Merge pull request #212 from enj/enj/i/restore_cert_ttl

Reduce client cert TTL back to 5 mins
This commit is contained in:
Matt Moyer 2020-11-13 14:11:44 -06:00 committed by GitHub
commit f4dfc22f8e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 8 additions and 8 deletions

View File

@ -27,7 +27,7 @@ import (
// This could certainly be made configurable by an installer of pinniped, but we
// will see if we can save adding a configuration knob with a reasonable default
// here.
const certBackdate = 5 * time.Minute
const certBackdate = 10 * time.Second
type env struct {
// secure random number generators for various steps (usually crypto/rand.Reader, but broken out here for tests).

View File

@ -94,7 +94,7 @@ func TestNew(t *testing.T) {
caCert, err := x509.ParseCertificate(got.caCertBytes)
require.NoError(t, err)
require.Equal(t, "Test CA", caCert.Subject.CommonName)
require.WithinDuration(t, now.Add(-5*time.Minute), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, now.Add(-10*time.Second), caCert.NotBefore, 10*time.Second)
require.WithinDuration(t, now.Add(time.Minute), caCert.NotAfter, 10*time.Second)
}
@ -149,7 +149,7 @@ func TestNewInternal(t *testing.T) {
},
wantCommonName: "Test CA",
wantNotAfter: now.Add(time.Minute),
wantNotBefore: now.Add(-5 * time.Minute),
wantNotBefore: now.Add(-10 * time.Second),
},
}
for _, tt := range tests {

View File

@ -22,7 +22,7 @@ import (
)
// clientCertificateTTL is the TTL for short-lived client certificates returned by this API.
const clientCertificateTTL = 1 * time.Hour
const clientCertificateTTL = 5 * time.Minute
type Storage interface {
rest.Creater

View File

@ -69,7 +69,7 @@ func TestCreate(t *testing.T) {
CommonName: "test-user",
Organization: []string{"test-group-1", "test-group-2"}},
[]string{},
1*time.Hour,
5*time.Minute,
).Return([]byte("test-cert"), []byte("test-key"), nil)
storage := NewREST(requestAuthenticator, issuer)
@ -81,7 +81,7 @@ func TestCreate(t *testing.T) {
expires := response.(*loginapi.TokenCredentialRequest).Status.Credential.ExpirationTimestamp
r.NotNil(expires)
r.InDelta(time.Now().Add(1*time.Hour).Unix(), expires.Unix(), 5)
r.InDelta(time.Now().Add(5*time.Minute).Unix(), expires.Unix(), 5)
response.(*loginapi.TokenCredentialRequest).Status.Credential.ExpirationTimestamp = metav1.Time{}
r.Equal(response, &loginapi.TokenCredentialRequest{

View File

@ -78,7 +78,7 @@ func TestClient(t *testing.T) {
require.NoError(t, err)
require.NotNil(t, resp.Status.ExpirationTimestamp)
require.InDelta(t, time.Until(resp.Status.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
require.InDelta(t, 5*time.Minute, time.Until(resp.Status.ExpirationTimestamp.Time), float64(time.Minute))
// Create a client using the certificate and key returned by the token exchange.
validClient := library.NewClientsetWithCertAndKey(t, resp.Status.ClientCertificateData, resp.Status.ClientKeyData)

View File

@ -64,7 +64,7 @@ func TestSuccessfulCredentialRequest(t *testing.T) {
require.ElementsMatch(t, env.TestUser.ExpectedGroups, getOrganizations(t, response.Status.Credential.ClientCertificateData))
require.NotEmpty(t, response.Status.Credential.ClientKeyData)
require.NotNil(t, response.Status.Credential.ExpirationTimestamp)
require.InDelta(t, time.Until(response.Status.Credential.ExpirationTimestamp.Time), 1*time.Hour, float64(3*time.Minute))
require.InDelta(t, 5*time.Minute, time.Until(response.Status.Credential.ExpirationTimestamp.Time), float64(time.Minute))
// Create a client using the admin kubeconfig.
adminClient := library.NewClientset(t)