secureCodeBox · the-simmon · Dec 13, 2022 · Sep 27, 2022 · Sep 27, 2022 · Sep 28, 2022
diff --git a/operator/controllers/execution/scans/hook_reconciler.go b/operator/controllers/execution/scans/hook_reconciler.go
@@ -197,13 +197,19 @@ func (r *ScanReconciler) processPendingHook(scan *executionv1.Scan, status *exec
 		return nil
 	}
 
+	urlExpirationDuration, err := util.GetUrlExpirationDuration(util.HookController)
+	if err != nil {
+		r.Log.Error(err, "Failed to parse hook url expiration")
+		panic(err)
+	}
+
 	var rawFileURL string
-	rawFileURL, err = r.PresignedGetURL(*scan, scan.Status.RawResultFile, defaultPresignDuration)
+	rawFileURL, err = r.PresignedGetURL(*scan, scan.Status.RawResultFile, urlExpirationDuration)
 	if err != nil {
 		return err
 	}
 	var findingsFileURL string
-	findingsFileURL, err = r.PresignedGetURL(*scan, "findings.json", defaultPresignDuration)
+	findingsFileURL, err = r.PresignedGetURL(*scan, "findings.json", urlExpirationDuration)
 	if err != nil {
 		return err
 	}
@@ -214,12 +220,12 @@ func (r *ScanReconciler) processPendingHook(scan *executionv1.Scan, status *exec
 	}
 	if hook.Spec.Type == executionv1.ReadAndWrite {
 		var rawFileUploadURL string
-		rawFileUploadURL, err = r.PresignedPutURL(*scan, scan.Status.RawResultFile, defaultPresignDuration)
+		rawFileUploadURL, err = r.PresignedPutURL(*scan, scan.Status.RawResultFile, urlExpirationDuration)
 		if err != nil {
 			return err
 		}
 		var findingsUploadURL string
-		findingsUploadURL, err = r.PresignedPutURL(*scan, "findings.json", defaultPresignDuration)
+		findingsUploadURL, err = r.PresignedPutURL(*scan, "findings.json", urlExpirationDuration)
 		if err != nil {
 			return err
 		}

diff --git a/operator/controllers/execution/scans/parse_reconciler.go b/operator/controllers/execution/scans/parse_reconciler.go
@@ -53,12 +53,18 @@ func (r *ScanReconciler) startParser(scan *executionv1.Scan) error {
 	}
 	log.Info("Matching ParseDefinition Found", "ParseDefinition", parseType)
 
-	findingsUploadURL, err := r.PresignedPutURL(*scan, "findings.json", defaultPresignDuration)
+	urlExpirationDuration, err := util.GetUrlExpirationDuration(util.ParserController)
+	if err != nil {
+		r.Log.Error(err, "Failed to parse parser url expiration")
+		panic(err)
+	}
+
+	findingsUploadURL, err := r.PresignedPutURL(*scan, "findings.json", urlExpirationDuration)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
 		return err
 	}
-	rawResultDownloadURL, err := r.PresignedGetURL(*scan, scan.Status.RawResultFile, defaultPresignDuration)
+	rawResultDownloadURL, err := r.PresignedGetURL(*scan, scan.Status.RawResultFile, urlExpirationDuration)
 	if err != nil {
 		return err
 	}

diff --git a/operator/controllers/execution/scans/scan_controller.go b/operator/controllers/execution/scans/scan_controller.go
@@ -43,8 +43,6 @@ var (
 // https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/#finalizers
 var s3StorageFinalizer = "s3.storage.securecodebox.io"
 
-const defaultPresignDuration = 12 * time.Hour
-
 // +kubebuilder:rbac:groups=execution.securecodebox.io,resources=scans,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=execution.securecodebox.io,resources=scans/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=execution.securecodebox.io,resources=scantypes,verbs=get;list;watch

diff --git a/operator/controllers/execution/scans/scan_reconciler.go b/operator/controllers/execution/scans/scan_reconciler.go
@@ -95,6 +95,13 @@ func (r *ScanReconciler) startScan(scan *executionv1.Scan) error {
 	scan.Status.RawResultType = scanType.Spec.ExtractResults.Type
 	scan.Status.RawResultFile = filepath.Base(scanType.Spec.ExtractResults.Location)
 
