
Issue #2700: Adds support for X509 and JWT specific SVID TTLs #3445

Merged: 6 commits, Oct 26, 2022

Commits on Oct 26, 2022

  1. Adds support for X509 and JWT specific SVID TTLs

    Fixes spiffe#2700
    
    This change adds support for X509 and JWT specific SVID TTLs in each of the following places
     * Default values in spire-server configuration. Similar to the existing TTL value, if provided then it must be >= 0. A value of 0 is considered 'unset', meaning there is no default.
     * Entry records in the database and API
    
    During Entry creation and update
     * If the API call contains a non-zero X509SvidTtl value then that will be stored, else the config default x509SvidTtl value is used
     * If the API call contains a non-zero JWTSvidTtl value then that will be stored, else the config default jwtSvidTtl value is used
    
    During X509-SVID creation
     * If the API call contains a non-zero TTL value then that is used, else
     * If the stored record contains a non-zero X509SvidTtl value then that will be used, else
     * If the stored record contains a non-zero TTL value then that will be used, else
     * The hard-coded default X509SvidTTL value will be used
    
    During JWT-SVID creation
     * If the API call contains a non-zero TTL value then that is used, else
     * If the stored record contains a non-zero JWTSvidTtl value then that will be used, else
     * If the stored record contains a non-zero TTL value then that will be used, else
     * The hard-coded default JWTSvidTTL value will be used
    
    X509SvidTtl and JwtSvidTtl will be considered during the following cases
     * All must be valid with respect to the configured CA TTL - they are all part of the min/max validation checks
     * Entry sorting now includes each of X509SvidTtl and JwtSvidTtl
    
    Signed-off-by: Dennis Gove <[email protected]>
    dennisgove committed Oct 26, 2022
    274ad17
  2. Review feedback

    Signed-off-by: Dennis Gove <[email protected]>
    dennisgove committed Oct 26, 2022
    1556e75
  3. Reverts usage of new database column x509_svid_ttl in favor of existing ttl

    
    Signed-off-by: Dennis Gove <[email protected]>
    dennisgove committed Oct 26, 2022
    d3f9a58
  4. Fixes failing windows-only test

    Signed-off-by: Dennis Gove <[email protected]>
    dennisgove committed Oct 26, 2022
    cfda2e7
  5. Another windows test fix

    Signed-off-by: Dennis Gove <[email protected]>
    dennisgove committed Oct 26, 2022
    487974c
  6. Changes 'field' to 'flag' for CLI commands

    Signed-off-by: Dennis Gove <[email protected]>
    dennisgove committed Oct 26, 2022
    ea8bd59
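The first commit message above spells out a precedence chain for picking an SVID TTL (per-call TTL, then the type-specific entry TTL, then the entry's generic TTL, then a hard-coded fallback) plus a create/update rule and a CA-TTL bound. The Go program below is an added illustration of that chain, not SPIRE's own code: the type and function names, the fallback durations, and the shape of the CA-TTL check (reject negative values and anything longer than the CA TTL; SPIRE's real min/max rules are not on this page) are all assumptions. It keeps `X509SvidTTL` as a field separate from the legacy `TTL` purely to show the lookup order; note that the third commit in the list reverts the separate `x509_svid_ttl` column in favour of the existing `ttl` column, so the stored layout in the merged code differs from this model.

```go
package main

import (
	"fmt"
	"time"
)

// Entry carries the TTL-related fields of a registration entry.
// A zero value means "unset" throughout, matching the commit message.
type Entry struct {
	TTL         time.Duration // pre-existing generic TTL
	X509SvidTTL time.Duration // X509-specific TTL (assumed field name)
	JWTSvidTTL  time.Duration // JWT-specific TTL (assumed field name)
}

// Defaults models the spire-server configuration defaults; zero means no default.
type Defaults struct {
	X509SvidTTL time.Duration
	JWTSvidTTL  time.Duration
}

// Hard-coded last-resort values. These numbers are assumptions for the
// example, not SPIRE's real constants.
const (
	fallbackX509TTL = time.Hour
	fallbackJWTTTL  = 5 * time.Minute
)

// ApplyDefaults implements the create/update rule: a non-zero value from the
// API call wins, otherwise the configured default (which may itself be zero,
// i.e. "no default").
func ApplyDefaults(req Entry, d Defaults) Entry {
	out := req
	if out.X509SvidTTL == 0 {
		out.X509SvidTTL = d.X509SvidTTL
	}
	if out.JWTSvidTTL == 0 {
		out.JWTSvidTTL = d.JWTSvidTTL
	}
	return out
}

// firstNonZero returns the first non-zero duration; the argument order is the
// precedence chain.
func firstNonZero(vals ...time.Duration) time.Duration {
	for _, v := range vals {
		if v != 0 {
			return v
		}
	}
	return 0
}

// ResolveX509TTL: per-call TTL > entry X509SvidTTL > entry TTL > fallback.
func ResolveX509TTL(callTTL time.Duration, e Entry) time.Duration {
	return firstNonZero(callTTL, e.X509SvidTTL, e.TTL, fallbackX509TTL)
}

// ResolveJWTTTL: per-call TTL > entry JWTSvidTTL > entry TTL > fallback.
func ResolveJWTTTL(callTTL time.Duration, e Entry) time.Duration {
	return firstNonZero(callTTL, e.JWTSvidTTL, e.TTL, fallbackJWTTTL)
}

// ValidateAgainstCA rejects a negative TTL or one longer than the CA TTL.
// The exact bounds SPIRE enforces are not on this page; this is an assumption.
func ValidateAgainstCA(name string, ttl, caTTL time.Duration) error {
	if ttl < 0 {
		return fmt.Errorf("%s: TTL must be >= 0", name)
	}
	if ttl > caTTL {
		return fmt.Errorf("%s: TTL %s exceeds CA TTL %s", name, ttl, caTTL)
	}
	return nil
}

// ValidateEntry checks every TTL field of an entry against the CA TTL, since
// the commit message says all three take part in the min/max checks.
func ValidateEntry(e Entry, caTTL time.Duration) error {
	checks := []struct {
		name string
		ttl  time.Duration
	}{{"ttl", e.TTL}, {"x509_svid_ttl", e.X509SvidTTL}, {"jwt_svid_ttl", e.JWTSvidTTL}}
	for _, c := range checks {
		if err := ValidateAgainstCA(c.name, c.ttl, caTTL); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed input: only an X509 default is configured, and the API call
	// supplies just the legacy TTL.
	d := Defaults{X509SvidTTL: 2 * time.Hour}
	stored := ApplyDefaults(Entry{TTL: 30 * time.Minute}, d)
	fmt.Println("x509:", ResolveX509TTL(0, stored))           // entry X509SvidTTL (from default) beats legacy TTL
	fmt.Println("jwt: ", ResolveJWTTTL(0, stored))            // no JWT TTL anywhere, legacy TTL beats fallback
	fmt.Println("call:", ResolveX509TTL(time.Minute, stored)) // per-call TTL wins over everything
	fmt.Println("valid against 24h CA:", ValidateEntry(stored, 24*time.Hour))
	fmt.Println("valid against 1h CA: ", ValidateEntry(stored, time.Hour))
}
```

The point worth checking in a real deployment is the second line of output: an entry with only the legacy `ttl` set still governs JWT-SVID lifetime, so tightening `jwt_svid_ttl` in the server defaults changes nothing for entries whose legacy `ttl` is already non-zero, because the default is only consulted at create/update time and the legacy value sits above the fallback in the chain.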