Update mtls cert lifetime (#2886)

2025-02-23 20:47:01 +01:00 · 2024-07-11 07:35:24 +10:00 · 2024-07-11 07:35:24 +10:00 · 5af33ade0a
parent bad8e819e5
commit 5af33ade0a
3 changed files with 17 additions and 14 deletions
--- a/server/lib/src/constants/mod.rs
+++ b/server/lib/src/constants/mod.rs
@ -150,6 +150,10 @@ pub const OAUTH2_ACCESS_TOKEN_EXPIRY: u32 = 15 * 60;
 /// we warn about possible clock synchronisation issues.
 pub const REPL_SUPPLIER_ADVANCE_WINDOW: Duration = Duration::from_secs(600);

+/// The number of days that the default replication MTLS cert lasts for when
+/// configured manually. Defaults to 4 years (including 1 day for the leap year).
+pub const REPL_MTLS_CERTIFICATE_DAYS: u32 = 1461;
+
 /// The default number of entries that a user may retrieve in a search
 pub const DEFAULT_LIMIT_SEARCH_MAX_RESULTS: u64 = 1024;
 /// The default number of entries than an api token may retrieve in a search;
--- a/server/lib/src/repl/supplier.rs
+++ b/server/lib/src/repl/supplier.rs
@ -15,16 +15,18 @@ impl<'a> QueryServerWriteTransaction<'a> {
        domain_name: &str,
    ) -> Result<(PKey<Private>, X509), OperationError> {
        // Invalid, must need to re-generate.
-        let expiration_days = 180;
        let s_uuid = self.get_server_uuid();

-        let (private, x509) =
-            build_self_signed_server_and_client_identity(s_uuid, domain_name, expiration_days)
-                .map_err(|err| {
-                    error!(?err, "Unable to generate self signed key/cert");
-                    // What error?
-                    OperationError::CryptographyError
-                })?;
+        let (private, x509) = build_self_signed_server_and_client_identity(
+            s_uuid,
+            domain_name,
+            REPL_MTLS_CERTIFICATE_DAYS,
+        )
+        .map_err(|err| {
+            error!(?err, "Unable to generate self signed key/cert");
+            // What error?
+            OperationError::CryptographyError
+        })?;

        let kh = KeyHandle::X509Key {
            private: private.clone(),
--- a/tools/cli/src/cli/oauth2.rs
+++ b/tools/cli/src/cli/oauth2.rs
@ -1,8 +1,8 @@
+use crate::common::OpType;
+use crate::{handle_client_error, Oauth2Opt, OutputMode};
 use anyhow::{Context, Error};
 use std::fs::read;
 use std::process::exit;
-use crate::common::OpType;
-use crate::{handle_client_error, Oauth2Opt, OutputMode};

 use crate::Oauth2ClaimMapJoin;
 use kanidm_proto::internal::{ImageValue, Oauth2ClaimMapJoin as ProtoOauth2ClaimMapJoin};
@ -301,10 +301,7 @@ impl Oauth2Opt {
            Oauth2Opt::RemoveImage(nopt) => {
                let client = nopt.copt.to_client(OpType::Write).await;

-                match client
-                    .idm_oauth2_rs_delete_image(nopt.name.as_str())
-                    .await
-                {
+                match client.idm_oauth2_rs_delete_image(nopt.name.as_str()).await {
                    Ok(_) => println!("Success"),
                    Err(e) => handle_client_error(e, nopt.copt.output_mode),
                }