Replace VaultID with LeaseID for terminology simplification

Armon Dadgar 2015-04-08 13:35:32 -07:00
parent bbbd3b63ef
commit 466c7575d3
18 changed files with 110 additions and 110 deletions


@ -456,7 +456,7 @@ If the return value is a secret, then the return structure
is a mixture of arbitrary key/value along with the following
fields which are guaranteed to exist:
- `vault_id` (string) - A unique ID used for renewal and
- `lease_id` (string) - A unique ID used for renewal and
revocation.
- `renewable` (bool) - If true, then this key can be renewed.
@ -478,7 +478,7 @@ is an arbitrary JSON object.
+ Response 200 (application/json)
{
"vault_id": "UUID",
"lease_id": "UUID",
"lease_duration": 3600,
"key": "value"
}
@ -503,7 +503,7 @@ the logical backend.
## Renew Key [/sys/renew/{id}]
+ Parameters
+ id (required, string) ... The `vault_id` of the secret
+ id (required, string) ... The `lease_id` of the secret
to renew.
### Renew [PUT]
@ -511,7 +511,7 @@ the logical backend.
+ Response 200 (application/json)
{
"vault_id": "...",
"lease_id": "...",
"lease_duration": 3600,
"access_key": "foo",
"secret_key": "bar"
@ -520,7 +520,7 @@ the logical backend.
## Revoke Key [/sys/revoke/{id}]
+ Parameters
+ id (required, string) ... The `vault_id` of the secret
+ id (required, string) ... The `lease_id` of the secret
to revoke.
### Revoke [PUT]
@ -605,7 +605,7 @@ This generates a new keypair for the given policy.
+ Response 200 (application/json)
{
"vault_id": "...",
"lease_id": "...",
"lease_duration": 3600,
"access_key": "foo",
"secret_key": "bar"


@ -7,7 +7,7 @@ import (
// Secret is the structure returned for every secret within Vault.
type Secret struct {
VaultId string `json:"vault_id"`
LeaseID string `json:"lease_id"`
Renewable bool `json:"renewable"`
LeaseDuration int `json:"lease_duration"`
Data map[string]interface{} `json:"data"`


@ -9,7 +9,7 @@ import (
func TestParseSecret(t *testing.T) {
raw := strings.TrimSpace(`
{
"vault_id": "foo",
"lease_id": "foo",
"renewable": true,
"lease_duration": 10,
"data": {
@ -23,7 +23,7 @@ func TestParseSecret(t *testing.T) {
}
expected := &Secret{
VaultId: "foo",
LeaseID: "foo",
Renewable: true,
LeaseDuration: 10,
Data: map[string]interface{}{


@ -81,8 +81,8 @@ func (c *ReadCommand) formatTable(s *api.Secret, whitespace bool) int {
input := make([]string, 0, 5)
input = append(input, fmt.Sprintf("Key %s Value", config.Delim))
if s.VaultId != "" {
input = append(input, fmt.Sprintf("vault_id %s %s", config.Delim, s.VaultId))
if s.LeaseID != "" {
input = append(input, fmt.Sprintf("lease_id %s %s", config.Delim, s.LeaseID))
}
for k, v := range s.Data {


@ -37,7 +37,7 @@ func TestRevoke(t *testing.T) {
args := []string{
"-address", addr,
secret.VaultId,
secret.LeaseID,
}
if code := c.Run(args); code != 0 {
t.Fatalf("bad: %d\n\n%s", code, ui.ErrorWriter.String())


@ -84,7 +84,7 @@ func handleLogical(core *vault.Core) http.Handler {
logicalResp := &LogicalResponse{Data: resp.Data}
if resp.Secret != nil {
logicalResp.VaultId = resp.Secret.VaultID
logicalResp.LeaseID = resp.Secret.LeaseID
logicalResp.Renewable = resp.Secret.Renewable
logicalResp.LeaseDuration = int(resp.Secret.Lease.Seconds())
}
@ -123,7 +123,7 @@ func handleLogical(core *vault.Core) http.Handler {
}
type LogicalResponse struct {
VaultId string `json:"vault_id"`
LeaseID string `json:"lease_id"`
Renewable bool `json:"renewable"`
LeaseDuration int `json:"lease_duration"`
Data map[string]interface{} `json:"data"`


