From 5ff2be973cb28dba2f97a0efb54bcbd2874c8b01 Mon Sep 17 00:00:00 2001
From: Monis Khan
Date: Wed, 23 Jun 2021 11:03:14 -0400
Subject: [PATCH] credentialrequest: use safer approximation for ExpirationTimestamp
We want the value of time.Now() to be calculated before the call to IssueClientCertPEM to prevent the ExpirationTimestamp from being later than the notAfter timestamp on the issued certificate.
Signed-off-by: Monis Khan
---
 internal/registry/credentialrequest/rest.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/internal/registry/credentialrequest/rest.go b/internal/registry/credentialrequest/rest.go
index 6e5b44b4..4c258bdd 100644
--- a/internal/registry/credentialrequest/rest.go
+++ b/internal/registry/credentialrequest/rest.go
@@ -106,6 +106,8 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 return failureResponse(), nil
 }
 
+ // this timestamp should be returned from IssueClientCertPEM but this is a safe approximation
+ expires := metav1.NewTime(time.Now().UTC().Add(clientCertificateTTL))
 certPEM, keyPEM, err := r.issuer.IssueClientCertPEM(userInfo.GetName(), userInfo.GetGroups(), clientCertificateTTL)
 if err != nil {
 traceFailureWithError(t, "cert issuer", err)
@@ -117,7 +119,7 @@ func (r *REST) Create(ctx context.Context, obj runtime.Object, createValidation
 return &loginapi.TokenCredentialRequest{
 Status: loginapi.TokenCredentialRequestStatus{
 Credential: &loginapi.ClusterCredential{
- ExpirationTimestamp: metav1.NewTime(time.Now().UTC().Add(clientCertificateTTL)),
+ ExpirationTimestamp: expires,
 ClientCertificateData: string(certPEM),
 ClientKeyData: string(keyPEM),
 },
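Review bot: The `expires` computed on the added line before the issuer call is still a guess at the certificate's notAfter: it assumes IssueClientCertPEM applies exactly `clientCertificateTTL` to a clock reading no earlier than this one, which no longer holds if the issuer clamps the lifetime to its CA's own expiry or encodes notAfter at the one-second granularity X.509 uses (neither is visible here, and a sub-second gap may remain depending on how metav1.Time is serialized), and the added comment itself says the value should come from the issuer. Since the issued certificate is in hand as `certPEM`, parsing it and reading `NotAfter` makes the advertised expiry exact rather than approximate, at the cost of one PEM decode and certificate parse per request. The sketch below drops the pre-call `expires` line, reads the expiry after issuance, and adds a small package-level helper; it needs `crypto/x509`, `encoding/pem` and `fmt` in the file's imports, and reuses the `failureResponse()` pattern visible at the top of the hunk. Create's body begins and ends outside the hunk.
```go
	// … unchanged: IssueClientCertPEM call and its error check …
	// Take the expiry from the certificate that was actually issued rather than
	// re-deriving it from the requested TTL, so ExpirationTimestamp can never be
	// later than the certificate's notAfter.
	expires, err := clientCertExpiry(certPEM)
	if err != nil {
		traceFailureWithError(t, "cert issuer", err)
		return failureResponse(), nil
	}
	// … unchanged: build TokenCredentialRequest with ExpirationTimestamp: expires …

// clientCertExpiry returns the NotAfter of the first PEM-encoded certificate
// in certPEM as a metav1.Time, or an error if certPEM is not a parseable
// PEM-encoded certificate.
func clientCertExpiry(certPEM []byte) (metav1.Time, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil {
		return metav1.Time{}, fmt.Errorf("issued client certificate is not PEM encoded")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return metav1.Time{}, fmt.Errorf("parsing issued client certificate: %w", err)
	}
	return metav1.NewTime(cert.NotAfter), nil
}
```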