From d64ef28c392853e539c958f33960fcf9397659f5 Mon Sep 17 00:00:00 2001
From: Alex Dadgar
Date: Wed, 21 Sep 2016 17:30:57 -0700
Subject: [PATCH] Handle the various valid root cases

---
 nomad/vault.go | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)

diff --git a/nomad/vault.go b/nomad/vault.go
index e61b193b0..73b71a02c 100644
--- a/nomad/vault.go
+++ b/nomad/vault.go
@@ -485,20 +485,34 @@ func (v *vaultClient) parseSelfToken() error {
 }
 }
 
- if !data.Renewable && !root {
- return fmt.Errorf("Vault token is not renewable or root")
- }
+ if !root {
+ // All non-root tokens must be renewable
+ if !data.Renewable {
+ return fmt.Errorf("Vault token is not renewable or root")
+ }
 
- if data.CreationTTL == 0 && !root {
- return fmt.Errorf("invalid lease duration of zero")
- }
+ // All non-root tokens must have a lease duration
+ if data.CreationTTL == 0 {
+ return fmt.Errorf("invalid lease duration of zero")
+ }
 
- if data.TTL == 0 && !root {
- return fmt.Errorf("token TTL is zero")
- }
+ // The lease duration can not be expired
+ if data.TTL == 0 {
+ return fmt.Errorf("token TTL is zero")
+ }
 
- if !root && data.Role == "" {
- return fmt.Errorf("token role name must be set when not using a root token")
+ // There must be a valid role
+ if data.Role == "" {
+ return fmt.Errorf("token role name must be set when not using a root token")
+ }
+ } else if data.CreationTTL != 0 {
+ // If the root token has a TTL it must be renewable
+ if !data.Renewable {
+ return fmt.Errorf("Vault token has a TTL but is not renewable")
+ } else if data.TTL == 0 {
+ // If the token has a TTL make sure it has not expired
+ return fmt.Errorf("token TTL is zero")
+ }
 }
 
 data.Root = root
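Review bot: In the new root branch, `} else if data.TTL == 0 {` follows an `if !data.Renewable { return ... }` that always returns, so the `else` is redundant and hides the fact that the TTL check is an independent rejection; closing the first `if` with `}` and writing `if data.TTL == 0 {` as its own statement keeps the happy path left-aligned like the non-root branch above it. It would also help to state the accepted token shapes in one comment at the top of the root branch, something like `// Root tokens with no creation TTL are accepted as-is; root tokens with a TTL must be renewable and not yet expired`, since a reader otherwise has to infer that a periodic root token is deliberately exempt from the role requirement. parseSelfToken begins before this hunk and continues after `data.Root = root`.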