author | Patrick Steinhardt <psteinhardt@gitlab.com> | 2020-12-17 11:08:53 +0300 |
---|---|---|
committer | Patrick Steinhardt <psteinhardt@gitlab.com> | 2020-12-17 19:20:27 +0300 |
commit | d61c9a1a5ed6caf0e2d68a1219e784b2dedb8bf8 (patch) | |
tree | 17bb2026cb2bdf9f41ca31a285aa8e8de9f67b1e /auth | |
parent | 5176ccc8189ebced42b358347504977095ab3224 (diff) |
auth: Rename `timestampThreshold` to `tokenValidityDuration`
The `timestampThreshold` records how long a token is going to stay valid
for authentication purposes. It's not quite obvious going by its name,
so let's rename it to `tokenValidityDuration` to hopefully make its
purpose a bit more obvious.
Diffstat (limited to 'auth')
-rw-r--r-- | auth/extract_test.go | 6 | ||||
-rw-r--r-- | auth/token.go | 21 |
2 files changed, 14 insertions, 13 deletions
diff --git a/auth/extract_test.go b/auth/extract_test.go
index e002762b3..cf70aa8eb 100644
--- a/auth/extract_test.go
+++ b/auth/extract_test.go
@@ -15,10 +15,10 @@ func TestCheckTokenV2(t *testing.T) {
 // to use the 30s number
 defer func(d time.Duration) {
- timestampThresholdDuration = d
- }(timestampThresholdDuration)
+ tokenValidityDuration = d
+ }(tokenValidityDuration)
- timestampThresholdDuration = 30 * time.Second
+ tokenValidityDuration = 30 * time.Second
 targetTime := time.Unix(1535671600, 0)
 secret := []byte("foo")
diff --git a/auth/token.go b/auth/token.go
index 12c11740c..1c715a3d0 100644
--- a/auth/token.go
+++ b/auth/token.go
@@ -16,10 +16,10 @@ import (
 "google.golang.org/grpc/status"
 )
-var timestampThresholdDuration time.Duration
+var tokenValidityDuration time.Duration
 var (
- timestampThreshold = "30s"
+ tokenValidity = "30s"
 errUnauthenticated = status.Errorf(codes.Unauthenticated, "authentication required")
 errDenied = status.Errorf(codes.PermissionDenied, "permission denied")
@@ -32,16 +32,17 @@ var (
 )
 )
-// TimestampThreshold is used by tests
-func TimestampThreshold() time.Duration {
- return timestampThresholdDuration
+// TokenValidityDuration returns the duration for which any token will be
+// valid. This is currently only used by our testing infrastructure.
+func TokenValidityDuration() time.Duration {
+ return tokenValidityDuration
 }
 func init() {
 prometheus.MustRegister(authErrors)
 var err error
- timestampThresholdDuration, err = time.ParseDuration(timestampThreshold)
+ tokenValidityDuration, err = time.ParseDuration(tokenValidity)
 if err != nil {
 panic(err)
 }
@@ -68,7 +69,7 @@ func CheckToken(ctx context.Context, secret string, targetTime time.Time) error
 }
 if authInfo.Version == "v2" {
- if v2HmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, timestampThresholdDuration) {
+ if v2HmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, tokenValidityDuration) {
 return nil
 }
 }
@@ -101,7 +102,7 @@ func ExtractAuthInfo(ctx context.Context) (*AuthInfo, error) {
 func countV2Error(message string) {
 authErrors.WithLabelValues("v2", message).Inc()
 }
-func v2HmacInfoValid(message string, signedMessage, secret []byte, targetTime time.Time, timestampThreshold time.Duration) bool {
+func v2HmacInfoValid(message string, signedMessage, secret []byte, targetTime time.Time, tokenValidity time.Duration) bool {
 expectedHMAC := hmacSign(secret, message)
 if !hmac.Equal(signedMessage, expectedHMAC) {
 countV2Error("wrong hmac signature")
@@ -115,8 +116,8 @@ func v2HmacInfoValid(message string, signedMessage, secret []byte, targetTime ti
 }
 issuedAt := time.Unix(timestamp, 0)
- lowerBound := targetTime.Add(-tokenValidity)
- upperBound := targetTime.Add(timestampThreshold)
+ lowerBound := targetTime.Add(-tokenValidity)
+ upperBound := targetTime.Add(tokenValidity)
 if issuedAt.Before(lowerBound) {
 countV2Error("timestamp too old") |
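Review bot: The new name and the doc comment added on `TokenValidityDuration` ("the duration for which any token will be valid") describe a one-sided lifetime, but the last hunk applies the value on both sides of `targetTime`: `lowerBound := targetTime.Add(-tokenValidity)` and `upperBound := targetTime.Add(tokenValidity)`. Assuming `upperBound` is compared against `issuedAt` in the part of `v2HmacInfoValid` that continues outside the hunk, a token stamped up to that duration in the future is accepted as well. The total acceptance window, and with it the window in which a captured token could be replayed, would then be twice the configured value. I would document that where the bounds are computed, for example `// tokenValidity is applied symmetrically: issuedAt must lie within targetTime ± tokenValidity, so the effective window is 2 * tokenValidity.`, and adjust the `TokenValidityDuration` comment to match.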