Fix SSO AuthRequest backwards compatibility. (#13589)

gravitational · Jun 17, 2022 · 6aa596d · 6aa596d
1 parent 77b35b8
commit 6aa596d
Show file tree

Hide file tree

Showing 14 changed files with 915 additions and 915 deletions.
diff --git a/api/types/github.go b/api/types/github.go
@@ -308,7 +308,7 @@ func (r *GithubAuthRequest) Check() error {
 		if err != nil {
 			return trace.BadParameter("bad PublicKey: %v", err)
 		}
-		if (r.CertTTL.Duration() > defaults.MaxCertDuration) || (r.CertTTL.Duration() < defaults.MinCertDuration) {
+		if (r.CertTTL > defaults.MaxCertDuration) || (r.CertTTL < defaults.MinCertDuration) {
 			return trace.BadParameter("wrong CertTTL")
 		}
 	}

diff --git a/api/types/oidc.go b/api/types/oidc.go
@@ -437,7 +437,7 @@ func (i *OIDCAuthRequest) Check() error {
 		if err != nil {
 			return trace.BadParameter("PublicKey: bad key: %v", err)
 		}
-		if (i.CertTTL.Duration() > defaults.MaxCertDuration) || (i.CertTTL.Duration() < defaults.MinCertDuration) {
+		if (i.CertTTL > defaults.MaxCertDuration) || (i.CertTTL < defaults.MinCertDuration) {
 			return trace.BadParameter("CertTTL: wrong certificate TTL")
 		}
 	}

diff --git a/api/types/saml.go b/api/types/saml.go
@@ -380,7 +380,7 @@ func (i *SAMLAuthRequest) Check() error {
 		if err != nil {
 			return trace.BadParameter("PublicKey: bad key: %v", err)
 		}
-		if (i.CertTTL.Duration() > defaults.MaxCertDuration) || (i.CertTTL.Duration() < defaults.MinCertDuration) {
+		if (i.CertTTL > defaults.MaxCertDuration) || (i.CertTTL < defaults.MinCertDuration) {
 			return trace.BadParameter("CertTTL: wrong certificate TTL")
 		}
 	}

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
diff --git a/api/types/types.proto b/api/types/types.proto
@@ -2712,7 +2712,7 @@ message OIDCAuthRequest {
     bytes PublicKey = 7 [ (gogoproto.jsontag) = "public_key" ];
 
     // CertTTL is the TTL of the certificate user wants to get
-    int64 CertTTL = 8 [ (gogoproto.jsontag) = "cert_ttl", (gogoproto.casttype) = "Duration" ];
+    int64 CertTTL = 8 [ (gogoproto.jsontag) = "cert_ttl", (gogoproto.casttype) = "time.Duration" ];
 
     // CreateWebSession indicates if user wants to generate a web
     // session after successful authentication
@@ -2824,7 +2824,7 @@ message SAMLAuthRequest {
     bytes PublicKey = 6 [ (gogoproto.jsontag) = "public_key" ];
 
     // CertTTL is the TTL of the certificate user wants to get.
-    int64 CertTTL = 7 [ (gogoproto.jsontag) = "cert_ttl", (gogoproto.casttype) = "Duration" ];
+    int64 CertTTL = 7 [ (gogoproto.jsontag) = "cert_ttl", (gogoproto.casttype) = "time.Duration" ];
 
     // CSRFToken is associated with user web session token.
     string CSRFToken = 8 [ (gogoproto.jsontag) = "csrf_token" ];
@@ -2926,7 +2926,7 @@ message GithubAuthRequest {
     // PublicKey is an optional public key to sign in case of successful auth.
     bytes PublicKey = 5 [ (gogoproto.jsontag) = "public_key" ];
     // CertTTL is TTL of the cert that's generated in case of successful auth.
-    int64 CertTTL = 6 [ (gogoproto.jsontag) = "cert_ttl", (gogoproto.casttype) = "Duration" ];
+    int64 CertTTL = 6 [ (gogoproto.jsontag) = "cert_ttl", (gogoproto.casttype) = "time.Duration" ];
     // CreateWebSession indicates that a user wants to generate a web session
     // after successful authentication.
     bool CreateWebSession = 7 [ (gogoproto.jsontag) = "create_web_session" ];

diff --git a/e b/e
diff --git a/lib/auth/github.go b/lib/auth/github.go
@@ -470,7 +470,7 @@ func (a *Server) calculateGithubUser(connector types.GithubConnector, claims *ty
 		return nil, trace.Wrap(err)
 	}
 	roleTTL := roles.AdjustSessionTTL(apidefaults.MaxCertDuration)
-	p.sessionTTL = utils.MinTTL(roleTTL, request.CertTTL.Duration())
+	p.sessionTTL = utils.MinTTL(roleTTL, request.CertTTL)
 
