Use durations for ID and access token TTLs (#12632)

This commit is contained in:
Austin Gebauer 2021-09-27 10:05:28 -07:00 committed by GitHub
parent 7ad62f5be4
commit 93f8d248d3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 31 additions and 26 deletions


@ -8,6 +8,7 @@ import (
"net/url"
"sort"
"strings"
"time"
"github.com/hashicorp/go-secure-stdlib/base62"
"github.com/hashicorp/go-secure-stdlib/strutil"
@ -29,11 +30,11 @@ type scope struct {
}
type client struct {
RedirectURIs []string `json:"redirect_uris"`
Assignments []string `json:"assignments"`
Key string `json:"key"`
IDTokenTTL int `json:"id_token_ttl"`
AccessTokenTTL int `json:"access_token_ttl"`
RedirectURIs []string `json:"redirect_uris"`
Assignments []string `json:"assignments"`
Key string `json:"key"`
IDTokenTTL time.Duration `json:"id_token_ttl"`
AccessTokenTTL time.Duration `json:"access_token_ttl"`
// used for OIDC endpoints
ClientID string `json:"client_id"`
@ -182,10 +183,12 @@ func oidcProviderPaths(i *IdentityStore) []*framework.Path {
"id_token_ttl": {
Type: framework.TypeDurationSecond,
Description: "The time-to-live for ID tokens obtained by the client.",
Default: "24h",
},
"access_token_ttl": {
Type: framework.TypeDurationSecond,
Description: "The time-to-live for access tokens obtained by the client.",
Default: "24h",
},
},
Operations: map[logical.Operation]framework.OperationHandler{
@ -920,15 +923,15 @@ func (i *IdentityStore) pathOIDCCreateUpdateClient(ctx context.Context, req *log
}
if idTokenTTLRaw, ok := d.GetOk("id_token_ttl"); ok {
client.IDTokenTTL = idTokenTTLRaw.(int)
client.IDTokenTTL = time.Duration(idTokenTTLRaw.(int)) * time.Second
} else if req.Operation == logical.CreateOperation {
client.IDTokenTTL = d.Get("id_token_ttl").(int)
client.IDTokenTTL = time.Duration(d.Get("id_token_ttl").(int)) * time.Second
}
if accessTokenTTLRaw, ok := d.GetOk("access_token_ttl"); ok {
client.AccessTokenTTL = accessTokenTTLRaw.(int)
client.AccessTokenTTL = time.Duration(accessTokenTTLRaw.(int)) * time.Second
} else if req.Operation == logical.CreateOperation {
client.AccessTokenTTL = d.Get("access_token_ttl").(int)
client.AccessTokenTTL = time.Duration(d.Get("access_token_ttl").(int)) * time.Second
}
if client.ClientID == "" {
@ -992,8 +995,8 @@ func (i *IdentityStore) pathOIDCReadClient(ctx context.Context, req *logical.Req
"redirect_uris": client.RedirectURIs,
"assignments": client.Assignments,
"key": client.Key,
"id_token_ttl": client.IDTokenTTL,
"access_token_ttl": client.AccessTokenTTL,
"id_token_ttl": int64(client.IDTokenTTL.Seconds()),
"access_token_ttl": int64(client.AccessTokenTTL.Seconds()),
"client_id": client.ClientID,
"client_secret": client.ClientSecret,
},
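Review bot: Changing `IDTokenTTL` and `AccessTokenTTL` from `int` to `time.Duration` while keeping the same `json:"id_token_ttl"`/`json:"access_token_ttl"` tags (the `client` struct hunk) silently reinterprets any already-persisted client entry: a stored `86400` now decodes as 86400 nanoseconds, not 24 hours, because `time.Duration` is an `int64` count of nanoseconds. If entries could have been written under the old encoding, the read path needs an upgrade step (for example, treating a decoded value below `time.Second` as legacy seconds and rewriting it) or a storage version bump; if this feature has not shipped, a short comment on the struct stating that the field encoding changed and why no migration is needed would save the next reader the same worry. Separately, the four conversions in `pathOIDCCreateUpdateClient` store whatever the field parses, so a zero or negative TTL is accepted as-is; unless it is rejected further down (the function continues past the hunk), a guard such as `if client.IDTokenTTL <= 0 { return logical.ErrorResponse("id_token_ttl must be greater than zero"), nil }` (and the same for `AccessTokenTTL`) would close that gap.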


@ -332,8 +332,8 @@ func TestOIDC_Path_OIDC_ProviderClient(t *testing.T) {
"redirect_uris": []string{},
"assignments": []string{},
"key": "test-key",
"id_token_ttl": 0,
"access_token_ttl": 0,
"id_token_ttl": int64(86400),
"access_token_ttl": int64(86400),
"client_id": resp.Data["client_id"],
"client_secret": resp.Data["client_secret"],
}
@ -357,8 +357,8 @@ func TestOIDC_Path_OIDC_ProviderClient(t *testing.T) {
"redirect_uris": "http://localhost:3456/callback",
"assignments": "my-assignment",
"key": "test-key",
"id_token_ttl": 0,
"access_token_ttl": 0,
"id_token_ttl": "90s",
"access_token_ttl": "1m",
},
Storage: storage,
})
@ -375,8 +375,8 @@ func TestOIDC_Path_OIDC_ProviderClient(t *testing.T) {
"redirect_uris": []string{"http://localhost:3456/callback"},
"assignments": []string{"my-assignment"},
"key": "test-key",
"id_token_ttl": 0,
"access_token_ttl": 0,
"id_token_ttl": int64(90),
"access_token_ttl": int64(60),
"client_id": resp.Data["client_id"],
"client_secret": resp.Data["client_secret"],
}
@ -452,8 +452,8 @@ func TestOIDC_Path_OIDC_ProviderClient_Deduplication(t *testing.T) {
"redirect_uris": []string{"http://example.com", "http://notduplicate.com"},
"assignments": []string{"test-assignment1"},
"key": "test-key",
"id_token_ttl": 0,
"access_token_ttl": 0,
"id_token_ttl": int64(86400),
"access_token_ttl": int64(86400),
"client_id": resp.Data["client_id"],
"client_secret": resp.Data["client_secret"],
}
@ -496,8 +496,8 @@ func TestOIDC_Path_OIDC_ProviderClient_Update(t *testing.T) {
"redirect_uris": "http://localhost:3456/callback",
"assignments": "my-assignment",
"key": "test-key",
"id_token_ttl": 0,
"access_token_ttl": 0,
"id_token_ttl": "2m",
"access_token_ttl": "1h",
},
})
expectSuccess(t, resp, err)
@ -513,8 +513,8 @@ func TestOIDC_Path_OIDC_ProviderClient_Update(t *testing.T) {
"redirect_uris": []string{"http://localhost:3456/callback"},
"assignments": []string{"my-assignment"},
"key": "test-key",
"id_token_ttl": 0,
"access_token_ttl": 0,
"id_token_ttl": int64(120),
"access_token_ttl": int64(3600),
"client_id": resp.Data["client_id"],
"client_secret": resp.Data["client_secret"],
}
@ -527,7 +527,9 @@ func TestOIDC_Path_OIDC_ProviderClient_Update(t *testing.T) {
Path: "oidc/client/test-client",
Operation: logical.UpdateOperation,
Data: map[string]interface{}{
"redirect_uris": "http://localhost:3456/callback2",
"redirect_uris": "http://localhost:3456/callback2",
"id_token_ttl": "30",
"access_token_ttl": "1m",
},
Storage: storage,
})
@ -544,8 +546,8 @@ func TestOIDC_Path_OIDC_ProviderClient_Update(t *testing.T) {
"redirect_uris": []string{"http://localhost:3456/callback2"},
"assignments": []string{"my-assignment"},
"key": "test-key",
"id_token_ttl": 0,
"access_token_ttl": 0,
"id_token_ttl": int64(30),
"access_token_ttl": int64(60),
"client_id": resp.Data["client_id"],
"client_secret": resp.Data["client_secret"],
}
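Review bot: The updated expectations only exercise positive durations (`90s`, `1m`, `30`, `2m`, `1h`), so the behaviour of the new `time.Duration` handling for `"id_token_ttl": "0"` or a negative value is left unpinned by these tests. One create/update case asserting whatever the handler is meant to do for a non-positive TTL would make that contract explicit; the enclosing test functions start outside the hunks, so the existing setup can presumably be reused.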