add hash of SALT to healthcheck, for change detection

java/core/src/main/java/co/worklytics/psoxy/HealthCheckResult.java

@@ -70,6 +70,14 @@ public void setVersion(String version) {
 
     String callerIp;
 
+    /**
+     *  A SHA-256 hash of the salt, to aid in detecting changes to the salt value.
+     *
+     *  If salt changes, client needs to know; as all subsequent pseudonyms produced by proxy instance from that point
+     *  will be inconsistent with the prior ones.
+     */
+    String saltSha256Hash;
+
     public boolean passed() {
         return getConfiguredSource() != null
             && getNonDefaultSalt()

java/core/src/main/java/co/worklytics/psoxy/gateway/impl/HealthCheckRequestHandler.java

@@ -1,6 +1,7 @@
 package co.worklytics.psoxy.gateway.impl;
 
 import co.worklytics.psoxy.ControlHeader;
+import co.worklytics.psoxy.HashUtils;
 import co.worklytics.psoxy.HealthCheckResult;
 import co.worklytics.psoxy.gateway.*;
 import co.worklytics.psoxy.gateway.impl.oauth.OAuthRefreshTokenSourceAuthStrategy;
@@ -33,6 +34,18 @@ public class HealthCheckRequestHandler {
 
     static final String JAVA_SOURCE_CODE_VERSION = "rc-v0.5.1";
 
+    /**
+     * a random UUID used to salt the hash of the salt.  Purpose of this is to invalidate any non-purpose built rainbow table solution.
+     *   (Eg, if we just directly hashed the salt, a general rainbow table of hashes could be used to determine the salt value)
+     *
+     *  That said, if salt is 20+ random characters, there is no *general* rainbow table of that length in existence and one is impossible to
+     *  build, as storing it requires ~10e25 petabytes - which is about 10e20 more storage than humanity actually has. So this additional
+     *  protection isn't so necessary, but whatever.
+     *
+     *  do NOT change this value. if you do, we won't be able to detect that proxy-side salts of changed.
+     */
+    static final String SALT_FOR_SALT = "f33c366c-ae91-4819-b221-f9794ebb8145";
+
     @Inject
     EnvVarsConfigService envVarsConfigService;
     @Inject
@@ -45,6 +58,8 @@ public class HealthCheckRequestHandler {
     ObjectMapper objectMapper;
     @Inject
     RulesUtils rulesUtils;
+    @Inject
+    HashUtils hashUtils;
 
     public Optional<HttpEventResponse> handleIfHealthCheck(HttpEventRequest request) {
         if (isHealthCheckRequest(request)) {
@@ -153,6 +168,12 @@ private HttpEventResponse handle(HttpEventRequest request) {
             logInDev("Failed to add rules to health check", e);
         }
 
+        // if SALT configured, as a hash of it to the health check, to enable detection of changes
+        // (if salt changes, client needs to know; as all subsequent pseudonyms produced by proxy instance from that point
+        // will be inconsistent with the prior ones)
+        config.getConfigPropertyAsOptional(ProxyConfigProperty.PSOXY_SALT)
+                .ifPresent(salt -> healthCheckResult.saltSha256Hash(hashUtils.hash(salt, SALT_FOR_SALT)));
+
         HttpEventResponse.HttpEventResponseBuilder responseBuilder = HttpEventResponse.builder();
 
         try {

java/core/src/test/java/co/worklytics/psoxy/HealthCheckResultTest.java

@@ -30,6 +30,7 @@ public void json() throws JsonProcessingException {
             "  \"nonDefaultSalt\" : true,\n" +
             "  \"pseudonymImplementation\" : null,\n" +
             "  \"pseudonymizeAppIds\" : null,\n" +
+            "  \"saltSha256Hash\" : null,\n" +
             "  \"sourceAuthGrantType\" : null,\n" +
             "  \"sourceAuthStrategy\" : null,\n" +
             "  \"version\" : \"rc-v0.1.15\"\n" +