diff --git a/management/cmd/management.go b/management/cmd/management.go
index f05de4e4e..54f672f51 100644
--- a/management/cmd/management.go
+++ b/management/cmd/management.go
@@ -83,7 +83,10 @@ var (
 if err != nil {
 return fmt.Errorf("failed reading provided config file: %s: %v", mgmtConfig, err)
 }
- config.HttpConfig.IdpSignKeyRefreshEnabled = idpSignKeyRefreshEnabled
+
+ if cmd.Flag(idpSignKeyRefreshEnabledFlagName).Changed {
+ config.HttpConfig.IdpSignKeyRefreshEnabled = idpSignKeyRefreshEnabled
+ }
 
 tlsEnabled := false
 if mgmtLetsencryptDomain != "" || (config.HttpConfig.CertFile != "" && config.HttpConfig.CertKey != "") {
diff --git a/management/cmd/root.go b/management/cmd/root.go
index 1c9b95bfd..f5c533969 100644
--- a/management/cmd/root.go
+++ b/management/cmd/root.go
@@ -12,7 +12,8 @@ import (
 
 const (
 // ExitSetupFailed defines exit code
- ExitSetupFailed = 1
+ ExitSetupFailed = 1
+ idpSignKeyRefreshEnabledFlagName = "idp-sign-key-refresh-enabled"
 )
 
 var (
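Review bot: The new `.Changed` guard deserves a comment explaining why this field, unlike the others loaded from the config file, is only overridden when the flag is given explicitly; e.g. `// Keep the config file's IdpSignKeyRefreshEnabled unless the flag was passed on the command line; assigning it unconditionally reset the file value to the flag default.` That matters operationally, because the flag governs whether rotated IdP signing keys are re-fetched on expiry, so a silently reset value meant key rotation at the IdP went unnoticed. Note that `cmd.Flag(...)` returns nil for a name not registered on that command, so the lookup relies on this RunE belonging to the command that registers the flag in init (mgmtCmd, going by the root.go hunk); a startup-time nil dereference here would be worth a test pinning that coupling. The enclosing function starts and ends outside the hunk.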
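Review bot: `idpSignKeyRefreshEnabledFlagName` is added to a block whose only other member carries a doc comment, and its purpose is a cross-file coupling that is not obvious from the name alone; give it one: `// idpSignKeyRefreshEnabledFlagName is shared by the flag registration in init and the Changed lookup in the management command, so the two cannot drift apart.` An unexported constant next to an exported one in the same block is fine, though a separate block would read slightly cleaner.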
@@ -62,7 +63,7 @@ func init() { mgmtCmd.Flags().StringVar(&certKey, "cert-key", "", "Location of your SSL certificate private key. Can be used when you have an existing certificate and don't want a new certificate be generated automatically. If letsencrypt-domain is specified this property has no effect") mgmtCmd.Flags().BoolVar(&disableMetrics, "disable-anonymous-metrics", false, "disables push of anonymous usage metrics to NetBird") mgmtCmd.Flags().StringVar(&dnsDomain, "dns-domain", defaultSingleAccModeDomain, fmt.Sprintf("Domain used for peer resolution. This is appended to the peer's name, e.g. pi-server. %s. Max length is 192 characters to allow appending to a peer name with up to 63 characters.", defaultSingleAccModeDomain)) - mgmtCmd.Flags().BoolVar(&idpSignKeyRefreshEnabled, "idp-sign-key-refresh-enabled", false, "Enable cache headers evaluation to determine signing key rotation period. This will refresh the signing key upon expiry.") + mgmtCmd.Flags().BoolVar(&idpSignKeyRefreshEnabled, idpSignKeyRefreshEnabledFlagName, false, "Enable cache headers evaluation to determine signing key rotation period. This will refresh the signing key upon expiry.") mgmtCmd.Flags().BoolVar(&userDeleteFromIDPEnabled, "user-delete-from-idp", false, "Allows to delete user from IDP when user is deleted from account") rootCmd.MarkFlagRequired("config") //nolint
diff --git a/management/server/jwtclaims/jwtValidator.go b/management/server/jwtclaims/jwtValidator.go
index b564e4f4e..f218c1aa9 100644
--- a/management/server/jwtclaims/jwtValidator.go
+++ b/management/server/jwtclaims/jwtValidator.go
@@ -108,6 +108,8 @@ func NewJWTValidator(issuer string, audienceList []string, keysLocation string,
 refreshedKeys = keys
 }
 
+ log.Debugf("keys refreshed, new UTC expiration time: %s", refreshedKeys.expiresInTime.UTC())
+
 keys = refreshedKeys
 }
 }
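Review bot: The new debug line says "keys refreshed" even on the path where the branch just above assigns `refreshedKeys = keys`, which from this hunk appears to be the fallback that keeps the previous key set when no fresh one was obtained; an operator reading logs would then see a refresh that did not happen and an expiry that is the old one. Either move the line into the branch that actually installs new keys, or make the message neutral so it is true on both paths: `log.Debugf("signing keys in use, UTC expiration time: %s", refreshedKeys.expiresInTime.UTC())`. The loop this sits in, and the function around it, start and end outside the hunk, so whether this fires per refresh cycle is inferred; keeping it at debug level is right either way.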
@@ -179,7 +181,7 @@ func (m *JWTValidator) ValidateAndParse(token string) (*jwt.Token, error) {
 
 // stillValid returns true if the JSONWebKey still valid and have enough time to be used
 func (jwks *Jwks) stillValid() bool {
- return jwks.expiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(jwks.expiresInTime)
+ return !jwks.expiresInTime.IsZero() && time.Now().Add(5*time.Second).Before(jwks.expiresInTime)
 }
 
 func getPemKeys(keysLocation string) (*Jwks, error) {
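Review bot: The 5-second margin is an unexplained literal inside the check that decides whether a cached JWKS may still be used to verify tokens; naming it keeps the intent visible when someone later tunes it: `const jwksExpiryMargin = 5 * time.Second` at package scope and `return !jwks.expiresInTime.IsZero() && time.Now().Add(jwksExpiryMargin).Before(jwks.expiresInTime)`. Now that the zero check is the leading clause, the doc comment should state that rule rather than the current ungrammatical sentence: `// stillValid reports whether the cached JWKS has a known expiry that is still at least the margin away; a zero expiry is never considered valid and forces a refresh.` A small table test covering zero expiry, expiry inside the margin and expiry well ahead would pin the inverted condition against regression.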