Upgrade Guardian services to Panda v7 - support key rotation

[rtyley]

Guardian services using Panda

• GitHub Search
• metrics.gutools.co.uk - Grafana dashboard using service catalogue

ELK logs for Settings.Refresher

Migration pathway

Best to jump straight to Panda v7, without stopping off on v5/v6 on the way, as the location of the private/public key fields has changed and is eventually removed in favour of the verification/signingAndVerification fields - so avoid multiple changes and jump straight to using those.

Necessary changes to code using Panda

• Panda v5:
  • Use java.security classes in preference to string-wrappers #147 removed the old PublicKey & PrivateKey classes in our com.gu.pandomainauth package, in favour of using the existing java.security classes. To create instances of those classes, we can use the SettingsReader.{privateKeyFor, publicKeyFor} methods.
• Panda v6:
  • Fix creation of superfluous PanDomainAuthSettingsRefresher instances, make panDomainSettings a val #155 requires panDomainSettings is a val, not a def
  • Refactor Settings loading-&-parsing #151 introduced the new S3BucketLoader abstraction, which simplifies constructing a PanDomainAuthSettingsRefresher and means that Panda is no longer tied to AWS SDK v1. Examples: tagmanager, login.gutools
  • Refactor Cookie generation-&-parsing #152 means the CookieUtils.generateCookieData() method now communicates errors with CookieResult values containing CookieIntegrityFailure, rather than exceptions.
• Panda v7:
  • Support accepting multiple public keys #150 means that code shouldn't directly reference private or public keys anymore (eg do not reference settings.signingKeyPair). Instead, use settings.signingAndVerification or publicSettings.verification. Note also that publicSettings.publicKey was previously optional, and publicSettings.verification is not.

Services using Panda

Content Production

Trello cards:

• Review initial Panda v7 PRs - Support key rotation
• Upgrade all apps to pan-domain-auth 7.0

PRs:

• Upgrade to Panda v7 - support key rotation atom-workshop#361
• Upgrade to Panda v7 - support key rotation login.gutools#81
  • Update to Panda v5 login.gutools#82
• Upgrade to Panda v7 - support key rotation s3-upload#58
• Upgrade to Panda v7 - support key rotation tagmanager#535
  • Update to Java 11 tagmanager#534
• Upgrade to Panda v7 - support key rotation grid#4330
  • Update to Java 11 grid#4329
• https://github.com/guardian/presence-indicator/pull/201
  • https://github.com/guardian/presence-indicator/pull/200

Newsroom Resilience

• https://github.com/guardian/crosswordv2
• https://github.com/guardian/birthdays
• https://github.com/guardian/editorial-wires
• https://github.com/guardian/newswires
• https://github.com/guardian/remote-machines

WebX

• Upgrade to Panda v7 - support key rotation frontend#27493

MSS

• https://github.com/guardian/mobile-apps-api/pull/3240 replaces https://github.com/guardian/mobile-apps-api/pull/3210
• https://github.com/guardian/mobile-entry/pull/99

Investigations & Reporting

• Upgrade to Panda v7 - support key rotation giant#247

Minimum subset of systems we'd want to have on Panda v7 before performing a rotation

• tagmanager - Upgrade to Panda v7 - support key rotation tagmanager#535
• grid - Upgrade to Panda v7 - support key rotation grid#4330
• flexible-content
• workflow-frontend
• facia-tool
• presence-indicator - https://github.com/guardian/presence-indicator/pull/201
• newswires & editorial-wires