From cb95c0fd551d8a7ba73f43900c090e37bf750cfe Mon Sep 17 00:00:00 2001 From: alesstimec Date: Wed, 2 Aug 2023 12:47:58 +0200 Subject: [PATCH] Adds jwt expiry config option to both charms. JIMM_JWT_EXPIRY is a required parameter for JIMM. --- charms/jimm-k8s/config.yaml | 5 +++++ charms/jimm-k8s/src/charm.py | 1 + charms/jimm-k8s/tests/unit/test_charm.py | 1 + charms/jimm/config.yaml | 5 +++++ charms/jimm/src/charm.py | 1 + charms/jimm/templates/jimm.env | 3 +++ charms/jimm/tests/test_charm.py | 27 ++++++++++++++++++------ 7 files changed, 36 insertions(+), 7 deletions(-) diff --git a/charms/jimm-k8s/config.yaml b/charms/jimm-k8s/config.yaml index 2ab14cb54..f057af49f 100644 --- a/charms/jimm-k8s/config.yaml +++ b/charms/jimm-k8s/config.yaml @@ -81,3 +81,8 @@ options: The source address for the connection to Vault. This should be a single IP with no CIDR. E.g. 10.1.2.123 + jwt-expiry: + type: string + description: | + Duration for the JWT expiry (defaults to 5 minutes). + default: 5m diff --git a/charms/jimm-k8s/src/charm.py b/charms/jimm-k8s/src/charm.py index 57148f368..36b842614 100755 --- a/charms/jimm-k8s/src/charm.py +++ b/charms/jimm-k8s/src/charm.py @@ -265,6 +265,7 @@ def _update_workload(self, event): "OPENFGA_PORT": self._state.openfga_port, "PRIVATE_KEY": self.config.get("private-key", ""), "PUBLIC_KEY": self.config.get("public-key", ""), + "JIMM_JWT_EXPIRY": self.config.get("jwt-expiry", "5m"), } if self._state.dsn: config_values["JIMM_DSN"] = self._state.dsn diff --git a/charms/jimm-k8s/tests/unit/test_charm.py b/charms/jimm-k8s/tests/unit/test_charm.py index d0af7eada..288f19dc3 100644 --- a/charms/jimm-k8s/tests/unit/test_charm.py +++ b/charms/jimm-k8s/tests/unit/test_charm.py 
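Review bot: The `jwt-expiry` description added to charms/jimm-k8s/config.yaml does not say which values are accepted or why the setting matters, and the option is a free-form `string`, so nothing at the charm-config level rejects a typo or an unexpectedly long lifetime. I would word it as `Validity period of a JWT, as a duration string such as 5m or 10m (defaults to 5 minutes). A shorter value limits how long a leaked token remains usable.` The exact syntax JIMM accepts is not visible in this patch, so confirm it against JIMM's parser before documenting it. The identical block added to charms/jimm/config.yaml needs the same wording.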
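Review bot: In `_update_workload`, `self.config.get("jwt-expiry", "5m")` falls back to `5m` only when the key is missing, so an operator who sets the option to an empty string would get an empty `JIMM_JWT_EXPIRY`, which the commit message describes as required. `"JIMM_JWT_EXPIRY": self.config.get("jwt-expiry") or "5m",` keeps the default in that case. The value is also forwarded with no format or upper-bound check; since it controls token lifetime, it would be safer to reject anything that is not a short duration string, and set a blocked status, before it reaches the workload. The same applies to the `"jwt_expiry"` entry added to `_on_config_changed` in charms/jimm/src/charm.py. Both functions start and end outside their hunks.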
@@ -28,6 +28,7 @@ "JIMM_DASHBOARD_LOCATION": "https://jaas.ai/models", "JIMM_DNS_NAME": "juju-jimm-k8s-0.juju-jimm-k8s-endpoints.None.svc.cluster.local", "JIMM_ENABLE_JWKS_ROTATOR": "1", + "JIMM_JWT_EXPIRY": "5m", "JIMM_LISTEN_ADDR": ":8080", "JIMM_LOG_LEVEL": "info", "JIMM_UUID": "1234567890", diff --git a/charms/jimm/config.yaml b/charms/jimm/config.yaml index f8a105f77..7aae1a735 100644 --- a/charms/jimm/config.yaml +++ b/charms/jimm/config.yaml @@ -72,3 +72,8 @@ options: private-key: type: string description: The private part of JIMM's macaroon bakery keypair. + jwt-expiry: + type: string + description: | + Duration for the JWT expiry (defaults to 5 minutes). + default: 5m diff --git a/charms/jimm/src/charm.py b/charms/jimm/src/charm.py index 235ae85de..81509d8cf 100755 --- a/charms/jimm/src/charm.py +++ b/charms/jimm/src/charm.py @@ -133,6 +133,7 @@ def _on_config_changed(self, _): "public_key": self.config.get("public-key"), "private_key": self.config.get("private-key"), "audit_retention_period": self.config.get("audit-log-retention-period-in-days", ""), + "jwt_expiry": self.config.get("jwt-expiry", "5m"), } if self.config.get("postgres-secret-storage", False): diff --git a/charms/jimm/templates/jimm.env b/charms/jimm/templates/jimm.env index 83bf03953..945c9538f 100644 --- a/charms/jimm/templates/jimm.env +++ b/charms/jimm/templates/jimm.env @@ -19,3 +19,6 @@ JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS={{audit_retention_period}} {%- if insecure_secret_storage %} INSECURE_SECRET_STORAGE=enabled {% endif %} +{%- if jwt_expiry %} +JIMM_JWT_EXPIRY={{jwt_expiry}} +{% endif %} \ No newline at end of file diff --git a/charms/jimm/tests/test_charm.py b/charms/jimm/tests/test_charm.py index 3ffe9579f..58eaa2b9c 100644 --- a/charms/jimm/tests/test_charm.py +++ b/charms/jimm/tests/test_charm.py 
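Review bot: In charms/jimm/templates/jimm.env, `JIMM_JWT_EXPIRY={{jwt_expiry}}` writes the operator-supplied string into the environment file as-is, so a value containing a line break would add further lines to the file. The charm should validate the value as a single duration token before rendering. The surrounding `{%- if jwt_expiry %}` guard also means an empty value silently drops a variable the commit message calls required; rendering it unconditionally, or failing in the charm, would make the misconfiguration visible. The new `{% endif %}` has no whitespace control and the file still ends without a newline, which may be what shifts the line counts in the test hunks.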
@@ -118,13 +118,14 @@ def test_config_changed(self): "public-key": "izcYsQy3TePp6bLjqOo3IRPFvkQd2IKtyODGqC6SdFk=", "private-key": "ly/dzsI9Nt/4JxUILQeAX79qZ4mygDiuYGqc2ZEiDEc=", "audit-log-retention-period-in-days": "10", + "jwt-expiry": "10m", } ) self.assertTrue(os.path.exists(config_file)) with open(config_file) as f: lines = f.readlines() os.unlink(config_file) - self.assertEqual(len(lines), 18) + self.assertEqual(len(lines), 19) self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=") self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com") self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1") @@ -147,6 +148,10 @@ def test_config_changed(self): lines[17].strip(), "JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS=10", ) + self.assertEqual( + lines[18].strip(), + "JIMM_JWT_EXPIRY=10m", + ) def test_config_changed_redirect_to_dashboard(self): config_file = os.path.join(self.harness.charm.charm_dir, "juju-jimm.env") @@ -167,7 +172,7 @@ def test_config_changed_redirect_to_dashboard(self): with open(config_file) as f: lines = f.readlines() os.unlink(config_file) - self.assertEqual(len(lines), 18) + self.assertEqual(len(lines), 19) self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=") self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com") self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1") @@ -190,6 +195,10 @@ def test_config_changed_redirect_to_dashboard(self): lines[17].strip(), "JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS=10", ) + self.assertEqual( + lines[18].strip(), + "JIMM_JWT_EXPIRY=5m", + ) def test_config_changed_ready(self): config_file = os.path.join(self.harness.charm.charm_dir, "juju-jimm.env") 
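Review bot: The assertions added to `test_config_changed` and `test_config_changed_redirect_to_dashboard` cover only a valid custom value (`10m`) and the default; nothing exercises an empty or malformed `jwt-expiry`. Because the setting governs token lifetime, a case such as `self.harness.update_config({"jwt-expiry": ""})`, followed by a check that the rendered file still carries a non-empty `JIMM_JWT_EXPIRY` (or that the charm blocks), would pin the intended behaviour. The later hunks in `test_config_changed_ready` and `test_config_changed_with_agent` extend the tests the same way and have the same gap. Both test bodies here start outside their hunks.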
@@ -209,7 +218,7 @@ def test_config_changed_ready(self): with open(config_file) as f: lines = f.readlines() os.unlink(config_file) - self.assertEqual(len(lines), 16) + self.assertEqual(len(lines), 17) self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=") self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com") self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1") @@ -231,6 +240,10 @@ def test_config_changed_ready(self): lines[15].strip(), "JIMM_AUDIT_LOG_RETENTION_PERIOD_IN_DAYS=10", ) + self.assertEqual( + lines[16].strip(), + "JIMM_JWT_EXPIRY=5m", + ) def test_config_changed_with_agent(self): config_file = os.path.join(self.harness.charm.charm_dir, "juju-jimm.env") @@ -257,7 +270,7 @@ def test_config_changed_with_agent(self): with open(config_file) as f: lines = f.readlines() - self.assertEqual(len(lines), 16) + self.assertEqual(len(lines), 17) self.assertEqual( lines[0].strip(), "BAKERY_AGENT_FILE=" + self.harness.charm._agent_filename, @@ -283,7 +296,7 @@ def test_config_changed_with_agent(self): ) with open(config_file) as f: lines = f.readlines() - self.assertEqual(len(lines), 16) + self.assertEqual(len(lines), 17) self.assertEqual(lines[0].strip(), "BAKERY_AGENT_FILE=") self.assertEqual(lines[1].strip(), "CANDID_URL=https://candid.example.com") self.assertEqual(lines[2].strip(), "JIMM_ADMINS=user1 user2 group1") 
@@ -570,14 +583,14 @@ def test_insecure_secret_storage(self): with open(config_file) as f: lines = f.readlines() os.unlink(config_file) - self.assertEqual(len(lines), 18) + self.assertEqual(len(lines), 19) self.assertEqual(len([match for match in lines if "INSECURE_SECRET_STORAGE" in match]), 0) self.harness.update_config({"postgres-secret-storage": True}) self.assertTrue(os.path.exists(config_file)) with open(config_file) as f: lines = f.readlines() os.unlink(config_file) - self.assertEqual(len(lines), 19) + self.assertEqual(len(lines), 21) self.assertEqual(len([match for match in lines if "INSECURE_SECRET_STORAGE" in match]), 1)
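Review bot: The second count in `test_insecure_secret_storage` goes from 19 to 21, so enabling `postgres-secret-storage` now adds two lines where it added one before this change (18 to 19). That looks like a stray blank line from the template rather than intended output, though the rendering is not fully visible here. A raw line count hides this; an assertion in the style already used in this hunk, `self.assertEqual(len([match for match in lines if "JIMM_JWT_EXPIRY=" in match]), 1)`, would check the new variable directly, and `{%- endif %}` in the template would possibly remove the extra line. The test function starts outside the hunk.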