Merge pull request #1020 from alesstimec/charms-add-jwt-expiry

Charms add jwt expiry
canonical · Aug 3, 2023 · 6fee82c · 6fee82c
2 parents a4e58e2 + f227770
commit 6fee82c
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 7 deletions.
diff --git a/charms/jimm-k8s/config.yaml b/charms/jimm-k8s/config.yaml
@@ -81,3 +81,8 @@ options:
       The source address for the connection to Vault. 
       This should be a single IP with no CIDR.
       E.g. 10.1.2.123
+  jwt-expiry:
+    type: string
+    description: |
+      Duration for the JWT expiry (defaults to 5 minutes).
+    default: 5m
diff --git a/charms/jimm-k8s/src/charm.py b/charms/jimm-k8s/src/charm.py
@@ -265,6 +265,7 @@ def _update_workload(self, event):
             "OPENFGA_PORT": self._state.openfga_port,
             "PRIVATE_KEY": self.config.get("private-key", ""),
             "PUBLIC_KEY": self.config.get("public-key", ""),
+            "JIMM_JWT_EXPIRY": self.config.get("jwt-expiry", "5m"),
         }
         if self._state.dsn:
             config_values["JIMM_DSN"] = self._state.dsn

diff --git a/charms/jimm-k8s/tests/unit/test_charm.py b/charms/jimm-k8s/tests/unit/test_charm.py
@@ -28,6 +28,7 @@
     "JIMM_DASHBOARD_LOCATION": "https://jaas.ai/models",
     "JIMM_DNS_NAME": "juju-jimm-k8s-0.juju-jimm-k8s-endpoints.None.svc.cluster.local",
     "JIMM_ENABLE_JWKS_ROTATOR": "1",
+    "JIMM_JWT_EXPIRY": "5m",
     "JIMM_LISTEN_ADDR": ":8080",
     "JIMM_LOG_LEVEL": "info",
     "JIMM_UUID": "1234567890",

diff --git a/charms/jimm/config.yaml b/charms/jimm/config.yaml
@@ -72,3 +72,8 @@ options:
   private-key:
     type: string
     description: The private part of JIMM's macaroon bakery keypair.
+  jwt-expiry:
+    type: string
+    description: |
+      Duration for the JWT expiry (defaults to 5 minutes).
+    default: 5m
diff --git a/charms/jimm/src/charm.py b/charms/jimm/src/charm.py
@@ -133,6 +133,7 @@ def _on_config_changed(self, _):
             "public_key": self.config.get("public-key"),
             "private_key": self.config.get("private-key"),
             "audit_retention_period": self.config.get("audit-log-retention-period-in-days", ""),
+            "jwt_expiry": self.config.get("jwt-expiry", "5m"),
         }
 
         if self.config.get("postgres-secret-storage", False):

diff --git a/charms/jimm/templates/jimm.env b/charms/jimm/templates/jimm.env
@@ -19,3 +19,6 @@ JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS={{audit_retention_period}}
 {%- if insecure_secret_storage %}
 INSECURE_SECRET_STORAGE=enabled
 {% endif %}
+{%- if jwt_expiry %}
+JIMM_JWT_EXPIRY={{jwt_expiry}}
+{% endif %}
diff --git a/charms/jimm/tests/test_charm.py b/charms/jimm/tests/test_charm.py
@@ -118,13 +118,14 @@ def test_config_changed(self):
                 "public-key": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=",
                 "private-key": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=",
                 "audit-log-retention-period-in-days": "10",
+                "jwt-expiry": "10m",
             }
         )
         self.assertTrue(os.path.exists(config_file))
         with open(config_file) as f:
             lines = f.readlines()
         os.unlink(config_file)
-        self.assertEqual(len(lines), 18)
+        self.assertEqual(len(lines), 19)
         self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=")
         self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com")
         self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1")
@@ -147,6 +148,10 @@ def test_config_changed(self):
             lines[17].strip(),
             "JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS=10",
         )
+        self.assertEqual(
+            lines[18].strip(),
+            "JIMM_JWT_EXPIRY=10m",
+        )
 
     def test_config_changed_redirect_to_dashboard(self):
         config_file = os.path.join(self.harness.charm.charm_dir, "juju-jimm.env")
@@ -167,7 +172,7 @@ def test_config_changed_redirect_to_dashboard(self):
         with open(config_file) as f:
             lines = f.readlines()
         os.unlink(config_file)
-        self.assertEqual(len(lines), 18)
+        self.assertEqual(len(lines), 19)
         self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=")
         self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com")
         self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1")
@@ -190,6 +195,10 @@ def test_config_changed_redirect_to_dashboard(self):
             lines[17].strip(),
             "JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS=10",
         )
+        self.assertEqual(
+            lines[18].strip(),
+            "JIMM_JWT_EXPIRY=5m",
+        )
 
     def test_config_changed_ready(self):
         config_file = os.path.join(self.harness.charm.charm_dir, "juju-jimm.env")
@@ -209,7 +218,7 @@ def test_config_changed_ready(self):
         with open(config_file) as f:
             lines = f.readlines()
         os.unlink(config_file)
-        self.assertEqual(len(lines), 16)
+        self.assertEqual(len(lines), 17)
         self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=")
         self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com")
         self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1")
@@ -231,6 +240,10 @@ def test_config_changed_ready(self):
             lines[15].strip(),
             "JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS=10",
         )
+        self.assertEqual(
+            lines[16].strip(),
+            "JIMM_JWT_EXPIRY=5m",
+        )
 
     def test_config_changed_with_agent(self):
         config_file = os.path.join(self.harness.charm.charm_dir, "juju-jimm.env")
@@ -257,7 +270,7 @@ def test_config_changed_with_agent(self):
 
         with open(config_file) as f:
             lines = f.readlines()
-        self.assertEqual(len(lines), 16)
+        self.assertEqual(len(lines), 17)
         self.assertEqual(
             lines[0].strip(),
             "BAKERY_AGENT_FILE=" + self.harness.charm._agent_filename,
@@ -283,7 +296,7 @@ def test_config_changed_with_agent(self):
         )
         with open(config_file) as f:
             lines = f.readlines()
-        self.assertEqual(len(lines), 16)
+        self.assertEqual(len(lines), 17)
         self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=")
         self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com")
         self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1")
@@ -570,14 +583,14 @@ def test_insecure_secret_storage(self):
         with open(config_file) as f:
             lines = f.readlines()
         os.unlink(config_file)
-        self.assertEqual(len(lines), 18)
+        self.assertEqual(len(lines), 19)
         self.assertEqual(len([match for match in lines if "INSECURE_SECRET_STORAGE" in match]), 0)
         self.harness.update_config({"postgres-secret-storage": True})
         self.assertTrue(os.path.exists(config_file))
         with open(config_file) as f:
             lines = f.readlines()
         os.unlink(config_file)
-        self.assertEqual(len(lines), 19)
+        self.assertEqual(len(lines), 21)
         self.assertEqual(len([match for match in lines if "INSECURE_SECRET_STORAGE" in match]), 1)