Merge pull request hashicorp#1001 from hashicorp/lease-extend-systemview

Merge backend lease-extend changes from staging

builtin/credential/app-id/backend.go

@@ -77,6 +77,9 @@ func Backend(conf *logical.BackendConfig) (*framework.Backend, error) {
 			b.MapAppId.Paths(),
 			b.MapUserId.Paths(),
 		),
+
+		// Not enabled until we add verification logic to the renewal function
+		//		AuthRenew: b.pathLoginRenew,
 	}
 
 	// Since the salt is new in 0.2, we need to handle this by migrating

builtin/credential/app-id/path_login.go

@@ -129,10 +129,19 @@ func (b *backend) pathLogin(
 			DisplayName: displayName,
 			Policies:    policies,
 			Metadata:    metadata,
+			LeaseOptions: logical.LeaseOptions{
+				Renewable: true,
+			},
 		},
 	}, nil
 }
 
+func (b *backend) pathLoginRenew(
+	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+
+	return framework.LeaseExtend(0, 0, b.System())(req, d)
+}
+
 const pathLoginSyn = `
 Log in with an App ID and User ID.
 `

builtin/credential/cert/path_login.go

@@ -207,7 +207,7 @@ func validateConnState(roots *x509.CertPool, cs *tls.ConnectionState) ([][]*x509
 
 func (b *backend) pathLoginRenew(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	// Get the cert and validate auth
+	// Get the cert and use its TTL
 	cert, err := b.Cert(req.Storage, req.Auth.Metadata["cert_name"])
 	if err != nil {
 		return nil, err
@@ -217,5 +217,5 @@ func (b *backend) pathLoginRenew(
 		return nil, nil
 	}
 
-	return framework.LeaseExtend(cert.TTL, 0, false)(req, d)
+	return framework.LeaseExtend(cert.TTL, 0, b.System())(req, d)
 }

builtin/credential/github/path_login.go

@@ -138,9 +138,8 @@ func (b *backend) pathLogin(
 			},
 			DisplayName: *user.Login,
 			LeaseOptions: logical.LeaseOptions{
-				TTL:         ttl,
-				GracePeriod: ttl / 10,
-				Renewable:   ttl > 0,
+				TTL:       ttl,
+				Renewable: true,
 			},
 		},
 	}, nil
@@ -152,5 +151,5 @@ func (b *backend) pathLoginRenew(
 	if err != nil {
 		return nil, err
 	}
-	return framework.LeaseExtend(config.MaxTTL, 0, false)(req, d)
+	return framework.LeaseExtend(config.TTL, config.MaxTTL, b.System())(req, d)
 }

builtin/credential/ldap/path_login.go

@@ -3,7 +3,6 @@ package ldap
 import (
 	"sort"
 	"strings"
-	"time"
 
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -56,6 +55,9 @@ func (b *backend) pathLogin(
 				"password": password,
 			},
 			DisplayName: username,
+			LeaseOptions: logical.LeaseOptions{
+				Renewable: true,
+			},
 		},
 	}, nil
 }
@@ -77,7 +79,7 @@ func (b *backend) pathLoginRenew(
 		return logical.ErrorResponse("policies have changed, revoking login"), nil
 	}
 
-	return framework.LeaseExtend(1*time.Hour, 0, false)(req, d)
+	return framework.LeaseExtend(0, 0, b.System())(req, d)
 }
 
 const pathLoginSyn = `

builtin/credential/userpass/backend_test.go

@@ -10,9 +10,12 @@ import (
 	"github.com/mitchellh/mapstructure"
 )
 
+const (
+	testSysTTL    = time.Hour * 10
+	testSysMaxTTL = time.Hour * 20
+)
+
 func TestBackend_TTLDurations(t *testing.T) {
-	sysTTL := time.Hour * 10
-	sysMaxTTL := time.Hour * 20
 	data1 := map[string]interface{}{
 		"password": "password",
 		"policies": "root",
@@ -43,8 +46,8 @@ func TestBackend_TTLDurations(t *testing.T) {
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
-			DefaultLeaseTTLVal: sysTTL,
-			MaxLeaseTTLVal:     sysMaxTTL,
+			DefaultLeaseTTLVal: testSysTTL,
+			MaxLeaseTTLVal:     testSysMaxTTL,
 		},
 	})
 	if err != nil {
@@ -64,8 +67,16 @@ func TestBackend_TTLDurations(t *testing.T) {
 }
 
