indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

VOMS AA ignores expired AUP #687

Closed vokac closed 8 months ago

vokac commented 8 months ago

Although this topic was already touched in #446 this issue still seems to be present, e.g.

$ curl -s -X GET -H "Authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" https://atlas-auth.web.cern.ch/iam/aup/ | jq .signatureValidityInDays
3650
$ curl -s -X GET -H "Authorization: Bearer $BEARER_TOKEN" -H "Content-Type: application/json" https://atlas-auth.web.cern.ch/iam/aup/signature/b41bd224-951e-47b9-8f86-c234e491d8b4 | jq .signatureTime
"2010-01-01T00:00:00.000Z"
$ voms-proxy-init -voms atlas
Enter GRID pass phrase for this identity:
Contacting voms-atlas-auth.app.cern.ch:443 [/DC=ch/DC=cern/OU=computers/CN=atlas-auth.web.cern.ch] "atlas"...
Remote VOMS server contacted succesfully.
Created proxy in /tmp/x509up_u8021.
Your proxy is valid until Tue Jan 16 13:29:13 CET 2024

AUP expiration is currently set to 10 years for our IAM instance. I used the IAM API to set AUP expiration to January 1st 2010, but I'm still able to get a VOMS proxy with an expired AUP.
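
As an added example (not code from the issue or from the IAM/voms-aa projects), this is the validity decision an attribute authority should make from the two API responses shown above; the responses are constructed to match the shapes quoted, and it assumes that a validity of 0 days means the signature never expires and that a missing signature record means the user has not signed:

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample responses shaped like the two IAM API replies quoted in the
# report (GET /iam/aup/ and GET /iam/aup/signature/{userId}); values are made up.
AUP_RESPONSE = '{"signatureValidityInDays": 3650}'
SIGNATURE_RESPONSE = '{"signatureTime": "2010-01-01T00:00:00.000Z"}'

IAM_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_iam_time(value):
    """Parse IAM's ISO-8601 timestamps (millisecond precision, trailing 'Z') as UTC."""
    return datetime.strptime(value, IAM_TIME_FORMAT).replace(tzinfo=timezone.utc)


def aup_signature_status(aup_json, signature_json, now_iso):
    """Decide whether the user's AUP signature is still valid at `now_iso`.

    Returns {"valid": bool, "expires_at": str | None}.  Assumptions (not stated
    in the issue): signatureValidityInDays == 0 means the signature never expires,
    and signature_json None means there is no signature record at all.
    """
    if signature_json is None:
        return {"valid": False, "expires_at": None}  # never signed: deny
    validity_days = int(json.loads(aup_json)["signatureValidityInDays"])
    signed_at = parse_iam_time(json.loads(signature_json)["signatureTime"])
    if validity_days == 0:
        return {"valid": True, "expires_at": None}  # AUP configured to never expire
    expires_at = signed_at + timedelta(days=validity_days)
    now = parse_iam_time(now_iso)
    return {"valid": now < expires_at, "expires_at": expires_at.isoformat()}


if __name__ == "__main__":
    # The proxy in the report was issued on 2024-01-16, long after the
    # 2010 signature plus 3650 days had run out (expiry falls on 2019-12-30).
    print(aup_signature_status(AUP_RESPONSE, SIGNATURE_RESPONSE, "2024-01-16T12:00:00.000Z"))
```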

rmiccoli commented 8 months ago

Hi, we think it is due to the fact that CERN IAM instances are using old images of voms-aa.

vokac commented 8 months ago

Discussed with CERN IAM Ops; they'll deploy an updated voms-aa and also keep an up-to-date version in the future.