)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"56f1b2ecc67fa77931842e96588ba485f8aa2c10","unresolved":true,"context_lines":[{"line_number":4,"context_line":"Commit:     Dave Wilde (d34dh0r53) \u003cdwilde@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2022-10-19 14:34:29 -0500"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set token expiration to application credential expiration"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"If a token is issued with an application credential we need to check"},{"line_number":10,"context_line":"the expiration of the application credential to ensure that the token"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"692b0701_ccc8ab46","line":7,"range":{"start_line":7,"start_character":0,"end_line":7,"end_character":3},"updated":"2022-10-20 05:30:27.000000000","message":"Maybe \"Limit\" instead of \"Set\" would describe it better.","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"be2928868b74ce1be6ce91f2c88c4979b714e078","unresolved":false,"context_lines":[{"line_number":4,"context_line":"Commit:     Dave Wilde (d34dh0r53) \u003cdwilde@redhat.com\u003e"},{"line_number":5,"context_line":"CommitDate: 2022-10-19 14:34:29 -0500"},{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set token expiration to application credential expiration"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"If a token is issued with an application credential we need to check"},{"line_number":10,"context_line":"the expiration of the application credential to ensure that the token"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"e9bf3c3b_a42db3c8","line":7,"range":{"start_line":7,"start_character":0,"end_line":7,"end_character":3},"in_reply_to":"692b0701_ccc8ab46","updated":"2022-10-21 15:09:32.000000000","message":"Done","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"56f1b2ecc67fa77931842e96588ba485f8aa2c10","unresolved":true,"context_lines":[{"line_number":10,"context_line":"the expiration of the application credential to ensure that the token"},{"line_number":11,"context_line":"does not outlive the application credential. This ensures that if the"},{"line_number":12,"context_line":"token expiration is greaten than that of the application credential it"},{"line_number":13,"context_line":"is reset to the expiration of the application credential and a warning"},{"line_number":14,"context_line":"is logged. Please see CVE-2022-2447 for more information."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"- Not all application credentials have expirations, patch set 2 tests"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"d4b02404_00294659","line":13,"updated":"2022-10-20 05:30:27.000000000","message":"I don\u0027t think you need to keep the history of the patch in the commit message, that can be seen in gerrit if needed. So you can just s/warning/debug/ here and drop the update line below.","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"be2928868b74ce1be6ce91f2c88c4979b714e078","unresolved":false,"context_lines":[{"line_number":10,"context_line":"the expiration of the application credential to ensure that the token"},{"line_number":11,"context_line":"does not outlive the application credential. This ensures that if the"},{"line_number":12,"context_line":"token expiration is greaten than that of the application credential it"},{"line_number":13,"context_line":"is reset to the expiration of the application credential and a warning"},{"line_number":14,"context_line":"is logged. Please see CVE-2022-2447 for more information."},{"line_number":15,"context_line":""},{"line_number":16,"context_line":"- Not all application credentials have expirations, patch set 2 tests"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":5,"id":"cb40e231_485c957d","line":13,"in_reply_to":"d4b02404_00294659","updated":"2022-10-21 15:09:32.000000000","message":"Done","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"6ab83ba53e9f79be31870dcf698c944184ccbfa0","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"612cd6fb_e8517de5","updated":"2022-10-21 17:41:28.000000000","message":"LGTM!","commit_id":"8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1"},{"author":{"_account_id":14250,"name":"Grzegorz