From: Tobias Urdin
Date: Tue, 26 Apr 2022 09:05:07 +0000 (+0000)
Subject: rgw/auth: Update expires for allowed expired token before caching it
X-Git-Tag: v18.1.0~1023^2~18
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e76a2e2124c170806b7e006c3494cc32624bd7d8;p=ceph.git

rgw/auth: Update expires for allowed expired token before caching it

Signed-off-by: Tobias Urdin
---

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 0b3dcbe03463..df0848d3c73b 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -315,6 +315,16 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
 /* Check for necessary roles. */
 for (const auto& role : roles.plain) {
 if (t->has_role(role) == true) {
+ /* If this token was an allowed expired token because we got a
+ * service token we need to update the expiration before we cache it. */
+ if (allow_expired) {
+ /* TODO(tobias-urdin): Make an hour here configurable. */
+ uint64_t new_expires = ceph_clock_now().sec() + 3600;
+ ldpp_dout(dpp, 20) << "updating expiration of allowed expired token"
+ << " from " << t->get_expires() << " to "
+ << new_expires << dendl;
+ t->set_expires(new_expires);
+ }
 ldpp_dout(dpp, 0) << "validated token: " << t->get_project_name()
 << ":" << t->get_user_name()
 << " expires: " << t->get_expires() << dendl;
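Review bot: In the `if (allow_expired)` branch, `t->set_expires(new_expires)` overwrites the token's Keystone expiry before the entry is cached, so the cached copy looks unexpired on its own and no longer records that it was accepted only because a service token accompanied it. The cache insert and lookup sit outside this hunk (the body of `TokenEngine::authenticate` starts and ends beyond it); if the cache is keyed on the user token alone, a later request presenting the same expired token without a service token could be served from cache for up to an hour, so the key or the hit path should be confirmed to depend on the service token. The fixed `+ 3600` is also not bounded by the service token's own remaining validity, and capping `new_expires` at that value would keep the extension from outliving the credential that justified it. I would record the constraint next to the TODO, e.g. `/* The extended expiry is only meaningful together with a valid service token; the cache key must not let a bare user token match this entry. */`. For auditability, note that the level-0 `validated token` line now prints the synthetic expiry while the original value is logged only at level 20, so that line could state that the expiry was extended.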