 func TestBackend_basic(t *testing.T) {
-	b := Backend()
-
+	b, err := Factory(&logical.BackendConfig{
+		Logger: nil,
+		System: &logical.StaticSystemView{
+			DefaultLeaseTTLVal: testSysTTL,
+			MaxLeaseTTLVal:     testSysMaxTTL,
+		},
+	})
+	if err != nil {
+		t.Fatalf("Unable to create backend: %s", err)
+	}
 	logicaltest.Test(t, logicaltest.TestCase{
 		Backend: b,
 		Steps: []logicaltest.TestStep{
@@ -76,7 +87,16 @@ func TestBackend_basic(t *testing.T) {
 }
 
 func TestBackend_userCrud(t *testing.T) {
-	b := Backend()
+	b, err := Factory(&logical.BackendConfig{
+		Logger: nil,
+		System: &logical.StaticSystemView{
+			DefaultLeaseTTLVal: testSysTTL,
+			MaxLeaseTTLVal:     testSysMaxTTL,
+		},
+	})
+	if err != nil {
+		t.Fatalf("Unable to create backend: %s", err)
+	}
 
 	logicaltest.Test(t, logicaltest.TestCase{
 		Backend: b,

builtin/credential/userpass/path_login.go

@@ -68,17 +68,16 @@ func (b *backend) pathLogin(
 			},
 			DisplayName: username,
 			LeaseOptions: logical.LeaseOptions{
-				TTL:         user.TTL,
-				GracePeriod: user.TTL / 10,
-				Renewable:   user.TTL > 0,
+				TTL:       user.TTL,
+				Renewable: true,
 			},
 		},
 	}, nil
 }
 
 func (b *backend) pathLoginRenew(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
-	// Get the user and validate auth
+	// Get the user
 	user, err := b.User(req.Storage, req.Auth.Metadata["username"])
 	if err != nil {
 		return nil, err
@@ -88,7 +87,7 @@ func (b *backend) pathLoginRenew(
 		return nil, nil
 	}
 
-	return framework.LeaseExtend(user.MaxTTL, 0, false)(req, d)
+	return framework.LeaseExtend(user.TTL, user.MaxTTL, b.System())(req, d)
 }
 
 const pathLoginSyn = `

builtin/logical/aws/secret_access_keys.go

@@ -6,12 +6,13 @@ import (
 	"regexp"
 	"time"
 
+	"strings"
+
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/iam"
 	"github.com/aws/aws-sdk-go/service/sts"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
-	"strings"
 )
 
 const SecretAccessKeyType = "access_keys"
@@ -35,9 +36,6 @@ func secretAccessKeys(b *backend) *framework.Secret {
 			},
 		},
 
-		DefaultDuration:    1 * time.Hour,
-		DefaultGracePeriod: 10 * time.Minute,
-
 		Renew:  b.secretAccessKeysRenew,
 		Revoke: secretAccessKeysRevoke,
 	}
@@ -76,16 +74,20 @@ func (b *backend) secretAccessKeysAndTokenCreate(s logical.Storage,
 			"Error generating STS keys: %s", err)), nil
 	}
 
-	// Return the info!
-	return b.Secret(SecretAccessKeyType).Response(map[string]interface{}{
+	resp := b.Secret(SecretAccessKeyType).Response(map[string]interface{}{
 		"access_key":     *tokenResp.Credentials.AccessKeyId,
 		"secret_key":     *tokenResp.Credentials.SecretAccessKey,
 		"security_token": *tokenResp.Credentials.SessionToken,
 	}, map[string]interface{}{
 		"username": username,
 		"policy":   policy,
-		"is_sts": 	true,
-	}), nil
+		"is_sts":   true,
+	})
+
+	// Set the secret TTL to appropriately match the expiration of the token
+	resp.Secret.TTL = tokenResp.Credentials.Expiration.Sub(time.Now())
+
+	return resp, nil
 }
 
 func (b *backend) secretAccessKeysCreate(
@@ -159,28 +161,49 @@ func (b *backend) secretAccessKeysCreate(
 	}
 
 	// Return the info!
-	return b.Secret(SecretAccessKeyType).Response(map[string]interface{}{
+	resp := b.Secret(SecretAccessKeyType).Response(map[string]interface{}{
 		"access_key":     *keyResp.AccessKey.AccessKeyId,
 		"secret_key":     *keyResp.AccessKey.SecretAccessKey,
 		"security_token": nil,
 	}, map[string]interface{}{
 		"username": username,
 		"policy":   policy,
-		"is_sts": 	false,
-	}), nil
+		"is_sts":   false,
+	})
+
+	lease, err := b.Lease(s)
+	if err != nil || lease == nil {
+		lease = &configLease{}
+	}
+
+	resp.Secret.TTL = lease.Lease
+
+	return resp, nil
 }
 
 func (b *backend) secretAccessKeysRenew(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+
+	// STS already has a lifetime, and we don't support renewing it
+	isSTSRaw, ok := req.Secret.InternalData["is_sts"]
+	if ok {
+		isSTS, ok := isSTSRaw.(bool)
+		if ok {
+			if isSTS {
+				return nil, nil
+			}
+		}
+	}
+
 	lease, err := b.Lease(req.Storage)
 	if err != nil {
 		return nil, err
 	}
 	if lease == nil {
-		lease = &configLease{Lease: 1 * time.Hour}
+		lease = &configLease{}
 	}
 
