Merge 2473c98 into c9f4b6e

cerberus-auth-connector-okta/src/main/java/com/nike/cerberus/auth/connector/config/OktaConfiguration.java

@@ -14,12 +14,12 @@
 
 @Slf4j
 @Configuration
-@ConditionalOnProperty("cerberus.userAuth.connector.okta.enabled")
+@ConditionalOnProperty("cerberus.auth.user.connector.okta.enabled")
 @ComponentScan({"com.nike.cerberus.auth.connector.okta"})
 public class OktaConfiguration {
 
   @Bean
-  @ConfigurationProperties("cerberus.user-auth.connector.okta")
+  @ConfigurationProperties("cerberus.auth.user.connector.okta")
   public OktaConfigurationProperties oktaConfigurationProperties() {
     return new OktaConfigurationProperties();
   }

cerberus-auth-connector-onelogin/src/main/java/com/nike/cerberus/auth/connector/config/OneLoginConfiguration.java

@@ -10,12 +10,12 @@
 
 @Slf4j
 @Configuration
-@ConditionalOnProperty("cerberus.userAuth.connector.oneLogin.enabled")
+@ConditionalOnProperty("cerberus.auth.user.connector.oneLogin.enabled")
 @ComponentScan({"com.nike.cerberus.auth.connector.onelogin"})
 public class OneLoginConfiguration {
 
   @Bean
-  @ConfigurationProperties("cerberus.user-auth.connector.one-login")
+  @ConfigurationProperties("cerberus.auth.user.connector.one-login")
   public OneLoginConfigurationProperties oneLoginConfigurationProperties() {
     return new OneLoginConfigurationProperties();
   }

cerberus-web/src/main/java/com/nike/cerberus/config/ApplicationConfiguration.java

@@ -107,7 +107,7 @@ public Validator getJsr303Validator() { // todo is this already available as a b
   @Bean
   public Cache<AwsIamKmsAuthRequest, EncryptedAuthDataWrapper> kmsAuthCache(
       MetricsService metricsService,
-      @Value("${cms.iam.token.cache.maxAgeInSeconds:10}") int maxAge) {
+      @Value("${cerberus.auth.iam.kms.cache.maxAgeInSeconds:10}") int maxAge) {
 
     return new MetricReportingCache<>("auth.kms", maxAge, metricsService, null);
   }

cerberus-web/src/main/java/com/nike/cerberus/jobs/DataKeyRotationJob.java

@@ -20,10 +20,12 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Component;
 
 @Slf4j
+@ConditionalOnProperty("cerberus.jobs.dataKeyRotationJob.enabled")
 @Component
 public class DataKeyRotationJob extends LockingJob {
 

cerberus-web/src/main/java/com/nike/cerberus/jobs/ExpiredTokenCleanUpJob.java

@@ -20,10 +20,12 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Component;
 
 @Slf4j
+@ConditionalOnProperty("cerberus.jobs.expiredTokenCleanUpJob.enabled")
 @Component
 public class ExpiredTokenCleanUpJob extends LockingJob {
 

cerberus-web/src/main/java/com/nike/cerberus/jobs/HystrixMetricsProcessingJob.java

@@ -24,11 +24,13 @@
 import java.util.Map;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Component;
 
 /** Periodically print Hystrix metrics to the log. */
 @Slf4j
+@ConditionalOnProperty("cerberus.jobs.hystrixMetricsProcessingJob.enabled")
 @Component
 public class HystrixMetricsProcessingJob {
   private final MetricsService metricsService;

cerberus-web/src/main/java/com/nike/cerberus/jobs/InactiveKmsKeyCleanUpJob.java

@@ -21,11 +21,13 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Component;
 
 /** Scans through the data store and deletes in-active KMS CMKs */
 @Slf4j
+@ConditionalOnProperty("cerberus.jobs.inactiveKmsKeyCleanUpJob.enabled")
 @Component
 public class InactiveKmsKeyCleanUpJob extends LockingJob {
 

cerberus-web/src/main/java/com/nike/cerberus/jobs/KpiMetricsProcessingJob.java

@@ -25,11 +25,13 @@
 import java.util.Map;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Component;
 
