

Fixes spiffe#3581: Ensures that config default_svid_ttl can still be used

Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
dennisgove committed Nov 7, 2022
1 parent d98577f commit bd56c20
Showing 2 changed files with 17 additions and 12 deletions.
27 changes: 17 additions & 10 deletions cmd/spire-server/cli/run/run.go
Expand Up @@ -469,7 +469,8 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
sc.AgentTTL = ttl
}

if c.Server.DefaultX509SVIDTTL != "" {
switch {
case c.Server.DefaultX509SVIDTTL != "":
ttl, err := time.ParseDuration(c.Server.DefaultX509SVIDTTL)
if err != nil {
return nil, fmt.Errorf("could not parse default X509 SVID ttl %q: %w", c.Server.DefaultX509SVIDTTL, err)
Expand All @@ -479,14 +480,18 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
if sc.X509SVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" {
logger.Warnf("both default_x509_svid_ttl and default_svid_ttl are configured; default_x509_svid_ttl (%s) will be used for X509-SVIDs", c.Server.DefaultX509SVIDTTL)
}
} else if c.Server.DefaultSVIDTTL != "" {
case c.Server.DefaultSVIDTTL != "":
logger.Warn("field default_svid_ttl is deprecated; consider using default_x509_svid_ttl and default_jwt_svid_ttl instead")

ttl, err := time.ParseDuration(c.Server.DefaultSVIDTTL)
if err != nil {
return nil, fmt.Errorf("could not parse default SVID ttl %q: %w", c.Server.DefaultSVIDTTL, err)
}
sc.X509SVIDTTL = ttl
default:
// If neither new nor deprecated config value is set, then use hard-coded default TTL
// Note, due to back-compat issues we cannot set this default inside defaultConfig() function
sc.X509SVIDTTL = ca.DefaultX509SVIDTTL
}

if c.Server.DefaultJWTSVIDTTL != "" {
Expand All @@ -499,6 +504,10 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
if sc.JWTSVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" {
logger.Warnf("both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (%s) will be used for JWT-SVIDs", c.Server.DefaultJWTSVIDTTL)
}
} else {
// If not set using new field then use hard-coded default TTL
// Note, due to back-compat issues we cannot set this default inside defaultConfig() function
sc.JWTSVIDTTL = ca.DefaultJWTSVIDTTL
}

if c.Server.CATTL != "" {
Expand Down Expand Up @@ -831,14 +840,12 @@ func checkForUnknownConfig(c *Config, l logrus.FieldLogger) (err error) {
func defaultConfig() *Config {
return &Config{
Server: &serverConfig{
BindAddress: "0.0.0.0",
BindPort: 8081,
CATTL: ca.DefaultCATTL.String(),
LogLevel: defaultLogLevel,
LogFormat: log.DefaultFormat,
DefaultX509SVIDTTL: ca.DefaultX509SVIDTTL.String(),
DefaultJWTSVIDTTL: ca.DefaultJWTSVIDTTL.String(),
Experimental: experimentalConfig{},
BindAddress: "0.0.0.0",
BindPort: 8081,
CATTL: ca.DefaultCATTL.String(),
LogLevel: defaultLogLevel,
LogFormat: log.DefaultFormat,
Experimental: experimentalConfig{},
},
}
}
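Review bot: The comments added in the `default:` arm (hunk at @@ -479) and in the `else` branch (hunk at @@ -499) say the default cannot be set inside defaultConfig() "due to back-compat issues" without naming the issue, so a later maintainer cannot tell what would break if the defaults were moved back. From the commit title and the defaultConfig() hunk the reason appears to be that a pre-populated default_x509_svid_ttl / default_jwt_svid_ttl is indistinguishable from a user-supplied one and therefore always wins over a user-supplied, deprecated default_svid_ttl; I would say so, e.g. `// Not set in defaultConfig(): a pre-populated default_x509_svid_ttl would mask a user-supplied (deprecated) default_svid_ttl (spiffe#3581).`, and the same for the JWT branch. One hedged question on the @@ -499 hunk: when only default_svid_ttl is configured, JWTSVIDTTL now falls through to ca.DefaultJWTSVIDTTL, yet the warning a few lines above ("both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (%s) will be used for JWT-SVIDs") reads as if default_svid_ttl otherwise applied to JWT-SVIDs — if the deprecated value is meant to cover X509-SVIDs only, the deprecation warning in the @@ -479 hunk should state that, and if not, the `else` branch would need to consult DefaultSVIDTTL as well; the run_test.go change only asserts X509SVIDTTL within the visible lines. NewServerConfig begins and ends outside these hunks.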
2 changes: 0 additions & 2 deletions cmd/spire-server/cli/run/run_test.go
Expand Up @@ -639,8 +639,6 @@ func TestNewServerConfig(t *testing.T) {
msg: "default_svid_ttl is correctly parsed",
input: func(c *Config) {
c.Server.DefaultSVIDTTL = "1m"
c.Server.DefaultX509SVIDTTL = ""
c.Server.DefaultJWTSVIDTTL = ""
},
test: func(t *testing.T, c *server.Config) {
require.Equal(t, time.Minute, c.X509SVIDTTL)