 	return &p, nil
 }

diff --git a/lib/auth/oidc.go b/lib/auth/oidc.go
@@ -621,7 +621,7 @@ func (a *Server) calculateOIDCUser(diagCtx *ssoDiagContext, connector types.OIDC
 		return nil, trace.Wrap(err)
 	}
 	roleTTL := roles.AdjustSessionTTL(apidefaults.MaxCertDuration)
-	p.sessionTTL = utils.MinTTL(roleTTL, request.CertTTL.Duration())
+	p.sessionTTL = utils.MinTTL(roleTTL, request.CertTTL)
 
 	return &p, nil
 }

diff --git a/lib/auth/oidc_test.go b/lib/auth/oidc_test.go
@@ -221,7 +221,7 @@ func TestSSODiagnostic(t *testing.T) {
 	oidcRequest := types.OIDCAuthRequest{
 		ConnectorID:   "-sso-test-okta",
 		Type:          constants.OIDC,
-		CertTTL:       types.Duration(defaults.OIDCAuthRequestTTL),
+		CertTTL:       defaults.OIDCAuthRequestTTL,
 		SSOTestFlow:   true,
 		ConnectorSpec: &spec,
 	}

diff --git a/lib/auth/saml.go b/lib/auth/saml.go
@@ -221,7 +221,7 @@ func (a *Server) calculateSAMLUser(diagCtx *ssoDiagContext, connector types.SAML
 		return nil, trace.Wrap(err)
 	}
 	roleTTL := roles.AdjustSessionTTL(apidefaults.MaxCertDuration)
-	p.sessionTTL = utils.MinTTL(roleTTL, request.CertTTL.Duration())
+	p.sessionTTL = utils.MinTTL(roleTTL, request.CertTTL)
 
 	return &p, nil
 }

diff --git a/lib/services/identity_test.go b/lib/services/identity_test.go
@@ -39,7 +39,7 @@ func TestSAMLAuthRequest_Check(t *testing.T) {
 			req: types.SAMLAuthRequest{
 				ConnectorID: "foo",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: false,
 		},
@@ -48,7 +48,7 @@ func TestSAMLAuthRequest_Check(t *testing.T) {
 			req: types.SAMLAuthRequest{
 				ConnectorID: "foo",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(1 * time.Second),
+				CertTTL:     1 * time.Second,
 			},
 			wantErr: true,
 		},
@@ -57,15 +57,15 @@ func TestSAMLAuthRequest_Check(t *testing.T) {
 			req: types.SAMLAuthRequest{
 				ConnectorID: "foo",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(1000 * time.Hour),
+				CertTTL:     1000 * time.Hour,
 			},
 			wantErr: true,
 		},
 		{
 			name: "TTL ignored without cert",
 			req: types.SAMLAuthRequest{
 				ConnectorID: "foo",
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: false,
 		},
@@ -74,7 +74,7 @@ func TestSAMLAuthRequest_Check(t *testing.T) {
 			req: types.SAMLAuthRequest{
 				ConnectorID: "foo",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 				SSOTestFlow: true,
 			},
 			wantErr: true,
@@ -84,7 +84,7 @@ func TestSAMLAuthRequest_Check(t *testing.T) {
 			req: types.SAMLAuthRequest{
 				ConnectorID:   "foo",
 				PublicKey:     []byte(exampleSSHCert),
-				CertTTL:       types.Duration(60 * time.Minute),
+				CertTTL:       60 * time.Minute,
 				ConnectorSpec: &types.SAMLConnectorSpecV2{Display: "dummy"},
 			},
 			wantErr: true,
@@ -94,7 +94,7 @@ func TestSAMLAuthRequest_Check(t *testing.T) {
 			req: types.SAMLAuthRequest{
 				ConnectorID:   "foo",
 				PublicKey:     []byte(exampleSSHCert),
-				CertTTL:       types.Duration(60 * time.Minute),
+				CertTTL:       60 * time.Minute,
 				SSOTestFlow:   true,
 				ConnectorSpec: &types.SAMLConnectorSpecV2{Display: "dummy"},
 			},
@@ -129,7 +129,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: false,
 		},
@@ -138,7 +138,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 			req: types.OIDCAuthRequest{
 				ConnectorID: "foo",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: true,
 		},
@@ -148,7 +148,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(1 * time.Second),
+				CertTTL:     1 * time.Second,
 			},
 			wantErr: true,
 		},
@@ -158,7 +158,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(1000 * time.Hour),
+				CertTTL:     1000 * time.Hour,
 			},
 			wantErr: true,
 		},
@@ -167,7 +167,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 			req: types.OIDCAuthRequest{
 				ConnectorID: "foo",
 				StateToken:  "bar",
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: false,
 		},
@@ -177,7 +177,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 				SSOTestFlow: true,
 			},
 			wantErr: true,
@@ -188,7 +188,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 				ConnectorID:   "foo",
 				StateToken:    "bar",
 				PublicKey:     []byte(exampleSSHCert),
-				CertTTL:       types.Duration(60 * time.Minute),
+				CertTTL:       60 * time.Minute,
 				ConnectorSpec: &types.OIDCConnectorSpecV3{Display: "dummy"},
 			},
 			wantErr: true,
@@ -199,7 +199,7 @@ func TestOIDCAuthRequest_Check(t *testing.T) {
 				ConnectorID:   "foo",
 				StateToken:    "bar",
 				PublicKey:     []byte(exampleSSHCert),
-				CertTTL:       types.Duration(60 * time.Minute),
+				CertTTL:       60 * time.Minute,
 				SSOTestFlow:   true,
 				ConnectorSpec: &types.OIDCConnectorSpecV3{Display: "dummy"},
 			},
@@ -234,7 +234,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: false,
 		},
@@ -243,7 +243,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 			req: types.GithubAuthRequest{
 				ConnectorID: "foo",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: true,
 		},
@@ -253,7 +253,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(1 * time.Second),
+				CertTTL:     1 * time.Second,
 			},
 			wantErr: true,
 		},
@@ -263,7 +263,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(1000 * time.Hour),
+				CertTTL:     1000 * time.Hour,
 			},
 			wantErr: true,
 		},
@@ -272,7 +272,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 			req: types.GithubAuthRequest{
 				ConnectorID: "foo",
 				StateToken:  "bar",
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 			},
 			wantErr: false,
 		},
@@ -282,7 +282,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 				ConnectorID: "foo",
 				StateToken:  "bar",
 				PublicKey:   []byte(exampleSSHCert),
-				CertTTL:     types.Duration(60 * time.Minute),
+				CertTTL:     60 * time.Minute,
 				SSOTestFlow: true,
 			},
 			wantErr: true,
@@ -293,7 +293,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 				ConnectorID:   "foo",
 				StateToken:    "bar",
 				PublicKey:     []byte(exampleSSHCert),
-				CertTTL:       types.Duration(60 * time.Minute),
+				CertTTL:       60 * time.Minute,
 				ConnectorSpec: &types.GithubConnectorSpecV3{Display: "dummy"},
 			},
 			wantErr: true,
@@ -304,7 +304,7 @@ func TestGithubAuthRequest_Check(t *testing.T) {
 				ConnectorID:   "foo",
 				StateToken:    "bar",
 				PublicKey:     []byte(exampleSSHCert),
-				CertTTL:       types.Duration(60 * time.Minute),
+				CertTTL:       60 * time.Minute,
 				SSOTestFlow:   true,
 				ConnectorSpec: &types.GithubConnectorSpecV3{Display: "dummy"},
 			},

diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
@@ -1124,7 +1124,7 @@ func (h *Handler) githubLoginConsole(w http.ResponseWriter, r *http.Request, p h
 	response, err := h.cfg.ProxyClient.CreateGithubAuthRequest(r.Context(), types.GithubAuthRequest{
 		ConnectorID:       req.ConnectorID,
 		PublicKey:         req.PublicKey,
-		CertTTL:           types.Duration(req.CertTTL),
+		CertTTL:           req.CertTTL,
 		ClientRedirectURL: req.RedirectURL,
 		Compatibility:     req.Compatibility,
 		RouteToCluster:    req.RouteToCluster,
@@ -1225,7 +1225,7 @@ func (h *Handler) oidcLoginConsole(w http.ResponseWriter, r *http.Request, p htt
 		ConnectorID:       req.ConnectorID,
 		ClientRedirectURL: req.RedirectURL,
 		PublicKey:         req.PublicKey,
-		CertTTL:           types.Duration(req.CertTTL),
+		CertTTL:           req.CertTTL,
 		CheckUser:         true,
 		Compatibility:     req.Compatibility,
 		RouteToCluster:    req.RouteToCluster,

diff --git a/lib/web/saml.go b/lib/web/saml.go
@@ -73,7 +73,7 @@ func (h *Handler) samlSSOConsole(w http.ResponseWriter, r *http.Request, p httpr
 		ConnectorID:       req.ConnectorID,
 		ClientRedirectURL: req.RedirectURL,
 		PublicKey:         req.PublicKey,
-		CertTTL:           types.Duration(req.CertTTL),
+		CertTTL:           req.CertTTL,
 		Compatibility:     req.Compatibility,
 		RouteToCluster:    req.RouteToCluster,
 		KubernetesCluster: req.KubernetesCluster,

diff --git a/tool/tctl/sso/tester/github.go b/tool/tctl/sso/tester/github.go
@@ -45,7 +45,7 @@ func githubTest(c auth.ClientI, connector types.GithubConnector) (*AuthRequestIn
 			ConnectorID:       req.ConnectorID + "-" + connector.GetName(),
 			Type:              constants.Github,
 			PublicKey:         req.PublicKey,
-			CertTTL:           types.Duration(defaults.GithubAuthRequestTTL),
+			CertTTL:           defaults.GithubAuthRequestTTL,
 			CreateWebSession:  false,
 			ClientRedirectURL: req.RedirectURL,
 			RouteToCluster:    req.RouteToCluster,