Grasza","email":"xek@redhat.com","username":"xek"},"change_message_id":"2f64babcf68273f024d819e027249b4a5a93fe5b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"1ed9d27a_60ed0e3b","updated":"2022-10-24 07:12:15.000000000","message":"recheck","commit_id":"8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"a798d92e8698835998e3443ece5d45692027d227","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"f75b35e1_7a8ff17e","updated":"2022-10-21 19:29:26.000000000","message":"recheck - tempest test read timeout","commit_id":"8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"26852d6027743a8fdc07b3e5600edd9aabc9dca7","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"aa426c1a_a0ad50f7","updated":"2022-10-25 07:24:20.000000000","message":"thx","commit_id":"8f999d1c1f54a903c1da648ecaa2ce44acdb1fd1"}],"keystone/token/provider.py":[{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"958b9c0956b466b48130d6064734928e9e208c65","unresolved":true,"context_lines":[{"line_number":280,"context_line":"            if (app_cred[\u0027expires_at\u0027] is not None) and ("},{"line_number":281,"context_line":"                    token_time \u003e app_cred[\u0027expires_at\u0027]):"},{"line_number":282,"context_line":"                token.expires_at \u003d app_cred[\u0027expires_at\u0027].isoformat()"},{"line_number":283,"context_line":"                LOG.warning(\u0027Resetting token expiration to the application\u0027"},{"line_number":284,"context_line":"                            \u0027 credential expiration: %s\u0027,"},{"line_number":285,"context_line":"                            app_cred[\u0027expires_at\u0027].isoformat())"},{"line_number":286,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"76c80d6c_f95bc96e","line":283,"updated":"2022-10-19 15:29:59.000000000","message":"I don\u0027t think a warning is appropriate here, that will just blow up logs. From an operator perspective, this is a normal situation happening IMO and should at most log a debug message, if even that.","commit_id":"5300c8cc99a3b9446ece3630bbff68453ae9c8ca"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"cdc82ae45822fb4244ff294884ecc61266a93323","unresolved":false,"context_lines":[{"line_number":280,"context_line":"            if (app_cred[\u0027expires_at\u0027] is not None) and ("},{"line_number":281,"context_line":"                    token_time \u003e app_cred[\u0027expires_at\u0027]):"},{"line_number":282,"context_line":"                token.expires_at \u003d app_cred[\u0027expires_at\u0027].isoformat()"},{"line_number":283,"context_line":"                LOG.warning(\u0027Resetting token expiration to the application\u0027"},{"line_number":284,"context_line":"                            \u0027 credential expiration: %s\u0027,"},{"line_number":285,"context_line":"                            app_cred[\u0027expires_at\u0027].isoformat())"},{"line_number":286,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"ccd9bbd6_3dea8b24","line":283,"in_reply_to":"039eea81_fee98d9f","updated":"2022-10-19 19:35:08.000000000","message":"Done","commit_id":"5300c8cc99a3b9446ece3630bbff68453ae9c8ca"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"b4d6dcbfb880495e7146b41ad3e0d81297e10a00","unresolved":true,"context_lines":[{"line_number":280,"context_line":"            if (app_cred[\u0027expires_at\u0027] is not None) and ("},{"line_number":281,"context_line":"                    token_time \u003e app_cred[\u0027expires_at\u0027]):"},{"line_number":282,"context_line":"                token.expires_at \u003d app_cred[\u0027expires_at\u0027].isoformat()"},{"line_number":283,"context_line":"                LOG.warning(\u0027Resetting token expiration to the application\u0027"},{"line_number":284,"context_line":"                            \u0027 credential expiration: %s\u0027,"},{"line_number":285,"context_line":"                            app_cred[\u0027expires_at\u0027].isoformat())"},{"line_number":286,"context_line":""}],"source_content_type":"text/x-python","patch_set":3,"id":"039eea81_fee98d9f","line":283,"in_reply_to":"76c80d6c_f95bc96e","updated":"2022-10-19 15:51:58.000000000","message":"Thank you, I was wondering about that when I wrote it. I think I\u0027ll make it a debug level as it could be a nice breadcrumb in