From fb76383afd55a118e4adc9bc0ce0e96d29daafc8 Mon Sep 17 00:00:00 2001
From: Joseph Shearer
Date: Wed, 6 Sep 2023 16:28:59 -0400
Subject: [PATCH] Azure AD: fix when to refresh user delegation credentials (#349)
* We must refresh whenever the credential expires _before_ 1 minute from now, not after.
* Significantly expand UDC lifetime and refresh window
---
 broker/fragment/store_azure.go | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/broker/fragment/store_azure.go b/broker/fragment/store_azure.go
index 308d94a9..cc55005f 100644
--- a/broker/fragment/store_azure.go
+++ b/broker/fragment/store_azure.go
@@ -325,10 +325,18 @@ func (a *azureBackend) buildBlobURL(cfg AzureStoreConfig, client pipeline.Pipeli
 // Cache UserDelegationCredentials and refresh them when needed
 func (a *azureBackend) getUserDelegationCredential() (*service.UserDelegationCredential, error) {
- // We want to make sure we create a new credential well before the existing one expires
- // So this gives us a 60 second buffer before the credential expires to make a new one.
- if a.udc == nil || (a.udcExp != nil && a.udcExp.After(time.Now().Add(time.Minute))) {
- var expTime = time.Now().Add(time.Hour * 24)
+ // https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-user-delegation-sas-create-cli#use-azure-ad-credentials-to-secure-a-sas
+ // According to the above docs, signed URLs generated with a UDC are invalid after
+ // that UDC expires. In addition, a UDC can live up to 7 days. So let's ensure that
+ // we always sign URLs with a UDC that has at least 5 days of useful life left in it.
+
+ // ----| NOW |------|NOW+5Day|-----| udcExp |---- No need to refresh
+ // ----| NOW |-----| udcExp |-----|NOW+5Day|---- Need to refresh
+ // ----|udcExp|-----| NOW | ------------------ Need to refresh
+ if a.udc == nil || (a.udcExp != nil && a.udcExp.Before(time.Now().Add(time.Hour*24*5))) {
+ // Generate UDCs that expire 6 days from now, and refresh them after they
+ // have less than 5 days left until they expire.
+ var expTime = time.Now().Add(time.Hour * 24 * 6)
 var info = service.KeyInfo{
 Start: to.Ptr(time.Now().Add(time.Second * -10).UTC().Format(sas.TimeFormat)),
 Expiry: to.Ptr(expTime.UTC().Format(sas.TimeFormat)),