open-vault/logical/lease.go

package logical

import (
	"time"
)

// LeaseOptions is an embeddable struct to capture common lease
// settings between a Secret and Auth
type LeaseOptions struct {
	// TTL is the duration that this secret is valid for. Vault
	// will automatically revoke it after the duration.
	TTL time.Duration `json:"lease"`

	// MaxTTL is the maximum duration that this secret is valid for.
	MaxTTL time.Duration `json:"max_ttl"`

	// Renewable, if true, means that this secret can be renewed.
	Renewable bool `json:"renewable"`

	// Increment will be the lease increment that the user requested.
	// This is only available on a Renew operation and has no effect
	// when returning a response.
	Increment time.Duration `json:"-"`

	// IssueTime is the time of issue for the original lease. This is
	// only available on Renew and Revoke operations and has no effect when returning
	// a response. It can be used to enforce maximum lease periods by
	// a logical backend.
	IssueTime time.Time `json:"-"`
}

// LeaseEnabled checks if leasing is enabled
func (l *LeaseOptions) LeaseEnabled() bool {
	return l.TTL > 0
}

// LeaseTotal is the lease duration with a guard against a negative TTL
func (l *LeaseOptions) LeaseTotal() time.Duration {
	if l.TTL <= 0 {
		return 0
	}

	return l.TTL
}

// ExpirationTime computes the time until expiration including the grace period
func (l *LeaseOptions) ExpirationTime() time.Time {
	var expireTime time.Time
	if l.LeaseEnabled() {
		expireTime = time.Now().Add(l.LeaseTotal())
	}
	return expireTime
}
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`package logical`

Sync over 2017-10-23 20:42:56 +00:00			`import (`
			`"time"`
			`)`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00
			`// LeaseOptions is an embeddable struct to capture common lease`
			`// settings between a Secret and Auth`
			`type LeaseOptions struct {`
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback 2018-04-03 16:20:20 +00:00			`// TTL is the duration that this secret is valid for. Vault`
Remove grace periods 2016-02-01 00:33:16 +00:00			`// will automatically revoke it after the duration.`
			TTL time.Duration `json:"lease"`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback 2018-04-03 16:20:20 +00:00			`// MaxTTL is the maximum duration that this secret is valid for.`
			MaxTTL time.Duration `json:"max_ttl"`

logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`// Renewable, if true, means that this secret can be renewed.`
			Renewable bool `json:"renewable"`

Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-21 05:27:01 +00:00			`// Increment will be the lease increment that the user requested.`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`// This is only available on a Renew operation and has no effect`
			`// when returning a response.`
Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-21 05:27:01 +00:00			Increment time.Duration `json:"-"`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00
Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-21 05:27:01 +00:00			`// IssueTime is the time of issue for the original lease. This is`
logical/aws: Harden WAL entry creation (#5202) * logical/aws: Harden WAL entry creation If AWS IAM user creation failed in any way, the WAL corresponding to the IAM user would get left around and Vault would try to roll it back. However, because the user never existed, the rollback failed. Thus, the WAL would essentially get "stuck" and Vault would continually attempt to roll it back, failing every time. A similar situation could arise if the IAM user that Vault created got deleted out of band, or if Vault deleted it but was unable to write the lease revocation back to storage (e.g., a storage failure). This attempts to harden it in two ways. One is by deleting the WAL log entry if the IAM user creation fails. However, the WAL deletion could still fail, and this wouldn't help where the user is deleted out of band, so second, consider the user rolled back if the user just doesn't exist, under certain circumstances. Fixes #5190 * Fix segfault in expiration unit tests TestExpiration_Tidy was passing in a leaseEntry that had a nil Secret, which then caused a segfault as the changes to revokeEntry didn't check whether Secret was nil; this is probably unlikely to occur in real life, but good to be extra cautious. * Fix potential segfault Missed the else... * Respond to PR feedback 2018-09-27 14:54:59 +00:00			`// only available on Renew and Revoke operations and has no effect when returning`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`// a response. It can be used to enforce maximum lease periods by`
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-07 21:44:14 +00:00			`// a logical backend.`
Rejig Lease terminology internally; also, put a few JSON names back to their original values 2015-08-21 05:27:01 +00:00			IssueTime time.Time `json:"-"`
logical: Refactor LeaseOptions to share between Secret and Auth 2015-04-09 19:14:04 +00:00			`}`
vault: Simplify common lease logic 2015-04-09 19:29:13 +00:00
			`// LeaseEnabled checks if leasing is enabled`
			`func (l *LeaseOptions) LeaseEnabled() bool {`
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-21 00:47:17 +00:00			`return l.TTL > 0`
vault: Simplify common lease logic 2015-04-09 19:29:13 +00:00			`}`

Remove grace periods 2016-02-01 00:33:16 +00:00			`// LeaseTotal is the lease duration with a guard against a negative TTL`
vault: Simplify common lease logic 2015-04-09 19:29:13 +00:00			`func (l *LeaseOptions) LeaseTotal() time.Duration {`
Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod 2015-08-21 00:47:17 +00:00			`if l.TTL <= 0 {`
vault: Simplify common lease logic 2015-04-09 19:29:13 +00:00			`return 0`
			`}`
logical: lease tests 2015-04-11 04:29:03 +00:00
Remove grace periods 2016-02-01 00:33:16 +00:00			`return l.TTL`
vault: Simplify common lease logic 2015-04-09 19:29:13 +00:00			`}`

			`// ExpirationTime computes the time until expiration including the grace period`
			`func (l *LeaseOptions) ExpirationTime() time.Time {`
			`var expireTime time.Time`
logical: remove IncrementedLease, simplify ExpirationTime calculation 2015-06-17 20:59:09 +00:00			`if l.LeaseEnabled() {`
Remove Unix() invocations on 'time.Time' objects and removed conversion of time to UTC 2016-07-07 21:44:14 +00:00			`expireTime = time.Now().Add(l.LeaseTotal())`
vault: Simplify common lease logic 2015-04-09 19:29:13 +00:00			`}`
			`return expireTime`
			`}`