Machine ID: Warn when returned cert TTL is less than expected #52833

Draft: wants to merge 1 commit into base: master

Conversation

timothyb89
Contributor

This adds a warning when the returned certificate TTL is lower than requested, which can happen if `max_session_ttl` is set in a bot role.

Fixes #29579

This adds a warning when the returned certificate TTL is lower than
requested, which can happen if `max_session_ttl` is set in a bot
role.

Fixes #29579
// Calculate a rough TTL, assuming this was called shortly after the
// identity was returned. We'll add a minute buffer to compensate and avoid
// superfluous warning messages.
effectiveTTL := ident.TLSIdentity.Expires.Sub(time.Now()) + time.Minute
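Review bot: the one-minute buffer makes this check blind to any shortfall of up to a minute, and the result depends on how soon after issuance this line executes, which the comment itself describes as an assumption. Capturing `time.Now()` immediately before the certificate request and comparing the returned `Expires` against `requestedAt.Add(requestedTTL)` would remove the need for the buffer and leave only clock skew to tolerate. Minor: `ident.TLSIdentity.Expires.Sub(time.Now())` is what `time.Until(ident.TLSIdentity.Expires)` expresses directly, and staticcheck flags the former.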
Contributor Author


A bit janky and may have some minor false negatives due to the 1m buffer. Hopefully sane enough?
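The buffered comparison above, as an added Go example that is not the PR's code (the `identity` type, the function names and the scenario timings are constructed for illustration): it shows the shortfall that the one-minute buffer hides, next to a variant that records the request time instead of buffering and therefore only has to tolerate clock skew.

```go
package main

import (
	"fmt"
	"time"
)

// identity is a constructed stand-in for the identity object the server
// returns (it is not Teleport's type); only the TLS expiry matters here.
type identity struct {
	TLSExpires time.Time
}

// effectiveTTL is the lifetime the returned certificate still has at `now`.
func effectiveTTL(ident identity, now time.Time) time.Duration {
	return ident.TLSExpires.Sub(now)
}

// shortenedWithBuffer reproduces the post-hoc check: the time between
// issuance and this call is unknown, so `buffer` is added to the effective
// TTL before comparing against what was requested. Any shortfall no larger
// than the buffer is therefore not reported.
func shortenedWithBuffer(ident identity, requested time.Duration, now time.Time, buffer time.Duration) bool {
	return effectiveTTL(ident, now)+buffer < requested
}

// shortenedSince compares against the expiry the caller expected when it
// sent the request (`requestedAt` recorded just before the call), so only
// genuine server-side truncation beyond `skew` is reported.
func shortenedSince(ident identity, requested time.Duration, requestedAt time.Time, skew time.Duration) bool {
	expected := requestedAt.Add(requested)
	return expected.Sub(ident.TLSExpires) > skew
}

func main() {
	// Constructed scenario: a bot asks for a 1h certificate; the check runs
	// 5s after the server issued it (issuance at `issued`).
	issued := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
	checkedAt := issued.Add(5 * time.Second)
	requested := time.Hour

	cases := []struct {
		name  string
		ident identity
	}{
		{"full 1h granted", identity{issued.Add(time.Hour)}},
		{"role max_session_ttl of 30m applied", identity{issued.Add(30 * time.Minute)}},
		{"truncated by 30s only", identity{issued.Add(59*time.Minute + 30*time.Second)}},
	}
	for _, c := range cases {
		fmt.Printf("%-38s effective=%v buffered-warn=%t exact-warn=%t\n",
			c.name,
			effectiveTTL(c.ident, checkedAt).Round(time.Second),
			shortenedWithBuffer(c.ident, requested, checkedAt, time.Minute),
			shortenedSince(c.ident, requested, issued, 10*time.Second))
	}
}
```

The third case is the false negative the comment above mentions: a 30s truncation is invisible to the buffered check but reported by the request-time variant, whose only tolerance is the skew value chosen by the caller.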

Comment on lines +432 to +435
l.WarnContext(ctx, "The server returned an identity shorter than "+
"the requested TTL, probably due to a `max_session_ttl` "+
"configured on a server-side role. It may not remain valid as "+
"long as expected.")
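Review bot: the warning states the symptom but not the numbers; emitting the requested TTL and the effective TTL (and their difference) as structured fields next to this message would let an operator confirm the cause and pick a matching `max_session_ttl` without a second run. The text also commits to a cause ("probably due to a `max_session_ttl`") that the code does not verify; since the bot can read its own roles, as noted in the comment below, either naming the offending role in the message or softening the attribution would keep it accurate when some other limit shortens the certificate.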
Contributor Author


I did some experimenting and found that bots can always fetch their own roles, so technically we could make some queries and log exactly which role caused the shortened TTL. Any thoughts on whether or not that would be worth the effort?

Successfully merging this pull request may close these issues.

Machine ID: Add warnings when max_session_ttl is exceeded in tbot configuration