21 changes: 1 addition & 20 deletions cmd/spire-server/cli/run/run.go
Expand Up @@ -96,9 +96,6 @@ type serverConfig struct {
ProfilingFreq int `hcl:"profiling_freq"`
ProfilingNames []string `hcl:"profiling_names"`

// Deprecated: remove in SPIRE 1.6.0
DefaultSVIDTTL string `hcl:"default_svid_ttl"`

UnusedKeys []string `hcl:",unusedKeys"`
}

Expand Down Expand Up @@ -479,18 +476,6 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
return nil, fmt.Errorf("could not parse default X509 SVID ttl %q: %w", c.Server.DefaultX509SVIDTTL, err)
}
sc.X509SVIDTTL = ttl

if sc.X509SVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" {
logger.Warnf("both default_x509_svid_ttl and default_svid_ttl are configured; default_x509_svid_ttl (%s) will be used for X509-SVIDs", c.Server.DefaultX509SVIDTTL)
}
case c.Server.DefaultSVIDTTL != "":
logger.Warn("field default_svid_ttl is deprecated; consider using default_x509_svid_ttl and default_jwt_svid_ttl instead")

ttl, err := time.ParseDuration(c.Server.DefaultSVIDTTL)
if err != nil {
return nil, fmt.Errorf("could not parse default SVID ttl %q: %w", c.Server.DefaultSVIDTTL, err)
}
sc.X509SVIDTTL = ttl
default:
// If neither new nor deprecated config value is set, then use hard-coded default TTL
// Note, due to back-compat issues we cannot set this default inside defaultConfig() function
Expand All @@ -503,10 +488,6 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
return nil, fmt.Errorf("could not parse default JWT SVID ttl %q: %w", c.Server.DefaultJWTSVIDTTL, err)
}
sc.JWTSVIDTTL = ttl

if sc.JWTSVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" {
logger.Warnf("both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (%s) will be used for JWT-SVIDs", c.Server.DefaultJWTSVIDTTL)
}
} else {
// If not set using new field then use hard-coded default TTL
// Note, due to back-compat issues we cannot set this default inside defaultConfig() function
Expand All @@ -528,7 +509,7 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
ttl time.Duration
}{
{
name: "default_x509_svid_ttl (or deprecated default_svid_ttl)",
name: "default_x509_svid_ttl",
ttl: sc.X509SVIDTTL,
},
{
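Review bot: The comment `// If neither new nor deprecated config value is set, then use hard-coded default TTL` in the second hunk of run.go is now stale, because the `case c.Server.DefaultSVIDTTL != ""` branch it describes is deleted; change it to `// If default_x509_svid_ttl is not set, use the hard-coded default TTL`. More importantly, a config file that still sets `default_svid_ttl` now lands in `UnusedKeys` (first hunk) instead of being parsed, so an operator who had deliberately shortened SVID lifetime through the deprecated key would silently fall back to the hard-coded default unless the unknown-key handling outside these hunks (presumably governed by the `allowUnknownConfig` parameter) rejects it. Consider an explicit migration error ahead of the TTL switch, e.g. `if slices.Contains(c.Server.UnusedKeys, "default_svid_ttl") { return nil, errors.New("default_svid_ttl has been removed; use default_x509_svid_ttl and default_jwt_svid_ttl") }` (`slices.Contains` needs Go 1.21; a short loop works otherwise), so the credential-lifetime change is surfaced at startup rather than discovered later. The enclosing NewServerConfig body begins and ends outside the hunks shown.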
119 changes: 1 addition & 118 deletions cmd/spire-server/cli/run/run_test.go
Expand Up @@ -351,18 +351,6 @@ func TestMergeInput(t *testing.T) {
require.Equal(t, "DEBUG", c.Server.LogLevel)
},
},
{
msg: "default_svid_ttl should be configurable by file",
fileInput: func(c *Config) {
c.Server.DefaultSVIDTTL = "1h"
c.Server.DefaultX509SVIDTTL = ""
c.Server.DefaultJWTSVIDTTL = ""
},
cliFlags: []string{},
test: func(t *testing.T, c *Config) {
require.Equal(t, "1h", c.Server.DefaultSVIDTTL)
},
},
{
msg: "default_x509_svid_ttl should be configurable by file",
fileInput: func(c *Config) {
Expand Down Expand Up @@ -635,15 +623,6 @@ func TestNewServerConfig(t *testing.T) {
}, c.Federation.FederatesWith)
},
},
{
msg: "default_svid_ttl is correctly parsed",
input: func(c *Config) {
c.Server.DefaultSVIDTTL = "1m"
},
test: func(t *testing.T, c *server.Config) {
require.Equal(t, time.Minute, c.X509SVIDTTL)
},
},
{
msg: "default_x509_svid_ttl is correctly parsed",
input: func(c *Config) {
Expand All @@ -662,18 +641,6 @@ func TestNewServerConfig(t *testing.T) {
require.Equal(t, 3*time.Minute, c.JWTSVIDTTL)
},
},
{
msg: "invalid default_svid_ttl returns an error",
expectError: true,
input: func(c *Config) {
c.Server.DefaultSVIDTTL = "b"
c.Server.DefaultX509SVIDTTL = ""
c.Server.DefaultJWTSVIDTTL = ""
},
test: func(t *testing.T, c *server.Config) {
require.Nil(t, c)
},
},
{
msg: "invalid default_x509_svid_ttl returns an error",
expectError: true,
Expand Down Expand Up @@ -1407,7 +1374,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
cases := []struct {
msg string
caTTL time.Duration
svidTTL time.Duration
x509SvidTTL time.Duration
jwtSvidTTL time.Duration
hasCompatibleSvidTTL bool
Expand All @@ -1417,97 +1383,30 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "All values are default values",
caTTL: 0,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "ca_ttl is large enough for all default SVID TTL",
caTTL: time.Hour * 7,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "ca_ttl is not large enough for the default SVID TTL",
caTTL: time.Minute * 1,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: false,
hasCompatibleX509SvidTTL: false,
hasCompatibleJwtSvidTTL: false,
},
{
msg: "default_svid_ttl is small enough for the default CA TTL",
caTTL: 0,
svidTTL: time.Hour * 3,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "default_svid_ttl is not small enough for the default CA TTL",
caTTL: 0,
svidTTL: time.Hour * 24,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: false,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "default_svid_ttl is small enough for the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: time.Hour * 1,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "default_svid_ttl is not small enough for the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: time.Hour * 23,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: false,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "default_svid_ttl is larger than the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: time.Hour * 25,
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: false,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "default_svid_ttl is small enough for the configured CA TTL but larger than the max",
caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months
svidTTL: time.Hour * 24 * 7 * 2, // Two weeks
x509SvidTTL: 0,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: false,
hasCompatibleX509SvidTTL: true,
hasCompatibleJwtSvidTTL: true,
},
{
msg: "default_x509_svid_ttl is small enough for the default CA TTL",
caTTL: 0,
svidTTL: 0,
x509SvidTTL: time.Hour * 3,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
Expand All @@ -1517,7 +1416,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_x509_svid_ttl is not small enough for the default CA TTL",
caTTL: 0,
svidTTL: 0,
x509SvidTTL: time.Hour * 24,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
Expand All @@ -1527,7 +1425,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_x509_svid_ttl is small enough for the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: 0,
x509SvidTTL: time.Hour * 1,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
Expand All @@ -1537,7 +1434,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_x509_svid_ttl is not small enough for the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: 0,
x509SvidTTL: time.Hour * 23,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
Expand All @@ -1547,7 +1443,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_x509_svid_ttl is larger than the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: 0,
x509SvidTTL: time.Hour * 25,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
Expand All @@ -1557,8 +1452,7 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_x509_svid_ttl is small enough for the configured CA TTL but larger than the max",
caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months
svidTTL: 0,
x509SvidTTL: time.Hour * 24 * 7 * 2, // Two weeks,
x509SvidTTL: time.Hour * 24 * 7 * 2, // Two weeks,
jwtSvidTTL: 0,
hasCompatibleSvidTTL: true,
hasCompatibleX509SvidTTL: false,
Expand All @@ -1567,7 +1461,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_jwt_svid_ttl is small enough for the default CA TTL",
caTTL: 0,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: time.Hour * 3,
hasCompatibleSvidTTL: true,
Expand All @@ -1577,7 +1470,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_jwt_svid_ttl is not small enough for the default CA TTL",
caTTL: 0,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: time.Hour * 24,
hasCompatibleSvidTTL: true,
Expand All @@ -1587,7 +1479,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_jwt_svid_ttl is small enough for the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: time.Hour * 1,
hasCompatibleSvidTTL: true,
Expand All @@ -1597,7 +1488,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_jwt_svid_ttl is not small enough for the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: time.Hour * 23,
hasCompatibleSvidTTL: true,
Expand All @@ -1607,7 +1497,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_jwt_svid_ttl is larger than the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: time.Hour * 25,
hasCompatibleSvidTTL: true,
Expand All @@ -1617,7 +1506,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "default_jwt_svid_ttl is small enough for the configured CA TTL but larger than the max",
caTTL: time.Hour * 24 * 7 * 4 * 6, // Six months
svidTTL: 0,
x509SvidTTL: 0,
jwtSvidTTL: time.Hour * 24 * 7 * 2, // Two weeks,,
hasCompatibleSvidTTL: true,
Expand All @@ -1627,7 +1515,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
{
msg: "all default svid_ttls are small enough for the configured CA TTL",
caTTL: time.Hour * 24,
svidTTL: time.Hour * 1,
x509SvidTTL: time.Hour * 1,
jwtSvidTTL: time.Hour * 1,
hasCompatibleSvidTTL: true,
Expand All @@ -1641,9 +1528,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
if testCase.caTTL == 0 {
testCase.caTTL = ca.DefaultCATTL
}
if testCase.svidTTL == 0 {
testCase.svidTTL = ca.DefaultX509SVIDTTL
}
if testCase.x509SvidTTL == 0 {
testCase.x509SvidTTL = ca.DefaultX509SVIDTTL
}
Expand All @@ -1652,7 +1536,6 @@ func TestHasCompatibleTTLs(t *testing.T) {
}

t.Run(testCase.msg, func(t *testing.T) {
require.Equal(t, testCase.hasCompatibleSvidTTL, hasCompatibleTTL(testCase.caTTL, testCase.svidTTL))
require.Equal(t, testCase.hasCompatibleX509SvidTTL, hasCompatibleTTL(testCase.caTTL, testCase.x509SvidTTL))
require.Equal(t, testCase.hasCompatibleJwtSvidTTL, hasCompatibleTTL(testCase.caTTL, testCase.jwtSvidTTL))
})
9 changes: 6 additions & 3 deletions conf/server/server_full.conf
Expand Up @@ -140,11 +140,14 @@ server {

# agent_ttl: The TTL to use for agent SVIDs, and thus the longest an
# agent can survive without checking back in to the server.
# Default: Value of default_svid_ttl
# Default: Value of default_x509_svid_ttl
# agent_ttl = "72h"

# default_svid_ttl: The default SVID TTL. Default: 1h.
# default_svid_ttl = "1h"
# default_x509_svid_ttl: The default X509-SVID TTL. Default: 1h.
# default_x509_svid_ttl = "1h"

# default_jwt_svid_ttl: The default JWT-SVID TTL. Default: 5m.
# default_jwt_svid_ttl = "5m"

# trust_domain: The trust domain that this server belongs to.
trust_domain = "example.org"