Merge pull request #82 from atlanhq/APP-5003

APP-5003 : Fixes maximum token TTE to 5 years
atlanhq · Jan 27, 2025 · 7450911 · 7450911
2 parents c8f68c8 + 6ae5240
commit 7450911
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/atlan/assets/token_client_test.go b/atlan/assets/token_client_test.go
@@ -13,7 +13,7 @@ import (
 var (
 	TestDisplayName    = atlan.MakeUnique("test-api-token")
 	TestDescription    = atlan.MakeUnique("Test API Token Description")
-	MaxValiditySeconds = 409968000
+	MaxValiditySeconds = 157680000
 )
 
 func TestIntegrationTokenClient(t *testing.T) {

diff --git a/atlan/model/structs/api_tokens.go b/atlan/model/structs/api_tokens.go
@@ -3,9 +3,16 @@ package structs
 import (
 	"encoding/json"
 	"fmt"
+	"math"
 )
 
-const ServiceAccount = "SERVICE_ACCOUNT_"
+const (
+	ServiceAccount = "SERVICE_ACCOUNT_"
+	// The value was previously set to 13 years (409968000 secs).
+	// It has been reverted to 5 years due to an integer overflow issue in Keycloak.
+	// https://github.com/keycloak/keycloak/issues/19671
+	MaxValidity = 157680000 // 5 years in seconds
+)
 
 // ApiTokenPersona represents a linked persona in the API token model.
 type ApiTokenPersona struct {
@@ -135,9 +142,10 @@ type ApiTokenRequest struct {
 func (r *ApiTokenRequest) SetMaxValidity() {
 	if r.ValiditySeconds != nil {
 		if *r.ValiditySeconds < 0 {
-			*r.ValiditySeconds = 409968000
-		} else if *r.ValiditySeconds > 409968000 {
-			*r.ValiditySeconds = 409968000
+			*r.ValiditySeconds = MaxValidity // Treat negative numbers as "infinite" (never expire)
+		} else if *r.ValiditySeconds > MaxValidity {
+			// Otherwise use "infinite" as the ceiling for values
+			*r.ValiditySeconds = int(math.Min(float64(*r.ValiditySeconds), MaxValidity))
 		}
 	}
 	if r.Personas == nil {