@ -38,7 +38,7 @@ func TestLogical(t *testing.T) {
}
testResponseStatus(t, resp, 200)
testResponseBody(t, resp, &actual)
delete(actual, "vault_id")
delete(actual, "lease_id")
if !reflect.DeepEqual(actual, expected) {
t.Fatalf("bad: %#v %#v", actual, expected)
}


@ -25,10 +25,10 @@ type Secret struct {
// when returning a response.
LeaseIncrement time.Duration `json:"-"`
// VaultID is the ID returned to the user to represent this secret.
// LeaseID is the ID returned to the user to manage this secret.
// This is generated by Vault core. Any set value will be ignored.
// For requests, this will always be blank.
VaultID string
LeaseID string
}
func (s *Secret) Validate() error {


@ -139,7 +139,7 @@ type Core struct {
// systemView is the barrier view for the system backend
systemView *BarrierView
// expiration manager is used for managing vaultIDs,
// expiration manager is used for managing LeaseIDs,
// renewal, expiration and revocation
expiration *ExpirationManager
@ -269,14 +269,14 @@ func (c *Core) handleRequest(req *logical.Request) (*logical.Response, error) {
}
// Register the lease
vaultID, err := c.expiration.Register(req, resp)
leaseID, err := c.expiration.Register(req, resp)
if err != nil {
c.logger.Printf(
"[ERR] core: failed to register lease "+
"(request: %#v, response: %#v): %v", req, resp, err)
return nil, ErrInternalError
}
resp.Secret.VaultID = vaultID
resp.Secret.LeaseID = leaseID
}
// Only the token store is allowed to return an auth block, for any


@ -333,7 +333,7 @@ func TestCore_Seal_BadToken(t *testing.T) {
}
}
// Ensure we get a VaultID
// Ensure we get a LeaseID
func TestCore_HandleRequest_Lease(t *testing.T) {
c, _, root := TestCoreUnsealed(t)
@ -367,7 +367,7 @@ func TestCore_HandleRequest_Lease(t *testing.T) {
if resp.Secret.Lease != time.Hour {
t.Fatalf("bad: %#v", resp.Secret)
}
if resp.Secret.VaultID == "" {
if resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp.Secret)
}
if resp.Data["foo"] != "bar" {
@ -408,7 +408,7 @@ func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) {
if resp.Secret.Lease != maxLeaseDuration {
t.Fatalf("bad: %#v", resp.Secret)
}
if resp.Secret.VaultID == "" {
if resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp.Secret)
}
if resp.Data["foo"] != "bar" {
@ -449,7 +449,7 @@ func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) {
if resp.Secret.Lease != defaultLeaseDuration {
t.Fatalf("bad: %#v", resp.Secret)
}
if resp.Secret.VaultID == "" {
if resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp.Secret)
}
if resp.Data["foo"] != "bar" {


