Make "ttl" reflect the actual TTL of the token in lookup calls.

Add a new value "creation_ttl" which holds the value at creation time. Fixes #986
2016-02-01 11:16:32 -05:00 · 2016-02-01 11:16:32 -05:00 · ff3adce39e
parent 0f5db5da6c
commit ff3adce39e
4 changed files with 20 additions and 6 deletions
--- a/http/logical_test.go
+++ b/http/logical_test.go
@ -126,6 +126,7 @@ func TestLogical_StandbyRedirect(t *testing.T) {
 			"orphan":       true,
 			"id":           root,
 			"ttl":          float64(0),
+			"creation_ttl": float64(0),
 		},
 		"warnings": nilWarnings,
 		"auth":     nil,
--- a/http/sys_generate_root_test.go
+++ b/http/sys_generate_root_test.go
@ -262,6 +262,7 @@ func TestSysGenerateRoot_Update_OTP(t *testing.T) {
 		"num_uses":     float64(0),
 		"policies":     []interface{}{"root"},
 		"orphan":       true,
+		"creation_ttl": float64(0),
 		"ttl":          float64(0),
 		"path":         "auth/token/root",
 	}
@ -341,6 +342,7 @@ func TestSysGenerateRoot_Update_PGP(t *testing.T) {
 		"num_uses":     float64(0),
 		"policies":     []interface{}{"root"},
 		"orphan":       true,
+		"creation_ttl": float64(0),
 		"ttl":          float64(0),
 		"path":         "auth/token/root",
 	}
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -77,9 +77,6 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)

 	// Setup the framework endpoints
 	t.Backend = &framework.Backend{
-		// Allow a token lease to be extended indefinitely, but each time for only
-		// as much as the original lease allowed for. If the lease has a 1 hour expiration,
-		// it can only be extended up to another hour each time this means.
 		AuthRenew: t.authRenew,

 		PathsSpecial: &logical.Paths{
@ -841,7 +838,8 @@ func (ts *TokenStore) handleLookup(
 			"num_uses":      out.NumUses,
 			"orphan":        false,
 			"creation_time": int64(out.CreationTime),
-			"ttl":           int64(out.TTL.Seconds()),
+			"creation_ttl":  int64(out.TTL.Seconds()),
+			"ttl":           int64(0),
 		},
 	}

@ -854,8 +852,13 @@ func (ts *TokenStore) handleLookup(
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}
-	if leaseTimes != nil && !leaseTimes.LastRenewalTime.IsZero() {
-		resp.Data["last_renewal_time"] = leaseTimes.LastRenewalTime.Unix()
+	if leaseTimes != nil {
+		if !leaseTimes.LastRenewalTime.IsZero() {
+			resp.Data["last_renewal_time"] = leaseTimes.LastRenewalTime.Unix()
+		}
+		if !leaseTimes.ExpireTime.IsZero() {
+			resp.Data["ttl"] = int64(leaseTimes.ExpireTime.Sub(time.Now().Round(time.Second)).Seconds())
+		}
 	}

 	return resp, nil
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
@ -837,6 +837,7 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 		"display_name": "root",
 		"orphan":       true,
 		"num_uses":     0,
+		"creation_ttl": int64(0),
 		"ttl":          int64(0),
 	}

@ -868,6 +869,7 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 		"display_name": "token",
 		"orphan":       false,
 		"num_uses":     0,
+		"creation_ttl": int64(3600),
 		"ttl":          int64(3600),
 	}

@ -876,6 +878,11 @@ func TestTokenStore_HandleRequest_Lookup(t *testing.T) {
 	}
 	delete(resp.Data, "creation_time")

+	// Depending on timing of the test this may have ticked down, so accept 3599
+	if resp.Data["ttl"].(int64) == 3599 {
+		resp.Data["ttl"] = int64(3600)
+	}
+
 	if !reflect.DeepEqual(resp.Data, exp) {
 		t.Fatalf("bad:\n%#v\nexp:\n%#v\n", resp.Data, exp)
 	}
@ -964,6 +971,7 @@ func TestTokenStore_HandleRequest_LookupSelf(t *testing.T) {
 		"display_name": "root",
 		"orphan":       true,
 		"num_uses":     0,
+		"creation_ttl": int64(0),
 		"ttl":          int64(0),
 	}