Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bugfix: Added base key validity period of 60 minutes. #765

Closed
wants to merge 5 commits into from
Closed

bugfix: Added base key validity period of 60 minutes. #765

wants to merge 5 commits into from

Conversation

ishanjain28
Copy link

  • read the CONTRIBUTING guidelines
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md

Fixes #764

PR Description,

Currently headscale initializes machine key's expiry time with &time.Time{}. This is formatted to, 0001-01-01T00:00:00Z(in RFC3339 format).

This means, The keys expiry time will always be in the past and clients will be stuck in a loop renewing the key.

This PR addresses this problem by adding a minimum validity of 60 minutes to the generated keys.

@ishanjain28
bugfix: Added a base key validity period of 60 minutes.
49870c8 
1. This will ensure that the generated keys are valid for the next 60
minutes
2. Updated Changelog
@ishanjain28 ishanjain28 changed the title bugfix: Added a base key validity period of 60 minutes. bugfix: Added base key validity period of 60 minutes. Aug 24, 2022
@ishanjain28
Copy link
Author

This issue has not been fixed completely.

Android clients are working fine and are getting the correct expiry time but Linux clients are still getting,

expiry | 0001-01-01 05:53:28+05:53:28

@ishanjain28
Copy link
Author

Fixed.

  1. OIDC renewal code mentios that the function accepts current time but then passes, &time.Time{}. This has been changed to pass, time.Now().Add(DefaultKeyExpireTime).
  2. In protocol_common.go, In the refresh operation it was not renewing the key. expire field in database was being overwritten to 0001-01-01T00:00:00Z.

juanfont
juanfont reviewed Sep 4, 2022
View reviewed changes
protocol_common.go
@@ -26,6 +26,10 @@ const (
//
// See also https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go
NoiseCapabilityVersion = 39

// DefaultKeyExpireTime determines the valid period of a generated key
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment should end in a period

protocol_common.go
@@ -26,6 +26,10 @@ const (
//
// See also https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go
NoiseCapabilityVersion = 39

// DefaultKeyExpireTime determines the valid period of a generated key
// Keys of new machines are valid for this period
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment should end in a period

CHANGELOG.md
@@ -1,5 +1,9 @@
# CHANGELOG

## 0.17.1 (2022-XX-XX)
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
## 0.17.1 (2022-XX-XX)

Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add this under 0.17.0 ?

protocol_common.go

// DefaultKeyExpireTime determines the valid period of a generated key
// Keys of new machines are valid for this period
DefaultKeyExpireTime = 60 * time.Minute
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any rationale behind 60 minutes?

@juanfont
Copy link
Owner

juanfont commented Sep 4, 2022

Digging into this, upstream only seems to say about key expiration this (in RegisterRequest)

// Expiry optionally specifies the requested key expiry.
// The server policy may override.
// As a special case, if Expiry is in the past and NodeKey is
// the node's current key, the key is expired.

Perhaps could be DefaultKeyExpireTime could be something configurable, with a default time of 60 minutes...

@Yxnt Yxnt mentioned this pull request May 29, 2023
Closed
@kradalby
Copy link
Collaborator

Hi! as part of #1473, we have reorganised a lot of the code.

To clear PRs that needs to be rebased or redone, we are closing open PRs that will require significant code change to be merged.

In addition, the issue of the PR might in some cases have been fixed, change or no longer relevant, so it would be great if this is considered as well.

Thank you for your contribution!

If it is still relevant and the PR is reopened, we will aim at getting the changes into the next release after the reorg if accepted.

@kradalby kradalby closed this Sep 24, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@juanfont juanfont juanfont left review comments

@kradalby kradalby Awaiting requested review from kradalby kradalby is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Headscale fails to activate clients with postgresql backend
3 participants
@ishanjain28 @juanfont @kradalby