feat(api, cli, ui): auth consumer token expiration and last authentication #5822
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fsamin
changed the title
Signed-off-by: francois samin <[email protected]>
Signed-off-by: francois samin <[email protected]>
Signed-off-by: francois samin <[email protected]>
Signed-off-by: francois samin <[email protected]>
Signed-off-by: francois samin <[email protected]>
Signed-off-by: francois samin <[email protected]>
Signed-off-by: francois samin <[email protected]>
fsamin
force-pushed
the
feat/api/auth_token_expiration
branch
from
ee1d0de to
639834c
Compare
Signed-off-by: francois samin <[email protected]>
Signed-off-by: francois samin <[email protected]>
yesnault
requested changes
May 24, 2021
richardlt
requested changes
May 31, 2021
cli/cdsctl/consumer.go
Outdated
| @@ -86,6 +87,9 @@ var authConsumerNewCmd = cli.Command{ | |||
| Name: "scopes", | |||
| Type: cli.FlagSlice, | |||
| Usage: "Define the list of scopes for the consumer", | |||
| }, { | |||
| Name: "duration", | |||
| Usage: "Validity period of the token generated for the consumer", | |||
There was a problem hiding this comment.
Suggested change
| Usage: "Validity period of the token generated for the consumer", | |
| Usage: "Validity period of the token generated for the consumer (in days)", |
| req.NewDuration = api.Config.Auth.TokenDefaultDuration | ||
| } | ||
| var overlapDuration time.Duration | ||
| if req.OverlapDuration != "" { |
There was a problem hiding this comment.
Maybe we should check that overlap duration is less than duration ?
| } | ||
| var overlapDuration time.Duration | ||
| if req.OverlapDuration != "" { | ||
| overlapDuration, err = time.ParseDuration(req.OverlapDuration) |
There was a problem hiding this comment.
Why not both overlap and validity duration in same format (string duration vs count of hours) ?
There was a problem hiding this comment.
because overlap should be in minutes or hours, and validity should be a matter of days
| @@ -24,7 +24,8 @@ func NewConsumerWorker(ctx context.Context, db gorpmapper.SqlExecutorWithTx, nam | |||
| sdk.AuthConsumerScopeRunExecution, | |||
| sdk.AuthConsumerScopeService, | |||
| ), | |||
| IssuedAt: time.Now(), | |||
| //IssuedAt: time.Now(), | |||
| @@ -46,7 +47,8 @@ func NewConsumerExternal(ctx context.Context, db gorpmapper.SqlExecutorWithTx, u | |||
| "username": userInfo.Username, | |||
| "email": userInfo.Email, | |||
| }, | |||
| IssuedAt: time.Now(), | |||
| //IssuedAt: time.Now(), | |||
| @@ -127,6 +128,7 @@ func InsertConsumer(ctx context.Context, db gorpmapper.SqlExecutorWithTx, ac *sd | |||
|
|
|||
| // UpdateConsumer in database. | |||
| func UpdateConsumer(ctx context.Context, db gorpmapper.SqlExecutorWithTx, ac *sdk.AuthConsumer) error { | |||
| ac.ValidityPeriods.Sort() | |||
There was a problem hiding this comment.
Could be nice to sort also on get.
| func checkSigninConsumerTokenIssuedAt(ctx context.Context, payload signinBuiltinConsumerToken, v sdk.AuthConsumerValidityPeriod) (string, error) { | ||
| var eqIAT = payload.IAT == v.IssuedAt.Unix() | ||
| var hasRevoke = v.Duration > 0 | ||
| var beforeRevoke = time.Now().Before(v.IssuedAt.Add(v.Duration)) |
There was a problem hiding this comment.
Maybe only one afterRevoke value should be clearer.
richardlt
requested changes
May 31, 2021
| } | ||
| return authentication.SignJWS(payload, 0) // 0 means no expiration time | ||
| return authentication.SignJWS(payload, latestValidityPeriod.Duration) |
There was a problem hiding this comment.
Add issued at value as parameter instead of using time.Now inside SignJWS func
engine/api/auth_local.go
Outdated
| @@ -150,7 +150,7 @@ func initBuiltinConsumersFromStartupConfig(ctx context.Context, tx gorpmapper.Sq | |||
| Data: map[string]string{}, | |||
| GroupIDs: []int64{group.SharedInfraGroup.ID}, | |||
| ScopeDetails: scopes, | |||
| IssuedAt: time.Unix(startupConfig.IAT, 0), | |||
| ValidityPeriods: sdk.NewAuthConsumerValidityPeriod(time.Unix(startupConfig.IAT, 0), 0), | |||
There was a problem hiding this comment.
Set a value for services consumers validity period that can be greater than other consumers. Maybe we should update doc for services setup where 'consumer new' command is used.
Signed-off-by: francois samin <[email protected]>
|
CDS Report build-all-cds#16086.0 ✘
|
Signed-off-by: francois samin <[email protected]>
|
CDS Report build-all-cds#16108.0 ✘
|
|
CDS Report build-all-cds#16108.1 ✘
|
|
CDS Report build-all-cds#16108.2 ✘
|
|
CDS Report build-all-cds#16108.3 ✘
|
yesnault
previously approved these changes
Jun 14, 2021
richardlt
previously approved these changes
Jun 14, 2021
Signed-off-by: francois samin <[email protected]>
sguiheux
approved these changes
Jun 14, 2021
|
CDS Report build-all-cds#16141.0 ✘
|
|
SonarCloud Quality Gate failed. |
yesnault
approved these changes
Jun 15, 2021
richardlt
approved these changes
Jun 15, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.