ticket: add comments about auth key mtime

[pve-access-control.git] / PVE / AccessControl.pm

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 512fcd2dddcd8844a5edf18cedb5d56411512739..6ac99ac28d716d321d2778bfd4e80f441701044d 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -47,9 +47,8 @@ my $pve_auth_key_files = {
 
 my $pve_auth_key_cache = {};
 
-my $ticket_lifetime = 3600*2; # 2 hours
-# TODO: set to 24h for PVE 6.0
-my $authkey_lifetime = 3600*0; # rotation disabled
+my $ticket_lifetime = 3600 * 2; # 2 hours
+my $authkey_lifetime = 3600 * 24; # rotate every 24 hours
 
 Crypt::OpenSSL::RSA->import_random_seed();
 
@@ -167,18 +166,21 @@ sub rotate_authkey {
        return if check_authkey();
 
        my $old = get_pubkey();
+       my $new = Crypt::OpenSSL::RSA->generate_key(2048);
 
        if ($old) {
            eval {
                my $pem = $old->get_public_key_x509_string();
+               # mtime is used for caching and ticket age range calculation
                PVE::Tools::file_set_contents($pve_auth_key_files->{pubold}, $pem);
            };
            die "Failed to store old auth key: $@\n" if $@;
        }
 
-       my $new = Crypt::OpenSSL::RSA->generate_key(2048);
        eval {
            my $pem = $new->get_public_key_x509_string();
+           # mtime is used for caching and ticket age range calculation,
+           # should be close to that of pubold above
            PVE::Tools::file_set_contents($pve_auth_key_files->{pub}, $pem);
        };
        if ($@) {
@@ -284,7 +286,7 @@ sub verify_ticket {
        return undef if !$rsa_pub;
 
        my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old);
-       return undef if !$min;
+       return undef if !defined($min);
 
        return PVE::Ticket::verify_rsa_ticket(
            $rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);