mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-23 20:47:01 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update mtls cert lifetime (#2886)

Browse source
This commit is contained in:
Firstyear 2024-07-11 07:35:24 +10:00 committed by GitHub
parent bad8e819e5
commit 5af33ade0a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 17 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
server/lib/src/constants/mod.rs
View file

@ -150,6 +150,10 @@ pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 15 * 60;
/// we warn about possible clock synchronisation issues. /// we warn about possible clock synchronisation issues.
pub const REPL_SUPPLIER_ADVANCE_WINDOW: Duration = Duration::from_secs(600); pub const REPL_SUPPLIER_ADVANCE_WINDOW: Duration = Duration::from_secs(600);
/// The number of days that the default replication MTLS cert lasts for when
/// configured manually. Defaults to 4 years (including 1 day for the leap year).
pub const REPL_MTLS_CERTIFICATE_DAYS: u32 = 1461;
/// The default number of entries that a user may retrieve in a search /// The default number of entries that a user may retrieve in a search
pub const DEFAULT_LIMIT_SEARCH_MAX_RESULTS: u64 = 1024; pub const DEFAULT_LIMIT_SEARCH_MAX_RESULTS: u64 = 1024;
/// The default number of entries than an api token may retrieve in a search; /// The default number of entries than an api token may retrieve in a search;

8
server/lib/src/repl/supplier.rs
View file

@ -15,11 +15,13 @@ impl<'a> QueryServerWriteTransaction<'a> {
domain_name: &str, domain_name: &str,
) -> Result<(PKey<Private>, X509), OperationError> { ) -> Result<(PKey<Private>, X509), OperationError> {
// Invalid, must need to re-generate. // Invalid, must need to re-generate.
let expiration_days = 180;
let s_uuid = self.get_server_uuid(); let s_uuid = self.get_server_uuid();
let (private, x509) = let (private, x509) = build_self_signed_server_and_client_identity(
build_self_signed_server_and_client_identity(s_uuid, domain_name, expiration_days) s_uuid,
domain_name,
REPL_MTLS_CERTIFICATE_DAYS,
)
.map_err(|err| { .map_err(|err| {
error!(?err, "Unable to generate self signed key/cert"); error!(?err, "Unable to generate self signed key/cert");
// What error? // What error?

9
tools/cli/src/cli/oauth2.rs
View file

@ -1,8 +1,8 @@
use crate::common::OpType;
use crate::{handle_client_error, Oauth2Opt, OutputMode};
use anyhow::{Context, Error}; use anyhow::{Context, Error};
use std::fs::read; use std::fs::read;
use std::process::exit; use std::process::exit;
use crate::common::OpType;
use crate::{handle_client_error, Oauth2Opt, OutputMode};
use crate::Oauth2ClaimMapJoin; use crate::Oauth2ClaimMapJoin;
use kanidm_proto::internal::{ImageValue, Oauth2ClaimMapJoin as ProtoOauth2ClaimMapJoin}; use kanidm_proto::internal::{ImageValue, Oauth2ClaimMapJoin as ProtoOauth2ClaimMapJoin};
@ -301,10 +301,7 @@ impl Oauth2Opt {
Oauth2Opt::RemoveImage(nopt) => { Oauth2Opt::RemoveImage(nopt) => {
let client = nopt.copt.to_client(OpType::Write).await; let client = nopt.copt.to_client(OpType::Write).await;
match client match client.idm_oauth2_rs_delete_image(nopt.name.as_str()).await {
.idm_oauth2_rs_delete_image(nopt.name.as_str())
.await
{
Ok(_) => println!("Success"), Ok(_) => println!("Success"),
Err(e) => handle_client_error(e, nopt.copt.output_mode), Err(e) => handle_client_error(e, nopt.copt.output_mode),
} }