vault: Enforce non-renewability
parent
512b3d7afd
commit
82c5d9c478
|
@ -237,6 +237,11 @@ func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*log
|
|||
return nil, fmt.Errorf("lease expired")
|
||||
}
|
||||
|
||||
// Determine if the lease is renewable
|
||||
if !le.Secret.Renewable {
|
||||
return nil, fmt.Errorf("lease is not renewable")
|
||||
}
|
||||
|
||||
// Attempt to renew the entry
|
||||
resp, err := m.renewEntry(le, increment)
|
||||
if err != nil {
|
||||
|
@ -303,6 +308,11 @@ func (m *ExpirationManager) RenewToken(source string, token string) (*logical.Au
|
|||
return nil, fmt.Errorf("lease expired")
|
||||
}
|
||||
|
||||
// Determine if the lease is renewable
|
||||
if !le.Auth.Renewable {
|
||||
return nil, fmt.Errorf("lease is not renewable")
|
||||
}
|
||||
|
||||
// Update the lease entry
|
||||
var expireTime time.Time
|
||||
leaseTotal := le.Auth.Lease + le.Auth.LeaseGracePeriod
|
||||
|
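Review bot: Both new guards build the rejection with `fmt.Errorf("lease is not renewable")` as a fresh, untyped error (first in Renew, then again in RenewToken), so the system backend and the new tests can only recognise the condition by comparing the error text. Declare it once as a sentinel, e.g. `var ErrLeaseNotRenewable = errors.New("lease is not renewable")`, and `return nil, ErrLeaseNotRenewable` from both sites so callers compare by identity rather than by string and the message can change without silently breaking them. The Renew guard also dereferences `le.Secret` with no nil check; if a lease entry registered through RegisterAuth (which carries `le.Auth`) can ever reach Renew, that line panics rather than rejecting, which is worth confirming. Both Renew and RenewToken start and end outside their hunks.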
|
|
@ -326,6 +326,7 @@ func TestExpiration_RenewToken(t *testing.T) {
|
|||
auth := &logical.Auth{
|
||||
ClientToken: root.ID,
|
||||
Lease: time.Hour,
|
||||
Renewable: true,
|
||||
}
|
||||
err = exp.RegisterAuth("auth/github/login", auth)
|
||||
if err != nil {
|
||||
|
@ -342,6 +343,31 @@ func TestExpiration_RenewToken(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestExpiration_RenewToken_NotRenewable(t *testing.T) {
|
||||
exp := mockExpiration(t)
|
||||
root, err := exp.tokenStore.RootToken()
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
// Register a token
|
||||
auth := &logical.Auth{
|
||||
ClientToken: root.ID,
|
||||
Lease: time.Hour,
|
||||
Renewable: false,
|
||||
}
|
||||
err = exp.RegisterAuth("auth/github/login", auth)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
// Attempt to renew the token
|
||||
_, err = exp.RenewToken("auth/github/login", root.ID)
|
||||
if err.Error() != "lease is not renewable" {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExpiration_Renew(t *testing.T) {
|
||||
exp := mockExpiration(t)
|
||||
noop := &NoopBackend{}
|
||||
|
@ -355,7 +381,8 @@ func TestExpiration_Renew(t *testing.T) {
|
|||
}
|
||||
resp := &logical.Response{
|
||||
Secret: &logical.Secret{
|
||||
Lease: 20 * time.Millisecond,
|
||||
Lease: 20 * time.Millisecond,
|
||||
Renewable: true,
|
||||
},
|
||||
Data: map[string]interface{}{
|
||||
"access_key": "xyz",
|
||||
|
@ -396,6 +423,43 @@ func TestExpiration_Renew(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestExpiration_Renew_NotRenewable(t *testing.T) {
|
||||
exp := mockExpiration(t)
|
||||
noop := &NoopBackend{}
|
||||
_, barrier, _ := mockBarrier(t)
|
||||
view := NewBarrierView(barrier, "logical/")
|
||||
exp.router.Mount(noop, "prod/aws/", generateUUID(), view)
|
||||
|
||||
req := &logical.Request{
|
||||
Operation: logical.ReadOperation,
|
||||
Path: "prod/aws/foo",
|
||||
}
|
||||
resp := &logical.Response{
|
||||
Secret: &logical.Secret{
|
||||
Lease: 20 * time.Millisecond,
|
||||
Renewable: false,
|
||||
},
|
||||
Data: map[string]interface{}{
|
||||
"access_key": "xyz",
|
||||
"secret_key": "abcd",
|
||||
},
|
||||
}
|
||||
|
||||
id, err := exp.Register(req, resp)
|
||||
if err != nil {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
_, err = exp.Renew(id, 0)
|
||||
if err.Error() != "lease is not renewable" {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
if len(noop.Requests) != 0 {
|
||||
t.Fatalf("Bad: %#v", noop.Requests)
|
||||
}
|
||||
}
|
||||
|
||||
func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
|
||||
exp := mockExpiration(t)
|
||||
noop := &NoopBackend{}
|
||||
|
@ -409,7 +473,8 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) {
|
|||
}
|
||||
resp := &logical.Response{
|
||||
Secret: &logical.Secret{
|
||||
Lease: 20 * time.Millisecond,
|
||||
Lease: 20 * time.Millisecond,
|
||||
Renewable: true,
|
||||
},
|
||||
Data: map[string]interface{}{
|
||||
"access_key": "xyz",
|
||||
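Review bot: TestExpiration_RenewToken_NotRenewable and TestExpiration_Renew_NotRenewable both call `err.Error()` on the returned error before checking that it is non-nil, so a regression that lets a non-renewable lease renew would surface as a nil-pointer panic instead of a readable failure. Guard the comparison at both sites, `if err == nil || err.Error() != "lease is not renewable" {`, so the test reports the unexpected success. The RenewToken variant could additionally assert, as the Renew variant does with `noop.Requests`, that nothing downstream was invoked, so a refused renewal provably leaves the lease untouched.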
|
|
|
@ -183,14 +183,12 @@ func TestSystemBackend_renew(t *testing.T) {
|
|||
req2 := logical.TestRequest(t, logical.WriteOperation, "renew/"+resp.Secret.LeaseID)
|
||||
req2.Data["increment"] = 100
|
||||
resp2, err := b.HandleRequest(req2)
|
||||
if err != nil {
|
||||
if err != logical.ErrInvalidRequest {
|
||||
t.Fatalf("err: %v", err)
|
||||
}
|
||||
|
||||
if resp2.Secret.LeaseID != resp.Secret.LeaseID {
|
||||
t.Fatalf("bad: %#v", resp)
|
||||
}
|
||||
if resp2.Data["foo"] != "bar" {
|
||||
// Should get error about non-renewability
|
||||
if resp2.Data["error"] != "lease is not renewable" {
|
||||
t.Fatalf("bad: %#v", resp)
|
||||
}
|
||||
}
|
||||
|
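Review bot: TestSystemBackend_renew now only exercises the rejected path; the assertions on `resp2.Secret.LeaseID` and `resp2.Data["foo"]` that covered a successful renewal are removed rather than moved to a second fixture with `Renewable: true`, so the positive renew behaviour of the sys backend is no longer tested here. The new check `if resp2.Data["error"] != "lease is not renewable" {` also assumes HandleRequest returns a non-nil response together with `logical.ErrInvalidRequest`; if it can return a nil response in that case the test panics, so `if resp2 == nil || resp2.Data["error"] != "lease is not renewable" {` is safer. The enclosing test function starts and ends outside the hunk.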
|
|
@ -624,6 +624,7 @@ func TestTokenStore_HandleRequest_Renew(t *testing.T) {
|
|||
auth := &logical.Auth{
|
||||
ClientToken: root.ID,
|
||||
Lease: time.Hour,
|
||||
Renewable: true,
|
||||
}
|
||||
err = exp.RegisterAuth("sys/root", auth)
|
||||
if err != nil {
|
||||
|
|