TokenCredentialRequest uses actual cert expiry time instead of estimate

and also audit logs both the NotBefore and NotAfter of the issued cert. Implemented by changing the return type of the cert issuer helpers to make them also return the NotBefore and NotAfter values of the new cert, along with the key PEM and cert PEM.
2026-01-03 19:54:24 +00:00 · 2024-11-21 15:18:43 -08:00
parent 032160a85e
commit ae5aad178d
19 changed files with 199 additions and 159 deletions
--- a/test/integration/audit_test.go
+++ b/test/integration/audit_test.go
@@ -190,10 +190,10 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
 		timeBeforeLogin,
 	)
 	removeSomeKeysFromEachAuditLogEvent(allConciergeTCRLogs)
-	// Also remove issuedClientCertExpires, which is a timestamp that we can't easily predict for the assertions below.
+	// Also remove issuedClientCert, which contains timestamps that we can't easily predict for the assertions below.
 	for _, log := range allConciergeTCRLogs {
-		require.NotEmpty(t, log["issuedClientCertExpires"])
-		delete(log, "issuedClientCertExpires")
+		require.NotEmpty(t, log["issuedClientCert"])
+		delete(log, "issuedClientCert")
 	}

 	// All values in the personalInfo map should be redacted by default.
@@ -338,10 +338,10 @@ func TestAuditLogsDuringLogin_Disruptive(t *testing.T) {
 		timeBeforeLogin,
 	)
 	removeSomeKeysFromEachAuditLogEvent(allConciergeTCRLogs)
-	// Also remove issuedClientCertExpires, which is a timestamp that we can't easily predict for the assertions below.
+	// Also remove issuedClientCert, which contains timestamps that we can't easily predict for the assertions below.
 	for _, log := range allConciergeTCRLogs {
-		require.NotEmpty(t, log["issuedClientCertExpires"])
-		delete(log, "issuedClientCertExpires")
+		require.NotEmpty(t, log["issuedClientCert"])
+		delete(log, "issuedClientCert")
 	}

 	// All values in the personalInfo map should not be redacted anymore.