@ -107,9 +107,9 @@ func (m *ExpirationManager) Restore() error {
}
// Restore each key
for _, vaultID := range existing {
for _, leaseID := range existing {
// Load the entry
le, err := m.loadEntry(vaultID)
le, err := m.loadEntry(leaseID)
if err != nil {
return err
}
@ -131,8 +131,8 @@ func (m *ExpirationManager) Restore() error {
}
// Setup revocation timer
m.pending[le.VaultID] = time.AfterFunc(expires, func() {
m.expireID(le.VaultID)
m.pending[le.LeaseID] = time.AfterFunc(expires, func() {
m.expireID(le.LeaseID)
})
}
if len(m.pending) > 0 {
@ -154,10 +154,10 @@ func (m *ExpirationManager) Stop() error {
return nil
}
// Revoke is used to revoke a secret named by the given vaultID
func (m *ExpirationManager) Revoke(vaultID string) error {
// Revoke is used to revoke a secret named by the given LeaseID
func (m *ExpirationManager) Revoke(leaseID string) error {
// Load the entry
le, err := m.loadEntry(vaultID)
le, err := m.loadEntry(leaseID)
if err != nil {
return err
}
@ -173,15 +173,15 @@ func (m *ExpirationManager) Revoke(vaultID string) error {
}
// Delete the entry
if err := m.deleteEntry(vaultID); err != nil {
if err := m.deleteEntry(leaseID); err != nil {
return err
}
// Clear the expiration handler
m.pendingLock.Lock()
if timer, ok := m.pending[vaultID]; ok {
if timer, ok := m.pending[leaseID]; ok {
timer.Stop()
delete(m.pending, vaultID)
delete(m.pending, leaseID)
}
m.pendingLock.Unlock()
return nil
@ -205,20 +205,20 @@ func (m *ExpirationManager) RevokePrefix(prefix string) error {
// Revoke all the keys
for idx, suffix := range existing {
vaultID := prefix + suffix
if err := m.Revoke(vaultID); err != nil {
leaseID := prefix + suffix
if err := m.Revoke(leaseID); err != nil {
return fmt.Errorf("failed to revoke '%s' (%d / %d): %v",
vaultID, idx+1, len(existing), err)
leaseID, idx+1, len(existing), err)
}
}
return nil
}
// Renew is used to renew a secret using the given vaultID
// Renew is used to renew a secret using the given leaseID
// and a renew interval. The increment may be ignored.
func (m *ExpirationManager) Renew(vaultID string, increment time.Duration) (*logical.Response, error) {
func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*logical.Response, error) {
// Load the entry
le, err := m.loadEntry(vaultID)
le, err := m.loadEntry(leaseID)
if err != nil {
return nil, err
}
@ -249,8 +249,8 @@ func (m *ExpirationManager) Renew(vaultID string, increment time.Duration) (*log
return nil, err
}
// Attach the VaultID
resp.Secret.VaultID = vaultID
// Attach the LeaseID
resp.Secret.LeaseID = leaseID
// Update the lease entry
var expireTime time.Time
@ -267,7 +267,7 @@ func (m *ExpirationManager) Renew(vaultID string, increment time.Duration) (*log
// Update the expiration time
m.pendingLock.Lock()
if timer, ok := m.pending[vaultID]; ok {
if timer, ok := m.pending[leaseID]; ok {
timer.Reset(leaseTotal)
}
m.pendingLock.Unlock()
@ -279,11 +279,11 @@ func (m *ExpirationManager) Renew(vaultID string, increment time.Duration) (*log
// RenewToken is used to renew a token which does not need to
// invoke a logical backend.
func (m *ExpirationManager) RenewToken(source string, token string) (*logical.Auth, error) {
// Compute the Vault ID
vaultID := path.Join(source, m.tokenStore.SaltID(token))
// Compute the Lease ID
leaseID := path.Join(source, m.tokenStore.SaltID(token))
// Load the entry
le, err := m.loadEntry(vaultID)
le, err := m.loadEntry(leaseID)
if err != nil {
return nil, err
}
@ -311,7 +311,7 @@ func (m *ExpirationManager) RenewToken(source string, token string) (*logical.Au
// Update the expiration time
m.pendingLock.Lock()
if timer, ok := m.pending[vaultID]; ok {
if timer, ok := m.pending[leaseID]; ok {
timer.Reset(leaseTotal)
}
m.pendingLock.Unlock()
@ -319,7 +319,7 @@ func (m *ExpirationManager) RenewToken(source string, token string) (*logical.Au
}
// Register is used to take a request and response with an associated
// lease. The secret gets assigned a vaultId and the management of
// lease. The secret gets assigned a LeaseID and the management of
// of lease is assumed by the expiration manager.
func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Response) (string, error) {
// Ignore if there is no leased secret
@ -340,7 +340,7 @@ func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Respons
expireTime = now.Add(leaseTotal)
}
le := leaseEntry{
VaultID: path.Join(req.Path, generateUUID()),
LeaseID: path.Join(req.Path, generateUUID()),
Path: req.Path,
Data: resp.Data,
Secret: resp.Secret,
@ -356,25 +356,25 @@ func (m *ExpirationManager) Register(req *logical.Request, resp *logical.Respons
// Setup revocation timer if there is a lease
if !expireTime.IsZero() {
m.pendingLock.Lock()
m.pending[le.VaultID] = time.AfterFunc(leaseTotal, func() {
m.expireID(le.VaultID)
m.pending[le.LeaseID] = time.AfterFunc(leaseTotal, func() {
m.expireID(le.LeaseID)
})
m.pendingLock.Unlock()
}
// Done
return le.VaultID, nil
return le.LeaseID, nil
}
// RegisterAuth is used to take an Auth response with an associated lease.
// The token does not get a VaultID, but the lease management is handled by
// The token does not get a LeaseID, but the lease management is handled by
// the expiration manager.
func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) error {
// Create a lease entry
now := time.Now().UTC()
leaseTotal := auth.Lease + auth.LeaseGracePeriod
le := leaseEntry{
VaultID: path.Join(source, m.tokenStore.SaltID(auth.ClientToken)),
LeaseID: path.Join(source, m.tokenStore.SaltID(auth.ClientToken)),
Auth: auth,
Path: source,
IssueTime: now,
@ -388,30 +388,30 @@ func (m *ExpirationManager) RegisterAuth(source string, auth *logical.Auth) erro
// Setup revocation timer
m.pendingLock.Lock()
m.pending[le.VaultID] = time.AfterFunc(leaseTotal, func() {
m.expireID(le.VaultID)
m.pending[le.LeaseID] = time.AfterFunc(leaseTotal, func() {
m.expireID(le.LeaseID)
})
m.pendingLock.Unlock()
return nil
}
// expireID is invoked when a given ID is expired
func (m *ExpirationManager) expireID(vaultID string) {
func (m *ExpirationManager) expireID(leaseID string) {
// Clear from the pending expiration
m.pendingLock.Lock()
delete(m.pending, vaultID)
delete(m.pending, leaseID)
m.pendingLock.Unlock()
for attempt := uint(0); attempt < maxRevokeAttempts; attempt++ {
err := m.Revoke(vaultID)
err := m.Revoke(leaseID)
if err == nil {
m.logger.Printf("[INFO] expire: revoked '%s'", vaultID)
m.logger.Printf("[INFO] expire: revoked '%s'", leaseID)
return
}
m.logger.Printf("[ERR] expire: failed to revoke '%s': %v", vaultID, err)
m.logger.Printf("[ERR] expire: failed to revoke '%s': %v", leaseID, err)
time.Sleep((1 << attempt) * revokeRetryBase)
}
m.logger.Printf("[ERR] expire: maximum revoke attempts for '%s' reached", vaultID)
m.logger.Printf("[ERR] expire: maximum revoke attempts for '%s' reached", leaseID)
}
// revokeEntry is used to attempt revocation of an internal entry
@ -438,7 +438,7 @@ func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
secret := *le.Secret
secret.LeaseIncrement = increment
secret.VaultID = ""
secret.LeaseID = ""
resp, err := m.router.Route(logical.RenewRequest(
le.Path, &secret, le.Data))
@ -449,8 +449,8 @@ func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration)
}
// loadEntry is used to read a lease entry
func (m *ExpirationManager) loadEntry(vaultID string) (*leaseEntry, error) {
out, err := m.view.Get(vaultID)
func (m *ExpirationManager) loadEntry(leaseID string) (*leaseEntry, error) {
out, err := m.view.Get(leaseID)
if err != nil {
return nil, fmt.Errorf("failed to read lease entry: %v", err)
}
@ -474,7 +474,7 @@ func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
// Write out to the view
ent := logical.StorageEntry{
Key: le.VaultID,
Key: le.LeaseID,
Value: buf,
}
if err := m.view.Put(&ent); err != nil {
@ -484,8 +484,8 @@ func (m *ExpirationManager) persistEntry(le *leaseEntry) error {
}
// deleteEntry is used to delete a lease entry
func (m *ExpirationManager) deleteEntry(vaultID string) error {
if err := m.view.Delete(vaultID); err != nil {
func (m *ExpirationManager) deleteEntry(leaseID string) error {
if err := m.view.Delete(leaseID); err != nil {
return fmt.Errorf("failed to delete lease entry: %v", err)
}
return nil
@ -494,7 +494,7 @@ func (m *ExpirationManager) deleteEntry(vaultID string) error {
// leaseEntry is used to structure the values the expiration
// manager stores. This is used to handle renew and revocation.
type leaseEntry struct {
VaultID string `json:"vault_id"`
LeaseID string `json:"lease_id"`
Path string `json:"path"`
Data map[string]interface{} `json:"data"`
Secret *logical.Secret `json:"secret"`


@ -425,7 +425,7 @@ func TestExpiration_revokeEntry(t *testing.T) {
exp.router.Mount(noop, "", generateUUID(), view)
le := &leaseEntry{
VaultID: "foo/bar/1234",
LeaseID: "foo/bar/1234",
Path: "foo/bar",
Data: map[string]interface{}{
"testing": true,
@ -462,7 +462,7 @@ func TestExpiration_revokeEntry_token(t *testing.T) {
}
le := &leaseEntry{
VaultID: "foo/bar/1234",
LeaseID: "foo/bar/1234",
Auth: &logical.Auth{
ClientToken: root.ID,
Lease: time.Minute,
@ -505,7 +505,7 @@ func TestExpiration_renewEntry(t *testing.T) {
exp.router.Mount(noop, "", generateUUID(), view)
le := &leaseEntry{
VaultID: "foo/bar/1234",
LeaseID: "foo/bar/1234",
Path: "foo/bar",
Data: map[string]interface{}{
"testing": true,
@ -544,7 +544,7 @@ func TestExpiration_renewEntry(t *testing.T) {
func TestExpiration_PersistLoadDelete(t *testing.T) {
exp := mockExpiration(t)
le := &leaseEntry{
VaultID: "foo/bar/1234",
LeaseID: "foo/bar/1234",
Path: "foo/bar",
Data: map[string]interface{}{
"testing": true,
@ -583,7 +583,7 @@ func TestExpiration_PersistLoadDelete(t *testing.T) {
func TestLeaseEntry(t *testing.T) {
le := &leaseEntry{
VaultID: "foo/bar/1234",
LeaseID: "foo/bar/1234",
Path: "foo/bar",
Data: map[string]interface{}{
"testing": true,


