Fix for using ExplicitMaxTTL in auth method plugins. (#5379)

* Fix for using ExplicitMaxTTL in auth method plugins. * Reverted pb.go files for readability of PR. * Fixed indenting of comment. * Reverted unintended change by go test.
2018-09-21 23:31:29 +02:00 · 2018-09-21 23:31:29 +02:00 · dc6ea9ecbb
parent b37b8b7edf
commit dc6ea9ecbb
4 changed files with 18 additions and 11 deletions
--- a/logical/auth.go
+++ b/logical/auth.go
@ -62,7 +62,7 @@ type Auth struct {

 	// ExplicitMaxTTL is the max TTL that constrains periodic tokens. For normal
 	// tokens, this value is constrained by the configured max ttl.
-	ExplicitMaxTTL time.Duration `json:"-" mapstructure:"-" structs:"-"`
+	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`

 	// Number of allowed uses of the issued token
 	NumUses int `json:"num_uses" mapstructure:"num_uses" structs:"num_uses"`
--- a/logical/plugin/pb/backend.proto
+++ b/logical/plugin/pb/backend.proto
@ -203,6 +203,10 @@ message Auth {
 	// help determine where a policy was sourced
 	repeated string token_policies = 14;
 	repeated string identity_policies = 15;
+
+	// Explicit maximum lifetime for the token. Unlike normal TTLs, the maximum
+	// TTL is a hard limit and cannot be exceeded, also counts for periodic tokens.
+	int64 explicit_max_ttl = 16;
 }

 message TokenEntry {
--- a/logical/plugin/pb/translation.go
+++ b/logical/plugin/pb/translation.go
@ -500,6 +500,7 @@ func LogicalAuthToProtoAuth(a *logical.Auth) (*Auth, error) {
 		Alias:            a.Alias,
 		GroupAliases:     a.GroupAliases,
 		BoundCIDRs:       boundCIDRs,
+		ExplicitMaxTTL:   int64(a.ExplicitMaxTTL),
 	}, nil
 }

@ -545,6 +546,7 @@ func ProtoAuthToLogicalAuth(a *Auth) (*logical.Auth, error) {
 		Alias:            a.Alias,
 		GroupAliases:     a.GroupAliases,
 		BoundCIDRs:       boundCIDRs,
+		ExplicitMaxTTL:   time.Duration(a.ExplicitMaxTTL),
 	}, nil
 }

--- a/vault/request_handling.go
+++ b/vault/request_handling.go
@ -1072,16 +1072,17 @@ func (c *Core) RegisterAuth(ctx context.Context, tokenTTL time.Duration, path st
 		return err
 	}
 	te := logical.TokenEntry{
-		Path:         path,
-		Meta:         auth.Metadata,
-		DisplayName:  auth.DisplayName,
-		CreationTime: time.Now().Unix(),
-		TTL:          tokenTTL,
-		NumUses:      auth.NumUses,
-		EntityID:     auth.EntityID,
-		BoundCIDRs:   auth.BoundCIDRs,
-		Policies:     auth.TokenPolicies,
-		NamespaceID:  ns.ID,
+		Path:           path,
+		Meta:           auth.Metadata,
+		DisplayName:    auth.DisplayName,
+		CreationTime:   time.Now().Unix(),
+		TTL:            tokenTTL,
+		NumUses:        auth.NumUses,
+		EntityID:       auth.EntityID,
+		BoundCIDRs:     auth.BoundCIDRs,
+		Policies:       auth.TokenPolicies,
+		NamespaceID:    ns.ID,
+		ExplicitMaxTTL: auth.ExplicitMaxTTL,
 	}

 	if err := c.tokenStore.create(ctx, &te); err != nil {