TritonDataCenter · cneira · Oct 24, 2025 · Oct 27, 2025 · Oct 28, 2025 · Oct 28, 2025
diff --git a/Makefile b/Makefile
@@ -7,6 +7,7 @@
 #
 # Copyright 2021 Joyent, Inc.
 # Copyright 2023 MNX Cloud, Inc.
+# Copyright 2025 Edgecast Cloud LLC.
 #
 
 #
@@ -24,11 +25,6 @@
 #
 NAME		:= ufds
 
-#
-# Tools
-#
-ISTANBUL	:= ./node_modules/.bin/istanbul
-
 #
 # Files
 #
@@ -100,16 +96,11 @@ PATH	:= $(NODE_INSTALL)/bin:/opt/local/bin:${PATH}
 # Repo-specific targets
 #
 .PHONY: all
-all:  $(SMF_MANIFESTS) | $(ISTANBUL) $(REPO_DEPS) sdc-scripts
-	$(NPM) install
-
-$(ISTANBUL): | $(NPM_EXEC)
-	$(NPM) install
+all: $(SMF_MANIFESTS) | $(NPM_EXEC) $(REPO_DEPS) sdc-scripts
+	$(NPM) ci --include=dev
 
 .PHONY: test
-test: $(ISTANBUL)
-	# CAPI-461: disable istanbul
-	#$(ISTANBUL) cover --print none test/test.js
+test:
 	node test/test.js
 
 .PHONY: pkg
@@ -134,6 +125,7 @@ release: all docs
 		$(ROOT)/main.js \
 		$(ROOT)/node_modules \
 		$(ROOT)/package.json \
+		$(ROOT)/package-lock.json \
 		$(ROOT)/schema \
 		$(ROOT)/sapi_manifests \
 		$(ROOT)/smf \

diff --git a/README.md b/README.md
@@ -7,6 +7,7 @@
 <!--
     Copyright (c) 2014, Joyent, Inc.
     Copyright 2022 MNX Cloud, Inc.
+    Copyright 2025 Edgecast Cloud LLC.
 -->
 
 # SDC-UFDS
@@ -35,7 +36,7 @@ This assumes several things:
 
 - You've got a moray instance running exactly how it's specified on the
   config file `etc/config.coal.json`.
-- Your node version is greater than 0.8.
+- Your node version is greater than v6.7.1
 - You want to see debug output. If you don't, remove the `-d 2`, but it's
   strongly recommended while hacking.
 - You do have bunyan module installed globally. Given the `make all` command