 /** Periodically send KPI metrics to the enabled metrics services. */
 @Slf4j
+@ConditionalOnProperty("cerberus.jobs.kpiMetricsProcessingJob.enabled")
 @Component
 public class KpiMetricsProcessingJob {
 

cerberus-web/src/main/java/com/nike/cerberus/jobs/OrphanedKmsKeyCleanUpJob.java

@@ -12,6 +12,7 @@
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.scheduling.annotation.Scheduled;
 import org.springframework.stereotype.Component;
 
@@ -25,6 +26,7 @@
  * <p>Orphaned keys can be created due to a race condition from lazily creating KMS CMKs for auth.
  */
 @Slf4j
+@ConditionalOnProperty("cerberus.jobs.orphanedKmsKeyCleanUpJob.enabled")
 @Component
 public class OrphanedKmsKeyCleanUpJob extends LockingJob {
 

cerberus-web/src/main/java/com/nike/cerberus/service/AuthenticationService.java

@@ -115,12 +115,12 @@ public AuthenticationService(
       ObjectMapper objectMapper,
       @Value("${cerberus.admin.roles:#{null}}") String adminRoleArns,
       @Value("${cerberus.admin.group}") String adminGroup,
-      @Value("${cerberus.user.token.maxRefreshCount:#{0}}") int maxTokenRefreshCount,
+      @Value("${cerberus.auth.user.token.maxRefreshCount:#{0}}") int maxTokenRefreshCount,
       DateTimeSupplier dateTimeSupplier,
       AwsIamRoleArnParser awsIamRoleArnParser,
       AuthTokenService authTokenService,
-      @Value("${cerberus.user.token.ttl}") String userTokenTTL,
-      @Value("${cerberus.iam.token.ttl}") String iamTokenTTL,
+      @Value("${cerberus.auth.user.token.ttl}") String userTokenTTL,
+      @Value("${cerberus.auth.iam.token.ttl}") String iamTokenTTL,
       AwsIamRoleService awsIamRoleService,
       @Value("${cerberus.auth.iam.kms.cache.enabled:#{false}}") boolean cacheEnabled,
       Cache<AwsIamKmsAuthRequest, EncryptedAuthDataWrapper> kmsAuthCache) {

cerberus-web/src/main/java/com/nike/cerberus/service/KmsService.java

@@ -80,7 +80,7 @@ public KmsService(
       KmsPolicyService kmsPolicyService,
       DateTimeSupplier dateTimeSupplier,
       AwsIamRoleArnParser awsIamRoleArnParser,
-      @Value("${cerberus.kms.policy.validation.interval.millis:300000}")
+      @Value("${cerberus.auth.kms.policy.validation.interval.millis:300000}")
           int kmsKeyPolicyValidationInterval,
       @Value("${cerberus.environmentName}") String environmentName,
       Slugger slugger,

cerberus-web/src/main/java/com/nike/cerberus/service/PermissionValidationService.java

@@ -46,7 +46,8 @@
 @Component("permissionValidationService")
 public class PermissionValidationService {
 
-  public static final String USER_GROUPS_CASE_SENSITIVE = "${cerberus.user.groups.caseSensitive}";
+  public static final String USER_GROUPS_CASE_SENSITIVE =
+      "${cerberus.auth.user.groups.caseSensitive}";
 
   private final UserGroupPermissionService userGroupPermissionService;
   private final PermissionsDao permissionsDao;

cerberus-web/src/main/resources/cerberus.yaml

@@ -24,11 +24,12 @@ flyway:
   schemas: cms
   locations: classpath:com/nike/cerberus/migration/*.sql
 
