vault: Adding LeaseIssue for renew to allow limiting maximum lease length

logical/secret.go

@@ -25,6 +25,12 @@ type Secret struct {
 	// when returning a response.
 	LeaseIncrement time.Duration `json:"-"`
 
+	// LeaseIssue is the time of issue for the original lease. This is
+	// only available on a Renew operation and has no effect when returning
+	// a response. It can be used to enforce maximum lease periods by
+	// a logical backend.
+	LeaseIssue time.Time `json:"-"`
+
 	// LeaseID is the ID returned to the user to manage this secret.
 	// This is generated by Vault core. Any set value will be ignored.
 	// For requests, this will always be blank.

vault/expiration.go

@@ -462,6 +462,7 @@ func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
 // renewEntry is used to attempt renew of an internal entry
 func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
 	secret := *le.Secret
+	secret.LeaseIssue = le.IssueTime
 	secret.LeaseIncrement = increment
 	secret.LeaseID = ""
 

vault/expiration_test.go

@@ -639,6 +639,9 @@ func TestExpiration_renewEntry(t *testing.T) {
 	if req.Secret.LeaseIncrement != time.Second {
 		t.Fatalf("Bad: %v", req)
 	}
+	if req.Secret.LeaseIssue.IsZero() {
+		t.Fatalf("Bad: %v", req)
+	}
 }
 
 func TestExpiration_PersistLoadDelete(t *testing.T) {