated
branch
2 times, most recently
from
f84c010 to
76379a2
Compare
cYKatherine
force-pushed
the
kcc-UID2-3506-list-keys-need-to-be-rotated
branch
from
76379a2 to
413f065
Compare
cYKatherine
force-pushed
the
kcc-UID2-3506-list-keys-need-to-be-rotated
branch
from
ef3020c to
837ddbb
Compare
cYKatherine
force-pushed
the
kcc-UID2-3506-list-keys-need-to-be-rotated
branch
from
ab04e93 to
d7515d8
Compare
cYKatherine
force-pushed
the
kcc-UID2-3506-list-keys-need-to-be-rotated
branch
from
d7515d8 to
9875b73
Compare
webroot/js/participantSummary.js
Outdated
| const ja = JSON.parse(keysets); | ||
| var rotateKeysetsMessage = ''; | ||
| ja.forEach((keyset) => { | ||
| var url = `/api/key/rotate_keyset_key?min_age_seconds=3600&keyset_id=${keyset.keyset_id}&force=true`; |
There was a problem hiding this comment.
I doublechecked the code, the min age seconds doesn't matter if we set force to true, maybe we can just set min_age_seconds=0 here
There was a problem hiding this comment.
Yes, I tried setting min_age_seconds=0 but it will return with 404 as it needs a positive integer 😢 I can change it to 1 if that makes more sense 🤷♀️
There was a problem hiding this comment.
should we make min_age_seconds=0 not return a 404 then and get rid of force?
There was a problem hiding this comment.
Lemme separate that to a new ticket as it's behaviour change 😢 and need some extra frontend work
There was a problem hiding this comment.
|
Just want to confirm, it looks like the Rotate All Keys will also rotate master keys and site keys for ID_READER? |
Technically speaking this shouldn't happen. master keys and site keys (with site id |
| // b. If this participant has a client key with ID_READER role, we want to rotate all the keysets where allowed_sites is set to null | ||
| // c. Keysets where allowed_sites include the leaked site | ||
| // d. Keysets belonging to the leaked site itself | ||
| if (containsAny(keyset.getValue().getAllowedTypes(), clientTypes) || |
There was a problem hiding this comment.
Btw there is a method canClientAccessKey which is the source of truth.
Would be great if we could use that here, although might not be feasible. If we can't use it, still worth mentioning it here as a comment.
| void RelatedKeysetSetsWithClientTypes(Vertx vertx, VertxTestContext testContext) { | ||
| fakeAuth(Role.MAINTAINER); | ||
|
|
||
| AdminKeyset adminKeyset1 = new AdminKeyset(3, 5, "test", Set.of(4,6,7), Instant.now().getEpochSecond(),true, true, new HashSet<>(Arrays.asList(ClientType.DSP, ClientType.PUBLISHER))); |
There was a problem hiding this comment.
might be worth checking out the test cases for canClientAccessKey
webroot/js/participantSummary.js
Outdated
| const ja = JSON.parse(keysets); | ||
| var rotateKeysetsMessage = ''; | ||
| ja.forEach((keyset) => { | ||
| var url = `/api/key/rotate_keyset_key?min_age_seconds=3600&keyset_id=${keyset.keyset_id}&force=true`; |
There was a problem hiding this comment.
should we make min_age_seconds=0 not return a 404 then and get rid of force?
|
did we add some text / warning about what will happen when you click Rotate? |
Done |
|
|
||
| <div class="col"> | ||
| <a href="#" class="btn btn-primary" id="doRotateKeysets">Rotate Keysets</a> | ||
| <div>Note: Once rotated, the participant will need to get a new refresh key to be able to decrypt data.</div> |
There was a problem hiding this comment.
Suggested wording:
"Normally, keys don't become active for 24 hours when rotated, which gives participants 24 hours before they need to call sdk.refresh().
However in this case, rotation will make the new keys active immediately. This means participants will not be able to decrypt newly created UID tokens until they have called sdk.refresh(). Note that we recommend calling sdk.refresh() once per hour".
UI looks below. It will highlight the reason why the keyset is related to the participant. Also tested the rotation works.