diff --git a/bin/cleanup-expired-creds b/bin/cleanup-expired-creds
@@ -0,0 +1,161 @@
+#!/opt/smartdc/ufds/build/node/bin/node
+// -*- mode: js -*-
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+/*
+ * Copyright 2025 Edgecast Cloud LLC.
+ */
+
+/*
+ * Tool to manually run cleanup of expired temporary credentials.
+ *
+ * Usage:
+ *   ./bin/cleanup-expired-creds [-c config] [-d] [-h]
+ *
+ * Options:
+ *   -c, --config   Path to config file (default: etc/config.coal.json)
+ *   -d, --debug    Enable debug logging
+ *   -h, --help     Show this help
+ */
+
+var fs = require('fs');
+var path = require('path');
+var util = require('util');
+
+var bunyan = require('bunyan');
+var ldapjs = require('ldapjs');
+var nopt = require('nopt');
+
+var cleanup = require('../lib/cleanup-expired-credentials');
+
+///--- Globals
+
+var opts = {
+    'config': String,
+    'debug': Boolean,
+    'help': Boolean
+};
+
+var shortOpts = {
+    'c': ['--config'],
+    'd': ['--debug'],
+    'h': ['--help']
+};
+
+///--- Internal Functions
+
+function usage(code, message) {
+    var msg = (message ? message + '\n' : '') +
+        'usage: ' + path.basename(process.argv[1]) +
+        ' [-c config_file] [-d] [-h]\n\n' +
+        'Options:\n' +
+        '  -c, --config   Path to config file (default: etc/config.coal.json)\n' +
+        '  -d, --debug    Enable debug logging\n' +
+        '  -h, --help     Show this help message';
+
+    if (code === 0) {
+        console.log(msg);
+    } else {
+        console.error(msg);
+    }
+
+    process.exit(code);
+}
+
+function loadConfig(configPath) {
+    try {
+        var content = fs.readFileSync(configPath, 'utf8');
+        return JSON.parse(content);
+    } catch (e) {
+        console.error('Unable to load config file %s: %s', configPath, e.message);
+        process.exit(1);
+    }
+}
+
+function createClient(config, log, callback) {
+    var proto = (config.port === 636) ? 'ldaps' : 'ldap';
+    var host = config.host || '127.0.0.1';
+    var port = config.port || 1389;
+    var url = util.format('%s://%s:%s', proto, host, port);
+
+    log.debug({url: url}, 'Connecting to UFDS');
+
+    var client = ldapjs.createClient({
+        connectTimeout: 5000,
+        log: log,
+        url: url,
+        tlsOptions: {
+            rejectUnauthorized: false
+        }
+    });
+
+    client.once('error', function (err) {
+        return callback(err);
+    });
+
+    client.once('connect', function () {
+        var dn = config.rootDN || 'cn=root';
+        var pw = config.rootPassword || 'secret';
+
+        log.debug({dn: dn}, 'Binding to UFDS');
+
+        client.bind(dn, pw, function (err) {
+            if (err) {
+                return callback(err);
+            }
+            return callback(null, client);
+        });
+    });
+}
+
+///--- Mainline
+
+var parsed = nopt(opts, shortOpts, process.argv, 2);
+
+if (parsed.help) {
+    usage(0);
+}
+
+var configPath = parsed.config ||
+    path.normalize(__dirname + '/../etc/config.json');
+
+if (!fs.existsSync(configPath)) {
+    console.error('Config file not found: %s', configPath);
+    process.exit(1);
+}
+
+var config = loadConfig(configPath);
+
+var log = bunyan.createLogger({
+    name: 'cleanup-expired-creds',
+    level: parsed.debug ? 'debug' : 'info',
+    stream: process.stderr,
+    serializers: bunyan.stdSerializers
+});
+
+log.info({config: configPath}, 'Starting expired credentials cleanup');
+
+createClient(config, log, function (err, client) {
+    if (err) {
+        log.fatal(err, 'Failed to connect to UFDS');
+        process.exit(1);
+    }
+
+    log.info('Connected to UFDS, running cleanup...');
+
+    cleanup.cleanupExpiredCredentials(client, log, function (cleanupErr) {
+        if (cleanupErr) {
+            log.error(cleanupErr, 'Cleanup failed');
+            client.unbind();
+            process.exit(1);
+        }
+
+        log.info('Cleanup completed successfully');
+        client.unbind();
+        process.exit(0);
+    });
+});
diff --git a/boot/setup.sh b/boot/setup.sh
@@ -9,6 +9,7 @@
 #
 # Copyright (c) 2014, Joyent, Inc.
 # Copyright 2024 MNX Cloud, Inc.
+# Copyright 2025 Edgecast Cloud LLC.
 #
 
 export PS4='[\D{%FT%TZ}] ${BASH_SOURCE}:${LINENO}: ${FUNCNAME[0]:+${FUNCNAME[0]}(): }'
@@ -208,6 +209,13 @@ sdc_log_rotation_add ufds-capi /var/svc/log/*ufds-capi*.log 1g
 sdc_log_rotation_add ufds-replicator /var/svc/log/*ufds-replicator*.log 1g
 sdc_log_rotation_setup_end
 
+# Setup crontab for expired credentials cleanup 
+echo "Setting up crontab for expired credentials cleanup"
+crontab -l 2>/dev/null | grep -v cleanup-expired-creds > /tmp/crontab.$$ || true
+echo "0 */12 * * * /opt/smartdc/$role/bin/cleanup-expired-creds -c /opt/smartdc/$role/etc/config.json >> /var/log/ufds-cleanup.log 2>&1" >> /tmp/crontab.$$
+crontab /tmp/crontab.$$
+rm -f /tmp/crontab.$$
+
 # Add build/node/bin and node_modules/.bin to PATH
 echo "" >>/root/.profile
 echo "export PATH=/opt/smartdc/$role/build/node/bin:/opt/smartdc/$role/node_modules/.bin:\$PATH" >>/root/.profile

