adminrpc: add per-service timeout field for TTL caveat support #234
Open
maml wants to merge 1 commit into
Admin-API-registered services previously had Timeout=0 after the mergeServicesFromDB merge, because the proto's Service message lacked a timeout field. As a result staticServiceLimiter.ServiceTimeouts never added a _valid_until caveat for admin-API-sourced services, silently disabling the TTL expiry mechanism documented in sample-conf.yaml.

This commit adds int64 timeout to:
- Service
- CreateServiceRequest
- UpdateServiceRequest

and wires it through:
- aperturedb services table (schema + migration 000008)
- aperturedb/sqlc: models, query, generated services.sql.go
- aperturedb/services.go ServiceParams
- admin/server.go CreateService, UpdateService, ListServices
- aperture.go mergeServicesFromDB (copy Timeout to proxy.Service)

No changes to staticServiceLimiter.ServiceTimeouts or the mint pipeline -- they already check proxyService.Timeout > 0. This commit surfaces the existing mechanism through the admin API surface.

Other per-service fields (capabilities, constraints, ratelimits, authwhitelistpaths, headers, rewrite, tlscertpath) have the same gap and are intentionally deferred to follow-up PRs to keep this change focused.
Summary

Adds a `timeout` field to the admin-API `Service`, `CreateServiceRequest`, and `UpdateServiceRequest` messages so operators can configure a per-service TTL. When `timeout > 0` the minter includes a `_valid_until` caveat in the L402 macaroon, expiring access after that many seconds.

Changes

Proto / generated code

- `adminrpc/admin.proto`: add `int64 timeout = 9` to `Service` and `CreateServiceRequest`; `optional int64 timeout = 9` to `UpdateServiceRequest` (proto3 optional preserves the "not-set vs zero" distinction needed for partial updates).
- `admin.pb.go`, `admin_grpc.pb.go`, `admin.swagger.json`.

Database

- `000008_services_timeout`: `ALTER TABLE services ADD COLUMN timeout BIGINT NOT NULL DEFAULT 0`.
- `sqlc` models, query, and generated Go code to include the `timeout` column.

Admin server (`admin/server.go`)

- `ListServices`: populate `Timeout` on each returned `Service`.
- `CreateService`: validate `Timeout >= 0`; store and return it.
- `UpdateService`: honour the optional `Timeout` field; validate and update.

Proxy wiring (`aperture.go`, `services.go`)

- `mergeServicesFromDB`: propagate `Timeout` from DB row → `proxy.Service`.
- `staticServiceLimiter`: updated struct comment; added `sync.RWMutex` and a `refresh(services)` method that atomically rebuilds `capabilities`, `constraints`, and `timeouts` maps under write lock. All three `Service*` read methods acquire a read lock. `newStaticServiceLimiter` delegates to `refresh` to eliminate duplication.
- `createProxy`: returns `*staticServiceLimiter` alongside the proxy.
- `Aperture`: stores `limiter *staticServiceLimiter`. The `UpdateServices` closure calls `a.limiter.refresh(s)` before routing is updated — this ensures that on delete the limiter stops minting caveats for a service before the proxy stops routing to it.

Without the `refresh` wiring, `staticServiceLimiter` was a startup-time snapshot — admin-API mutations updated the DB and proxy routing but the minter continued using stale caveat maps for the lifetime of the process.

Tests

- `admin/server_test.go`: `TestCreateServiceWithTimeout`, `TestUpdateServiceTimeout`, `TestUpdateServiceCanSetTimeoutToZero`, `TestCreateServiceRejectsNegativeTimeout`, `TestUpdateServiceRejectsNegativeTimeout`.
- `aperturedb/services_test.go`: `TestUpsertServiceTimeout`.
- `services_test.go`: `TestRefreshRebuildsTimeouts`, `TestRefreshConcurrentReads` (race-detector clean), `TestRefreshCreateDelete`.

Docs (`docs/admin-api.md`): document the `timeout` field and the `AUTH_SCHEME_*` enum.

Test plan

- `go test ./...` passes
- `go test -race ./...` passes (no data races)
- `timeout: 60`; mint an L402; verify `_valid_until` caveat is present and ~60 s in the future.
- `_valid_until` caveat.
- `mergeServicesFromDB`).
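A minimal model of the startup-snapshot problem and the refresh-under-write-lock fix discussed in this pull request, as an added example that is not the PR's or the project's code. The names `service`, `limiter` and `validUntil`, the caveat string layout, and the sample clock value are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// service and limiter are hypothetical stand-ins, not the project's types.
type service struct {
	Name    string
	Timeout int64 // seconds; 0 means no expiry caveat
}

type limiter struct {
	mu       sync.RWMutex
	timeouts map[string]int64
}

// refresh builds the new map off-lock, then swaps it in under the write lock.
func (l *limiter) refresh(services []service) {
	next := make(map[string]int64, len(services))
	for _, s := range services {
		if s.Timeout > 0 {
			next[s.Name] = s.Timeout
		}
	}
	l.mu.Lock()
	l.timeouts = next
	l.mu.Unlock()
}

// validUntil returns the expiry caveat, or ok=false when none applies.
// The "<name>_valid_until=<unix>" layout is an assumption for illustration.
func (l *limiter) validUntil(name string, now time.Time) (string, bool) {
	l.mu.RLock()
	defer l.mu.RUnlock()
	ttl, ok := l.timeouts[name]
	if !ok {
		return "", false
	}
	return fmt.Sprintf("%s_valid_until=%d", name, now.Unix()+ttl), true
}

func main() {
	l, now := &limiter{}, time.Unix(1700000000, 0) // constructed clock value
	fmt.Println(l.validUntil("svc1", now))         // startup snapshot: no caveat
	l.refresh([]service{{"svc1", 60}})             // admin-API create triggers refresh
	fmt.Println(l.validUntil("svc1", now))         // caveat now present
}
```

A service whose timeout is zero, or one removed by a later refresh, yields no caveat, which is the condition to assert on when checking that admin-API changes reach the minter.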