Merge pull request #863 from openziti/process-cert-extension-requests

handle cert extension if requested by the network

Author: ekoby

inc_internal/internal_model.h

@@ -62,6 +62,8 @@ XX(posture_query_set, ziti_posture_query_set, array, postureQueries, __VA_ARGS__
 XX(is_mfa_required, model_bool, none, isMfaRequired, __VA_ARGS__) \
 XX(is_mfa_complete, model_bool, none, isMfaComplete, __VA_ARGS__) \
 XX(is_cert_extendable, model_bool, none, isCertExtendable, __VA_ARGS__) \
+XX(cert_extend_requested, model_bool, none, isCertExtendRequested, __VA_ARGS__) \
+XX(key_roll_requested, model_bool, none, isCertKeyRollRequested, __VA_ARGS__) \
 XX(auth_queries, ziti_auth_query_mfa, list, authQueries, __VA_ARGS__) \
 XX(authenticator_id, model_string, none, authenticatorId, __VA_ARGS__)
 

library/ziti.c

@@ -2137,28 +2137,38 @@ static void api_session_cb(ziti_api_session *api_sess, const ziti_error *err, vo
             goto done;
         }
 
-        struct tm exp;
-        ztx->id_creds.cert->get_expiration(ztx->id_creds.cert, &exp);
-        time_t now = time(0);
-        time_t exptime = mktime(&exp);
-
-        bool renew = exptime - now < ztx->opts.cert_extension_window * ONE_DAY;
-        if (!renew) {
+        if (!api_sess->is_cert_extendable) {
+            ZTX_LOG(DEBUG, "identity certificate is not renewable");
             goto done;
         }
 
-        if (!api_sess->is_cert_extendable) {
-            ZTX_LOG(WARN, "identity certificate is not renewable");
-            goto done;
+        struct tm exp;
+        if (api_sess->cert_extend_requested || api_sess->key_roll_requested) {
+            ZTX_LOG(INFO, "controller requested certificate renewal (%s key roll)",
+                    api_sess->key_roll_requested ? "with" : "without");
+        } else {
+            ztx->id_creds.cert->get_expiration(ztx->id_creds.cert, &exp);
+            time_t now = time(0);
+            time_t exptime = mktime(&exp);
+
+            bool renew = exptime - now < ztx->opts.cert_extension_window * ONE_DAY;
+            if (!renew) {
+                goto done;
+            }
+            ZTX_LOG(INFO, "renewing identity certificate exp[%04d-%02d-%02d %02d:%02d]",
+                    1900 + exp.tm_year, exp.tm_mon + 1, exp.tm_mday, exp.tm_hour, exp.tm_min);
         }
 
         if ((ztx->opts.events & ZitiConfigEvent) == 0) {
-            ZTX_LOG(WARN, "identity certificate needs to be renewed but application is not handling ZitiConfigEvent");
+            ZTX_LOG(WARN, "identity certificate needs to be renewed "
+                          "but application is not handling ZitiConfigEvent");
             goto done;
         }
 
-        ZTX_LOG(INFO, "renewing identity certificate exp[%04d-%02d-%02d %02d:%02d]",
-                1900 + exp.tm_year, exp.tm_mon + 1, exp.tm_mday, exp.tm_hour, exp.tm_min);
+        if (api_sess->key_roll_requested) {
+            ZTX_LOG(WARN, "key roll requested, but not yet supported");
+        }
+
         if (ztx->tlsCtx->generate_csr_to_pem(ztx->id_creds.key, &csr, &len, "O", "OpenZiti",
                                          "DC", ztx->config.controller_url,
                                          "CN", api_sess->identity_id,