From 97c8b2f14b66770c60acd3a9ced76f6df79a6da7 Mon Sep 17 00:00:00 2001 From: kmbae Date: Tue, 19 Nov 2024 15:53:47 +0900 Subject: [PATCH] expiry settings --- config.yaml | 10 ++++++++++ src/charm.py | 8 ++++++++ 2 files changed, 18 insertions(+) diff --git a/config.yaml b/config.yaml index b46e5086..0f27c1b6 100644 --- a/config.yaml +++ b/config.yaml @@ -43,3 +43,13 @@ options: DEPRECATED - Please leave empty or use issuer-url instead. This configuration option will be removed soon. It has been preserved to avoid breaking compatibility with existing deployments. Publicly-accessible endpoint for cluster + enable-expiry: + type: boolean + default: false + description: Modify expiry settings for dex + expiry-settings: + type: string + default: '' + description: | + Expiry settings in YAML format, as shown + in https://dexidp.io/docs/configuration/tokens/#expiration-and-rotation-settings diff --git a/src/charm.py b/src/charm.py index de19b716..54297d33 100755 --- a/src/charm.py +++ b/src/charm.py @@ -226,6 +226,8 @@ def _generate_dex_auth_config(self) -> str: "staticPasswords": [], } + enable_expiry = self.model.config["enable-expiry"] + # The dex-auth service cannot be started correctly when the static # login is disabled, but no connector configuration is provided. if not enable_password_db and not connectors: @@ -250,6 +252,12 @@ def _generate_dex_auth_config(self) -> str: ], } + # Add expiry settings for dex-auth + # This operation might modify the security level + if enable_expiry: + expiry_config = yaml.safe_load(self.model.config["expiry-settings"]) + static_config["expiry"] = expiry_config + config = yaml.dump( { "issuer": self._issuer_url,
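Review bot: The two new option descriptions in config.yaml do not say what shape `expiry-settings` must have, or what happens when it is left at its default `''` while `enable-expiry` is true. I would extend the `expiry-settings` description to something like `YAML mapping placed under dex's "expiry" key, e.g. idTokens: "1h"; ignored unless enable-expiry is true`, and have `enable-expiry` state that it has no effect on its own. Because these values control token lifetimes, one sentence noting that longer lifetimes lengthen the window in which a leaked token stays usable would help operators choose deliberately. It is also worth considering whether the boolean is needed at all, since a non-empty `expiry-settings` could itself act as the switch.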
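Review bot: The value returned by `yaml.safe_load(self.model.config["expiry-settings"])` is stored in `static_config["expiry"]` without any check, in the `if enable_expiry:` block of the second charm.py hunk. With `enable-expiry` true and the default empty string, `safe_load` returns `None`; a scalar or a list passes through the same way, and malformed YAML raises `yaml.YAMLError` out of `_generate_dex_auth_config`. Since these settings decide how long tokens remain valid, a typo should fail with a clear message rather than produce a config whose effective lifetimes the operator did not intend. I would parse inside a `try`, require a non-empty mapping, and preferably reject keys dex does not document; the comment "This operation might modify the security level" could then state concretely that token lifetimes are being overridden. The function begins and ends outside the hunk, so how `static_config` reaches the final `yaml.dump` is not visible here.

```python
        if enable_expiry:
            raw_expiry = self.model.config["expiry-settings"]
            try:
                expiry_config = yaml.safe_load(raw_expiry)
            except yaml.YAMLError as err:
                # NOTE(review): use the charm's own blocked-status error here if it has one
                raise ValueError(f"expiry-settings is not valid YAML: {err}") from err
            # Empty string parses to None; scalars and lists are not a valid dex expiry section.
            if not isinstance(expiry_config, dict) or not expiry_config:
                raise ValueError(
                    "expiry-settings must be a non-empty YAML mapping when enable-expiry is true"
                )
            static_config["expiry"] = expiry_config
        # … unchanged: config = yaml.dump(...) …
```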