@ -69,7 +69,7 @@ func TestPassthroughBackend_Read(t *testing.T) {
}
resp.Secret.InternalData = nil
resp.Secret.VaultID = ""
resp.Secret.LeaseID = ""
if !reflect.DeepEqual(resp, expected) {
t.Fatalf("bad response.\n\nexpected: %#v\n\nGot: %#v", expected, resp)
}


@ -92,12 +92,12 @@ func NewSystemBackend(core *Core) logical.Backend {
},
&framework.Path{
Pattern: "renew/(?P<vault_id>.+)",
Pattern: "renew/(?P<lease_id>.+)",
Fields: map[string]*framework.FieldSchema{
"vault_id": &framework.FieldSchema{
"lease_id": &framework.FieldSchema{
Type: framework.TypeString,
Description: strings.TrimSpace(sysHelp["vault_id"][0]),
Description: strings.TrimSpace(sysHelp["lease_id"][0]),
},
"increment": &framework.FieldSchema{
Type: framework.TypeInt,
@ -114,12 +114,12 @@ func NewSystemBackend(core *Core) logical.Backend {
},
&framework.Path{
Pattern: "revoke/(?P<vault_id>.+)",
Pattern: "revoke/(?P<lease_id>.+)",
Fields: map[string]*framework.FieldSchema{
"vault_id": &framework.FieldSchema{
"lease_id": &framework.FieldSchema{
Type: framework.TypeString,
Description: strings.TrimSpace(sysHelp["vault_id"][0]),
Description: strings.TrimSpace(sysHelp["lease_id"][0]),
},
},
@ -377,38 +377,38 @@ func (b *SystemBackend) handleRemount(
return nil, nil
}
// handleRenew is used to renew a lease with a given VaultID
// handleRenew is used to renew a lease with a given LeaseID
func (b *SystemBackend) handleRenew(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
// Get all the options
vaultID := data.Get("vault_id").(string)
leaseID := data.Get("lease_id").(string)
incrementRaw := data.Get("increment").(int)
// Convert the increment
increment := time.Duration(incrementRaw) * time.Second
// Invoke the expiration manager directly
resp, err := b.Core.expiration.Renew(vaultID, increment)
resp, err := b.Core.expiration.Renew(leaseID, increment)
if err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
return resp, err
}
// handleRevoke is used to revoke a given VaultID
// handleRevoke is used to revoke a given LeaseID
func (b *SystemBackend) handleRevoke(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
// Get all the options
vaultID := data.Get("vault_id").(string)
leaseID := data.Get("lease_id").(string)
// Invoke the expiration manager directly
if err := b.Core.expiration.Revoke(vaultID); err != nil {
if err := b.Core.expiration.Revoke(leaseID); err != nil {
return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
}
return nil, nil
}
// handleRevokePrefix is used to revoke a prefix with many VaultIDs
// handleRevokePrefix is used to revoke a prefix with many LeaseIDs
func (b *SystemBackend) handleRevokePrefix(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
// Get all the options
@ -726,8 +726,8 @@ lease and to prevent an automatic revocation.
`,
},
"vault_id": {
"The vault identifier to renew. This is included with a lease.",
"lease_id": {
"The lease identifier to renew. This is included with a lease.",
"",
},
@ -742,7 +742,7 @@ lease and to prevent an automatic revocation.
When a secret is generated with a lease, it is automatically revoked
at the end of the lease period if not renewed. However, in some cases
you may want to force an immediate revocation. This endpoint can be
used to revoke the secret with the given Vault ID.
used to revoke the secret with the given Lease ID.
`,
},
@ -753,7 +753,7 @@ Revokes all the secrets generated under a given mount prefix. As
an example, "prod/aws/" might be the AWS logical backend, and due to
a change in the "ops" policy, we may want to invalidate all the secrets
generated. We can do a revoke prefix at "prod/aws/ops" to revoke all
the ops secrets. This does a prefix match on the Vault IDs and revokes
the ops secrets. This does a prefix match on the Lease IDs and revokes
all matching leases.
`,
},


