Add rotation harness and rotate token signing keys

builders/build.yaml

@@ -461,6 +461,56 @@ steps:
   - 'push-modeler'
 
 
+#
+# rotation
+#
+- id: 'build-rotation'
+  name: 'golang:1.15.2'
+  args:
+  - 'go'
+  - 'build'
+  - '-trimpath'
+  - '-ldflags=-s -w -X=${_REPO}/pkg/buildinfo.BuildID=${BUILD_ID} -X=${_REPO}/pkg/buildinfo.BuildTag=${_TAG} -extldflags=-static'
+  - '-o=./bin/rotation'
+  - './cmd/rotation'
+  waitFor:
+  - 'download-modules'
+
+- id: 'dockerize-rotation'
+  name: 'docker:19'
+  args:
+  - 'build'
+  - '--file=builders/service.dockerfile'
+  - '--tag=gcr.io/${PROJECT_ID}/${_REPO}/rotation:${_TAG}'
+  - '--build-arg=SERVICE=rotation'
+  - '.'
+  waitFor:
+  - 'build-rotation'
+
+- id: 'push-rotation'
+  name: 'docker:19'
+  args:
+  - 'push'
+  - 'gcr.io/${PROJECT_ID}/${_REPO}/rotation:${_TAG}'
+
+- id: 'attest-rotation'
+  name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:307.0.0'
+  args:
+  - 'bash'
+  - '-eEuo'
+  - 'pipefail'
+  - '-c'
+  - |-
+    ARTIFACT_URL=$(docker inspect gcr.io/${PROJECT_ID}/${_REPO}/rotation:${_TAG} --format='{{index .RepoDigests 0}}')
+    gcloud beta container binauthz attestations sign-and-create \
+      --project "${PROJECT_ID}" \
+      --artifact-url "$${ARTIFACT_URL}" \
+      --attestor "${_BINAUTHZ_ATTESTOR}" \
+      --keyversion "${_BINAUTHZ_KEY_VERSION}"
+  waitFor:
+  - 'push-rotation'
+
+
 #
 # server
 #

builders/deploy.yaml

@@ -169,6 +169,29 @@ steps:
   waitFor:
   - '-'
 
+
+#
+# rotation
+#
+- id: 'deploy-rotation'
+  name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:307.0.0-alpine'
+  args:
+  - 'bash'
+  - '-eEuo'
+  - 'pipefail'
+  - '-c'
+  - |-
+    gcloud run deploy "rotation" \
+      --quiet \
+      --project "${PROJECT_ID}" \
+      --platform "managed" \
+      --region "${_REGION}" \
+      --image "gcr.io/${PROJECT_ID}/${_REPO}/rotation:${_TAG}" \
+      --no-traffic
+  waitFor:
+  - '-'
+
+
 #
 # server
 #

builders/promote.yaml

@@ -162,6 +162,26 @@ steps:
   waitFor:
   - '-'
 
+#
+# rotation
+#
+- id: 'promote-rotation'
+  name: 'gcr.io/google.com/cloudsdktool/cloud-sdk:307.0.0-alpine'
+  args:
+  - 'bash'
+  - '-eEuo'
+  - 'pipefail'
+  - '-c'
+  - |-
+    gcloud run services update-traffic "rotation" \
+      --quiet \
+      --project "${PROJECT_ID}" \
+      --platform "managed" \
+      --region "${_REGION}" \
+      --to-revisions "${_REVISION}=${_PERCENTAGE}"
+  waitFor:
+  - '-'
+
 #
 # server
 #

cmd/cleanup/main.go

@@ -26,6 +26,7 @@ import (
 	"github.com/google/exposure-notifications-verification-server/pkg/controller/middleware"
 	"github.com/google/exposure-notifications-verification-server/pkg/render"
 
+	"github.com/google/exposure-notifications-server/pkg/keys"
 	"github.com/google/exposure-notifications-server/pkg/logging"
 	"github.com/google/exposure-notifications-server/pkg/observability"
 	"github.com/google/exposure-notifications-server/pkg/server"
@@ -96,6 +97,16 @@ func realMain(ctx context.Context) error {
 		return fmt.Errorf("failed to create renderer: %w", err)
 	}
 
+	// Get token key manager.
+	tokenSigner, err := keys.KeyManagerFor(ctx, &cfg.TokenSigning.Keys)
+	if err != nil {
+		return fmt.Errorf("failed to token signing key manager: %w", err)
+	}
+	tokenSignerTyp, ok := tokenSigner.(keys.SigningKeyManager)
+	if !ok {
+		return fmt.Errorf("token signing key manage is not a signing key manager (is %T)", tokenSigner)
+	}
+
 	// Create the router
 	r := mux.NewRouter()
 
@@ -110,10 +121,7 @@ func realMain(ctx context.Context) error {
 	populateLogger := middleware.PopulateLogger(logger)
 	r.Use(populateLogger)
 
-	cleanupController, err := cleanup.New(ctx, cfg, db, h)
-	if err != nil {
-		return fmt.Errorf("failed to create cleanup controller: %w", err)
-	}
+	cleanupController := cleanup.New(cfg, db, tokenSignerTyp, h)
 	r.Handle("/", cleanupController.HandleCleanup()).Methods("GET")
 
 	srv, err := server.New(cfg.Port)

cmd/rotation/main.go

@@ -0,0 +1,133 @@
+// Copyright 2021 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// This server implements the database cleanup. The server itself is unauthenticated
+// and should not be deployed as a public service.
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/google/exposure-notifications-verification-server/pkg/buildinfo"
+	"github.com/google/exposure-notifications-verification-server/pkg/config"
+	"github.com/google/exposure-notifications-verification-server/pkg/controller/middleware"
+	"github.com/google/exposure-notifications-verification-server/pkg/controller/rotation"
+	"github.com/google/exposure-notifications-verification-server/pkg/render"
+
+	"github.com/google/exposure-notifications-server/pkg/keys"
+	"github.com/google/exposure-notifications-server/pkg/logging"
+	"github.com/google/exposure-notifications-server/pkg/observability"
+	"github.com/google/exposure-notifications-server/pkg/server"
+
+	"github.com/gorilla/mux"
+	"github.com/sethvargo/go-signalcontext"
+)
+
+func main() {
+	ctx, done := signalcontext.OnInterrupt()
+
+	logger := logging.NewLoggerFromEnv().
+		With("build_id", buildinfo.BuildID).
+		With("build_tag", buildinfo.BuildTag)
+	ctx = logging.WithLogger(ctx, logger)
+
+	defer func() {
+		done()
+		if r := recover(); r != nil {
+			logger.Fatalw("application panic", "panic", r)
+		}
+	}()
+
+	err := realMain(ctx)
+	done()
+
+	if err != nil {
+		logger.Fatal(err)
+	}
+	logger.Info("successful shutdown")
+}
+
+func realMain(ctx context.Context) error {
+	logger := logging.FromContext(ctx)
+
+	cfg, err := config.NewRotationConfig(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to process config: %w", err)
+	}
+
+	// Setup monitoring
+	logger.Info("configuring observability exporter")
+	oeConfig := cfg.ObservabilityExporterConfig()
+	oe, err := observability.NewFromEnv(oeConfig)
+	if err != nil {
+		return fmt.Errorf("unable to create ObservabilityExporter provider: %w", err)
+	}
+	if err := oe.StartExporter(ctx); err != nil {
+		return fmt.Errorf("error initializing observability exporter: %w", err)
+	}
+	defer oe.Close()
+	ctx, obs := middleware.WithObservability(ctx)
+	logger.Infow("observability exporter", "config", oeConfig)
+
+	// Setup database
+	db, err := cfg.Database.Load(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to load database config: %w", err)
+	}
+	if err := db.Open(ctx); err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer db.Close()
+
+	// Create the renderer
+	h, err := render.New(ctx, "", cfg.DevMode)
+	if err != nil {
+		return fmt.Errorf("failed to create renderer: %w", err)
+	}
+
+	// Get token key manager.
+	tokenSigner, err := keys.KeyManagerFor(ctx, &cfg.TokenSigning.Keys)
+	if err != nil {
+		return fmt.Errorf("failed to token signing key manager: %w", err)
+	}
+	tokenSignerTyp, ok := tokenSigner.(keys.SigningKeyManager)
+	if !ok {
+		return fmt.Errorf("token signing key manage is not a signing key manager (is %T)", tokenSigner)
+	}
+
+	// Create the router
+	r := mux.NewRouter()
+
+	// Common observability context
+	r.Use(obs)
+
+	// Request ID injection
+	populateRequestID := middleware.PopulateRequestID(h)
+	r.Use(populateRequestID)
+
+	// Logger injection
+	populateLogger := middleware.PopulateLogger(logger)
+	r.Use(populateLogger)
+
+	rotationController := rotation.New(cfg, db, tokenSignerTyp, h)
+	r.Handle("/", rotationController.HandleRotate()).Methods("GET")
+
+	srv, err := server.New(cfg.Port)
+	if err != nil {
+		return fmt.Errorf("failed to create server: %w", err)
+	}
+	logger.Infow("server listening", "port", cfg.Port)
+	return srv.ServeHTTPHandler(ctx, r)
+}

pkg/config/cleanup_server_config.go

@@ -31,20 +31,28 @@ type CleanupConfig struct {
 	Database      database.Config
 	Observability observability.Config
 
+	// TokenSigning is the token signing configuration to purge old keys in the
+	// key manager when they are cleaned.
+	TokenSigning TokenSigningConfig
+
 	// DevMode produces additional debugging information. Do not enable in
 	// production environments.
 	DevMode bool `env:"DEV_MODE"`
 
+	// Port is the port on which to bind.
 	Port string `env:"PORT,default=8080"`
 
-	RateLimit uint64 `env:"RATE_LIMIT,default=60"`
-
 	// Cleanup config
 	AuditEntryMaxAge    time.Duration `env:"AUDIT_ENTRY_MAX_AGE, default=720h"`
 	AuthorizedAppMaxAge time.Duration `env:"AUTHORIZED_APP_MAX_AGE, default=336h"`
 	CleanupPeriod       time.Duration `env:"CLEANUP_PERIOD, default=15m"`
 	MobileAppMaxAge     time.Duration `env:"MOBILE_APP_MAX_AGE, default=168h"`
-	UserPurgeMaxAge     time.Duration `env:"USER_PURGE_MAX_AGE, default=720h"`
+
+	// SigningTokenKeyMaxAge is the maximum amount of time that a rotated signing
+	// token key should remain unpurged.
+	SigningTokenKeyMaxAge time.Duration `env:"SIGNING_TOKEN_KEY_MAX_AGE, default=36h"`
+
+	UserPurgeMaxAge time.Duration `env:"USER_PURGE_MAX_AGE, default=720h"`
 	// VerificationCodeMaxAge is the period in which the full code should be available.
 	// After this time it will be recycled. The code will be zeroed out, but its status persist.
 	VerificationCodeMaxAge time.Duration `env:"VERIFICATION_CODE_MAX_AGE, default=48h"`