backport of commit 3a46ecc389e9096ccea6c6f847b68ada7f8068d7 (#21362)

Co-authored-by: Violet Hynes <violet.hynes@hashicorp.com>
This commit is contained in:
hc-github-team-secure-vault-core 2023-06-21 10:01:13 -04:00 committed by GitHub
parent c1e932ed20
commit 36365ed7f4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
20 changed files with 68 additions and 79 deletions

View file

@ -27,6 +27,7 @@ import (
cleanhttp "github.com/hashicorp/go-cleanhttp"
"github.com/hashicorp/go-retryablehttp"
"github.com/hashicorp/go-secure-stdlib/awsutil"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/go-secure-stdlib/strutil"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/builtin/credential/aws/pkcs7"
@ -1291,7 +1292,7 @@ func (b *backend) pathLoginRenewEc2(ctx context.Context, req *logical.Request, _
// If the login was made using the role tag, then max_ttl from tag
// is cached in internal data during login and used here to cap the
// max_ttl of renewal.
rTagMaxTTL, err := time.ParseDuration(req.Auth.Metadata["role_tag_max_ttl"])
rTagMaxTTL, err := parseutil.ParseDurationSecond(req.Auth.Metadata["role_tag_max_ttl"])
if err != nil {
return nil, err
}

View file

@ -14,6 +14,7 @@ import (
"strings"
"time"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/go-secure-stdlib/strutil"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/sdk/framework"
@ -347,7 +348,7 @@ func (b *backend) parseAndVerifyRoleTagValue(ctx context.Context, s logical.Stor
return nil, err
}
case strings.HasPrefix(tagItem, "t="):
rTag.MaxTTL, err = time.ParseDuration(fmt.Sprintf("%ss", strings.TrimPrefix(tagItem, "t=")))
rTag.MaxTTL, err = parseutil.ParseDurationSecond(fmt.Sprintf("%ss", strings.TrimPrefix(tagItem, "t=")))
if err != nil {
return nil, err
}

View file

@ -8,6 +8,7 @@ import (
"fmt"
"time"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
)
@ -82,12 +83,12 @@ func (b *backend) pathLeaseWrite(ctx context.Context, req *logical.Request, d *f
return logical.ErrorResponse("'lease_max' is a required parameter"), nil
}
lease, err := time.ParseDuration(leaseRaw)
lease, err := parseutil.ParseDurationSecond(leaseRaw)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf(
"Invalid lease: %s", err)), nil
}
leaseMax, err := time.ParseDuration(leaseMaxRaw)
leaseMax, err := parseutil.ParseDurationSecond(leaseMaxRaw)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf(
"Invalid lease_max: %s", err)), nil

View file

@ -12,13 +12,12 @@ import (
"testing"
"time"
"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/api"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault"
"github.com/stretchr/testify/require"
)
@ -1068,7 +1067,7 @@ func TestAutoRebuild(t *testing.T) {
thisCRLNumber := getCRLNumber(t, crl)
requireSerialNumberInCRL(t, crl, leafSerial) // But the old one should.
now := time.Now()
graceInterval, _ := time.ParseDuration(gracePeriod)
graceInterval, _ := parseutil.ParseDurationSecond(gracePeriod)
expectedUpdate := lastCRLExpiry.Add(-1 * graceInterval)
if requireSerialNumberInCRL(nil, crl, newLeafSerial) {
// If we somehow lagged and we ended up needing to rebuild

