From 5421b12d363b9a455fabd8111df6562b3b116fc8 Mon Sep 17 00:00:00 2001
From: Travis Paul
Date: Fri, 5 Dec 2025 17:03:20 -0500
Subject: [PATCH 1/3] Update status of expired access keys
---
 lib/index.js | 45 ++++++++++++++++++++++++++++-----------------
 package-lock.json | 2 +-
 package.json | 2 +-
 3 files changed, 30 insertions(+), 19 deletions(-)
diff --git a/lib/index.js b/lib/index.js
index ac21971..6dc6f19 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -332,7 +332,33 @@ function assertStrictOptions(funcname, opts, expected) {
 }
 }
+/*
+ * AccessKeys created before UFDS v7.5.0 may not have status
+ * or created fields. Patch those fields in here so clients
+ * can rely on them being defined.
+ */
+function patchUpAccessKey(accesskey) {
+ if (!accesskey.status) {
+ accesskey.status = 'Inactive';
+ }
+
+ if (!accesskey.updated) {
+ accesskey.updated = accesskey.created;
+ }
+
+ // If a temporary credential is expired, but not yet purged
+ // from UFDS, update the status to reflect that it is expired.
+ if (accesskey.credentialtype &&
+ accesskey.credentialtype === 'temporary') {
+ var now = new Date();
+ var exp = new Date(accesskey.expiration);
+ if (isNaN(exp) || now >= exp) {
+ accesskey.status = 'Expired';
+ }
+ }
+ return accesskey;
+}
 // --- Exported API
@@ -3249,7 +3275,7 @@ function getAccessKey(user, accesskeyid, account, cb, noCache) {
 return;
 }
 if (keys.length) {
- cb(null, keys[0]);
+ cb(null, patchUpAccessKey(keys[0]));
 return;
 }
 cb(new ResourceNotFoundError(accesskeyid + ' does not exist'));
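Review bot: The expiry test in `patchUpAccessKey` runs only when `credentialtype` is exactly `'temporary'`, so an entry that carries an `expiration` but whose type is missing or spelled differently keeps whatever status is stored, which is the permissive direction if callers use `status` to decide whether a key is still valid. If UFDS can return such entries, keying the test on the expiration as well would be safer, e.g. `if (accesskey.credentialtype === 'temporary' || accesskey.expiration) {`; the `else if` added to this function in PATCH 2/3 labels a missing type `'permanent'`, so the same concern applies to that hunk. The `isNaN(exp)` branch already fails closed, which deserves a comment such as `// missing or unparseable expiration is treated as expired`. The header comment also says "status or created" while the code backfills `status` and `updated`.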
@@ -3309,22 +3335,7 @@ function listAccessKeys(user, account, cb, noCache) {
 if (err) {
 next(err);
 } else {
-
- // AccessKeys created before UFDS v7.5.0 may not have status
- // or created fields. Patch those fields in here so clients
- // can rely on them being defined.
- var keys = entries.map(function _mapEntries(entry) {
- if (!entry.status) {
- entry.status = 'Inactive';
- }
-
- if (!entry.updated) {
- entry.updated = entry.created;
- }
-
- return entry;
- });
-
+ var keys = entries.map(patchUpAccessKey);
 next(null, keys);
 }
 }, noCache);
diff --git a/package-lock.json b/package-lock.json
index 6bdf757..f6ee71e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,6 +1,6 @@
 {
 "name": "ufds",
- "version": "1.9.0",
+ "version": "1.9.1",
 "lockfileVersion": 1,
 "requires": true,
 "dependencies": {
diff --git a/package.json b/package.json
index bfafb51..b051e08 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "name": "ufds",
 "author": "Edgecast Cloud (edgecast.io)",
 "description": "Triton UFDS Client API",
- "version": "1.9.0",
+ "version": "1.9.1",
 "homepage": "https://github.com/TritonDataCenter/triton",
 "repository": {
 "type": "git",
From f70401926cc199ad88f97d140606011c1f0bb5a3 Mon Sep 17 00:00:00 2001
From: Travis Paul
Date: Mon, 8 Dec 2025 14:45:41 +0000
Subject: [PATCH 2/3] Populate credentialtype for permanent keys
---
 lib/index.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/index.js b/lib/index.js
index 6dc6f19..19cbbbb 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -355,6 +355,9 @@ function patchUpAccessKey(accesskey) {
 if (isNaN(exp) || now >= exp) {
 accesskey.status = 'Expired';
 }
+ } else if (!accesskey.credentialtype) {
+ // Absence of credentialtype makes this a permanent key
+ accesskey.credentialtype = 'permanent';
 }
 return accesskey;
@@ -3204,6 +3207,7 @@ UFDS.prototype.addAccessKey = function addAccessKey(user, account, attrs, cb) {
 entry.accesskeyid = context.id;
 entry.accesskeysecret = context.secret;
+ entry.credentialtype = 'permanent';
 var userUuid = context.user.uuid;
 var dn = (account) ?
From 62f646a3d04f3703310564d8920857731d291058 Mon Sep 17 00:00:00 2001
From: Travis Paul
Date: Tue, 9 Dec 2025 18:03:36 +0000
Subject: [PATCH 3/3] Ignore modification of most attrs for temporary access keys
---
 lib/index.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/index.js b/lib/index.js
index 19cbbbb..04b9779 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -3559,9 +3559,18 @@ function updateAccessKey(user, account, accesskey, cb) {
 'accesskeysecret',
 'created',
 'objectclass',
- 'updated'
+ 'updated',
+ 'credentialtype',
+ 'principaluuid',
+ 'sessiontoken',
+ 'expiration'
 ];
+ // Ignore status changes on non-permanent accesskeys
+ if (context.accesskey.credentialtype !== 'permanent') {
+ ignoreAttrs.push('status');
+ }
+
 Object.keys(accesskey).forEach(function _keys(key) {
 var change = {modification: {}};
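Review bot: The new guard `context.accesskey.credentialtype !== 'permanent'` in `updateAccessKey` also matches keys that have no stored `credentialtype`, which PATCH 2/3 defines as permanent. Unless `context.accesskey` was loaded through `getAccessKey`/`patchUpAccessKey` (not visible in this hunk), status changes on legacy permanent keys, including deactivation, would be dropped. Applying the same default here removes that dependency: `if ((context.accesskey.credentialtype || 'permanent') !== 'permanent') {`. Because ignored attributes appear to be skipped rather than rejected, a caller that tries to deactivate a temporary key presumably gets a success callback with nothing changed; a doc comment on `updateAccessKey` should say that temporary keys have to be deleted rather than deactivated, or the call should return an error. The body of `updateAccessKey` starts before and continues past this hunk.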