From 82b3d136e6f8e0f62231db2cb25d655e0621bf69 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Fri, 5 Aug 2016 11:15:25 -0400
Subject: [PATCH] Don't mark never-expiring root tokens as renewable
---
 http/logical_test.go | 2 +-
 vault/token_store.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/http/logical_test.go b/http/logical_test.go
index 51c686ca3..ebb8f82f0 100644
--- a/http/logical_test.go
+++ b/http/logical_test.go
@@ -192,7 +192,7 @@ func TestLogical_CreateToken(t *testing.T) {
 "policies": []interface{}{"root"},
 "metadata": nil,
 "lease_duration": json.Number("0"),
- "renewable": true,
+ "renewable": false,
 },
 "warnings": nilWarnings,
 }
diff --git a/vault/token_store.go b/vault/token_store.go
index 5b31c0872..7a3bfa1b2 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1296,6 +1296,11 @@ func (ts *TokenStore) handleCreateCommon(
 }
 }
 
+ // Don't advertise non-expiring root tokens as renewable, as attempts to renew them are denied
+ if te.TTL == 0 {
+ renewable = false
+ }
+
 // Create the token
 if err := ts.create(&te); err != nil {
 return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
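Review bot: The guard `if te.TTL == 0` in vault/token_store.go is broader than its comment, because it clears `renewable` for any token entry whose TTL is zero at that point, while the comment speaks only of root tokens. If that is intended, the comment should state the rule the code applies, for example `// A zero TTL means the token never expires; renewing such tokens is denied, so don't advertise them as renewable`. The change only affects what the create response advertises, and the updated expectation in http/logical_test.go checks only that advertised field. Presumably the denial itself is enforced in the renew path, so a test asserting that renewing a zero-TTL token is rejected would keep advertisement and enforcement from drifting apart. handleCreateCommon starts and ends outside the hunk, so whether a non-root token can reach this line with a zero TTL cannot be confirmed from here.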