Merge pull request #2085 from CactuseSecurity/develop

Develop to Main v6.4.3 hotfix config subscription
CactuseSecurity · Jun 5, 2023 · 502e0ca · 502e0ca
2 parents 15fac96 + 73718b3
commit 502e0ca
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 4 deletions.
diff --git a/documentation/revision-history.md b/documentation/revision-history.md
@@ -312,5 +312,8 @@ adding report template format fk and permissions
 ### 6.4.2 05.06.2023 MAIN
 - Hotfix - log locking UI hangs on prod systems due to infrequent log entries
 
-### 6.4.3 xx.06.2023 DEVELOP
+### 6.4.3 05.06.2023 MAIN
+- Hotfix - global config subsription timout after 12h
+
+### 6.4.4 xx.06.2023 DEVELOP
 - CPR8x importer: basic support for inline layers
diff --git a/inventory/group_vars/all.yml b/inventory/group_vars/all.yml
@@ -1,5 +1,5 @@
 ### general settings
-product_version: "6.4.2"
+product_version: "6.4.3"
 ansible_user: "{{ lookup('env', 'USER') }}"
 ansible_become_method: sudo
 ansible_python_interpreter: /usr/bin/python3

diff --git a/roles/importer/files/importer/fortiosmanagementREST/fOS_rule.py b/roles/importer/files/importer/fortiosmanagementREST/fOS_rule.py
@@ -140,12 +140,13 @@ def normalize_access_rules(full_config, config2import, import_id, mgm_details={}
  rule_number += 1 # nat rules have their own numbering
  config2import.update({'rules': rules})
 
+
 def set_service_field_internet_service(rule, config2import, import_id):
  # check if dummy service "Internet Service" already exists and create if not
  found_internet_service_obj = next((item for item in config2import['service_objects'] if item["svc_name"] == "Internet Service"), None)
  if found_internet_service_obj is None:
  config2import['service_objects'].append({
- 'svc_name': 'Internet Service', 'svc_typ': 'group', 'svc_uid': 'Internet Service', 'control_id': import_id
+  'svc_name': 'Internet Service', 'svc_typ': 'group', 'svc_uid': 'Internet Service', 'control_id': import_id
  })
 
  # set service to "Internet Service"

diff --git a/roles/middleware/files/FWO.Middleware.Server/JwtWriter.cs b/roles/middleware/files/FWO.Middleware.Server/JwtWriter.cs
@@ -55,7 +55,8 @@ public async Task<string> CreateJWT(UiUser? user = null, TimeSpan? lifetime = nu
  subject: subject,
  notBefore: DateTime.UtcNow.AddMinutes(-1), // we currently allow for some deviation in timing of the systems
  issuedAt: DateTime.UtcNow.AddMinutes(-1),
- expires: DateTime.UtcNow.AddMinutes(jwtMinutesValid),
+ // Anonymous jwt is valid for ten years (does not violate security)
+ expires: DateTime.UtcNow.AddMinutes(user != null ? jwtMinutesValid : 60 * 24 * 365 * 10),
  signingCredentials: new SigningCredentials(jwtPrivateKey, SecurityAlgorithms.RsaSha256)
  );