troubleshooting.","commit_id":"5300c8cc99a3b9446ece3630bbff68453ae9c8ca"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"56f1b2ecc67fa77931842e96588ba485f8aa2c10","unresolved":true,"context_lines":[{"line_number":279,"context_line":"                timeutils.parse_isotime(token.expires_at))"},{"line_number":280,"context_line":"            if (app_cred[\u0027expires_at\u0027] is not None) and ("},{"line_number":281,"context_line":"                    token_time \u003e app_cred[\u0027expires_at\u0027]):"},{"line_number":282,"context_line":"                token.expires_at \u003d app_cred[\u0027expires_at\u0027].isoformat()"},{"line_number":283,"context_line":"                LOG.debug(\u0027Resetting token expiration to the application\u0027"},{"line_number":284,"context_line":"                          \u0027 credential expiration: %s\u0027,"},{"line_number":285,"context_line":"                          app_cred[\u0027expires_at\u0027].isoformat())"}],"source_content_type":"text/x-python","patch_set":5,"id":"6f07ef59_86a2d04c","line":282,"updated":"2022-10-20 05:30:27.000000000","message":"From reading the logic it seems plausible to me that it will work as expected, but how about adding a pair of unit tests to make sure of it?","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"be2928868b74ce1be6ce91f2c88c4979b714e078","unresolved":false,"context_lines":[{"line_number":279,"context_line":"                timeutils.parse_isotime(token.expires_at))"},{"line_number":280,"context_line":"            if (app_cred[\u0027expires_at\u0027] is not None) and ("},{"line_number":281,"context_line":"                    token_time \u003e app_cred[\u0027expires_at\u0027]):"},{"line_number":282,"context_line":"                token.expires_at \u003d app_cred[\u0027expires_at\u0027].isoformat()"},{"line_number":283,"context_line":"                LOG.debug(\u0027Resetting token expiration to the application\u0027"},{"line_number":284,"context_line":"                          \u0027 credential expiration: %s\u0027,"},{"line_number":285,"context_line":"                          app_cred[\u0027expires_at\u0027].isoformat())"}],"source_content_type":"text/x-python","patch_set":5,"id":"c1cd3256_7291d8a4","line":282,"in_reply_to":"6f07ef59_86a2d04c","updated":"2022-10-21 15:09:32.000000000","message":"Done","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"}],"releasenotes/notes/token_expiration_to_match_application_credential-56d058355a9f240d.yaml":[{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"56f1b2ecc67fa77931842e96588ba485f8aa2c10","unresolved":true,"context_lines":[{"line_number":5,"context_line":"    validated against that of the application credential. If the application"},{"line_number":6,"context_line":"    credential expires before the token the token\u0027s expiration will be set to"},{"line_number":7,"context_line":"    the same expiration as the application credential.  Otherwise the application"},{"line_number":8,"context_line":"    credential will use the configured value. Please see CVE-2022-2447 for more"},{"line_number":9,"context_line":"    information."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"9e5ab87a_c51188eb","line":8,"updated":"2022-10-20 05:30:27.000000000","message":"\"Otherwise the token will use the configured defaul lifetime.\"?\n\nAlso add a link to the CVE? At least the LP bug should be mentioned and linked to.","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"},{"author":{"_account_id":7414,"name":"David Wilde","email":"dwilde@redhat.com","username":"d34dh0r53"},"change_message_id":"be2928868b74ce1be6ce91f2c88c4979b714e078","unresolved":false,"context_lines":[{"line_number":5,"context_line":"    validated against that of the application credential. If the application"},{"line_number":6,"context_line":"    credential expires before the token the token\u0027s expiration will be set to"},{"line_number":7,"context_line":"    the same expiration as the application credential.  Otherwise the application"},{"line_number":8,"context_line":"    credential will use the configured value. Please see CVE-2022-2447 for more"},{"line_number":9,"context_line":"    information."}],"source_content_type":"text/x-yaml","patch_set":5,"id":"04c592c5_93133a7f","line":8,"in_reply_to":"9e5ab87a_c51188eb","updated":"2022-10-21 15:09:32.000000000","message":"Done","commit_id":"476794ad61402163bf6066f597f5f9333e9b8a4f"}]}