+# Configure the mysql settings here
 jdbc:
   driver: com.mysql.jdbc.Driver
-#  url: jdbc:mysql://localhost:3306/cms?useUnicode=true&characterEncoding=utf8&useLegacyDatetimeCode=false&serverTimezone=UTC&useSSL=false
-#  username: yourDbUsername
-#  password: yourDbPassword
+  url: jdbc:mysql://localhost:3306/cms?useUnicode=true&characterEncoding=utf8&useLegacyDatetimeCode=false&serverTimezone=UTC&useSSL=false
+  username: encrypted:secrets-manager!r:some-region!s:some-secret!k:some-key
+  password: encrypted:secrets-manager!r:some-region!s:some-secret!k:some-key
 
 c3p0:
   initialPoolSize: 40
@@ -45,31 +46,51 @@ c3p0:
 cerberus:
   environmentName: TODO
   admin:
-#    roles: yourCommaDelimentatedListOfAdminArns
-#    group: yourAdminUserGroup
-  encryption.cache.enabled: false
-  auth:
-    iam:
-      kms:
-        rootUserArn:
-        adminRoleArn:
-        cmsRoleArn:
-        cache.enabled: false
-    token:
-      generate:
-        length: 64
-      hash:
-        iterations: 100
-        keyLength: 256
-        algorithm: PBKDF2WithHmacSHA512
-  user:
+    # These are aws principal that you want to allow to use the admin API
+    roles: ~
+    # The user group that the Cerberus operators belong to, this unlocks admin API perms
+    group: ~
+
+  encryption:
+    # comma delimited list of the CMKs for a KMS key that the iam role that Cerberus runs as has access to.
+    # These are normally generated by the lifecycle cli, you should have at least 2 from 2 different regions
+    cms.arns: ~
+    # Data Key Caching for the SDK Crypto Client
+    # Why you would want to enable this:
+    # KMS has an account wide API limit for KMS of 1200 RPS.
+    # Cerberus uses KMS to encrypt and decrypt its data, and by default will make an API call to KMS at least 1 per request.
+    # Enabling this cache will allow CMS to to skip calls to KMS for repeat reads of the same data.
+    cache:
+      enabled: false
+      encrypt:
+        maxSize: 1000
+        maxAgeInSecods: 60
+        messageUseLimit: 100
+      decrypt:
+        maxSize: 1000
+        maxAgeInSecods: 60
+
+  # Settings for the generation of auth tokens, these are the tokens that are issued to
+  # principals and are used to interact with the API
+  auth.token:
+    generate.length: 64
+    hash:
+      iterations: 100
+      keyLength: 256
+      algorithm: PBKDF2WithHmacSHA512
+      # This is the salt to use in the hashing algo, normally generated by the lifecycle cli
+      salt: encrypted:secrets-manager!r:some-region!s:some-secret!k:some-key
+
+  auth.iam:
+    token.ttl: 1h
+
+  auth.user:
+    # Toggles whether or not user groups are case sensitive in your Auth Connector impl.
     groups.caseSensitive: true
     token:
-      maxRefreshCount: 0
-      ttl: 1h
-  iam.token.ttl: 1h
-  kms.policy.validation.interval.millis: 300000
-  userAuth:
+      maxRefreshCount: 0 # How often User Principals are allowed to refresh there auth token
+      ttl: 1h # How long user tokens are valid for.
+    # You can configure which User Authentication Connector to use here, you must enable one and only one.
     connector:
       okta:
         enabled: false
@@ -80,60 +101,98 @@ cerberus:
 #        clientId: yourClientId
 #        clientSecret: yourClientSecret
 #        subdomain: yourSubDomain
+
+
+  auth.iam.kms:
+    # This should be the root user for the account that this service will be ran in, so that KMS keys can be managed by that user
+    rootUserArn: ~
+    # This should be some sort of roll that your team can assume, its ok to re-use the cms role arn here. This will be used when created the kms keys for auth to allow your team to manage them
+    adminRoleArn: ~
+    # This should be the role that this service will have as its instance profile when running, this will be used when created the kms keys for auth to allow cerberus to manage them
+    cmsRoleArn: ~
+    # When an IAM Principal is deleted externally this makes the KMS key policy invalid, this controls how often Cerberus should check that a policy is valid and attempt to fix it.
+    policy.validation.interval.millis: 300000
+
+    # Enable caching the generated encrypted AWS IAM KMS Auth object, so that burst authentication of the same
+    # principal do not result in repeat KMS encrypt calls
+    # Why you would want to enable this:
+    # KMS has an account wide API limit for KMS of 1200 RPS.
+    # Cerberus uses KMS to encrypt the auth payload, and by default will make an API call to KMS at least 1 per request.
+    # Enabling this cache will allow CMS to to skip calls to KMS for repeat authenticates of the same IAM principal.
+    cache:
+      enabled: false
+      maxAgeInSeconds: 10
+
   metricsService:
     # If you do not supply your own impl of com.nike.cerberus.metrics.MetricsService on the classpath then the LoggingMetricsService is used.
-    # You can configure what log level and how frequently to log custom metrics at here.
+    # You can configure what log level and how frequently to log custom metrics at here. Feel free to contribute a generic impl!
     loggingMetricsService:
       level: INFO
       period: 1
       timeUnit: MINUTES
 
