feat: add access expiration across relations with watchdog session cu…#681
Open
…toff
Add expires_at DateTime fields on access relation tables (target_user, target_group, tgroup_user, tgroup_group) and include Alembic migration.
Implement local-time expiration parsing with partial ISO-like inputs (year/month/day/time), and compute effective access per user by merging all access paths (direct, via usergroups, via targetgroups). Effective expiration is the latest valid date unless any path is unlimited.
Expose expiration in passhportd: include it in accessible target lists, provide user/access_expiration endpoint, and show expiration details for targets and targetgroups.
Extend passhport-admin CLI and prompts to accept --expires-at for adduser/addusergroup on targets and targetgroups, and forward it to the API.
Update passhport and connection utils to request expiration, display it in the targets list, and pass it into the connection script.
Add watchdog in passhport-connect.sh to terminate the local process group at expiration and notify passhportd; store a one-time notice so the user sees a detailed expiration message when returning to the passhport prompt.
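
The merge rule stated in the description (latest valid date unless any path is unlimited), as an added example that is not code from this pull request. `AccessPath`, `EffectiveAccess` and `effective_access` are hypothetical names, and "valid" is assumed to mean "not yet expired":

```python
from datetime import datetime
from typing import Iterable, NamedTuple, Optional


class AccessPath(NamedTuple):
    """One route by which a user reaches a target (hypothetical structure)."""
    via: str                        # e.g. "direct", "usergroup:ops"
    expires_at: Optional[datetime]  # None means the grant never expires


class EffectiveAccess(NamedTuple):
    allowed: bool
    expires_at: Optional[datetime]  # None with allowed=True means unlimited
    via: Optional[str]              # path that determines the result


def effective_access(paths: Iterable[AccessPath], now: datetime) -> EffectiveAccess:
    """Merge all access paths to one target into a single decision."""
    best: Optional[AccessPath] = None
    for path in paths:
        if path.expires_at is None:
            # Any unlimited path makes the whole access unlimited.
            return EffectiveAccess(True, None, path.via)
        if path.expires_at <= now:
            continue  # assumption: an already expired path grants nothing
        if best is None or path.expires_at > best.expires_at:
            best = path
    if best is None:
        return EffectiveAccess(False, None, None)
    return EffectiveAccess(True, best.expires_at, best.via)


# Constructed sample data, naive local time as in the description.
NOW = datetime(2025, 6, 1, 12, 0)
SAMPLE = [
    AccessPath("direct", datetime(2025, 6, 1, 18, 0)),
    AccessPath("usergroup:contractors", datetime(2025, 5, 1, 0, 0)),  # expired
    AccessPath("targetgroup:db-servers", datetime(2025, 7, 1, 0, 0)),
]

if __name__ == "__main__":
    print(effective_access(SAMPLE, NOW))
    # An unlimited group grant overrides every dated one.
    print(effective_access(SAMPLE + [AccessPath("usergroup:ops", None)], NOW))
    print(effective_access(SAMPLE[1:2], NOW))
```

Returning the deciding path in `via` lets an audit show why a time-limited direct grant did not end a user's access: a later-dated or unlimited group path took precedence.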