identity: do not allow a role's token_ttl to be longer than verification_ttl #12151
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When updating a key, ensure any roles referencing the key do not already have a token_ttl greater than the key's verification_ttl
fairclothjm
requested review from
jasonodonnell,
calvn,
vinay-gopalan and
austingebauer
fairclothjm
commented
Jul 22, 2021
calvn
reviewed
Jul 22, 2021
There was a problem hiding this comment.
We could also consider changing the line where we ultimately set on ID token's Expiry value during token generation by using the floor of the two.
In that case, would we want to add a warning if we are not using a value set by the user explicitly? It does seem like a simpler option. |
|
Yeah, a warning would be useful. I also didn't imply that we should remove the checks that you added. I was suggesting that we could do both :) |
calvn
reviewed
Jul 22, 2021
- remove make slice in favor of var delcaration - remove unneeded if check - validate expiry value during token generation - update changelog as bug
calvn
approved these changes
Jul 27, 2021
calvn
approved these changes
Jul 28, 2021
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
calvn
pushed a commit
that referenced
this pull request
Jul 29, 2021
…ion_ttl (#12151) * do not allow token_ttl to be longer than verification_ttl * add verification when updating an existing key When updating a key, ensure any roles referencing the key do not already have a token_ttl greater than the key's verification_ttl * add changelog * remove unneeded UT check and comment * refactor based on PR comments - remove make slice in favor of var delcaration - remove unneeded if check - validate expiry value during token generation - update changelog as bug * refactor get roles referencing target key names logic * add note about thread safety to helper func * update func comment * sort array and refactor func names * add warning to return response * remove unnecessary code from unit test * Update vault/identity_store_oidc.go Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
calvn
added a commit
that referenced
this pull request
Jul 30, 2021
…ion_ttl (#12151) (#12213) * do not allow token_ttl to be longer than verification_ttl * add verification when updating an existing key When updating a key, ensure any roles referencing the key do not already have a token_ttl greater than the key's verification_ttl * add changelog * remove unneeded UT check and comment * refactor based on PR comments - remove make slice in favor of var delcaration - remove unneeded if check - validate expiry value during token generation - update changelog as bug * refactor get roles referencing target key names logic * add note about thread safety to helper func * update func comment * sort array and refactor func names * add warning to return response * remove unnecessary code from unit test * Update vault/identity_store_oidc.go Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> Co-authored-by: John-Michael Faircloth <fairclothjm@users.noreply.github.com> Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
jartek
pushed a commit
to jartek/vault
that referenced
this pull request
Sep 11, 2021
…ion_ttl (hashicorp#12151) * do not allow token_ttl to be longer than verification_ttl * add verification when updating an existing key When updating a key, ensure any roles referencing the key do not already have a token_ttl greater than the key's verification_ttl * add changelog * remove unneeded UT check and comment * refactor based on PR comments - remove make slice in favor of var delcaration - remove unneeded if check - validate expiry value during token generation - update changelog as bug * refactor get roles referencing target key names logic * add note about thread safety to helper func * update func comment * sort array and refactor func names * add warning to return response * remove unnecessary code from unit test * Update vault/identity_store_oidc.go Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes issue #11441 which reported that OIDC identity tokens can have a TTL longer than their signing key will be visible.
Tests
Test role invalid TTL
Test that an attempt to create a new role checks that the token
ttlis not greater than the key'sverification_ttlError:
Test key invalid TTL
Test that an update to an existing key that is referenced by a role cannot have its
verification_ttlexceed the role'sttlError: