Add share timeout configuration

brunorijsman · brunorijsman · commit 3e665e34ac50 · 2025-11-07T13:27:26.000+01:00
diff --git a/common/configuration.py b/common/configuration.py
@@ -40,6 +40,12 @@
 MIN_MIN_NR_SHARES = 1  # We allow 1, which really means the secret is not split at all.
 MAX_MIN_NR_SHARES = 128
 
+# Timeout for shares in seconds. Shares stored on hubs will be deleted if the responder SAE does
+# not retrieve them by invoking the Get key with key IDs API call within this timeout.
+DEFAULT_SHARE_TIMEOUT_SECS = 60  # 1 minute
+MIN_SHARE_TIMEOUT_SECS = 1
+MAX_SHARE_TIMEOUT_SECS = 86_400  # 1 day
+
 
 def fatal_error(message: str):
     """
@@ -60,6 +66,7 @@ class Configuration:
     stop_request_psrd_threshold: int
     get_psrd_block_size: int
     min_nr_shares: int
+    share_timeout_secs: int
 
     def __init__(
         self,
@@ -68,13 +75,15 @@ def __init__(
         stop_request_psrd_threshold,
         get_psrd_block_size,
         min_nr_shares,
+        share_timeout_secs,
         nodes,
     ):
         self.base_port = base_port
         self.start_request_psrd_threshold = start_request_psrd_threshold
         self.stop_request_psrd_threshold = stop_request_psrd_threshold
         self.get_psrd_block_size = get_psrd_block_size
         self.min_nr_shares = min_nr_shares
+        self.share_timeout_secs = share_timeout_secs
         # Sort nodes by type and name, so that clients are always before hubs (the order matters
         # for startup and shutdown).
         self.nodes = sorted(nodes)
@@ -144,6 +153,12 @@ def _assign_ports_and_urls(self):
         "min": MIN_MIN_NR_SHARES,
         "max": MAX_MIN_NR_SHARES,
     },
+    "share_timeout_secs": {
+        "type": "integer",
+        "default": DEFAULT_SHARE_TIMEOUT_SECS,
+        "min": MIN_SHARE_TIMEOUT_SECS,
+        "max": MAX_SHARE_TIMEOUT_SECS,
+    },
     "hubs": {
         "type": "list",
         "schema": HUB_SCHEMA,
@@ -199,5 +214,6 @@ def parse_configuration_file(filename: str) -> Configuration:
         parsed_config["stop_request_psrd_threshold"],
         parsed_config["get_psrd_block_size"],
         parsed_config["min_nr_shares"],
+        parsed_config["share_timeout_secs"],
         nodes,
     )
diff --git a/docs/user-guide.md b/docs/user-guide.md
@@ -59,6 +59,12 @@ $ <b>cat dske-config.yaml</b>
                                         # from the key shares using Shamir's Secret Sharing (SSS).
                                         # Optional; default value is 3.
 
+# share_timeout_secs: 60                # Timeout for shares in seconds. Shares stored on hubs are
+                                        # deleted if the responder SAE does not retrieve them by
+                                        # invoking the Get key with key IDs API call within this
+                                        # timeout.
+                                        # Optional; default value is 60 seconds.
+                                        
 hubs:                   # List of hubs (aka DSKE security hubs) in the DSKE topology.
   - name: hank          # Name of the hub.
   - name: helen
@@ -310,16 +316,18 @@ Use the `--help` option to see its usage:
 
 <pre>
 $ <b>python -m hub --help</b>
-usage: hub [-h] [-p PORT] name
+usage: hub [-h] [-p PORT] [--share-timeout-secs SHARE_TIMEOUT_SECS] name
 
 DSKE Hub
 
 positional arguments:
-  name             Hub name
+  name                  Hub name
 
 options:
-  -h, --help       show this help message and exit
-  -p, --port PORT  Port number
+  -h, --help            show this help message and exit
+  -p, --port PORT       Port number
+  --share-timeout-secs SHARE_TIMEOUT_SECS
+                        Share timeout in seconds (default: 60)
 </pre>
 
 The typical usage is to provide the hub name and the port number.
diff --git a/dske-config.yaml b/dske-config.yaml
@@ -24,6 +24,16 @@
                                         # from the key shares using Shamir's Secret Sharing (SSS).
                                         # Optional; default value is 3.
 
+# share_timeout_secs: 60                # Timeout for shares in seconds. Shares stored on hubs are
+                                        # deleted if the responder SAE does not retrieve them by
+                                        # invoking the Get key with key IDs API call within this
+                                        # timeout.
+                                        # Optional; default value is 60 seconds.
+
+# Timeout for shares in seconds. Shares stored on hubs will be deleted if the responder SAE does
+# not retrieve them by invoking the Get key with key IDs API call within this timeout.
+
+
 hubs:                   # List of hubs (aka DSKE security hubs) in the DSKE topology.
   - name: hank          # Name of the hub.
   - name: helen
diff --git a/hub/cli.py b/hub/cli.py
@@ -3,6 +3,22 @@
 """
 
 import argparse
+from common import configuration
+
+
+def _check_share_timeout_secs(value):
+    int_value = int(value)
+    if (
+        int_value <= configuration.MIN_SHARE_TIMEOUT_SECS
+        or int_value > configuration.MAX_SHARE_TIMEOUT_SECS
+    ):
+        raise argparse.ArgumentTypeError(
+            f"value {value} is invalid; "
+            f"it must be between "
+            f"{configuration.MIN_SHARE_TIMEOUT_SECS} and "
+            f"{configuration.MAX_SHARE_TIMEOUT_SECS}"
+        )
+    return int_value
 
 
 def parse_command_line_arguments():
@@ -17,5 +33,15 @@ def parse_command_line_arguments():
         type=int,
         help="Port number",
     )
+    parser.add_argument(
+        "--share-timeout-secs",
+        type=_check_share_timeout_secs,
+        default=configuration.DEFAULT_SHARE_TIMEOUT_SECS,
+        help=(
+            f"Share timeout in seconds "
+            f"(default: {configuration.DEFAULT_SHARE_TIMEOUT_SECS})"
+        ),
+    )
+
     args = parser.parse_args()
     return args
diff --git a/manager.py b/manager.py
@@ -219,6 +219,15 @@ def start_node(self, node: Node, extra_args: list | None = None):
                 ]
             if node.encryptor_names:
                 command += ["--encryptors"] + node.encryptor_names
+        else:
+            if (
+                self._config.share_timeout_secs
+                != configuration.DEFAULT_SHARE_TIMEOUT_SECS
+            ):
+                command += [
+                    "--share-timeout-secs",
+                    str(self._config.share_timeout_secs),
+                ]
         if extra_args is not None:
             command += extra_args
         _process = subprocess.Popen(command, stdout=out_file, stderr=out_file)
