Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unexpected default X509 SVID TTL #3581

Closed
dennisgove opened this issue Nov 7, 2022 · 3 comments · Fixed by #3583
Closed

Unexpected default X509 SVID TTL #3581

dennisgove opened this issue Nov 7, 2022 · 3 comments · Fixed by #3583
Labels
priority/urgent Issue is approved and is must be completed in the assigned milestone
Milestone

Comments

@dennisgove
Copy link
Contributor

PR #3445 added support for X509 and JWT specific SVID TTLs. As part of this, the spire-server binary config arguments were updated to include all of

DefaultSVIDTTL string `hcl:"default_svid_ttl"`
DefaultX509SVIDTTL string `hcl:"default_x509_svid_ttl"`
DefaultJWTSVIDTTL string `hcl:"default_jwt_svid_ttl"`

The following lines set the config defaults for the X509 and JWT SVIDs

DefaultX509SVIDTTL: ca.DefaultX509SVIDTTL.String(),
DefaultJWTSVIDTTL: ca.DefaultJWTSVIDTTL.String(),

The result is that the values for DefaultX509SVIDTTL and DefaultJWTSVIDTTL are always set to some value even if the startup config file does not set those.

On face this seems reasonable, but an issue appears if the startup config instead sets DefaultSVIDTTL and neither of the new X509/JWT specific values.

In such a case the following blocks will always be executed and the desired DefaultSVIDTTL will be ignored.

if c.Server.DefaultX509SVIDTTL != "" {
ttl, err := time.ParseDuration(c.Server.DefaultX509SVIDTTL)
if err != nil {
return nil, fmt.Errorf("could not parse default X509 SVID ttl %q: %w", c.Server.DefaultX509SVIDTTL, err)
}
sc.X509SVIDTTL = ttl
if sc.X509SVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" {
logger.Warnf("both default_x509_svid_ttl and default_svid_ttl are configured; default_x509_svid_ttl (%s) will be used for X509-SVIDs", c.Server.DefaultX509SVIDTTL)
}

if c.Server.DefaultJWTSVIDTTL != "" {
ttl, err := time.ParseDuration(c.Server.DefaultJWTSVIDTTL)
if err != nil {
return nil, fmt.Errorf("could not parse default JWT SVID ttl %q: %w", c.Server.DefaultJWTSVIDTTL, err)
}
sc.JWTSVIDTTL = ttl
if sc.JWTSVIDTTL != 0 && c.Server.DefaultSVIDTTL != "" {
logger.Warnf("both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (%s) will be used for JWT-SVIDs", c.Server.DefaultJWTSVIDTTL)
}

The result is a breaking change if someone has set the DefaultSVIDTTL value and has now updated to version 1.5.0.

For example, with this config file

server {
	...
	default_svid_ttl = "15m"
	...
}

the following will appear in the logs on startup

time="2022-11-07T19:46:50Z" level=warning msg="both default_x509_svid_ttl and default_svid_ttl are configured; default_x509_svid_ttl (1h0m0s) will be used for X509-SVIDs"
time="2022-11-07T19:46:50Z" level=warning msg="both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (5m0s) will be used for JWT-SVIDs"
@dennisgove
Copy link
Contributor Author

@azdagron for visibility

@dennisgove
Copy link
Contributor Author

These two lines in the test appear to be why this wasn't caught during testing. It was an issue I ran into during initial testing and resolved it incorrectly.

c.Server.DefaultX509SVIDTTL = ""
c.Server.DefaultJWTSVIDTTL = ""

Removing those two lines shows the test now failing as it should.

time="2022-11-07T15:08:10-05:00" level=warning msg="both default_x509_svid_ttl and default_svid_ttl are configured; default_x509_svid_ttl (1h0m0s) will be used for X509-SVIDs"
time="2022-11-07T15:08:10-05:00" level=warning msg="both default_jwt_svid_ttl and default_svid_ttl are configured; default_jwt_svid_ttl (5m0s) will be used for JWT-SVIDs"
.....

--- FAIL: TestNewServerConfig (0.01s)
    --- FAIL: TestNewServerConfig/default_svid_ttl_is_correctly_parsed (0.00s)
        run_test.go:646:
            	Error Trace:	/Users/dgove1/dev/spire/spire/cmd/spire-server/cli/run/run_test.go:646
            	            				/Users/dgove1/dev/spire/spire/cmd/spire-server/cli/run/run_test.go:1074
            	Error:      	Not equal:
            	            	expected: 1m0s
            	            	actual  : 1h0m0s
            	Test:       	TestNewServerConfig/default_svid_ttl_is_correctly_parsed

@azdagron
Copy link
Member

azdagron commented Nov 7, 2022

Yikes. We should fix this.

dennisgove added a commit to dennisgove/spire that referenced this issue Nov 7, 2022
dennisgove added a commit to dennisgove/spire that referenced this issue Nov 7, 2022
…used

Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
@evan2645 evan2645 added the priority/urgent Issue is approved and is must be completed in the assigned milestone label Nov 8, 2022
MarcosDY pushed a commit that referenced this issue Nov 8, 2022
…3583)

Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
MarcosDY pushed a commit that referenced this issue Nov 8, 2022
@MarcosDY MarcosDY added this to the 1.5.1 milestone Nov 8, 2022
stevend-uber pushed a commit to stevend-uber/spire that referenced this issue Oct 16, 2023
…used (spiffe#3583)

Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
priority/urgent Issue is approved and is must be completed in the assigned milestone
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants