From ba19b99f55568495638687e6ab7c741d639be0e9 Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Fri, 15 Dec 2017 16:01:40 -0500
Subject: [PATCH 1/4] Update login logic for aws creds backend
---
 builtin/credential/aws/path_login.go | 57 ++++++++++++----------------
 1 file changed, 24 insertions(+), 33 deletions(-)
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 30c69047e..2f4b006a0 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -786,23 +786,21 @@ func (b *backend) pathLoginUpdateEc2(
 resp.Auth.Metadata["nonce"] = clientNonce
 }
- if roleEntry.Period > time.Duration(0) {
- resp.Auth.TTL = roleEntry.Period
- } else {
- // Cap the TTL value.
- shortestTTL := b.System().DefaultLeaseTTL()
- if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
- shortestTTL = roleEntry.TTL
+ if roleEntry.MaxTTL > time.Duration(0) {
+ // Cap maxTTL to the sysview's max TTL
+ maxTTL := b.System().MaxLeaseTTL()
+ if roleEntry.MaxTTL < maxTTL {
+ maxTTL = b.System().MaxLeaseTTL()
 }
- if shortestMaxTTL < shortestTTL {
- resp.AddWarning(fmt.Sprintf("Effective ttl of %q exceeded the effective max_ttl of %q; ttl value is capped appropriately", (shortestTTL / time.Second).String(), (shortestMaxTTL / time.Second).String()))
- shortestTTL = shortestMaxTTL
+
+ // Cap TTL to MaxTTL
+ if resp.Auth.TTL > maxTTL {
+ resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
+ resp.Auth.TTL = roleEntry.MaxTTL
 }
- resp.Auth.TTL = shortestTTL
 }
 return resp, nil
-
 }
 // handleRoleTagLogin is used to fetch the role tag of the instance and
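Review bot: The warning's `'%s'` arguments `resp.Auth.TTL / time.Second` and `maxTTL / time.Second` are still `time.Duration` values, so `%s` renders a one-hour TTL as `3.6µs`; the removed line had the same defect through `.String()`. Passing the Durations undivided gives a readable message: `resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, maxTTL))`. The same line recurs in the pathLoginUpdateIam hunk at `@@ -1295` and in the rewrites in PATCH 2/4 and PATCH 4/4. This hunk also drops the branch that assigned `resp.Auth.TTL` from `roleEntry.Period` and `roleEntry.TTL`, and nothing visible sets `resp.Auth.TTL` before the cap, so the `logical.Response` literal above the hunk presumably now carries TTL and Period — worth confirming. pathLoginUpdateEc2 begins outside the hunk.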
@@ -1238,7 +1236,7 @@ func (b *backend) pathLoginUpdateIam(
 policies := roleEntry.Policies
 inferredEntityType := ""
- inferredEntityId := ""
+ inferredEntityID := ""
 if roleEntry.InferredEntityType == ec2EntityType {
 instance, err := b.validateInstance(req.Storage, entity.SessionInfo, roleEntry.InferredAWSRegion, callerID.Account)
 if err != nil {
@@ -1264,7 +1262,7 @@ func (b *backend) pathLoginUpdateIam(
 }
 inferredEntityType = ec2EntityType
- inferredEntityId = entity.SessionInfo
+ inferredEntityID = entity.SessionInfo
 }
 resp := &logical.Response{
@@ -1277,7 +1275,7 @@ func (b *backend) pathLoginUpdateIam(
 "client_user_id": callerUniqueId,
 "auth_type": iamAuthType,
 "inferred_entity_type": inferredEntityType,
- "inferred_entity_id": inferredEntityId,
+ "inferred_entity_id": inferredEntityID,
 "inferred_aws_region": roleEntry.InferredAWSRegion,
 "account_id": entity.AccountNumber,
 },
@@ -1295,25 +1293,18 @@ func (b *backend) pathLoginUpdateIam(
 },
 }
- if roleEntry.Period > time.Duration(0) {
- resp.Auth.TTL = roleEntry.Period
- } else {
- shortestTTL := b.System().DefaultLeaseTTL()
- if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
- shortestTTL = roleEntry.TTL
- }
-
+ if roleEntry.MaxTTL > time.Duration(0) {
+ // Cap maxTTL to the sysview's max TTL
 maxTTL := b.System().MaxLeaseTTL()
- if roleEntry.MaxTTL > time.Duration(0) && roleEntry.MaxTTL < maxTTL {
- maxTTL = roleEntry.MaxTTL
+ if roleEntry.MaxTTL < maxTTL {
+ maxTTL = b.System().MaxLeaseTTL()
 }
- if shortestTTL > maxTTL {
- resp.AddWarning(fmt.Sprintf("Effective TTL of %q exceeded the effective max_ttl of %q; TTL value is capped accordingly", (shortestTTL / time.Second).String(), (maxTTL / time.Second).String()))
- shortestTTL = maxTTL
+ // Cap TTL to MaxTTL
+ if resp.Auth.TTL > maxTTL {
+ resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
+ resp.Auth.TTL = roleEntry.MaxTTL
 }
-
- resp.Auth.TTL = shortestTTL
 }
 return resp, nil
@@ -1333,11 +1324,11 @@ func hasValuesForEc2Auth(data *framework.FieldData) (bool, bool) {
 func hasValuesForIamAuth(data *framework.FieldData) (bool, bool) {
 _, hasRequestMethod := data.GetOk("iam_http_request_method")
- _, hasRequestUrl := data.GetOk("iam_request_url")
+ _, hasRequestURL := data.GetOk("iam_request_url")
 _, hasRequestBody := data.GetOk("iam_request_body")
 _, hasRequestHeaders := data.GetOk("iam_request_headers")
- return (hasRequestMethod && hasRequestUrl && hasRequestBody && hasRequestHeaders),
- (hasRequestMethod || hasRequestUrl || hasRequestBody || hasRequestHeaders)
+ return (hasRequestMethod && hasRequestURL && hasRequestBody && hasRequestHeaders),
+ (hasRequestMethod || hasRequestURL || hasRequestBody || hasRequestHeaders)
 }
 func parseIamArn(iamArn string) (*iamEntity, error) {
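Review bot: The cap against `b.System().MaxLeaseTTL()` now runs only inside `if roleEntry.MaxTTL > time.Duration(0)`, whereas the removed code always started from the system max and merely lowered it for a role max_ttl; a role with max_ttl unset therefore leaves `resp.Auth.TTL` unbounded in this function unless the core applies the system max elsewhere, which this hunk cannot show. Keeping the system value as the baseline preserves the old bound: `maxTTL := b.System().MaxLeaseTTL()` then `if roleEntry.MaxTTL > time.Duration(0) && roleEntry.MaxTTL < maxTTL { maxTTL = roleEntry.MaxTTL }`, with the `resp.Auth.TTL > maxTTL` check outside the guard. As written, the inner `if roleEntry.MaxTTL < maxTTL { maxTTL = b.System().MaxLeaseTTL() }` assigns the value `maxTTL` already holds, so the role's own max_ttl never takes effect in this patch. pathLoginUpdateIam begins and ends outside the hunk; the hasValuesForIamAuth hunk is a rename only.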
From 643451d46aac0d95466f3330cd863db28c33b90b Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Fri, 15 Dec 2017 16:18:19 -0500
Subject: [PATCH 2/4] Update login logic for aws creds backend
---
 builtin/credential/aws/path_login.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 2f4b006a0..57ce97d15 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -788,15 +788,15 @@ func (b *backend) pathLoginUpdateEc2(
 if roleEntry.MaxTTL > time.Duration(0) {
 // Cap maxTTL to the sysview's max TTL
- maxTTL := b.System().MaxLeaseTTL()
- if roleEntry.MaxTTL < maxTTL {
+ maxTTL := roleEntry.MaxTTL
+ if maxTTL > b.System().MaxLeaseTTL() {
 maxTTL = b.System().MaxLeaseTTL()
 }
 // Cap TTL to MaxTTL
 if resp.Auth.TTL > maxTTL {
 resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
- resp.Auth.TTL = roleEntry.MaxTTL
+ resp.Auth.TTL = maxTTL
 }
 }
@@ -1295,15 +1295,15 @@ func (b *backend) pathLoginUpdateIam(
 if roleEntry.MaxTTL > time.Duration(0) {
 // Cap maxTTL to the sysview's max TTL
- maxTTL := b.System().MaxLeaseTTL()
- if roleEntry.MaxTTL < maxTTL {
+ maxTTL := roleEntry.MaxTTL
+ if maxTTL > b.System().MaxLeaseTTL() {
 maxTTL = b.System().MaxLeaseTTL()
 }
 // Cap TTL to MaxTTL
 if resp.Auth.TTL > maxTTL {
 resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
- resp.Auth.TTL = roleEntry.MaxTTL
+ resp.Auth.TTL = maxTTL
 }
 }
From fe7ce434e4c758ae661a00bdc4da178c594c2574 Mon Sep 17 00:00:00 2001
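Review bot: The cap block is now duplicated verbatim in pathLoginUpdateEc2 and pathLoginUpdateIam (both hunks here) and evaluates `b.System().MaxLeaseTTL()` twice per call; a small method on `*backend` invoked as `b.capAuthTTL(resp, roleEntry.MaxTTL)` from both sites keeps the two paths from drifting, which is exactly what happened between PATCH 1/4 and this patch. The helper below also hands the Durations to the warning undivided, since `resp.Auth.TTL / time.Second` is still a `time.Duration` and prints in nanoseconds under `%s`. Both enclosing functions begin and end outside the hunks.
```go
// capAuthTTL lowers resp.Auth.TTL to roleMaxTTL, itself bounded by the
// system view's max lease TTL, and records a warning when it does so.
// A zero roleMaxTTL leaves the TTL untouched, matching the current guard.
func (b *backend) capAuthTTL(resp *logical.Response, roleMaxTTL time.Duration) {
	if roleMaxTTL <= time.Duration(0) {
		return
	}
	maxTTL := roleMaxTTL
	if sysMax := b.System().MaxLeaseTTL(); maxTTL > sysMax {
		maxTTL = sysMax
	}
	if resp.Auth.TTL > maxTTL {
		resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, maxTTL))
		resp.Auth.TTL = maxTTL
	}
}
// … unchanged: each login path then replaces its inline block with b.capAuthTTL(resp, roleEntry.MaxTTL) …
```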
From: Calvin Leung Huang
Date: Fri, 15 Dec 2017 16:26:42 -0500
Subject: [PATCH 3/4] Update logic on renew paths
---
 builtin/credential/aws/path_login.go | 33 +++++++++------------------
 1 file changed, 10 insertions(+), 23 deletions(-)
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 57ce97d15..774e4ceea 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -983,13 +983,12 @@ func (b *backend) pathLoginRenewIam(
 }
 }
- // If 'Period' is set on the role, then the token should never expire.
- if roleEntry.Period > time.Duration(0) {
- req.Auth.TTL = roleEntry.Period
- return &logical.Response{Auth: req.Auth}, nil
- } else {
- return framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+ resp, err := framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+ if err != nil {
+ return nil, err
 }
+ resp.Auth.Period = roleEntry.Period
+ return resp, nil
 }
 func (b *backend) pathLoginRenewEc2(
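Review bot: `resp.Auth.Period = roleEntry.Period` dereferences the response returned by `framework.LeaseExtend` without a nil check; whether LeaseExtend guarantees a non-nil `resp.Auth` for an auth renewal cannot be confirmed from this hunk, so a guard such as `if resp == nil || resp.Auth == nil { return nil, fmt.Errorf("renewed response carries no auth") }` before the assignment is cheap insurance against a panic on the renew path. The removed branch returned `roleEntry.Period` as the TTL without consulting max_ttl, while the new code first lets LeaseExtend bound the lease by `roleEntry.MaxTTL` and only then sets Period, so periodic tokens now rely on the core honoring `Auth.Period` — presumably the intent, but a one-line comment saying so would spare the next reader the archaeology. The same shape appears in the pathLoginRenewEc2 hunk at `@@ -1070`. pathLoginRenewIam begins outside the hunk.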
@@ -1070,24 +1069,12 @@ func (b *backend) pathLoginRenewEc2(
 return nil, err
 }
- // If 'Period' is set on the role, then the token should never expire. Role
- // tag does not have a 'Period' field. So, regarless of whether the token
- // was issued using a role login or a role tag login, the period set on the
- // role should take effect.
- if roleEntry.Period > time.Duration(0) {
- req.Auth.TTL = roleEntry.Period
- return &logical.Response{Auth: req.Auth}, nil
- } else {
- // Cap the TTL value
- shortestTTL := b.System().DefaultLeaseTTL()
- if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
- shortestTTL = roleEntry.TTL
- }
- if shortestMaxTTL < shortestTTL {
- shortestTTL = shortestMaxTTL
- }
- return framework.LeaseExtend(shortestTTL, shortestMaxTTL, b.System())(req, data)
+ resp, err := framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+ if err != nil {
+ return nil, err
 }
+ resp.Auth.Period = roleEntry.Period
+ return resp, nil
 }
 func (b *backend) pathLoginUpdateIam(
From 997a1453e73198d8c61a79a2f247a9806737143d Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Fri, 15 Dec 2017 17:29:40 -0500
Subject: [PATCH 4/4] Use shortMaxTTL on Ec2 paths
---
 builtin/credential/aws/path_login.go | 16 +++++----------
 1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 774e4ceea..578575ca3 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
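Review bot: The dropped comment explaining that role tags carry no `Period` field, so the role's period applies to both role and role-tag logins, is still the reason `resp.Auth.Period = roleEntry.Period` is correct here and belongs above that line, e.g. `// Role tags have no 'Period' field, so regardless of whether the token came from a role login or a role tag login the role's period applies.` (which also retires the old `regarless` typo). The missing nil handling of `resp.Auth` raised on the pathLoginRenewIam hunk applies to this hunk as well. pathLoginRenewEc2 begins outside the hunk.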
@@ -787,16 +787,10 @@ func (b *backend) pathLoginUpdateEc2(
 }
 if roleEntry.MaxTTL > time.Duration(0) {
- // Cap maxTTL to the sysview's max TTL
- maxTTL := roleEntry.MaxTTL
- if maxTTL > b.System().MaxLeaseTTL() {
- maxTTL = b.System().MaxLeaseTTL()
- }
-
- // Cap TTL to MaxTTL
- if resp.Auth.TTL > maxTTL {
- resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
- resp.Auth.TTL = maxTTL
+ // Cap TTL to shortestMaxTTL
+ if resp.Auth.TTL > shortestMaxTTL {
+ resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (shortestMaxTTL / time.Second)))
+ resp.Auth.TTL = shortestMaxTTL
 }
 }
@@ -1069,7 +1063,7 @@ func (b *backend) pathLoginRenewEc2(
 return nil, err
 }
- resp, err := framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+ resp, err := framework.LeaseExtend(roleEntry.TTL, shortestMaxTTL, b.System())(req, data)
 if err != nil {
 return nil, err
 }
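Review bot: The cap to `shortestMaxTTL` is still gated on `roleEntry.MaxTTL > time.Duration(0)`, yet `shortestMaxTTL` is computed above the hunk and the code removed in PATCH 1/4 applied it regardless of the role's own max_ttl; if it also folds in the role tag's max_ttl or the system max, as its name suggests, a role with max_ttl unset now skips the cap entirely, while the renew hunk at `@@ -1069` passes `shortestMaxTTL` to LeaseExtend unconditionally. Guarding on the value actually used keeps login and renew consistent: `if shortestMaxTTL > time.Duration(0) {`. The warning arguments `resp.Auth.TTL / time.Second` and `shortestMaxTTL / time.Second` are Durations and print in nanoseconds under `%s`; pass them undivided. pathLoginUpdateEc2 begins outside the hunk.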