credentialrequest: use safer approximation for ExpirationTimestamp
We want the value of time.Now() to be calculated before the call to IssueClientCertPEM to prevent the ExpirationTimestamp from being later than the notAfter timestamp on the issued certificate. Signed-off-by: Monis Khan <mok@vmware.com>
parent
73201ba575
commit
5ff2be973c
@ -106,6 +106,8 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
return failureResponse(), nil
|
return failureResponse(), nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// this timestamp should be returned from IssueClientCertPEM but this is a safe approximation
|
||||||
|
expires := metav1.NewTime(time.Now().UTC().Add(clientCertificateTTL))
|
||||||
certPEM, keyPEM, err := r.issuer.IssueClientCertPEM(userInfo.GetName(), userInfo.GetGroups(), clientCertificateTTL)
|
certPEM, keyPEM, err := r.issuer.IssueClientCertPEM(userInfo.GetName(), userInfo.GetGroups(), clientCertificateTTL)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
traceFailureWithError(t, "cert issuer", err)
|
traceFailureWithError(t, "cert issuer", err)
|
||||||
@ -117,7 +119,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
|
|||||||
return &loginapi.TokenCredentialRequest{
|
return &loginapi.TokenCredentialRequest{
|
||||||
Status: loginapi.TokenCredentialRequestStatus{
|
Status: loginapi.TokenCredentialRequestStatus{
|
||||||
Credential: &loginapi.ClusterCredential{
|
Credential: &loginapi.ClusterCredential{
|
||||||
ExpirationTimestamp: metav1.NewTime(time.Now().UTC().Add(clientCertificateTTL)),
|
ExpirationTimestamp: expires,
|
||||||
ClientCertificateData: string(certPEM),
|
ClientCertificateData: string(certPEM),
|
||||||
ClientKeyData: string(keyPEM),
|
ClientKeyData: string(keyPEM),
|
||||||
},
|
},
|
||||||
|
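Review bot: The comment added above `expires` says the value is a safe approximation but not why, and that safety now rests on statement order: `expires` must be computed before `r.issuer.IssueClientCertPEM(...)` so the reported ExpirationTimestamp cannot fall after the certificate's notAfter. I would spell that out, e.g. `// computed before IssueClientCertPEM so it is never later than the issued certificate's notAfter; keep this above the issuer call`. This presumably holds only while the issuer derives notAfter from its own clock reading plus the ttl, which is not visible here. A unit test that parses certPEM and checks that ExpirationTimestamp is not after NotAfter would pin the invariant, so a client caching the credential until the reported expiry never presents an expired certificate. Create starts and ends outside the hunks shown.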