diff --git a/deps/eng b/deps/eng
diff --git a/docs/temporary-credentials.md b/docs/temporary-credentials.md
@@ -0,0 +1,132 @@
+# Temporary Credentials (STS)
+
+UFDS supports temporary security credentials for AWS STS (Security Token Service)
+compatibility. These credentials have a limited lifespan and automatically expire.
+
+## Overview
+
+Temporary credentials are stored as `accesskey` entries with `credentialtype=temporary`.
+They include:
+
+- **accesskeyid**: The access key identifier
+- **accesskeysecret**: The secret access key
+- **sessiontoken**: Token required for API authentication
+- **expiration**: ISO timestamp when the credential expires
+- **principaluuid**: UUID of the user who owns the credential
+- **credentialtype**: Set to `temporary` (vs `permanent` for regular keys)
+
+## Automatic Cleanup
+
+Expired temporary credentials are automatically cleaned up by UFDS. The cleanup job
+runs periodically and removes credentials where `expiration <= now`.
+
+### How It Works
+
+1. Searches for entries matching:
+   ```
+   (&(objectclass=accesskey)(credentialtype=temporary)(expiration<=<current_time>))
+   ```
+
+2. Deletes each expired entry with rate limiting (5 concurrent deletes) to avoid
+   overloading Moray.
+
+3. Logs results showing count of deleted credentials.
+
+## Manual Cleanup Tool
+
+A CLI tool is provided for manually triggering cleanup of expired credentials.
+
+### Location
+
+```
+/opt/smartdc/ufds/bin/cleanup-expired-creds
+```
+
+### Usage
+
+```bash
+./bin/cleanup-expired-creds [-c config_file] [-d] [-h]
+```
+
+### Options
+
+| Option | Description |
+|--------|-------------|
+| `-c, --config` | Path to config file (default: `etc/config.coal.json`) |
+| `-d, --debug` | Enable debug logging (shows each credential deleted) |
+| `-h, --help` | Show help message |
+
+### Examples
+
+**Basic cleanup (production config):**
+```bash
+cd /opt/smartdc/ufds
+./bin/cleanup-expired-creds -c etc/config.json
+```
+
+**With debug output to see each deletion:**
+```bash
+./bin/cleanup-expired-creds -c etc/config.json -d
+```
+
+**Using COAL development config:**
+```bash
+./bin/cleanup-expired-creds -c etc/config.coal.json
+```
+
+### Sample Output
+
+Normal output:
+```json
+{"level":30,"msg":"Starting expired credentials cleanup"...}
+{"level":30,"msg":"Connected to UFDS, running cleanup..."...}
+{"level":30,"count":994,"msg":"Found expired temporary credentials to delete"...}
+{"level":30,"deleted":994,"msg":"Successfully deleted expired credentials"...}
+{"level":30,"msg":"Cleanup completed successfully"...}
+```
+
+Debug output (with `-d` flag) includes each deletion:
+```json
+{"level":20,"dn":"accesskeyid=abc123..., uuid=user-uuid, ou=users, o=smartdc",
+ "accesskeyid":"abc123...","expiration":"2025-11-26T17:00:00.000Z",
+ "msg":"Deleting expired temporary credential"...}
+```
+
+### Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| 0 | Success - all expired credentials deleted |
+| 1 | Failure - connection error or some deletions failed |
+
+## Configuration
+
+The cleanup interval can be configured when starting the cleanup service
+programmatically:
+
+```javascript
+var cleanup = require('./lib/cleanup-expired-credentials');
+
+// Start with custom interval (default is 5 minutes)
+var intervalMs = 10 * 60 * 1000; // 10 minutes
+cleanup.startCleanupInterval(ufdsClient, log, intervalMs);
+```
+
+## Troubleshooting
+
+### "Moray failure: unable to acquire backend connection"
+
+This occurs when too many parallel operations overwhelm Moray. The cleanup tool
+uses rate limiting (5 concurrent deletes) to prevent this. If you still see this
+error, Moray may be under heavy load from other operations.
+
+### No credentials found
+
+If no expired credentials are found, either:
+- All temporary credentials are still valid (not yet expired)
+- No temporary credentials exist in the system
+- Previous cleanup already removed them
+
+### Permission denied
+
+Ensure the config file has correct `rootDN` and `rootPassword` for UFDS bind.
+13 −12		README.md
+10 −10		docs/hybridimages.md
+57 −62		docs/index.md
+1 −1		package.json
+6 −6		tools/buildimage/bin/buildimage
+3 −2		tools/buildimage/lib/imgadm/lib/errors.js
+1 −1		tools/buildimage/package.json
+17 −15		tools/check-copyright
+3 −2		tools/create-hybrid-image
+8 −7		tools/mk/Makefile.agent_prebuilt.defs
+2 −2		tools/mk/Makefile.defs
+2 −1		tools/mk/Makefile.node.targ
+2 −2		tools/mk/Makefile.node_prebuilt.defs
+7 −6		tools/mkrepo
+3 −2		tools/runtests.in
+15 −7		tools/validate-buildenv.sh