Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry #17066

Merged
merged 4 commits into from
Apr 28, 2023
Merged

Remove artificial ACLTokenMaxTTL limit for configuring acl token expiry #17066

merged 4 commits into from
Apr 28, 2023

Conversation

johnlanda
Copy link
Contributor

@johnlanda johnlanda commented Apr 20, 2023
edited
Loading

Description

The default expiry for an ACL token is never. Currently, when supplying an acl token ttl value the max allowed via the -expires-ttl flag is 24 hours.

This change sets the default max ttl value for ACL tokens to the max duration value.

Testing & Reproduction steps

  • command/acl/token/create/token_create_test.go
    • expires-ttl_short
    • expires-ttl_long

Links

-expires-ttl flag docs

PR Checklist

  • updated test coverage
  • external facing docs updated
  • appropriate backport labels added
  • not a security concern

@hashicorp-cla
Copy link

hashicorp-cla commented Apr 20, 2023
edited
Loading

CLA assistant check
All committers have signed the CLA.

@github-actions github-actions bot added the theme/cli Flags and documentation for the CLI interface label Apr 20, 2023
johnlanda
johnlanda commented Apr 21, 2023
View reviewed changes
test/integration/consul-container/test/consul_envoy_version/consul_envoy_version.go Outdated
@@ -34,7 +34,7 @@ func main() {
sort.Sort(sort.Reverse(sort.StringSlice(cev.EnvoyVersions)))

ceVersions := consulEnvoyVersions{
ConsulVersion: string(cVersion),
ConsulVersion: cVersion,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was causing issues with the linter.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this change has already been applied to main. You may need to merge/rebase.

johnlanda
johnlanda commented Apr 21, 2023
View reviewed changes
agent/consul/acl_endpoint_test.go
@@ -3261,21 +3261,6 @@ func TestACLEndpoint_AuthMethodSet(t *testing.T) {
err := aclEp.AuthMethodSet(&req, &resp)
testutil.RequireErrorContains(t, err, "MaxTokenTTL 1ms cannot be less than")
})

t.Run("Create with MaxTokenTTL too big", func(t *testing.T) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default max is now the max int64 value so removing this test.

@johnlanda johnlanda requested review from a team, eikenb and cthain and removed request for a team April 21, 2023 16:25
johnlanda
johnlanda commented Apr 21, 2023
View reviewed changes
agent/consul/config.go
ACLTokenMaxExpirationTTL: 24 * time.Hour,
// Duration is stored as an int64. Setting the default max
// to the max possible duration (approx 290 years).
ACLTokenMaxExpirationTTL: 1<<63 - 1,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alternatively, we could rework things so that this value is completely removed but I figured it makes sense to allow people to still configure their own max if they want. So just setting the default to the max time.Duration value.

cthain
cthain approved these changes Apr 21, 2023
View reviewed changes
Copy link
Contributor

@cthain cthain left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is awesome @johnlanda. Congrats on your first PR! I just had one non-blocking nitpick.

.changelog/17066.txt Outdated Show resolved Hide resolved
test/integration/consul-container/test/consul_envoy_version/consul_envoy_version.go Outdated
@@ -34,7 +34,7 @@ func main() {
sort.Sort(sort.Reverse(sort.StringSlice(cev.EnvoyVersions)))

ceVersions := consulEnvoyVersions{
ConsulVersion: string(cVersion),
ConsulVersion: cVersion,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this change has already been applied to main. You may need to merge/rebase.

@johnlanda johnlanda force-pushed the NET-3743 branch 2 times, most recently from aed1cce to d8b841e Compare April 24, 2023 14:13
@johnlanda johnlanda merged commit eded58b into main Apr 28, 2023
@johnlanda johnlanda deleted the NET-3743 branch April 28, 2023 15:57
@p-linnane p-linnane mentioned this pull request Jun 27, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkirschner-hashicorp jkirschner-hashicorp jkirschner-hashicorp left review comments

@cthain cthain cthain approved these changes

@eikenb eikenb Awaiting requested review from eikenb

Assignees
No one assigned
Labels
pr/no-backport theme/cli Flags and documentation for the CLI interface
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@johnlanda @hashicorp-cla @cthain @jkirschner-hashicorp