Merge pull request #334 from xmidt-org/denopink/feature/jwk-migration

FR: JWK Migration

CHANGELOG.md

@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+
+## [v0.6.7]
 - Added latency metric, which Tracks the time spent waiting on outbound client URLs to respond. [#312](https://github.com/xmidt-org/caduceus/pull/312)
 - Dependency update, note vulnerabilities
   - github.com/hashicorp/consul/api v1.13.1 // indirect
@@ -15,6 +17,15 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
       - https://nvd.nist.gov/vuln/detail/CVE-2021-44716
   - Introduces new vuln https://www.mend.io/vulnerability-database/CVE-2022-29526
   -  guardrails says github.com/gorilla/websocket v1.5.0 has a high vulnerability but no vulnerabilities have been filed
+- JWT Migration #331 
+  - updated to use clortho `Resolver` & `Refresher`
+  - updated to use clortho `metrics` & `logging`
+- Update ancla client initialization
+- Update Config
+  - Use [uber/zap](https://github.com/uber-go/zap) for clortho logging
+  - Use [xmidt-org/sallust](https://github.com/xmidt-org/sallust) for the zap config unmarshalling 
+  - Update auth config for clortho
+  - Update ancla config
 
 ## [v0.6.6]
 - Fix a missing return after an invalid utf8 string is handled.  [#315](https://github.com/xmidt-org/caduceus/pull/315)
@@ -194,7 +205,8 @@ fixed build upload
 ### Added
 - Initial creation
 
-[Unreleased]: https://github.com/xmidt-org/caduceus/compare/v0.6.6...HEAD
+[Unreleased]: https://github.com/xmidt-org/caduceus/compare/v0.6.7...HEAD
+[v0.6.6]: https://github.com/xmidt-org/caduceus/compare/v0.6.6...v0.6.7
 [v0.6.6]: https://github.com/xmidt-org/caduceus/compare/v0.6.5...v0.6.6
 [v0.6.5]: https://github.com/xmidt-org/caduceus/compare/v0.6.4...v0.6.5
 [v0.6.4]: https://github.com/xmidt-org/caduceus/compare/v0.6.3...v0.6.4

caduceus.yaml

@@ -117,6 +117,12 @@ metric:
     # (Optional)
     subsystem: "caduceus"
 
+touchstone:
+  # DefaultNamespace is the prometheus namespace to apply when a metric has no namespace
+  defaultNamespace: "xmidt"
+  # DefaultSubsystem is the prometheus subsystem to apply when a metric has no subsystem
+  defaultSubsystem: "caduceus"
+
 ########################################
 #   Service Discovery Configuration
 ########################################
@@ -206,6 +212,35 @@ log:
   # (Optional) defaults to false
   json: true
 
+zap:
+  # OutputPaths is a list of URLs or file paths to write logging output to.
+  outputPaths:
+    - stdout
+    # - /var/log/caduceus/caduceus.log
+
+  # Level is the minimum enabled logging level. Note that this is a dynamic
+  # level, so calling Config.Level.SetLevel will atomically change the log
+  # level of all loggers descended from this config.
+  level: debug
+
+  # EncoderConfig sets options for the chosen encoder. See
+  # zapcore.EncoderConfig for details.
+  errorOutputPaths:
+    - stderr
+    # - /var/log/caduceus/caduceus.log
+
+  # EncoderConfig sets options for the chosen encoder. See
+  # zapcore.EncoderConfig for details.
+  encoderConfig:
+    messageKey: message
+    levelKey: key
+    levelEncoder: lowercase
+
+  # Encoding sets the logger's encoding. Valid values are "json" and
+  # "console", as well as any third-party encodings registered via
+  # RegisterEncoder.
+  encoding: json
+
 ########################################
 #   Authorization Related Configuration
 ########################################
@@ -217,12 +252,21 @@ log:
 # kid values and their associated information (expiration, etc) for JWTs
 # used as authorization.
 # (Optional)
-# jwtValidator:
-#   keys:
-#     factory:
-#       uri: "https://jwt.example.com/keys/{keyId}"
-#     purpose: 0
-#     updateInterval: 604800000000000
+jwtValidator:
+  Config:
+    Resolve:
+      # Template is a URI template used to fetch keys.  This template may
+	    # use a single parameter named keyID, e.g. http://keys.com/{keyID}.
+      # This field is required and has no default.
+      Template: "http://localhost/{keyID}"
+    Refresh:
+      Sources:
+        # URI is the location where keys are served.  By default, clortho supports
+        # file://, http://, and https:// URIs, as well as standard file system paths
+        # such as /etc/foo/bar.jwk.
+        #
+        # This field is required and has no default.
+        - URI: "http://localhost"
 
