service accounts are allowed to have no expiration (#17397)

This commit is contained in:
Harshavardhana 2023-06-11 10:34:59 -07:00 committed by GitHub
parent 43468f4d47
commit c9e87f0548
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -2343,11 +2343,17 @@ func extractJWTClaims(u UserIdentity) (*jwt.MapClaims, error) {
}
func validateSvcExpirationInUTC(expirationInUTC time.Time) error {
if expirationInUTC.IsZero() || expirationInUTC.Equal(timeSentinel) {
// Service accounts might not have expiration in older releases.
return nil
}
currentTime := time.Now().UTC()
minExpiration := currentTime.Add(minServiceAccountExpiry)
maxExpiration := currentTime.Add(maxServiceAccountExpiry)
if expirationInUTC.Before(minExpiration) || expirationInUTC.After(maxExpiration) {
return errInvalidSvcAcctExpiration
}
return nil
}