View file

@ -14,12 +14,12 @@ import (
"sync"
"time"
atomic2 "go.uber.org/atomic"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/logical"
atomic2 "go.uber.org/atomic"
)
const (
@ -248,12 +248,12 @@ func (cb *crlBuilder) checkForAutoRebuild(sc *storageContext) error {
// the grace period and act accordingly.
now := time.Now()
period, err := time.ParseDuration(cfg.AutoRebuildGracePeriod)
period, err := parseutil.ParseDurationSecond(cfg.AutoRebuildGracePeriod)
if err != nil {
// This may occur if the duration is empty; in that case
// assume the default. The default should be valid and shouldn't
// error.
defaultPeriod, defaultErr := time.ParseDuration(defaultCrlConfig.AutoRebuildGracePeriod)
defaultPeriod, defaultErr := parseutil.ParseDurationSecond(defaultCrlConfig.AutoRebuildGracePeriod)
if defaultErr != nil {
return fmt.Errorf("error checking for auto-rebuild status: unable to parse duration from both config's grace period (%v) and default grace period (%v):\n- config: %v\n- default: %w\n", cfg.AutoRebuildGracePeriod, defaultCrlConfig.AutoRebuildGracePeriod, err, defaultErr)
}
@ -436,7 +436,7 @@ func (cb *crlBuilder) rebuildDeltaCRLsIfForced(sc *storageContext, override bool
return nil, nil
}
deltaRebuildDuration, err := time.ParseDuration(cfg.DeltaRebuildInterval)
deltaRebuildDuration, err := parseutil.ParseDurationSecond(cfg.DeltaRebuildInterval)
if err != nil {
return nil, err
}
@ -2118,7 +2118,7 @@ func augmentWithRevokedIssuers(issuerIDEntryMap map[issuerID]*issuerEntry, issue
func buildCRL(sc *storageContext, crlInfo *crlConfig, forceNew bool, thisIssuerId issuerID, revoked []pkix.RevokedCertificate, identifier crlID, crlNumber int64, isUnified bool, isDelta bool, lastCompleteNumber int64) (*time.Time, error) {
var revokedCerts []pkix.RevokedCertificate
crlLifetime, err := time.ParseDuration(crlInfo.Expiry)
crlLifetime, err := parseutil.ParseDurationSecond(crlInfo.Expiry)
if err != nil {
return nil, errutil.InternalError{Err: fmt.Sprintf("error parsing CRL duration of %s", crlInfo.Expiry)}
}

View file

@ -7,8 +7,8 @@ import (
"context"
"fmt"
"net/http"
"time"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/helper/constants"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/errutil"
@ -291,7 +291,7 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
if expiryRaw, ok := d.GetOk("expiry"); ok {
expiry := expiryRaw.(string)
_, err := time.ParseDuration(expiry)
_, err := parseutil.ParseDurationSecond(expiry)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("given expiry could not be decoded: %s", err)), nil
}
@ -309,7 +309,7 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
if expiryRaw, ok := d.GetOk("ocsp_expiry"); ok {
expiry := expiryRaw.(string)
duration, err := time.ParseDuration(expiry)
duration, err := parseutil.ParseDurationSecond(expiry)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("given ocsp_expiry could not be decoded: %s", err)), nil
}
@ -326,7 +326,7 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
if autoRebuildGracePeriodRaw, ok := d.GetOk("auto_rebuild_grace_period"); ok {
autoRebuildGracePeriod := autoRebuildGracePeriodRaw.(string)
if _, err := time.ParseDuration(autoRebuildGracePeriod); err != nil {
if _, err := parseutil.ParseDurationSecond(autoRebuildGracePeriod); err != nil {
return logical.ErrorResponse(fmt.Sprintf("given auto_rebuild_grace_period could not be decoded: %s", err)), nil
}
config.AutoRebuildGracePeriod = autoRebuildGracePeriod
@ -339,7 +339,7 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
if deltaRebuildIntervalRaw, ok := d.GetOk("delta_rebuild_interval"); ok {
deltaRebuildInterval := deltaRebuildIntervalRaw.(string)
if _, err := time.ParseDuration(deltaRebuildInterval); err != nil {
if _, err := parseutil.ParseDurationSecond(deltaRebuildInterval); err != nil {
return logical.ErrorResponse(fmt.Sprintf("given delta_rebuild_interval could not be decoded: %s", err)), nil
}
config.DeltaRebuildInterval = deltaRebuildInterval
@ -362,16 +362,16 @@ func (b *backend) pathCRLWrite(ctx context.Context, req *logical.Request, d *fra
return logical.ErrorResponse("unified_crl_on_existing_paths cannot be enabled if unified_crl is disabled"), nil
}
expiry, _ := time.ParseDuration(config.Expiry)
expiry, _ := parseutil.ParseDurationSecond(config.Expiry)
if config.AutoRebuild {
gracePeriod, _ := time.ParseDuration(config.AutoRebuildGracePeriod)
gracePeriod, _ := parseutil.ParseDurationSecond(config.AutoRebuildGracePeriod)
if gracePeriod >= expiry {
return logical.ErrorResponse(fmt.Sprintf("CRL auto-rebuilding grace period (%v) must be strictly shorter than CRL expiry (%v) value when auto-rebuilding of CRLs is enabled", config.AutoRebuildGracePeriod, config.Expiry)), nil
}
}
if config.EnableDelta {
deltaRebuildInterval, _ := time.ParseDuration(config.DeltaRebuildInterval)
deltaRebuildInterval, _ := parseutil.ParseDurationSecond(config.DeltaRebuildInterval)
if deltaRebuildInterval >= expiry {
return logical.ErrorResponse(fmt.Sprintf("CRL delta rebuild window (%v) must be strictly shorter than CRL expiry (%v) value when delta CRLs are enabled", config.DeltaRebuildInterval, config.Expiry)), nil
}