 # authHeader provides the list of basic auth headers that caduceus will accept
 # as authorization
@@ -274,7 +318,7 @@ webhook:
   # Raw: parser assumes all of the token payload == JWT token
   # (Optional). Defaults to 'simple'.
   JWTParserType: "raw"
-  argus: 
+  BasicClientConfig: 
     # listen is the subsection that configures the listening feature of the argus client
     # (Optional)
     listen:

caduceus_type.go

@@ -36,6 +36,7 @@ type CaduceusConfig struct {
 	Sender           SenderConfig
 	JWTValidators    []JWTValidator
 	Webhook          ancla.Config
+	Listener         ancla.ListenerConfig
 	AllowInsecureTLS bool
 }
 

go.mod

@@ -3,53 +3,29 @@ module github.com/xmidt-org/caduceus
 go 1.14
 
 require (
-	emperror.dev/errors v0.8.1 // indirect
-	github.com/armon/go-metrics v0.4.0 // indirect
-	github.com/c9s/goprocinfo v0.0.0-20210130143923-c95fcf8c64a8 // indirect
+	emperror.dev/emperror v0.33.0
 	github.com/davecgh/go-spew v1.1.1
 	github.com/go-kit/kit v0.12.0
-	github.com/go-zookeeper/zk v1.0.3 // indirect
-	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/gorilla/mux v1.8.0
-	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/hashicorp/consul/api v1.13.1 // indirect
-	github.com/hashicorp/go-hclog v1.2.2 // indirect
-	github.com/hashicorp/serf v0.9.8 // indirect
-	github.com/influxdata/influxdb1-client v0.0.0-20220302092344-a9ab5670611c // indirect
 	github.com/justinas/alice v1.2.0
-	github.com/pelletier/go-toml/v2 v2.0.2 // indirect
-	github.com/prometheus/client_golang v1.13.0 // indirect
-	github.com/samuel/go-zookeeper v0.0.0-20201211165307-7117e9ea2414 // indirect
+	github.com/prometheus/client_golang v1.13.0
 	github.com/satori/go.uuid v1.2.0
-	github.com/segmentio/ksuid v1.0.4 // indirect
-	github.com/spaolacci/murmur3 v1.1.0 // indirect
-	github.com/spf13/afero v1.9.2 // indirect
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.12.0
 	github.com/stretchr/testify v1.8.0
-	github.com/subosito/gotenv v1.4.0 // indirect
-	github.com/ugorji/go v1.2.7 // indirect
-	github.com/xmidt-org/ancla v0.3.9
-	github.com/xmidt-org/bascule v0.10.2
+	github.com/xmidt-org/ancla v0.3.10
+	github.com/xmidt-org/bascule v0.11.0
 	github.com/xmidt-org/candlelight v0.0.10
+	github.com/xmidt-org/clortho v0.0.4
 	github.com/xmidt-org/httpaux v0.3.2
-	github.com/xmidt-org/sallust v0.1.6 // indirect
-	github.com/xmidt-org/themis v0.4.8 // indirect
-	github.com/xmidt-org/touchstone v0.1.1 // indirect
-	github.com/xmidt-org/webpa-common v1.11.9 // indirect
-	github.com/xmidt-org/webpa-common/v2 v2.0.6
-	github.com/xmidt-org/wrp-go/v3 v3.1.3
+	github.com/xmidt-org/sallust v0.1.6
+	github.com/xmidt-org/touchstone v0.1.2
+	github.com/xmidt-org/webpa-common/v2 v2.0.7
+	github.com/xmidt-org/wrp-go/v3 v3.1.4
 	go.opentelemetry.io/contrib v1.8.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/github.com/gorilla/mux/otelmux v0.34.0
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.34.0
-	go.opentelemetry.io/otel/exporters/jaeger v1.9.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout v0.20.0 // indirect
-	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.9.0 // indirect
-	go.opentelemetry.io/otel/exporters/zipkin v1.9.0 // indirect
-	go.uber.org/dig v1.15.0 // indirect
-	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
-	golang.org/x/sys v0.0.0-20220804214406-8e32c043e418 // indirect
-	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
-	gopkg.in/ini.v1 v1.66.6 // indirect
+	go.uber.org/zap v1.23.0
+
 )