CMSgov · laurenkrugen-navapbc · Sep 8, 2025 · Sep 3, 2025 · Sep 3, 2025 · Sep 3, 2025
@@ -0,0 +1,11 @@
+-- Revert rename table to denylist_entries
+
+BEGIN;
+
+ALTER TABLE denylist_entries 
+RENAME TO blacklist_entries;
+
+ALTER SEQUENCE denylist_entries_id_seq
+RENAME TO blacklist_entries_id_seq ;
+
+COMMIT;
@@ -0,0 +1,11 @@
+-- Rename table to denylist_entries
+
+BEGIN;
+
+ALTER TABLE blacklist_entries
+RENAME TO denylist_entries;
+
+ALTER SEQUENCE blacklist_entries_id_seq  
+RENAME TO denylist_entries_id_seq;
+
+COMMIT;
@@ -22,9 +22,9 @@ services:
       - SSAS_HASH_ITERATIONS=130000
       - SSAS_HASH_KEY_LENGTH=64
       - SSAS_HASH_SALT_SIZE=32
-      - SSAS_TOKEN_BLACKLIST_CACHE_CLEANUP_MINUTES=15
-      - SSAS_TOKEN_BLACKLIST_CACHE_TIMEOUT_MINUTES=1440
-      - SSAS_TOKEN_BLACKLIST_CACHE_REFRESH_MINUTES=5
+      - SSAS_TOKEN_DENYLIST_CACHE_CLEANUP_MINUTES=15
+      - SSAS_TOKEN_DENYLIST_CACHE_TIMEOUT_MINUTES=1440
+      - SSAS_TOKEN_DENYLIST_CACHE_REFRESH_MINUTES=5
       - SSAS_URL=http://ssas:3004
       - SSAS_PUBLIC_URL=http://ssas:3003
       - SSAS_CLIENT_ASSERTION_AUD=http://local.testing.cms.gov/api/v2/Token/auth

@@ -41,9 +41,9 @@ services:
       - SSAS_HASH_ITERATIONS=130000
       - SSAS_HASH_KEY_LENGTH=64
       - SSAS_HASH_SALT_SIZE=32
-      - SSAS_TOKEN_BLACKLIST_CACHE_CLEANUP_MINUTES=15
-      - SSAS_TOKEN_BLACKLIST_CACHE_TIMEOUT_MINUTES=1440
-      - SSAS_TOKEN_BLACKLIST_CACHE_REFRESH_MINUTES=5
+      - SSAS_TOKEN_DENYLIST_CACHE_CLEANUP_MINUTES=15
+      - SSAS_TOKEN_DENYLIST_CACHE_TIMEOUT_MINUTES=1440
+      - SSAS_TOKEN_DENYLIST_CACHE_REFRESH_MINUTES=5
       - SSAS_CLIENT_ASSERTION_AUD=http://local.testing.cms.gov/api/v2/Token/auth
     volumes:
       - ./shared_files:/usr/local/shared_files

@@ -8,20 +8,20 @@ import (
 	"gorm.io/gorm"
 )
 
-type BlacklistEntry struct {
+type DenylistEntry struct {
 	gorm.Model
 	Key             string `gorm:"not null" json:"key"`
 	EntryDate       int64  `gorm:"not null" json:"entry_date"`
 	CacheExpiration int64  `gorm:"not null" json:"cache_expiration"`
 }
 
-func CreateBlacklistEntry(ctx context.Context, key string, entryDate time.Time, cacheExpiration time.Time) (entry BlacklistEntry, err error) {
+func CreateDenylistEntry(ctx context.Context, key string, entryDate time.Time, cacheExpiration time.Time) (entry DenylistEntry, err error) {
 	if key == "" {
 		err = fmt.Errorf("key cannot be blank")
 		return
 	}
 
-	be := BlacklistEntry{
+	be := DenylistEntry{
 		Key:             key,
 		EntryDate:       entryDate.Unix(),
 		CacheExpiration: cacheExpiration.UnixNano(),
@@ -36,7 +36,7 @@ func CreateBlacklistEntry(ctx context.Context, key string, entryDate time.Time,
 	return
 }
 
