Merge pull request #1740 from hashicorp/fix-upgrade-periodic-roles
Ensure we don't use a token entry period of 0 in role comparisons.
commit
e7261bc31f
|
@ -1243,6 +1243,7 @@ func (ts *TokenStore) handleCreateCommon(
|
||||||
te.ExplicitMaxTTL = dur
|
te.ExplicitMaxTTL = dur
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var periodToUse time.Duration
|
||||||
if data.Period != "" {
|
if data.Period != "" {
|
||||||
if !isSudo {
|
if !isSudo {
|
||||||
return logical.ErrorResponse("root or sudo privileges required to create periodic token"),
|
return logical.ErrorResponse("root or sudo privileges required to create periodic token"),
|
||||||
|
@ -1256,6 +1257,7 @@ func (ts *TokenStore) handleCreateCommon(
|
||||||
return logical.ErrorResponse("period must be positive"), logical.ErrInvalidRequest
|
return logical.ErrorResponse("period must be positive"), logical.ErrInvalidRequest
|
||||||
}
|
}
|
||||||
te.Period = dur
|
te.Period = dur
|
||||||
|
periodToUse = dur
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse the TTL/lease if any
|
// Parse the TTL/lease if any
|
||||||
|
@ -1295,21 +1297,21 @@ func (ts *TokenStore) handleCreateCommon(
|
||||||
}
|
}
|
||||||
if role.Period != 0 {
|
if role.Period != 0 {
|
||||||
switch {
|
switch {
|
||||||
case te.Period == 0:
|
case periodToUse == 0:
|
||||||
te.Period = role.Period
|
periodToUse = role.Period
|
||||||
default:
|
default:
|
||||||
if role.Period < te.Period {
|
if role.Period < periodToUse {
|
||||||
te.Period = role.Period
|
periodToUse = role.Period
|
||||||
}
|
}
|
||||||
resp.AddWarning(fmt.Sprintf("Period specified both during creation call and in role; using the lesser value of %d seconds", int64(te.Period.Seconds())))
|
resp.AddWarning(fmt.Sprintf("Period specified both during creation call and in role; using the lesser value of %d seconds", int64(periodToUse.Seconds())))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
sysView := ts.System()
|
sysView := ts.System()
|
||||||
|
|
||||||
if te.Period > 0 {
|
if periodToUse > 0 {
|
||||||
te.TTL = te.Period
|
te.TTL = periodToUse
|
||||||
} else {
|
} else {
|
||||||
// Set the default lease if not provided, root tokens are exempt
|
// Set the default lease if not provided, root tokens are exempt
|
||||||
if te.TTL == 0 && !strutil.StrListContains(te.Policies, "root") {
|
if te.TTL == 0 && !strutil.StrListContains(te.Policies, "root") {
|
||||||
|
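Review bot: After this hunk `te.Period` no longer reflects the period actually in force: in the `default:` branch the role period is applied only to the local `periodToUse` while `te.Period` keeps the larger requested value, and in the `periodToUse == 0` branch nothing is stored on the entry at all. The TTL taken from `periodToUse` below is correct, and the later `authRenew` hunk recomputes the effective period against the role on each renewal, but the `handleLookup` hunk now reports `out.Period` whenever it is non-zero, so a lookup of a token created with a period larger than its role's will presumably show the requested rather than the effective period. Since this is intentional for the upgrade case, it deserves a comment in front of the `switch` here, e.g. `// periodToUse is the effective period for this creation call; te.Period records only an explicitly requested period, and the role period is re-applied against it in authRenew.` handleCreateCommon starts and ends outside this hunk.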
@ -1326,7 +1328,7 @@ func (ts *TokenStore) handleCreateCommon(
|
||||||
// period as it's defined to escape the max TTL
|
// period as it's defined to escape the max TTL
|
||||||
if te.ExplicitMaxTTL > 0 {
|
if te.ExplicitMaxTTL > 0 {
|
||||||
// Limit the lease duration, except for periodic tokens -- in that case the explicit max limits the period, which itself can escape normal max
|
// Limit the lease duration, except for periodic tokens -- in that case the explicit max limits the period, which itself can escape normal max
|
||||||
if sysView.MaxLeaseTTL() != 0 && te.ExplicitMaxTTL > sysView.MaxLeaseTTL() && te.Period == 0 {
|
if sysView.MaxLeaseTTL() != 0 && te.ExplicitMaxTTL > sysView.MaxLeaseTTL() && periodToUse == 0 {
|
||||||
resp.AddWarning(fmt.Sprintf(
|
resp.AddWarning(fmt.Sprintf(
|
||||||
"Explicit max TTL of %d seconds is greater than system/mount allowed value; value is being capped to %d seconds",
|
"Explicit max TTL of %d seconds is greater than system/mount allowed value; value is being capped to %d seconds",
|
||||||
int64(te.ExplicitMaxTTL.Seconds()), int64(sysView.MaxLeaseTTL().Seconds())))
|
int64(te.ExplicitMaxTTL.Seconds()), int64(sysView.MaxLeaseTTL().Seconds())))
|
||||||
|
@ -1514,7 +1516,8 @@ func (ts *TokenStore) handleLookup(
|
||||||
|
|
||||||
if out.Role != "" {
|
if out.Role != "" {
|
||||||
resp.Data["role"] = out.Role
|
resp.Data["role"] = out.Role
|
||||||
} else if out.Period != 0 {
|
}
|
||||||
|
if out.Period != 0 {
|
||||||
resp.Data["period"] = int64(out.Period.Seconds())
|
resp.Data["period"] = int64(out.Period.Seconds())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1643,7 +1646,7 @@ func (ts *TokenStore) authRenew(
|
||||||
// Same deal here, but using the role period
|
// Same deal here, but using the role period
|
||||||
if role.Period != 0 {
|
if role.Period != 0 {
|
||||||
periodToUse := role.Period
|
periodToUse := role.Period
|
||||||
if te.Period < role.Period {
|
if te.Period > 0 && te.Period < role.Period {
|
||||||
periodToUse = te.Period
|
periodToUse = te.Period
|
||||||
}
|
}
|
||||||
if te.ExplicitMaxTTL == 0 {
|
if te.ExplicitMaxTTL == 0 {
|
||||||
|
|
|
@ -1967,7 +1967,7 @@ func TestTokenStore_RolePeriod(t *testing.T) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Let the TTL go down a bit to 3 seconds
|
// Let the TTL go down a bit to 3 seconds
|
||||||
time.Sleep(2 * time.Second)
|
time.Sleep(3 * time.Second)
|
||||||
|
|
||||||
req.Operation = logical.UpdateOperation
|
req.Operation = logical.UpdateOperation
|
||||||
req.Path = "auth/token/renew-self"
|
req.Path = "auth/token/renew-self"
|
||||||
|
|