mart-w/kanidm
1
0
Fork 0
mirror of https://github.com/kanidm/kanidm.git synced 2025-02-24 04:57:00 +01:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

fix credential update intent defaults (#2162)

Browse source
This commit is contained in:
Firstyear 2023-09-30 20:06:44 +10:00 committed by GitHub
parent 3e345174b6
commit cb985a2fd0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
server/lib/src/idm/credupdatesession.rs
View file

@ -26,7 +26,11 @@ use crate::utils::{backup_code_from_random, readable_password_from_random, uuid_
use crate::value::{CredUpdateSessionPerms, IntentTokenState}; use crate::value::{CredUpdateSessionPerms, IntentTokenState};
const MAXIMUM_CRED_UPDATE_TTL: Duration = Duration::from_secs(900); const MAXIMUM_CRED_UPDATE_TTL: Duration = Duration::from_secs(900);
// Default 1 hour.
const DEFAULT_INTENT_TTL: Duration = Duration::from_secs(3600);
// Default 1 day.
const MAXIMUM_INTENT_TTL: Duration = Duration::from_secs(86400); const MAXIMUM_INTENT_TTL: Duration = Duration::from_secs(86400);
// Minimum 5 minutes.
const MINIMUM_INTENT_TTL: Duration = Duration::from_secs(300); const MINIMUM_INTENT_TTL: Duration = Duration::from_secs(300);
#[derive(Debug)] #[derive(Debug)]
@ -552,30 +556,16 @@ impl<'a> IdmServerProxyWriteTransaction<'a> {
// ==== AUTHORISATION CHECKED === // ==== AUTHORISATION CHECKED ===
// Build the intent token. // Build the intent token. Previously this was using 0 and then
let mttl = event.max_ttl.unwrap_or_else(|| Duration::new(0, 0)); // relying on clamp to raise this to 5 minutes, but that led to
let max_ttl = ct + mttl.clamp(MINIMUM_INTENT_TTL, MAXIMUM_INTENT_TTL); // rapid timeouts that affected some users.
// let sessionid = uuid_from_duration(max_ttl, self.sid); let mttl = event.max_ttl.unwrap_or(DEFAULT_INTENT_TTL);
let clamped_mttl = mttl.clamp(MINIMUM_INTENT_TTL, MAXIMUM_INTENT_TTL);
debug!(?clamped_mttl, "clamped update intent validity");
let max_ttl = ct + clamped_mttl;
let intent_id = readable_password_from_random(); let intent_id = readable_password_from_random();
/*
let token = CredentialUpdateIntentTokenInner {
sessionid,
target,
intent_id,
max_ttl,
};
let token_data = serde_json::to_vec(&token).map_err(|e| {
admin_error!(err = ?e, "Unable to encode token data");
OperationError::SerdeJsonError
})?;
let token_enc = self
.token_enc_key
.encrypt_at_time(&token_data, ct.as_secs());
*/
// Mark that we have created an intent token on the user. // Mark that we have created an intent token on the user.
// ⚠️ -- remember, there is a risk, very low, but still a risk of collision of the intent_id. // ⚠️ -- remember, there is a risk, very low, but still a risk of collision of the intent_id.
// instead of enforcing unique, which would divulge that the collision occurred, we // instead of enforcing unique, which would divulge that the collision occurred, we