View file

@ -19,13 +19,12 @@ import (
"strings"
"time"
"github.com/hashicorp/vault/sdk/helper/errutil"
"golang.org/x/crypto/ocsp"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/helper/errutil"
"github.com/hashicorp/vault/sdk/logical"
"golang.org/x/crypto/ocsp"
)
const (
@ -476,7 +475,7 @@ func doesRequestMatchIssuer(parsedBundle *certutil.ParsedCertBundle, req *ocsp.R
func genResponse(cfg *crlConfig, caBundle *certutil.ParsedCertBundle, info *ocspRespInfo, reqHash crypto.Hash, revSigAlg x509.SignatureAlgorithm) ([]byte, error) {
curTime := time.Now()
duration, err := time.ParseDuration(cfg.OcspExpiry)
duration, err := parseutil.ParseDurationSecond(cfg.OcspExpiry)
if err != nil {
return nil, err
}

View file

@ -15,14 +15,12 @@ import (
"strconv"
"strings"
"testing"
"time"
"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
"github.com/hashicorp/go-secure-stdlib/parseutil"
vaulthttp "github.com/hashicorp/vault/http"
"github.com/hashicorp/vault/vault"
"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
"github.com/hashicorp/vault/sdk/logical"
"github.com/hashicorp/vault/vault"
"github.com/stretchr/testify/require"
"golang.org/x/crypto/ocsp"
)
@ -581,7 +579,7 @@ func runOcspRequestTest(t *testing.T, requestType string, caKeyType string, caKe
require.True(t, thisUpdate.Before(nextUpdate),
fmt.Sprintf("thisUpdate %s, should have been before nextUpdate: %s", thisUpdate, nextUpdate))
nextUpdateDiff := nextUpdate.Sub(thisUpdate)
expectedDiff, err := time.ParseDuration(defaultCrlConfig.OcspExpiry)
expectedDiff, err := parseutil.ParseDurationSecond(defaultCrlConfig.OcspExpiry)
require.NoError(t, err, "failed to parse default ocsp expiry value")
require.Equal(t, expectedDiff, nextUpdateDiff,
fmt.Sprintf("the delta between thisUpdate %s and nextUpdate: %s should have been around: %s but was %s",

View file

@ -14,7 +14,7 @@ import (
"github.com/armon/go-metrics"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/helper/consts"
"github.com/hashicorp/vault/sdk/logical"
@ -768,7 +768,7 @@ func (b *backend) pathTidyWrite(ctx context.Context, req *logical.Request, d *fr
if pauseDurationStr != "" {
var err error
pauseDuration, err = time.ParseDuration(pauseDurationStr)
pauseDuration, err = parseutil.ParseDurationSecond(pauseDurationStr)
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("Error parsing pause_duration: %v", err)), nil
}
@ -1792,7 +1792,7 @@ func (b *backend) pathConfigAutoTidyWrite(ctx context.Context, req *logical.Requ
}
if pauseDurationRaw, ok := d.GetOk("pause_duration"); ok {
config.PauseDuration, err = time.ParseDuration(pauseDurationRaw.(string))
config.PauseDuration, err = parseutil.ParseDurationSecond(pauseDurationRaw.(string))
if err != nil {
return logical.ErrorResponse(fmt.Sprintf("unable to parse given pause_duration: %v", err)), nil
}