-	f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, false)
+	f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, b.System())
 	return f(req, d)
 }
 

builtin/logical/cassandra/path_creds_create.go

@@ -85,7 +85,6 @@ func (b *backend) pathCredsCreateRead(
 		"role":     name,
 	})
 	resp.Secret.TTL = role.Lease
-	resp.Secret.GracePeriod = role.LeaseGracePeriod
 
 	return resp, nil
 }

builtin/logical/cassandra/path_roles.go

@@ -56,16 +56,15 @@ template values are '{{username}}' and
 			},
 
 			"lease_grace_period": &framework.FieldSchema{
-				Type:    framework.TypeString,
-				Default: "1h",
-				Description: `Grace period for secret renewal; defaults to
-one hour`,
+				Type:        framework.TypeString,
+				Default:     "1h",
+				Description: `DEPRECATED: this has no effect`,
 			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ReadOperation:   b.pathRoleRead,
-			logical.UpdateOperation:  b.pathRoleCreate,
+			logical.UpdateOperation: b.pathRoleCreate,
 			logical.DeleteOperation: b.pathRoleDelete,
 		},
 
@@ -194,6 +193,5 @@ instance of Cassandra:
 
 ` + defaultRollbackCQL + `
 
-"lease" and "lease_grace_period" control the lease time and the allowed grace
-period past lease expiration, respectively.
+"lease" the lease time; if not set the mount/system defaults are used.
 `

builtin/logical/cassandra/secret_creds.go

@@ -2,7 +2,6 @@ package cassandra
 
 import (
 	"fmt"
-	"time"
 
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -26,9 +25,6 @@ func secretCreds(b *backend) *framework.Secret {
 			},
 		},
 
-		DefaultDuration:    1 * time.Hour,
-		DefaultGracePeriod: 10 * time.Minute,
-
 		Renew:  b.secretCredsRenew,
 		Revoke: b.secretCredsRevoke,
 	}
@@ -51,7 +47,7 @@ func (b *backend) secretCredsRenew(
 		return nil, fmt.Errorf("Unable to load role: %s", err)
 	}
 
-	return framework.LeaseExtend(role.Lease, 0, false)(req, d)
+	return framework.LeaseExtend(role.Lease, 0, b.System())(req, d)
 }
 
 func (b *backend) secretCredsRevoke(

builtin/logical/consul/backend.go

@@ -25,7 +25,7 @@ func Backend() *framework.Backend {
 		},
 
 		Secrets: []*framework.Secret{
-			secretToken(),
+			secretToken(&b),
 		},
 	}
 

builtin/logical/consul/backend_test.go

@@ -60,7 +60,7 @@ func TestBackend_crud(t *testing.T) {
 		Backend:  b,
 		Steps: []logicaltest.TestStep{
 			testAccStepWritePolicy(t, "test", testPolicy, ""),
-			testAccStepReadPolicy(t, "test", testPolicy, DefaultLeaseDuration),
+			testAccStepReadPolicy(t, "test", testPolicy, 0),
 			testAccStepDeletePolicy(t, "test"),
 		},
 	})

builtin/logical/consul/path_roles.go

@@ -41,7 +41,7 @@ Defaults to 'client'.`,
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
 			logical.ReadOperation:   pathRolesRead,
-			logical.UpdateOperation:  pathRolesWrite,
+			logical.UpdateOperation: pathRolesWrite,
 			logical.DeleteOperation: pathRolesDelete,
 		},
 	}
@@ -108,9 +108,15 @@ func pathRolesWrite(
 				"Error decoding policy base64: %s", err)), nil
 		}
 	}
-	lease, err := time.ParseDuration(d.Get("lease").(string))
-	if err != nil || lease == time.Duration(0) {
-		lease = DefaultLeaseDuration
+
+	var lease time.Duration
+	leaseParam := d.Get("lease").(string)
+	if leaseParam != "" {
+		lease, err = time.ParseDuration(leaseParam)
+		if err != nil {
+			return logical.ErrorResponse(fmt.Sprintf(
+				"error parsing given lease of %s: %s", leaseParam, err)), nil
+		}
 	}
 
 	entry, err := logical.StorageEntryJSON("policy/"+name, roleConfig{