Honor DurationSeconds properly for WebIdentity (#8581)

Also cleanup code to add various constants for verbatim strings across the code base. Fixes #8482
2025-11-09 21:49:46 -05:00 · 2019-11-29 05:27:54 -08:00
parent c7844fb1fb
commit b21835f195
10 changed files with 194 additions and 95 deletions
--- a/pkg/auth/credentials.go
+++ b/pkg/auth/credentials.go
@@ -23,6 +23,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"strconv"
 	"strings"
 	"time"

@@ -136,25 +137,37 @@ func (cred Credentials) Equal(ccred Credentials) bool {

 var timeSentinel = time.Unix(0, 0).UTC()

-func expToInt64(expI interface{}) (expAt int64, err error) {
+// ErrInvalidDuration invalid token expiry
+var ErrInvalidDuration = errors.New("invalid token expiry")
+
+// ExpToInt64 - convert input interface value to int64.
+func ExpToInt64(expI interface{}) (expAt int64, err error) {
 	switch exp := expI.(type) {
+	case string:
+		expAt, err = strconv.ParseInt(exp, 10, 64)
 	case float64:
-		expAt = int64(exp)
+		expAt, err = int64(exp), nil
 	case int64:
-		expAt = exp
+		expAt, err = exp, nil
+	case int:
+		expAt, err = int64(exp), nil
+	case uint64:
+		expAt, err = int64(exp), nil
+	case uint:
+		expAt, err = int64(exp), nil
 	case json.Number:
 		expAt, err = exp.Int64()
-		if err != nil {
-			return 0, err
-		}
 	case time.Duration:
-		return time.Now().UTC().Add(exp).Unix(), nil
+		expAt, err = time.Now().UTC().Add(exp).Unix(), nil
 	case nil:
-		return 0, nil
+		expAt, err = 0, nil
 	default:
-		return 0, errors.New("invalid expiry value")
+		expAt, err = 0, ErrInvalidDuration
 	}
-	return expAt, nil
+	if expAt < 0 {
+		return 0, ErrInvalidDuration
+	}
+	return expAt, err
 }

 // GetNewCredentialsWithMetadata generates and returns new credential with expiry.
@@ -185,10 +198,11 @@ func GetNewCredentialsWithMetadata(m map[string]interface{}, tokenSecret string)
 	if err != nil {
 		return cred, err
 	}
-	cred.SecretKey = strings.Replace(string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen]), "/", "+", -1)
+	cred.SecretKey = strings.Replace(string([]byte(base64.StdEncoding.EncodeToString(keyBytes))[:secretKeyMaxLen]),
+		"/", "+", -1)
 	cred.Status = "on"

-	expiry, err := expToInt64(m["exp"])
+	expiry, err := ExpToInt64(m["exp"])
 	if err != nil {
 		return cred, err
 	}
--- a/pkg/auth/credentials_test.go
+++ b/pkg/auth/credentials_test.go
@@ -16,7 +16,43 @@

 package auth

-import "testing"
+import (
+	"encoding/json"
+	"testing"
+	"time"
+)
+
+func TestExpToInt64(t *testing.T) {
+	testCases := []struct {
+		exp             interface{}
+		expectedFailure bool
+	}{
+		{"", true},
+		{"-1", true},
+		{"1574812326", false},
+		{1574812326, false},
+		{int64(1574812326), false},
+		{int(1574812326), false},
+		{uint(1574812326), false},
+		{uint64(1574812326), false},
+		{json.Number("1574812326"), false},
+		{1574812326.000, false},
+		{time.Duration(3) * time.Minute, false},
+	}
+
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run("", func(t *testing.T) {
+			_, err := ExpToInt64(testCase.exp)
+			if err != nil && !testCase.expectedFailure {
+				t.Errorf("Expected success but got failure %s", err)
+			}
+			if err == nil && testCase.expectedFailure {
+				t.Error("Expected failure but got success")
+			}
+		})
+	}
+}

 func TestIsAccessKeyValid(t *testing.T) {
 	testCases := []struct {