+	urlExpirationDuration, err := util.GetUrlExpirationDuration(util.ScanController)
+	if err != nil {
+		r.Log.Error(err, "Failed to parse scan url expiration")
+		panic(err)
+	}
+
+	// this time is hardcoded as its not used internally by the scb so it should be longer lasting
 	findingsDownloadURL, err := r.PresignedGetURL(*scan, "findings.json", 7*24*time.Hour)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
@@ -107,14 +114,14 @@ func (r *ScanReconciler) startScan(scan *executionv1.Scan) error {
 	}
 	scan.Status.RawResultDownloadLink = rawResultDownloadURL
 
-	findingsHeadURL, err := r.PresignedHeadURL(*scan, "findings.json", 7*24*time.Hour)
+	findingsHeadURL, err := r.PresignedHeadURL(*scan, "findings.json", urlExpirationDuration)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned head url from s3 or compatible storage provider")
 		return err
 	}
 	scan.Status.FindingHeadLink = findingsHeadURL
 
-	rawResultsHeadURL, err := r.PresignedHeadURL(*scan, scan.Status.RawResultFile, 7*24*time.Hour)
+	rawResultsHeadURL, err := r.PresignedHeadURL(*scan, scan.Status.RawResultFile, urlExpirationDuration)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned head url from s3 or compatible storage provider")
 		return err
@@ -161,7 +168,13 @@ func (r *ScanReconciler) checkIfScanIsCompleted(scan *executionv1.Scan) error {
 
 func (r *ScanReconciler) constructJobForScan(scan *executionv1.Scan, scanType *executionv1.ScanType) (*batch.Job, error) {
 	filename := filepath.Base(scanType.Spec.ExtractResults.Location)
-	resultUploadURL, err := r.PresignedPutURL(*scan, filename, defaultPresignDuration)
+	urlExpirationDuration, err := util.GetUrlExpirationDuration(util.ScanController)
+	if err != nil {
+		r.Log.Error(err, "Failed to parse scan url expiration")
+		panic(err)
+	}
+
+	resultUploadURL, err := r.PresignedPutURL(*scan, filename, urlExpirationDuration)
 	if err != nil {
 		r.Log.Error(err, "Could not get presigned url from s3 or compatible storage provider")
 		return nil, err

diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml
@@ -128,6 +128,12 @@ spec:
             - name: S3_URL_TEMPLATE
               value: {{ .Values.s3UrlTemplate }}
             {{ end }}
+            - name: URL_EXPIRATION_SCAN
+              value: {{ .Values.presignedUrlExpirationTimes.scanners | quote }}
+            - name: URL_EXPIRATION_PARSER
+              value: {{ .Values.presignedUrlExpirationTimes.parsers | quote }}
+            - name: URL_EXPIRATION_HOOK
+              value: {{ .Values.presignedUrlExpirationTimes.hooks | quote }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           securityContext:

diff --git a/operator/utils/url_expiration_duration.go b/operator/utils/url_expiration_duration.go
@@ -0,0 +1,42 @@
+package utils
+
+import (
+	"errors"
+	"os"
+	"time"
+)
+
+type ControllerType int
+
+const (
+	ScanController ControllerType = iota
+	HookController
+	ParserController
+)
+
+func (e ControllerType) String() string {
+	switch e {
+	case ScanController:
+		return "SCAN"
+	case HookController:
+		return "HOOK"
+	case ParserController:
+		return "PARSER"
+	default:
+		return "WRONG_ENUM_NUMBER"
+	}
+}
+
+func GetUrlExpirationDuration(controller ControllerType) (time.Duration, error) {
+	urlExpirationTimeString, envOk := os.LookupEnv("URL_EXPIRATION_" + controller.String())
+	if !envOk {
+		// env varible not set, use an hour as default
+		return time.Hour, nil
+	}
+
+	urlExpirationDuration, durationOk := time.ParseDuration(urlExpirationTimeString)
+	if durationOk != nil {
+		return time.Hour, errors.New("Cannot parse env variable: URL_EXPIRATION_" + controller.String())
+	}
+	return urlExpirationDuration, nil
+}
diff --git a/operator/values.yaml b/operator/values.yaml
@@ -109,4 +109,10 @@ resources:
     memory: 20Mi
 # s3FileUrlTemplate -- Template that generates the url to access the result files of a scan
 # @default -- scan-{{ .Scan.UID }}/{{ .Filename }}
-s3UrlTemplate: null
+s3UrlTemplate: null
+
+# presignedUrlExpirationTimes -- Duration how long presigned urls are valid
+presignedUrlExpirationTimes:
+    scanners: "12h"
+    parsers: "1h"
+    hooks: "1h"