open-vault/logical/framework/lease.go

84 lines
2.5 KiB
Go

package framework
import (
"fmt"
"time"
"github.com/hashicorp/vault/logical"
)
// LeaseExtend returns an OperationFunc that can be used to simply extend
// the lease of the auth/secret for the duration that was requested. Max
// is the max time past the _current_ time that a lease can be extended. i.e.
// setting it to 2 hours forces a renewal within the next 2 hours again.
//
// maxSession is the maximum session length allowed since the original
// issue time. If this is zero, it is ignored.
//
// maxFromLease controls if the maximum renewal period comes from the existing
// lease. This means the value of `max` will be replaced with the existing
// lease duration.
func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc {
return func(req *logical.Request, data *FieldData) (*logical.Response, error) {
leaseOpts := detectLease(req)
if leaseOpts == nil {
return nil, fmt.Errorf("no lease options for request")
}
// Check if we should limit max
if maxFromLease {
max = leaseOpts.TTL
}
// Sanity check the desired increment
switch {
// Protect against negative leases
case leaseOpts.Increment < 0:
return logical.ErrorResponse(
"increment must be greater than 0"), logical.ErrInvalidRequest
// If no lease increment, or too large of an increment, use the max
case max > 0 && leaseOpts.Increment == 0, max > 0 && leaseOpts.Increment > max:
leaseOpts.Increment = max
}
// Get the current time
now := time.Now().UTC()
// Check if we're passed the issue limit
var maxSessionTime time.Time
if maxSession > 0 {
maxSessionTime = leaseOpts.IssueTime.Add(maxSession)
if maxSessionTime.Before(now) {
return logical.ErrorResponse(fmt.Sprintf(
"lease can only be renewed up to %s past original issue",
maxSession)), logical.ErrInvalidRequest
}
}
// The new lease is the minimum of the requested Increment
// or the maxSessionTime
requestedLease := now.Add(leaseOpts.Increment)
if !maxSessionTime.IsZero() && requestedLease.After(maxSessionTime) {
requestedLease = maxSessionTime
}
// Determine the requested lease
newLeaseDuration := requestedLease.Sub(now)
// Set the lease
leaseOpts.TTL = newLeaseDuration
return &logical.Response{Auth: req.Auth, Secret: req.Secret}, nil
}
}
func detectLease(req *logical.Request) *logical.LeaseOptions {
if req.Auth != nil {
return &req.Auth.LeaseOptions
} else if req.Secret != nil {
return &req.Secret.LeaseOptions
}
return nil
}