3
changelog/21357.txt Normal file
View file

@ -0,0 +1,3 @@
```release-note:bug
core: Fixed issue with some durations not being properly parsed to include days.
```

View file

@ -989,33 +989,3 @@ func (d *timeValue) Get() interface{} { return *d.target }
func (d *timeValue) String() string { return (*d.target).String() }
func (d *timeValue) Example() string { return "time" }
func (d *timeValue) Hidden() bool { return d.hidden }
// -- helpers
func envDefault(key, def string) string {
if v, exist := os.LookupEnv(key); exist {
return v
}
return def
}
func envBoolDefault(key string, def bool) bool {
if v, exist := os.LookupEnv(key); exist {
b, err := strconv.ParseBool(v)
if err != nil {
panic(err)
}
return b
}
return def
}
func envDurationDefault(key string, def time.Duration) time.Duration {
if v, exist := os.LookupEnv(key); exist {
d, err := time.ParseDuration(v)
if err != nil {
panic(err)
}
return d
}
return def
}

View file

@ -23,6 +23,7 @@ import (
log "github.com/hashicorp/go-hclog"
wrapping "github.com/hashicorp/go-kms-wrapping/v2"
"github.com/hashicorp/go-raftchunking"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/go-secure-stdlib/tlsutil"
"github.com/hashicorp/go-uuid"
goversion "github.com/hashicorp/go-version"
@ -371,7 +372,7 @@ func NewRaftBackend(conf map[string]string, logger log.Logger) (physical.Backend
}
if delayRaw, ok := conf["apply_delay"]; ok {
delay, err := time.ParseDuration(delayRaw)
delay, err := parseutil.ParseDurationSecond(delayRaw)
if err != nil {
return nil, fmt.Errorf("apply_delay does not parse as a duration: %w", err)
}
@ -428,7 +429,7 @@ func NewRaftBackend(conf map[string]string, logger log.Logger) (physical.Backend
}
if delayRaw, ok := conf["snapshot_delay"]; ok {
delay, err := time.ParseDuration(delayRaw)
delay, err := parseutil.ParseDurationSecond(delayRaw)
if err != nil {
return nil, fmt.Errorf("snapshot_delay does not parse as a duration: %w", err)
}
@ -447,7 +448,7 @@ func NewRaftBackend(conf map[string]string, logger log.Logger) (physical.Backend
var reconcileInterval time.Duration
if interval := conf["autopilot_reconcile_interval"]; interval != "" {
interval, err := time.ParseDuration(interval)
interval, err := parseutil.ParseDurationSecond(interval)
if err != nil {
return nil, fmt.Errorf("autopilot_reconcile_interval does not parse as a duration: %w", err)
}
@ -456,7 +457,7 @@ func NewRaftBackend(conf map[string]string, logger log.Logger) (physical.Backend
var updateInterval time.Duration
if interval := conf["autopilot_update_interval"]; interval != "" {
interval, err := time.ParseDuration(interval)
interval, err := parseutil.ParseDurationSecond(interval)
if err != nil {
return nil, fmt.Errorf("autopilot_update_interval does not parse as a duration: %w", err)
}
@ -817,7 +818,7 @@ func (b *RaftBackend) applyConfigSettings(config *raft.Config) error {
snapshotIntervalRaw, ok := b.conf["snapshot_interval"]
if ok {
var err error
snapshotInterval, err := time.ParseDuration(snapshotIntervalRaw)
snapshotInterval, err := parseutil.ParseDurationSecond(snapshotIntervalRaw)
if err != nil {
return err
}