-  audit:
-    athena:
-      enabled: true
+  # If you have used the life cycle CLI to generate the S3 bucket and Athena table you can use this engine to have a
+  # robust audit system that supports sql lookups on SDBs, IP Addresses and principals, etc.
+  audit.athena:
+      enabled: false
       #  bucket: yourS3Bucket
       #  bucketRegion: yourBucketRegion
-    logger:
+
+  # The default audit engine, logs audit events using an regular slf4j logger that goes to the stdout.
+  audit.logger:
       enabled: true
 
   jobs:
     initialDelay: 0
     initialDelayTimeUnits: minutes
 
+    # Ensures that the KMS datakeys that are used to encrypt data get rotated and that secrets are decrypted
+    # and re-encrypted with new data-key
     dataKeyRotationJob:
+      enabled: true
       numberOfDataKeyToRotatePerJobRun: 120
       dataKeyRotationPauseTimeInMillis: 1000
       dataKeyRotationIntervalInDays: 90
       # Every hour
       cronExpression: "0 0 * ? * *"
 
+    # Removes expired auth tokens from the database
     expiredTokenCleanUpJob:
+      enabled: true
       maxNumberOfTokensToDeletePerJobRun: 2500
       numberOfTokensToDeletePerBatch: 1000
       batchPauseTimeInMillis: 0
       # Every ten minutes
       cronExpression: "0 */10 * ? * *"
 
+    # Generates drop wizard metrics on the status of Hystrix for monitoring and alerting
     hystrixMetricsProcessingJob:
+      enabled: true
       # Every ten seconds
       cronExpression: "0/10 * * ? * *"
 
+    # When a principal uses the legacy KMS authentication, a KMS key is lazily created for it. This job will
+    # delete keys that have become in-active, this job is safe as if the principal authenticates again a new key will be lazily created.
     inactiveKmsCleanUpJob:
+      enabled: true
       batchPauseTimeInSeconds: 10
       deleteKmsKeysOlderThanNDays: 30
       # Every day at noon
       cronExpression: "0 0 12 * * ?"
 
+    # This job will generate Key Performance Indicator Metrics (KPIs) for the Cerberus environment and use Drop Wizard to report these Metrics
+    # By default unless you provide your own reporter impl, these metrics are just logged via an SLF4j Logger.
+    # Types of metrics that it generates: numberOfUniqueIamRoles, numberOfUniqueOwnerGroups, numberOfUniqueNonOwnerGroups, totalUniqueUserGroups, etcy
     kpiMetricsProcessingJob:
+      enabled: true
       # Every hour
       cronExpression: "0 0 * ? * *"
 
+    # Deletes orphaned KMS keys, when an principal that has authenticated with Cerberus has been deleted and is
+    # no longer associated with andy SDB any keys that were created for it become orphaned.
+    # This job will clean those up
     orphanedKmsKeyCleanUpJob:
-      dryMode: true
+      enabled: true
+      dryMode: false
       # Every 15 days at noon
       cronExpression: "0 0 12 */15 * ?"
-
-management.endpoints.web.basePath: /
-management.endpoints.enabledByDefault: false
-management.endpoint.info.enabled: true
-management.endpoint.health.enabled: true