Fix bug around disallowing explicit max greater than sysview max
parent
aecc3ad824
commit
6ec1ca05c8
|
@ -1047,20 +1047,20 @@ func (ts *TokenStore) handleCreateCommon(
|
|||
sysView := ts.System()
|
||||
|
||||
// Limit the lease duration
|
||||
if sysView.MaxLeaseTTL() != time.Duration(0) && te.ExplicitMaxTTL > sysView.MaxLeaseTTL() {
|
||||
if sysView.MaxLeaseTTL() != time.Duration(0) && role.ExplicitMaxTTL > sysView.MaxLeaseTTL() {
|
||||
return logical.ErrorResponse(fmt.Sprintf(
|
||||
"role explicit max TTL of %d is greater than system/mount allowed value of %d seconds",
|
||||
te.ExplicitMaxTTL.Seconds(), sysView.MaxLeaseTTL().Seconds())), logical.ErrInvalidRequest
|
||||
role.ExplicitMaxTTL.Seconds(), sysView.MaxLeaseTTL().Seconds())), logical.ErrInvalidRequest
|
||||
}
|
||||
|
||||
if te.TTL > role.ExplicitMaxTTL {
|
||||
resp.AddWarning(fmt.Sprintf(
|
||||
"Requested TTL higher than role explicit max TTL; value being capped to %d seconds",
|
||||
role.ExplicitMaxTTL.Seconds()))
|
||||
te.TTL = role.ExplicitMaxTTL
|
||||
}
|
||||
|
||||
te.ExplicitMaxTTL = role.ExplicitMaxTTL
|
||||
|
||||
if te.TTL > te.ExplicitMaxTTL {
|
||||
resp.AddWarning(fmt.Sprintf(
|
||||
"Requested TTL higher than role explicit max TTL; value being capped to %d seconds",
|
||||
te.ExplicitMaxTTL.Seconds()))
|
||||
te.TTL = te.ExplicitMaxTTL
|
||||
}
|
||||
}
|
||||
|
||||
// Create the token
|
||||
|
|
|
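Review bot: Both message formats in this hunk pass a float64 to a `%d` verb — `time.Duration.Seconds()` returns float64, so the error at "role explicit max TTL of %d is greater than system/mount allowed value of %d seconds" and the warning at "Requested TTL higher than role explicit max TTL; value being capped to %d seconds" will render as `%!d(float64=...)` rather than a number, and `go vet`'s printf check flags exactly this. Either switch the verbs to `%.0f` or convert the operands, e.g. `int64(role.ExplicitMaxTTL.Seconds()), int64(sysView.MaxLeaseTTL().Seconds())` for the error and `int64(role.ExplicitMaxTTL.Seconds())` for the warning. Moving the system/mount ceiling check from `te.ExplicitMaxTTL` to `role.ExplicitMaxTTL` is the right fix, since the old comparison presumably ran before the token entry's value had been populated from the role; a one-line comment such as `// Compare the role's value: te.ExplicitMaxTTL is only populated from the role below` would keep the ordering from being "simplified" back. handleCreateCommon begins and ends outside this hunk.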
@ -1673,13 +1673,36 @@ func TestTokenStore_RoleExplicitMaxTTL(t *testing.T) {
|
|||
// Note: these requests are sent to Core since Core handles registration
|
||||
// with the expiration manager and we need the storage to be consistent
|
||||
|
||||
// Make sure we can't make it larger than the system/mount max; we should get a warning on role write and an error on token creation
|
||||
req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
|
||||
req.ClientToken = root
|
||||
req.Data = map[string]interface{}{
|
||||
"explicit_max_ttl": "100h",
|
||||
}
|
||||
|
||||
resp, err := core.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v %v", err, resp)
|
||||
}
|
||||
if resp == nil {
|
||||
t.Fatalf("expected a warning")
|
||||
}
|
||||
|
||||
req.Operation = logical.UpdateOperation
|
||||
req.Path = "auth/token/create/test"
|
||||
resp, err = core.HandleRequest(req)
|
||||
if err == nil {
|
||||
t.Fatalf("expected an error")
|
||||
}
|
||||
|
||||
// Reset to a good explicit max
|
||||
req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
|
||||
req.ClientToken = root
|
||||
req.Data = map[string]interface{}{
|
||||
"explicit_max_ttl": "6s",
|
||||
}
|
||||
|
||||
resp, err := core.HandleRequest(req)
|
||||
resp, err = core.HandleRequest(req)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v %v", err, resp)
|
||||
}
|
||||
|
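Review bot: The test only checks `resp == nil` after writing the 100h role, which does not prove a warning was emitted; an empty non-nil response passes too. Replace it with `if resp == nil || len(resp.Warnings) == 0 { t.Fatalf("expected a warning, got %#v", resp) }`, and likewise tighten the token-create branch from `err == nil` to also assert the error kind, e.g. `if err == nil || err != logical.ErrInvalidRequest { t.Fatalf("expected ErrInvalidRequest, got %v (resp %v)", err, resp) }`, assuming core.HandleRequest passes the handler's error through unchanged. Note also that the create request reuses `req` with the role-write `Data` still attached (`explicit_max_ttl: "100h"`), which is presumably ignored by the create path but makes the intent harder to read; a fresh `logical.TestRequest` for the create call would be clearer. TestTokenStore_RoleExplicitMaxTTL starts before and continues after this hunk.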
|