Enables WorkToDoTimeout for certificate request #433

Merged
merged 5 commits into from
Feb 28, 2024
13 changes: 12 additions & 1 deletion pkg/certificate/request.go
Expand Up @@ -47,7 +47,18 @@ type Request struct {
FetchPrivateKey bool
/* Thumbprint is here because *Request is used in RetrieveCertificate().
Code should be refactored so that RetrieveCertificate() uses some abstract search object, instead of *Request{PickupID} */
Thumbprint string
Thumbprint string
// Timeout usage:
// TPP (a.k.a TLSPDC): we use it in order to set WorkToDoTimeout, that overrides TPP default timeout waiting time for the CA to finish
// if the value is more than the maximum value, TPP will automatically set the maximum value supported (as of the moment of this
// commit, 120 seconds).
// Cloud (a.k.a VaaS a.k.a TLSPC) : We use this timeout in our RetrieveCertificate function which handles a retry logic
// TPP SSH feature: We override the http client default timeout to perform http requests.
// Firefly: not usage at all
//
// Note:
// In VCert CLI we have hardcoded 180 seconds for retrieve certificate operation. For VaaS it will set retry logic for
// 180 seconds and TPP will override CA timeout as the hardcoded value
Timeout time.Duration
CustomFields []CustomField
Location *Location
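Review bot: The new comment block on Timeout ends with `// Firefly: not usage at all`, which reads awkwardly; `// Firefly: not used.` says the same thing. It would also help callers to state in this comment that the TPP path sends whole seconds only, since connector.go in this PR converts with `int64(req.Timeout.Seconds())` and any fractional part is dropped, e.g. `// TPP receives this value as whole seconds; fractions of a second are dropped.` The Request struct begins outside the hunk.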
11 changes: 11 additions & 0 deletions pkg/venafi/tpp/connector.go
Expand Up @@ -653,6 +653,17 @@ func (c *Connector) prepareRequest(req *certificate.Request, zone string) (tppRe
// - true: Clear the Disabled attribute, reenable, and then renew the certificate (in this request). Reuse the same CertificateDN, that is also known as a Certificate object.
tppReq.Reenable = true

// If "Timeout" is defined by the user in the request, we use it in order to
// override API's timeout for the CA to finish issuance. In TLSPDC this means
// using WorkToDoTimeout attribute.
// We make sure to get the seconds from
// "Timeout" as it is a "TimeDuration" and remote (TLSPDC) only expects value in seconds.
if req.Timeout > 0 {
seconds := int64(req.Timeout.Seconds())
secondsString := strconv.FormatInt(seconds, 10)
tppReq.WorkToDoTimeout = secondsString
}

return tppReq, err
}

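Review bot: `int64(req.Timeout.Seconds())` truncates toward zero, so a Timeout between 0 and 1s passes the `req.Timeout > 0` guard yet sets WorkToDoTimeout to `"0"`, which `omitempty` does not drop because the field is a non-empty string; how TPP treats a zero override is not visible here. Rounding up closes the gap, `seconds := int64(math.Ceil(req.Timeout.Seconds()))` (needs the math import), or alternatively skip the assignment when `seconds == 0`. The request.go comment in this PR says TPP silently clamps values above its maximum, so a debug-level log of the value actually sent would make that clamping visible to users. prepareRequest, and the err variable returned on the last line, begin outside this hunk.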
26 changes: 23 additions & 3 deletions pkg/venafi/tpp/connector_test.go
Expand Up @@ -500,7 +500,7 @@ func TestRequestCertificateUserPassword(t *testing.T) {
t.Fatalf("err is not nil, err: %s", err)
}
}
DoRequestCertificate(t, tpp)
DoRequestCertificate(t, tpp, 0)
}

func TestRequestCertificateToken(t *testing.T) {
Expand All @@ -515,7 +515,24 @@ func TestRequestCertificateToken(t *testing.T) {
t.Fatalf("err is not nil, err: %s", err)
}
}
DoRequestCertificate(t, tpp)
DoRequestCertificate(t, tpp, 0)
}

func TestRequestCertificateTokenWithExtendedTimeout(t *testing.T) {
t.Skip("Skipping as we cannot make TPP to hold the amount of time we want to properly test this")
tpp, err := getTestConnector(ctx.TPPurl, ctx.TPPZone)
if err != nil {
t.Fatalf("err is not nil, err: %s url: %s", err, expectedURL)
}

if tpp.apiKey == "" {
err = tpp.Authenticate(&endpoint.Authentication{AccessToken: ctx.TPPaccessToken})
if err != nil {
t.Fatalf("err is not nil, err: %s", err)
}
}
timeout, _ := time.ParseDuration("45s")
DoRequestCertificate(t, tpp, timeout)
}

func TestRequestCertificateWithValidityHours(t *testing.T) {
Expand Down Expand Up @@ -1106,7 +1123,7 @@ func DoRequestCertificateWithValidityDuration(t *testing.T, tpp *Connector) {

}

func DoRequestCertificate(t *testing.T, tpp *Connector) {
func DoRequestCertificate(t *testing.T, tpp *Connector, timeout time.Duration) {
config, err := tpp.ReadZoneConfiguration()
if err != nil {
t.Fatalf("err is not nil, err: %s", err)
Expand All @@ -1126,6 +1143,9 @@ func DoRequestCertificate(t *testing.T, tpp *Connector) {
req.CustomFields = []certificate.CustomField{
{Name: "custom", Value: "2019-10-10"},
}
if timeout != 0 {
req.Timeout = timeout
}
err = tpp.GenerateRequest(config, req)
if err != nil {
t.Fatalf("err is not nil, err: %s", err)
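Review bot: `timeout, _ := time.ParseDuration("45s")` in TestRequestCertificateTokenWithExtendedTimeout discards the parse error for a constant that cannot fail; `timeout := 45 * time.Second` is shorter and avoids the blank-identifier assignment. In the same test the failure message `t.Fatalf("err is not nil, err: %s url: %s", err, expectedURL)` prints expectedURL although the connector was built from ctx.TPPurl, which looks like a copy-paste from a sibling test and is worth confirming. In DoRequestCertificate (third hunk) the `if timeout != 0` guard is redundant because req.Timeout is already zero-valued; `req.Timeout = timeout` alone suffices.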
1 change: 1 addition & 0 deletions pkg/venafi/tpp/tpp.go
Expand Up @@ -84,6 +84,7 @@ type certificateRequest struct {
Devices []device `json:",omitempty"`
CertificateType string `json:",omitempty"`
Reenable bool `json:",omitempty"`
WorkToDoTimeout string `json:",omitempty"`
}

type certificateRetrieveRequest struct {
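Review bot: The new WorkToDoTimeout field has no doc comment, and its type is string while the value it carries is a number of seconds, which is a non-obvious wire format for a reader of this struct. A comment such as `// WorkToDoTimeout overrides the CA wait time, in whole seconds, sent as a decimal string; TPP clamps it to its supported maximum.` would capture what the request.go comment in this PR states. The certificateRequest struct begins outside the hunk.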