@ -168,26 +168,26 @@ func TestSystemBackend_renew(t *testing.T) {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a VaultID
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
resp, err = core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.VaultID == "" {
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Attempt renew
req2 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.VaultID)
req2 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.LeaseID)
req2.Data["increment"] = 100
resp2, err := b.HandleRequest(req2)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp2.Secret.VaultID != resp.Secret.VaultID {
if resp2.Secret.LeaseID != resp.Secret.LeaseID {
t.Fatalf("bad: %#v", resp)
}
if resp2.Data["foo"] != "bar" {
@ -225,19 +225,19 @@ func TestSystemBackend_revoke(t *testing.T) {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a VaultID
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
resp, err = core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.VaultID == "" {
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
// Attempt revoke
req2 := logical.TestRequest(t, logical.WriteOperation, "revoke/"+resp.Secret.VaultID)
req2 := logical.TestRequest(t, logical.WriteOperation, "revoke/"+resp.Secret.LeaseID)
resp2, err := b.HandleRequest(req2)
if err != nil {
t.Fatalf("err: %v %#v", err, resp2)
@ -247,7 +247,7 @@ func TestSystemBackend_revoke(t *testing.T) {
}
// Attempt renew
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.VaultID)
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.LeaseID)
resp3, err := b.HandleRequest(req3)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)
@ -287,14 +287,14 @@ func TestSystemBackend_revokePrefix(t *testing.T) {
t.Fatalf("bad: %#v", resp)
}
// Read a key with a VaultID
// Read a key with a LeaseID
req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
req.ClientToken = root
resp, err = core.HandleRequest(req)
if err != nil {
t.Fatalf("err: %v", err)
}
if resp == nil || resp.Secret == nil || resp.Secret.VaultID == "" {
if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
@ -309,7 +309,7 @@ func TestSystemBackend_revokePrefix(t *testing.T) {
}
// Attempt renew
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.VaultID)
req3 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.LeaseID)
resp3, err := b.HandleRequest(req3)
if err != logical.ErrInvalidRequest {
t.Fatalf("err: %v", err)


@ -147,7 +147,7 @@ func TestCore_Unmount_Cleanup(t *testing.T) {
if err != nil {
t.Fatalf("err: %v", err)
}
if resp.Secret.VaultID == "" {
if resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}
@ -259,7 +259,7 @@ func TestCore_Remount_Cleanup(t *testing.T) {
if err != nil {
t.Fatalf("err: %v", err)
}
if resp.Secret.VaultID == "" {
if resp.Secret.LeaseID == "" {
t.Fatalf("bad: %#v", resp)
}


@ -529,7 +529,7 @@ func (ts *TokenStore) handleCreate(
}
// handleRevokeTree handles the auth/token/revoke/id path for revocation of tokens
// in a way that revokes all child tokens. Normally, using sys/revoke/vaultID will revoke
// in a way that revokes all child tokens. Normally, using sys/revoke/leaseID will revoke
// the token and all children anyways, but that is only available when there is a lease.
func (ts *TokenStore) handleRevokeTree(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@ -546,7 +546,7 @@ func (ts *TokenStore) handleRevokeTree(
}
// handleRevokeOrphan handles the auth/token/revoke-orphan/id path for revocation of tokens
// in a way that leaves child tokens orphaned. Normally, using sys/revoke/vaultID will revoke
// in a way that leaves child tokens orphaned. Normally, using sys/revoke/leaseID will revoke
// the token and all children.
func (ts *TokenStore) handleRevokeOrphan(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {


@ -120,7 +120,7 @@ special path `aws/<NAME>` where `NAME` is the policy name:
```
$ vault read aws/deploy
Key Value
vault_id aws/deploy/0d042c53-aa8a-7ce7-9dfd-310351c465e5
lease_id aws/deploy/0d042c53-aa8a-7ce7-9dfd-310351c465e5
access_key AKIAJFN42DVCQWDHQYHQ
secret_key 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
```
@ -129,8 +129,8 @@ Success! The access and secret key can now be used to perform any EC2
operations within AWS. You can verify they work, if you want. Also notice
that these keys are new, they're not the keys you entered earlier.
The `vault_id` above is a special ID used for Vault for renewal,
revocation, etc. Copy and save your Vault ID now.
The `lease_id` above is a special ID used for Vault for renewal,
revocation, etc. Copy and save your Lease ID now.
## Revoking the Secret