fix: enforce single expiration timestamp per storage credential bundle#4226
Closed
yushesp wants to merge 1 commit into
Closed
fix: enforce single expiration timestamp per storage credential bundle#4226yushesp wants to merge 1 commit into
yushesp wants to merge 1 commit into
Conversation
StorageAccessConfig.Builder.put() silently overwrites expiresAt when multiple expiration timestamp properties are set. Only a single expiration timestamp is valid per credential bundle. Multiple timestamps indicate incorrect behavior that should fail fast rather than silently picking one. This mirrors the same fix applied to ConnectionCredentials.of() in apache#4173. Also fixes AwsCredentialsStorageIntegration which was the only production caller setting two expiration timestamps (EXPIRATION_TIME and AWS_SESSION_TOKEN_EXPIRES_AT_MS) via put().
Contributor
Author
dimas-b
reviewed
Apr 17, 2026
| * calls to {@link Builder#put} with different expiration timestamp properties silently overwrite | ||
| * {@link StorageAccessConfig#expiresAt()}. | ||
| */ | ||
| class ValidatingBuilder implements Builder { |
Contributor
There was a problem hiding this comment.
Can @Value.Check work?
Cf.
|
|
||
| assertThat( | ||
| StorageAccessConfig.builder() | ||
| .put(GCS_ACCESS_TOKEN_EXPIRES_AT, "111") |
Contributor
There was a problem hiding this comment.
Maybe use @ParameterizedTest and also add coverage for AZURE_SAS_TOKEN_EXPIRES_AT_MS_PREFIX?
| .ifPresent( | ||
| i -> { | ||
| accessConfig.put( | ||
| StorageAccessProperty.EXPIRATION_TIME, String.valueOf(i.toEpochMilli())); |
Contributor
There was a problem hiding this comment.
Is the EXPIRATION_TIME property used anymore? Let's deprecate it.
Contributor
There was a problem hiding this comment.
Please also mention it in CHANGELOG that we're no longer emitting this property.
AFAIK, it is not used by clients, but let's also discuss this on dev to double check.
|
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
github-project-automation
Bot
moved this from PRs In Progress
to Done
in Basic Kanban Board
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
StorageAccessConfig.Builder.put()silently overwritesexpiresAtwhen multiple expiration timestamp properties are set. Only a single expiration timestamp is valid per credential bundle. Multiple timestamps indicate incorrect behavior that should fail fast rather than silently picking one.This mirrors the same fix applied to
ConnectionCredentials.of()in #4173.Also fixes
AwsCredentialsStorageIntegrationwhich was the only production caller setting two expiration timestamps (EXPIRATION_TIMEandAWS_SESSION_TOKEN_EXPIRES_AT_MS).Checklist
CHANGELOG.md(if needed)site/content/in-dev/unreleased(if needed)