Commit
* Add max duration option to access request (#29042)

* Add 'persist' attribute to time-limited access requests

  A 'persist' attribute was added to access requests, specifying how long the access will be granted for.

* Add comments

  Remove unused code

* Add new role and refactor testing for persist durations

  Included a new role, 'requestedRole2' to increase the diversity of the tests. Also refactored the testing descriptions for 'persist can exceed maxTTL' and 'persist shorter than maxTTL' to the user 'bob'. Added new test situations considering the role's maximum time to live. The purpose of these edits is to ensure that only the required roles are taken into account for persist duration, and this needs to be properly reflected in our tests.

* Initialize role persist cache

  This change allows the initialization of the role persist cache under the local user role map. This is necessary because previously, if the map was not initialized, it could result in null pointer exceptions when attempting to add entries. Now, the map is guaranteed to be initialized prior to adding any roles.

* Replace "Persist" with "MaxDuration" in various files

  Renamed the "Persist" field in a number of auth and tsh related files to "MaxDuration". This name change more accurately reflects the nature of these fields, namely how long certain types of access should be granted for.

* "Rename 'persist' to 'maxDuration' in access request logic"

  This commit renames all variables, parameters, and functions called 'persist' to 'maxDuration' and modifies the relevant comments and error messages in the access request logic in the services library. The aim is to make the naming more descriptive and meaningful, which could lead to more maintainable code. Specifically, 'maxDuration' is a more accurate description of the maximum duration an access request can be active and granted for. 'persist' may be easily misconstrued as relating to data persistence, which is not the intention.

* Refactor 'persist' to 'maxDuration' in access request code

  Changes have been made to the variable name 'persist' in the access request code, renaming it to 'maxDuration'. This change is aimed towards improving code readability and determining the function of the variable more clearly. The adjusted name 'maxDuration' reflects its actual purpose - limiting the maximum duration of access requests. This change affects the 'access_request.go' file and the respective tests in 'tsh_test.go'.

* Apply code review suggestions

* Refactor max duration calculation in access requests

  Add more tests

* Add SessionTTL to the Access Request object (#29658)

* Add SessionTTL to the Access Request object

  New field Session TTL holds information on how long a generated certificate will be valid for when the max duration is used. The newly implemented V2 API endpoint is to be used for this purpose, to ensure backwards compatibility. The V1 API usage is marked for deprecation in version 15.0.0.

* Update session TTL handling and fix access request string representation

  Modified the access request logic to consider the maxDuration flag while setting the sessionTTL. Instead of simply replacing sessionTTL with the maxDuration (when maxDuration is set), the minimum value of sessionTTL and maxDuration is now used. This change has been reflected in the unit test as well. Also, the string representation of AccessRequest is fixed to accurately represent the user and roles. The changes improve the handling of sessionTTL, providing a more accurate session duration that considers both session TTL and max duration. Furthermore, this improves AccessRequest debugging by providing a more descriptive string representation.

* Deprecate old CreateAccessRequest method

  The old CreateAccessRequest method is marked as deprecated in the proto files. This commit indicates it will be deleted in v15.0.0. Users are urged to use CreateAccessRequestV2 instead to create new access requests.

* Fix test

* Fix test

* Add 'max_duration' to role operator configuration files

  A 'max_duration' field has been added to the role configuration files. This field specifies the amount of time for which access is granted. If set to zero, the default duration will be used.