View file

@ -702,7 +702,7 @@ func (d *ReadableDuration) UnmarshalJSON(raw []byte) (err error) {
str := string(raw)
if len(str) >= 2 && str[0] == '"' && str[len(str)-1] == '"' {
// quoted string
dur, err = time.ParseDuration(str[1 : len(str)-1])
dur, err = parseutil.ParseDurationSecond(str[1 : len(str)-1])
if err != nil {
return err
}

View file

@ -9,6 +9,7 @@ import (
"testing"
"time"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/sdk/database/dbplugin/v5"
)
@ -22,7 +23,7 @@ func getRequestTimeout(t *testing.T) time.Duration {
return 10 * time.Second
}
dur, err := time.ParseDuration(rawDur)
dur, err := parseutil.ParseDurationSecond(rawDur)
if err != nil {
t.Fatalf("Failed to parse custom request timeout %q: %s", rawDur, err)
}

View file

@ -12,6 +12,7 @@ import (
"time"
"github.com/hashicorp/errwrap"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/sdk/logical"
)
@ -330,7 +331,7 @@ func performTemplating(input string, p *PopulateStringInput) (string, error) {
return "", errors.New("missing time operand")
case 3:
duration, err := time.ParseDuration(opsSplit[2])
duration, err := parseutil.ParseDurationSecond(opsSplit[2])
if err != nil {
return "", errwrap.Wrapf("invalid duration: {{err}}", err)
}

View file

@ -6,6 +6,8 @@ package pointerutil
import (
"os"
"time"
"github.com/hashicorp/go-secure-stdlib/parseutil"
)
// StringPtr returns a pointer to a string value
@ -20,7 +22,7 @@ func BoolPtr(b bool) *bool {
// TimeDurationPtr returns a pointer to a time duration value
func TimeDurationPtr(duration string) *time.Duration {
d, _ := time.ParseDuration(duration)
d, _ := parseutil.ParseDurationSecond(duration)
return &d
}

View file

@ -0,0 +1,10 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
rules:
- id: time-parse-duration
patterns:
- pattern: time.ParseDuration
message: "Usage of time.ParseDuration. Use parseutil.ParseDurationSeconds, instead!"
languages: [go]
severity: ERROR

View file

@ -14,6 +14,7 @@ import (
"time"
"github.com/go-test/deep"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
@ -2253,8 +2254,8 @@ func TestOIDC_Path_OIDC_Client_List_KeyInfo(t *testing.T) {
expected := clients[name].(map[string]interface{})
require.Contains(t, keys, name)
idTokenTTL, _ := time.ParseDuration(expected["id_token_ttl"].(string))
accessTokenTTL, _ := time.ParseDuration(expected["access_token_ttl"].(string))
idTokenTTL, _ := parseutil.ParseDurationSecond(expected["id_token_ttl"].(string))
accessTokenTTL, _ := parseutil.ParseDurationSecond(expected["access_token_ttl"].(string))
require.EqualValues(t, idTokenTTL.Seconds(), actual["id_token_ttl"])
require.EqualValues(t, accessTokenTTL.Seconds(), actual["access_token_ttl"])
require.Equal(t, expected["redirect_uris"], actual["redirect_uris"])

View file

@ -12,6 +12,7 @@ import (
"strings"
"time"
"github.com/hashicorp/go-secure-stdlib/parseutil"
"github.com/hashicorp/vault/helper/timeutil"
"github.com/hashicorp/vault/sdk/framework"
"github.com/hashicorp/vault/sdk/logical"
@ -222,7 +223,7 @@ func (b *SystemBackend) handleClientExport(ctx context.Context, req *logical.Req
// This is to avoid the default 90s context timeout.
timeout := 10 * time.Minute
if durationRaw := os.Getenv("VAULT_ACTIVITY_EXPORT_DURATION"); durationRaw != "" {
d, err := time.ParseDuration(durationRaw)
d, err := parseutil.ParseDurationSecond(durationRaw)
if err == nil {
timeout = d
}

View file

@ -3207,7 +3207,7 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
te.TTL = dur
} else if data.Lease != "" {
// This block is compatibility
dur, err := time.ParseDuration(data.Lease)
dur, err := parseutil.ParseDurationSecond(data.Lease)
if err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}