-func GetUnexpiredBlacklistEntries(ctx context.Context) (entries []BlacklistEntry, err error) {
+func GetUnexpiredDenylistEntries(ctx context.Context) (entries []DenylistEntry, err error) {
 	err = Connection.WithContext(ctx).Order("entry_date, cache_expiration").Where("cache_expiration > ?", time.Now().UnixNano()).Find(&entries).Error
 	if err != nil {
 		return

@@ -21,14 +21,14 @@ func (s *CacheEntriesTestSuite) SetupSuite() {
 }
 
 func (s *CacheEntriesTestSuite) TestGetUnexpiredCacheEntries() {
-	entries, err := GetUnexpiredBlacklistEntries(context.Background())
+	entries, err := GetUnexpiredDenylistEntries(context.Background())
 	require.Nil(s.T(), err)
 	origEntries := len(entries)
 
 	entryDate := time.Now().Add(time.Minute * -5).UnixNano()
 	expiration := time.Now().Add(time.Minute * 5).UnixNano()
-	e1 := BlacklistEntry{Key: "key1", EntryDate: entryDate, CacheExpiration: expiration}
-	e2 := BlacklistEntry{Key: "key2", EntryDate: entryDate, CacheExpiration: expiration}
+	e1 := DenylistEntry{Key: "key1", EntryDate: entryDate, CacheExpiration: expiration}
+	e2 := DenylistEntry{Key: "key2", EntryDate: entryDate, CacheExpiration: expiration}
 
 	if err = s.db.Save(&e1).Error; err != nil {
 		assert.FailNow(s.T(), err.Error())
@@ -37,7 +37,7 @@ func (s *CacheEntriesTestSuite) TestGetUnexpiredCacheEntries() {
 		assert.FailNow(s.T(), err.Error())
 	}
 
-	entries, err = GetUnexpiredBlacklistEntries(context.Background())
+	entries, err = GetUnexpiredDenylistEntries(context.Background())
 	assert.Nil(s.T(), err)
 	assert.True(s.T(), len(entries) == origEntries+2)
 
@@ -47,14 +47,14 @@ func (s *CacheEntriesTestSuite) TestGetUnexpiredCacheEntries() {
 	assert.Nil(s.T(), err)
 }
 
-func (s *CacheEntriesTestSuite) TestCreateBlacklistEntryEmptyKey() {
+func (s *CacheEntriesTestSuite) TestCreateDenylistEntryEmptyKey() {
 	entryDate := time.Now().Add(time.Minute * -5)
 	expiration := time.Now().Add(time.Minute * 5)
 
-	_, err := CreateBlacklistEntry(context.Background(), "", entryDate, expiration)
+	_, err := CreateDenylistEntry(context.Background(), "", entryDate, expiration)
 	assert.NotNil(s.T(), err)
 
-	e, err := CreateBlacklistEntry(context.Background(), "another_key", entryDate, expiration)
+	e, err := CreateDenylistEntry(context.Background(), "another_key", entryDate, expiration)
 	assert.Nil(s.T(), err)
 	assert.Equal(s.T(), "another_key", e.Key)
 

@@ -574,7 +574,7 @@ func deactivateSystemCredentials(w http.ResponseWriter, r *http.Request) {
 
 		Revoke token
 
-		Revokes the specified tokenID by placing it on a blacklist.  Will return an HTTP 200 status whether or not the tokenID has been issued.
+		Revokes the specified tokenID by placing it on a denylist.  Will return an HTTP 200 status whether or not the tokenID has been issued.
 
