From 7df486482b90b57992e078f62ba8278642178e6f Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Thu, 9 Apr 2015 11:54:32 -0700
Subject: [PATCH] vault: Adding LeaseIssue for renew to allow limiting maximum lease length

---
 logical/secret.go | 6 ++++++
 vault/expiration.go | 1 +
 vault/expiration_test.go | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/logical/secret.go b/logical/secret.go
index b460f252f..44676438a 100644
--- a/logical/secret.go
+++ b/logical/secret.go
@@ -25,6 +25,12 @@ type Secret struct {
 // when returning a response.
 LeaseIncrement time.Duration `json:"-"`
+ // LeaseIssue is the time of issue for the original lease. This is
+ // only available on a Renew operation and has no effect when returning
+ // a response. It can be used to enforce maximum lease periods by
+ // a logical backend.
+ LeaseIssue time.Time `json:"-"`
+
 // LeaseID is the ID returned to the user to manage this secret.
 // This is generated by Vault core. Any set value will be ignored.
 // For requests, this will always be blank.
diff --git a/vault/expiration.go b/vault/expiration.go
index 05b715192..4c4e91769 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -462,6 +462,7 @@ func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
 // renewEntry is used to attempt renew of an internal entry
 func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
 secret := *le.Secret
+ secret.LeaseIssue = le.IssueTime
 secret.LeaseIncrement = increment
 secret.LeaseID = ""
diff --git a/vault/expiration_test.go b/vault/expiration_test.go
index 053a2227b..76717d26c 100644
--- a/vault/expiration_test.go
+++ b/vault/expiration_test.go
@@ -639,6 +639,9 @@ func TestExpiration_renewEntry(t *testing.T) {
 if req.Secret.LeaseIncrement != time.Second {
 t.Fatalf("Bad: %v", req)
 }
+ if req.Secret.LeaseIssue.IsZero() {
+ t.Fatalf("Bad: %v", req)
+ }
 }
 func TestExpiration_PersistLoadDelete(t *testing.T) {
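Review bot: The LeaseIssue doc comment does not say what a backend sees on anything other than a Renew operation; since the field is tagged `json:"-"` and is only populated by core on renew, it will be the zero `time.Time` on every other request, so a backend that enforces a maximum lease must guard before doing arithmetic against it. Suggest appending to the comment: `// On non-renew operations it is the zero time; check IsZero() before using it.` The Secret struct begins and ends outside the hunk.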
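Review bot: `secret.LeaseIssue = le.IssueTime` gives the backend the data to cap total lease lifetime, but nothing in core enforces a maximum, so the cap only exists if each backend that cares checks it; a one-line comment above the assignment, `// Expose the original issue time so a backend can bound total lease duration on renew`, would make that contract visible to the next reader. The protection also depends on le.IssueTime being set once at registration and never advanced on renew; that logic is outside the hunk and worth confirming, because a renew path that refreshes IssueTime would silently defeat any backend-side cap. renewEntry continues past the end of the hunk.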
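Review bot: The new assertion only proves LeaseIssue is non-zero, not that it carries the lease's original issue time, so a later change that set it to the current time on each renew would still pass. If the lease entry is in scope in this test (it is constructed above the hunk, outside view, so the variable name is inferred), compare directly: `if !req.Secret.LeaseIssue.Equal(le.IssueTime) { t.Fatalf("Bad: %v", req) }`. TestExpiration_renewEntry starts outside the hunk.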