diff --git a/cmd/spire-server/cli/entry/create.go b/cmd/spire-server/cli/entry/create.go
index 31cc157991..7de2c66aa1 100644
--- a/cmd/spire-server/cli/entry/create.go
+++ b/cmd/spire-server/cli/entry/create.go
@@ -45,11 +45,6 @@ type createCommand struct {
 // Entry hint, used to disambiguate entries with the same SPIFFE ID
 hint string
 
- // TTL for x509 and JWT SVIDs issued to this workload, unless type specific TTLs are set.
- // This field is deprecated in favor of the x509SVIDTTL and jwtSVIDTTL fields and will be
- // removed in a future release.
- ttl int
-
 // TTL for x509 SVIDs issued to this workload
 x509SVIDTTL int
 
@@ -94,9 +89,8 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 f.StringVar(&c.entryID, "entryID", "", "A custom ID for this registration entry (optional). If not set, a new entry ID will be generated")
 f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
- f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version")
- f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag")
- f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag")
+ f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+ f.IntVar(&c.jwtSVIDTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@@ -158,10 +152,6 @@ func (c *createCommand) validate() (err error) {
 return errors.New("a SPIFFE ID is required")
 }
 
- if c.ttl < 0 {
- return errors.New("a positive TTL is required")
- }
-
 if c.x509SVIDTTL < 0 {
 return errors.New("a positive x509-SVID TTL is required")
 }
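Review bot: The two rewritten flag descriptions in AppendFlags now end with a trailing period (`...based on this registration entry.`) while every neighbouring description in the same FlagSet (`parentID`, `spiffeID`, `selector`, `federatesWith`) does not, so the generated help output becomes visibly inconsistent; drop the period, e.g. `f.IntVar(&c.x509SVIDTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry")`. The same applies to the matching hunk in update.go (`@@ -88,9 +85,8 @@`) and to the usage-string constants in util_posix_test.go, which pin that trailing period. Separately, removing the `ttl` flag from the FlagSet means the standard `flag` package will now reject `-ttl` at parse time with its generic "flag provided but not defined" error, which is the right loud failure for a removed option, but no changelog or release-note entry is visible in this diff — confirm one exists, since scripted `entry create`/`entry update` invocations that still pass `-ttl` will stop working.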
@@ -170,10 +160,6 @@ func (c *createCommand) validate() (err error) {
 return errors.New("a positive JWT-SVID TTL is required")
 }
 
- if c.ttl > 0 && (c.x509SVIDTTL > 0 || c.jwtSVIDTTL > 0) {
- return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag")
- }
-
 return nil
 }
 
@@ -202,18 +188,6 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 Hint: c.hint,
 }
 
- // c.ttl is deprecated but usable if the new c.x509Svid field is not used.
- // c.ttl should not be used to set the jwtSVIDTTL value because the previous
- // behavior was to have a hard-coded 5 minute JWT TTL no matter what the value
- // of ttl was set to.
- // validate(...) ensures that either the new fields or the deprecated field is
- // used, but never a mixture.
- //
- // https://github.com/spiffe/spire/issues/2700
- if e.X509SvidTtl == 0 {
- e.X509SvidTtl = int32(c.ttl)
- }
-
 selectors := []*types.Selector{}
 for _, s := range c.selectors {
 cs, err := util.ParseSelector(s)
diff --git a/cmd/spire-server/cli/entry/create_test.go b/cmd/spire-server/cli/entry/create_test.go
index 98009951b1..eef1f73f00 100644
--- a/cmd/spire-server/cli/entry/create_test.go
+++ b/cmd/spire-server/cli/entry/create_test.go
@@ -54,7 +54,7 @@ func TestCreate(t *testing.T) {
 },
 }
 
- fakeRespOKFromCmd2 := &entryv1.BatchCreateEntryResponse{
+ fakeRespOKFromCmdWithoutJwtTtl := &entryv1.BatchCreateEntryResponse{
 Results: []*entryv1.BatchCreateEntryResponse_Result{
 {
 Entry: &types.Entry{
@@ -186,28 +186,16 @@ func TestCreate(t *testing.T) {
 expErrJSON: "Error: selector \"unix\" must be formatted as type:value\n",
 },
 {
- name: "Negative TTL",
- args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"},
- expErrPretty: "Error: a positive TTL is required\n",
- expErrJSON: "Error: a positive TTL is required\n",
+ name: "Negative X509SvidTtl",
+ args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-x509SVIDTTL", "-10"},
+ expErrPretty: "Error: a positive x509-SVID TTL is required\n",
+ expErrJSON: "Error: a positive x509-SVID TTL is required\n",
 },
 {
- name: "Invalid TTL and X509SvidTtl",
- args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"},
- expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- },
- {
- name: "Invalid TTL and JwtSvidTtl",
- args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"},
- expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- },
- {
- name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl",
- args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"},
- expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
+ name: "Negative jwtSVIDTTL",
+ args: []string{"-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-jwtSVIDTTL", "-10"},
+ expErrPretty: "Error: a positive JWT-SVID TTL is required\n",
+ expErrJSON: "Error: a positive JWT-SVID TTL is required\n",
 },
 {
 name: "Federated node entries",
@@ -346,7 +334,7 @@ StoreSvid : true
 "-parentID", "spiffe://example.org/parent",
 "-selector", "zebra:zebra:2000",
 "-selector", "alpha:alpha:2000",
- "-ttl", "60",
+ "-x509SVIDTTL", "60",
 "-federatesWith", "spiffe://domaina.test",
 "-federatesWith", "spiffe://domainb.test",
 "-admin",
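Review bot: The two new test cases are named inconsistently — `"Negative X509SvidTtl"` uses the proto field's casing while `"Negative jwtSVIDTTL"` uses the flag's casing, although both exercise a command-line flag; name both after the flag, `name: "Negative x509SVIDTTL",`. Since the point of the commit is that `-ttl` no longer exists, a case that passes `-ttl` and expects a parse-time failure would pin the removal so the flag cannot quietly come back; the exact expected text depends on how the test harness surfaces flag-parse errors, which is outside this hunk. The enclosing TestCreate table starts and ends outside the hunk, so I cannot tell whether such a case already exists elsewhere in it.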
@@ -376,111 +364,7 @@ StoreSvid : true
 },
 },
 },
- fakeResp: fakeRespOKFromCmd2,
- expOutPretty: fmt.Sprintf(`Entry ID : entry-id
-SPIFFE ID : spiffe://example.org/workload
-Parent ID : spiffe://example.org/parent
-Revision : 0
-Downstream : true
-X509-SVID TTL : 60
-JWT-SVID TTL : default
-Expiration time : %s
-Selector : zebra:zebra:2000
-Selector : alpha:alpha:2000
-FederatesWith : spiffe://domaina.test
-FederatesWith : spiffe://domainb.test
-DNS name : unu1000
-DNS name : ung1000
-Admin : true
-StoreSvid : true
-
-`, time.Unix(1552410266, 0).UTC()),
- expOutJSON: `{
- "results": [
- {
- "status": {
- "code": 0,
- "message": "OK"
- },
- "entry": {
- "id": "entry-id",
- "spiffe_id": {
- "trust_domain": "example.org",
- "path": "/workload"
- },
- "parent_id": {
- "trust_domain": "example.org",
- "path": "/parent"
- },
- "selectors": [
- {
- "type": "zebra",
- "value": "zebra:2000"
- },
- {
- "type": "alpha",
- "value": "alpha:2000"
- }
- ],
- "x509_svid_ttl": 60,
- "federates_with": [
- "spiffe://domaina.test",
- "spiffe://domainb.test"
- ],
- "hint": "",
- "admin": true,
- "created_at": "1547583197",
- "downstream": true,
- "expires_at": "1552410266",
- "dns_names": [
- "unu1000",
- "ung1000"
- ],
- "revision_number": "0",
- "store_svid": true,
- "jwt_svid_ttl": 0
- }
- }
- ]
-}`,
- },
- {
- name: "Create succeeds using deprecated command line arguments",
- args: []string{
- "-spiffeID", "spiffe://example.org/workload",
- "-parentID", "spiffe://example.org/parent",
- "-selector", "zebra:zebra:2000",
- "-selector", "alpha:alpha:2000",
- "-ttl", "60",
- "-federatesWith", "spiffe://domaina.test",
- "-federatesWith", "spiffe://domainb.test",
- "-admin",
- "-entryExpiry", "1552410266",
- "-dns", "unu1000",
- "-dns", "ung1000",
- "-downstream",
- "-storeSVID",
- },
- expReq: &entryv1.BatchCreateEntryRequest{
- Entries: []*types.Entry{
- {
- SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
- ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
- Selectors: []*types.Selector{
- {Type: "zebra", Value: "zebra:2000"},
- {Type: "alpha", Value: "alpha:2000"},
- },
- X509SvidTtl: 60,
- FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
- Admin: true,
- ExpiresAt: 1552410266,
- DnsNames: []string{"unu1000", "ung1000"},
- Downstream: true,
- StoreSvid: true,
- },
- },
- },
- fakeResp: fakeRespOKFromCmd2,
+ fakeResp: fakeRespOKFromCmdWithoutJwtTtl,
 expOutPretty: fmt.Sprintf(`Entry ID : entry-id
 SPIFFE ID : spiffe://example.org/workload
 Parent ID : spiffe://example.org/parent
diff --git a/cmd/spire-server/cli/entry/update.go b/cmd/spire-server/cli/entry/update.go
index e2a22a5b92..4b1503819c 100644
--- a/cmd/spire-server/cli/entry/update.go
+++ b/cmd/spire-server/cli/entry/update.go
@@ -44,9 +44,6 @@ type updateCommand struct {
 // Whether or not the entry is for a downstream SPIRE server
 downstream bool
 
- // TTL for certificates issued to this workload
- ttl int
-
 // TTL for x509 SVIDs issued to this workload
 x509SvidTTL int
 
@@ -88,9 +85,8 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 f.StringVar(&c.entryID, "entryID", "", "The Registration Entry ID of the record to update")
 f.StringVar(&c.parentID, "parentID", "", "The SPIFFE ID of this record's parent")
 f.StringVar(&c.spiffeID, "spiffeID", "", "The SPIFFE ID that this record represents")
- f.IntVar(&c.ttl, "ttl", 0, "The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version")
- f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag")
- f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag")
+ f.IntVar(&c.x509SvidTTL, "x509SVIDTTL", 0, "The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.")
+ f.IntVar(&c.jwtSvidTTL, "jwtSVIDTTL", 0, "The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.")
 f.StringVar(&c.path, "data", "", "Path to a file containing registration JSON (optional). If set to '-', read the JSON from stdin.")
 f.Var(&c.selectors, "selector", "A colon-delimited type:value selector. Can be used more than once")
 f.Var(&c.federatesWith, "federatesWith", "SPIFFE ID of a trust domain to federate with. Can be used more than once")
@@ -151,10 +147,6 @@ func (c *updateCommand) validate() (err error) {
 return errors.New("a SPIFFE ID is required")
 }
 
- if c.ttl < 0 {
- return errors.New("a positive TTL is required")
- }
-
 if c.x509SvidTTL < 0 {
 return errors.New("a positive x509-SVID TTL is required")
 }
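Review bot: The `c.x509SvidTTL < 0` check retained in validate() (hunk `@@ -151,10 +147,6 @@`) appears to lose its negative-path coverage in this commit: update_test.go's hunk `@@ -416,30 +398,6 @@` only deletes the `-ttl` cases, whereas create_test.go gains "Negative X509SvidTtl" and "Negative jwtSVIDTTL" cases, so unless TestUpdate already has equivalent cases outside the diff, both `< 0` branches in update.go are now untested and could be dropped by a later refactor without any test noticing. Mirroring the two create_test.go cases (with `"-entryID", "entry-id"` prepended, as the surrounding TestUpdate cases do) would close that gap. Also, `a positive x509-SVID TTL is required` and `a positive JWT-SVID TTL is required` are only emitted for negative values while 0 (defer to the server default) is accepted, so "non-negative" would describe the retained check accurately; create.go's validate() keeps the same wording.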
@@ -163,10 +155,6 @@ func (c *updateCommand) validate() (err error) {
 return errors.New("a positive JWT-SVID TTL is required")
 }
 
- if c.ttl > 0 && (c.x509SvidTTL > 0 || c.jwtSvidTTL > 0) {
- return errors.New("use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag")
- }
-
 return nil
 }
 
@@ -193,18 +181,6 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 Hint: c.hint,
 }
 
- // c.ttl is deprecated but usable if the new c.x509Svid field is not used.
- // c.ttl should not be used to set the jwtSVIDTTL value because the previous
- // behavior was to have a hard-coded 5 minute JWT TTL no matter what the value
- // of ttl was set to.
- // validate(...) ensures that either the new fields or the deprecated field is
- // used, but never a mixture.
- //
- // https://github.com/spiffe/spire/issues/2700
- if e.X509SvidTtl == 0 {
- e.X509SvidTtl = int32(c.ttl)
- }
-
 selectors := []*types.Selector{}
 for _, s := range c.selectors {
 cs, err := util.ParseSelector(s)
diff --git a/cmd/spire-server/cli/entry/update_test.go b/cmd/spire-server/cli/entry/update_test.go
index 767ff72e45..0befd96851 100644
--- a/cmd/spire-server/cli/entry/update_test.go
+++ b/cmd/spire-server/cli/entry/update_test.go
@@ -321,24 +321,6 @@ func TestUpdate(t *testing.T) {
 JwtSvidTtl: 300,
 }
 
- entry5 := &types.Entry{
- Id: "entry-id",
- SpiffeId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/workload"},
- ParentId: &types.SPIFFEID{TrustDomain: "example.org", Path: "/parent"},
- Selectors: []*types.Selector{
- {Type: "zebra", Value: "zebra:2000"},
- {Type: "alpha", Value: "alpha:2000"},
- },
- X509SvidTtl: 60,
- JwtSvidTtl: 0,
- FederatesWith: []string{"spiffe://domaina.test", "spiffe://domainb.test"},
- Admin: true,
- ExpiresAt: 1552410266,
- DnsNames: []string{"unu1000", "ung1000"},
- Downstream: true,
- Hint: "external",
- }
-
 entry2Resp := proto.Clone(entry2).(*types.Entry)
 entry2Resp.CreatedAt = 1547583197
 entry3Resp := proto.Clone(entry3).(*types.Entry)
@@ -416,30 +398,6 @@ func TestUpdate(t *testing.T) {
 expErrPretty: "Error: selector \"unix\" must be formatted as type:value\n",
 expErrJSON: "Error: selector \"unix\" must be formatted as type:value\n",
 },
- {
- name: "Negative TTL",
- args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "-10"},
- expErrPretty: "Error: a positive TTL is required\n",
- expErrJSON: "Error: a positive TTL is required\n",
- },
- {
- name: "Invalid TTL and X509SvidTtl",
- args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20"},
- expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- },
- {
- name: "Invalid TTL and JwtSvidTtl",
- args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-jwtSVIDTTL", "20"},
- expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- },
- {
- name: "Invalid TTL and both X509SvidTtl and JwtSvidTtl",
- args: []string{"-entryID", "entry-id", "-selector", "unix", "-parentID", "spiffe://example.org/parent", "-spiffeID", "spiffe://example.org/workload", "-ttl", "10", "-x509SVIDTTL", "20", "-jwtSVIDTTL", "30"},
- expErrPretty: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- expErrJSON: "Error: use x509SVIDTTL and jwtSVIDTTL flags or the deprecated ttl flag\n",
- },
 {
 name: "Server error",
 args: []string{"-entryID", "entry-id", "-spiffeID", "spiffe://example.org/workload", "-parentID", "spiffe://example.org/parent", "-selector", "unix:uid:1"},
@@ -495,58 +453,6 @@ DNS name : ung1000
 Admin : true
 Hint : external
 
-`, time.Unix(1552410266, 0).UTC()),
- expOutJSON: fmt.Sprintf(`{
- "results": [
- {
- "status": {
- "code": 0,
- "message": "OK"
- },
- "entry": %s
- }
- ]
-}`, entry0AdminJSON),
- },
- {
- name: "Update succeeds using deprecated command line arguments",
- args: []string{
- "-entryID", "entry-id",
- "-spiffeID", "spiffe://example.org/workload",
- "-parentID", "spiffe://example.org/parent",
- "-selector", "zebra:zebra:2000",
- "-selector", "alpha:alpha:2000",
- "-ttl", "60",
- "-federatesWith", "spiffe://domaina.test",
- "-federatesWith", "spiffe://domainb.test",
- "-admin",
- "-entryExpiry", "1552410266",
- "-dns", "unu1000",
- "-dns", "ung1000",
- "-downstream",
- "-hint", "external",
- },
- expReq: &entryv1.BatchUpdateEntryRequest{
- Entries: []*types.Entry{entry5},
- },
- fakeResp: fakeRespOKFromCmd,
- expOutPretty: fmt.Sprintf(`Entry ID : entry-id
-SPIFFE ID : spiffe://example.org/workload
-Parent ID : spiffe://example.org/parent
-Revision : 0
-Downstream : true
-X509-SVID TTL : 60
-JWT-SVID TTL : 30
-Expiration time : %s
-Selector : zebra:zebra:2000
-Selector : alpha:alpha:2000
-FederatesWith : spiffe://domaina.test
-FederatesWith : spiffe://domainb.test
-DNS name : unu1000
-DNS name : ung1000
-Admin : true
-Hint : external
-
 `, time.Unix(1552410266, 0).UTC()),
 expOutJSON: fmt.Sprintf(`{
 "results": [
diff --git a/cmd/spire-server/cli/entry/util_posix_test.go b/cmd/spire-server/cli/entry/util_posix_test.go
index 7b04cb3f96..2ac9598873 100644
--- a/cmd/spire-server/cli/entry/util_posix_test.go
+++ b/cmd/spire-server/cli/entry/util_posix_test.go
@@ -21,7 +21,7 @@ const (
 -hint string
 The entry hint, used to disambiguate entries with the same SPIFFE ID
 -jwtSVIDTTL int
- The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+ The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
 -node
 If set, this entry will be applied to matching nodes rather than workloads
 -output value
@@ -36,10 +36,8 @@ const (
 The SPIFFE ID that this record represents
 -storeSVID
 A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
- -ttl int
- The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
 -x509SVIDTTL int
- The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+ The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 showUsage = `Usage of entry show:
 -downstream
@@ -83,7 +81,7 @@ const (
 -hint string
 The entry hint, used to disambiguate entries with the same SPIFFE ID
 -jwtSVIDTTL int
- The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry. Overrides ttl flag
+ The lifetime, in seconds, for JWT-SVIDs issued based on this registration entry.
 -output value
 Desired output format (pretty, json); default: pretty.
 -parentID string
@@ -96,10 +94,8 @@ const (
 The SPIFFE ID that this record represents
 -storeSVID
 A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin
- -ttl int
- The lifetime, in seconds, for SVIDs issued based on this registration entry. This flag is deprecated in favor of x509SVIDTTL and jwtSVIDTTL and will be removed in a future version
 -x509SVIDTTL int
- The lifetime, in seconds, for x509-SVIDs issued based on this registration entry. Overrides ttl flag
+ The lifetime, in seconds, for x509-SVIDs issued based on this registration entry.
 `
 deleteUsage = `Usage of entry delete:
 -entryID string
diff --git a/doc/spire_server.md b/doc/spire_server.md
index d3949494ba..79852c5f21 100644
--- a/doc/spire_server.md
+++ b/doc/spire_server.md
@@ -387,8 +387,8 @@ Creates registration entries.
 | `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | |
 | `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
 | `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. | |
-| `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_x509_svid_ttl` |
-| `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_jwt_svid_ttl` |
+| `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. | The TTL configured with `default_x509_svid_ttl` |
+| `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. | The TTL configured with `default_jwt_svid_ttl` |
 | `-storeSVID` | A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin |
 
 ### `spire-server entry update`
@@ -408,8 +408,8 @@ Updates registration entries.
 | `-selector` | A colon-delimited type:value selector used for attestation. This parameter can be used more than once, to specify multiple selectors that must be satisfied. | |
 | `-socketPath` | Path to the SPIRE Server API socket | /tmp/spire-server/private/api.sock |
 | `-spiffeID` | The SPIFFE ID that this record represents and will be set to the SVID issued. | |
-| `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_x509_svid_ttl` |
-| `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. Overrides `-ttl` value. | The TTL configured with `default_jwt_svid_ttl` |
+| `-x509SVIDTTL` | A TTL, in seconds, for any X509-SVID issued as a result of this record. | The TTL configured with `default_x509_svid_ttl` |
+| `-jwtSVIDTTL` | A TTL, in seconds, for any JWT-SVID issued as a result of this record. | The TTL configured with `default_jwt_svid_ttl` |
 | `storeSVID` | A boolean value that, when set, indicates that the resulting issued SVID from this entry must be stored through an SVIDStore plugin |
 
 ### `spire-server entry count`