 		Produces:
 		- application/json
@@ -595,12 +595,12 @@ func revokeToken(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ssas.SetCtxEntry(r, "Op", "TokenBlacklist")
+	ssas.SetCtxEntry(r, "Op", "TokenDenylist")
 	logger := ssas.GetCtxLogger(r.Context())
 	logger.Infof("Operation Called: admin.revokeToken()")
 
-	if err := service.TokenBlacklist.BlacklistToken(r.Context(), tokenID, service.TokenCacheLifetime); err != nil {
-		logger.Errorf("failed to blacklist token; %s", err)
+	if err := service.TokenDenylist.DenylistToken(r.Context(), tokenID, service.TokenCacheLifetime); err != nil {
+		logger.Errorf("failed to denylist token; %s", err)
 		service.JSONError(w, http.StatusInternalServerError, http.StatusText(http.StatusInternalServerError), "")
 	}
 

@@ -70,7 +70,7 @@ type APITestSuite struct {
 
 func (s *APITestSuite) SetupSuite() {
 	s.db = ssas.Connection
-	service.StartBlacklist()
+	service.StartDenylist()
 	ssas.MaxIPs = 3
 	s.logEntry = MakeTestStructuredLoggerEntry(logrus.Fields{"cms_id": "A9999", "request_id": uuid.NewUUID().String()})
 
@@ -291,8 +291,8 @@ func (s *APITestSuite) TestRevokeToken() {
 	handler.ServeHTTP(rr, req)
 	assert.Equal(s.T(), http.StatusOK, rr.Result().StatusCode)
 
-	assert.True(s.T(), service.TokenBlacklist.IsTokenBlacklisted(tokenID))
-	assert.False(s.T(), service.TokenBlacklist.IsTokenBlacklisted("this_key_should_not_exist"))
+	assert.True(s.T(), service.TokenDenylist.IsTokenDenylisted(tokenID))
+	assert.False(s.T(), service.TokenDenylist.IsTokenDenylisted("this_key_should_not_exist"))
 }
 
 func (s *APITestSuite) TestRevokeTokenNoToken() {
@@ -1722,7 +1722,7 @@ func TestSGAAdmin_NoAuth(t *testing.T) {
 	os.Setenv("SGA_ADMIN_FEATURE", newFF)
 
 	db := ssas.Connection
-	service.StartBlacklist()
+	service.StartDenylist()
 	ssas.MaxIPs = 3
 
 	ctx := context.Background()

@@ -193,7 +193,7 @@ func start(ps *service.Server, as *service.Server, forwarder *http.Server) {
 
 	ps.Serve()
 	as.Serve()
-	service.StartBlacklist()
+	service.StartDenylist()
 	ssas.Logger.Fatal(forwarder.ListenAndServe())
 }
 

@@ -48,7 +48,7 @@ func (s *APITestSuite) SetupSuite() {
 	s.server = Server()
 	s.badSigningKeyPath = "../../../shared_files/ssas/admin_test_signing_key.pem"
 	s.assertAud = "http://local.testing.cms.gov/api/v2/Token/auth"
-	service.StartBlacklist()
+	service.StartDenylist()
 	s.logEntry = MakeTestStructuredLoggerEntry(logrus.Fields{"cms_id": "A9999", "request_id": uuid.NewUUID().String()})
 
 	if os.Getenv("SGA_ADMIN_FEATURE") == "true" {

@@ -177,9 +177,9 @@ func (s *PublicMiddlewareTestSuite) TestRequireRegTokenAuthRevoked() {
 	assert.Nil(s.T(), err)
 
 	claims := token.Claims.(*service.CommonClaims)
-	err = service.TokenBlacklist.BlacklistToken(req.Context(), claims.Id, service.TokenCacheLifetime)
+	err = service.TokenDenylist.DenylistToken(req.Context(), claims.Id, service.TokenCacheLifetime)
 	assert.Nil(s.T(), err)
-	assert.True(s.T(), service.TokenBlacklist.IsTokenBlacklisted(claims.Id))
+	assert.True(s.T(), service.TokenDenylist.IsTokenDenylisted(claims.Id))
 
 	assert.NotNil(s.T(), token)
 

@@ -113,7 +113,7 @@ func tokenValidity(ctx context.Context, tokenString string, requiredTokenType st
 		return err
 	}
 
-	if service.TokenBlacklist.IsTokenBlacklisted(c.Id) {
+	if service.TokenDenylist.IsTokenDenylisted(c.Id) {
 		err = fmt.Errorf("token has been revoked")
 		logger.Error(err)
 		return err