service accounts are allowed to have no expiration (#17397)

2023-06-11 10:34:59 -07:00 · 2023-06-11 10:34:59 -07:00 · c9e87f0548
parent 43468f4d47
commit c9e87f0548
1 changed files with 6 additions and 0 deletions
--- a/cmd/iam-store.go
+++ b/cmd/iam-store.go
@ -2343,11 +2343,17 @@ func extractJWTClaims(u UserIdentity) (*jwt.MapClaims, error) {
 }

 func validateSvcExpirationInUTC(expirationInUTC time.Time) error {
+	if expirationInUTC.IsZero() || expirationInUTC.Equal(timeSentinel) {
+		// Service accounts might not have expiration in older releases.
+		return nil
+	}
+
 	currentTime := time.Now().UTC()
 	minExpiration := currentTime.Add(minServiceAccountExpiry)
 	maxExpiration := currentTime.Add(maxServiceAccountExpiry)
 	if expirationInUTC.Before(minExpiration) || expirationInUTC.After(maxExpiration) {
 		return errInvalidSvcAcctExpiration
 	}
+
 	return nil
 }