diff --git a/CHANGELOG.md b/CHANGELOG.md
index e16cca098..2ba347008 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -36,6 +36,9 @@ generate them, leading to client errors.
    enabled [GH-694]
  * everywhere: Don't use http.DefaultClient, as it shares state implicitly and is a source of hard-to-track-down bugs [GH-700]
+ * secret/generic: Validate given duration at write time, not just read time;
+   if stored durations are not parseable, return a warning and the default
+   duration rather than an error [GH-718]
 MISC:
diff --git a/vault/logical_passthrough.go b/vault/logical_passthrough.go
index cd8cb71a1..eda8998e0 100644
--- a/vault/logical_passthrough.go
+++ b/vault/logical_passthrough.go
@@ -123,16 +123,17 @@ func (b *PassthroughBackend) handleRead(
 
 	// Check if there is a ttl key
 	var ttl string
-	ttl, _ = rawData["lease"].(string)
+	ttl, _ = rawData["ttl"].(string)
 	if len(ttl) == 0 {
-		ttl, _ = rawData["ttl"].(string)
+		ttl, _ = rawData["lease"].(string)
 	}
-
 	ttlDuration := b.System().DefaultLeaseTTL()
 	if len(ttl) != 0 {
-		ttlDuration, err = time.ParseDuration(ttl)
+		parsedDuration, err := time.ParseDuration(ttl)
 		if err != nil {
-			return logical.ErrorResponse("failed to parse ttl for entry"), nil
+			resp.AddWarning(fmt.Sprintf("failed to parse stored ttl '%s' for entry; using default", ttl))
+		} else {
+			ttlDuration = parsedDuration
 		}
 		if b.generateLeases {
 			resp.Secret.Renewable = true
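Review bot: The new `if err != nil` fallback in handleRead only covers strings that do not parse; `time.ParseDuration` accepts negative values, so a stored ttl of `"-1h"` passes the check and lands in `ttlDuration`, which the rest of the function (handleRead starts before and continues after this hunk) presumably feeds into the lease TTL. I would treat a negative result like a parse failure, `if err != nil || parsedDuration < 0 {`, and reword the warning to `"invalid stored ttl %q for entry; using default"` — `%q` also keeps an odd stored value readable instead of the `'%s'` quoting. The hunk additionally flips precedence so `ttl` now wins over `lease` when an entry stores both; that is a behavior change the CHANGELOG entry does not mention and deserves a comment at the lookup, e.g. `// ttl takes precedence over lease when both are stored`.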
@@ -151,6 +152,23 @@ func (b *PassthroughBackend) handleWrite(
 		return nil, fmt.Errorf("missing data fields")
 	}
 
+	// Check if there is a ttl key; verify parseability if so
+	var ttl string
+	ttl = data.Get("ttl").(string)
+	if len(ttl) == 0 {
+		ttl = data.Get("lease").(string)
+	}
+	if len(ttl) != 0 {
+		_, err := time.ParseDuration(ttl)
+		if err != nil {
+			return logical.ErrorResponse("failed to parse ttl for entry"), nil
+		}
+		// Verify that ttl isn't the *only* thing we have
+		if len(req.Data) == 1 {
+			return nil, fmt.Errorf("missing data; only ttl found")
+		}
+	}
+
 	// JSON encode the data
 	buf, err := json.Marshal(req.Data)
 	if err != nil {
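Review bot: The write-time check at `_, err := time.ParseDuration(ttl)` only proves the string parses, so a client can still store `"-1h"` as the entry's ttl and the read path will accept it as a valid duration later; reject that here with `if d, err := time.ParseDuration(ttl); err != nil || d < 0 {` and an error such as `"ttl must be a non-negative duration"` (whether `0s` should be allowed is worth deciding at the same time). The bare `.(string)` assertions on `data.Get("ttl")` and `data.Get("lease")` also differ from the comma-ok form handleRead uses on rawData; whether `Get` can hand back a non-string here depends on the path's field schema, which is outside this hunk, so `ttl, _ = data.Get("ttl").(string)` is the safer form for client-controlled input. The `len(req.Data) == 1` guard misses the case where a request carries both `ttl` and `lease` and nothing else, which stores an entry with no actual data. handleWrite starts before and continues after this hunk.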