Add renewable flag to token store roles

vault/token_store.go

@@ -156,6 +156,12 @@ func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error)
 						Default:     0,
 						Description: tokenExplicitMaxTTLHelp,
 					},
+
+					"renewable": &framework.FieldSchema{
+						Type:        framework.TypeBool,
+						Default:     true,
+						Description: tokenRenewableHelp,
+					},
 				},
 
 				Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -444,6 +450,9 @@ type tsRoleEntry struct {
 	// revoke using 'revoke-prefix'
 	PathSuffix string `json:"path_suffix" mapstructure:"path_suffix" structs:"path_suffix"`
 
+	// If set, controls whether created tokens are marked as being renewable
+	Renewable bool `json:"renewable" mapstructure:"renewable" structs:"renewable"`
+
 	// If set, the token entry will have an explicit maximum TTL set, rather
 	// than deferring to role/mount values
 	ExplicitMaxTTL time.Duration `json:"explicit_max_ttl" mapstructure:"explicit_max_ttl" structs:"explicit_max_ttl"`
@@ -978,6 +987,12 @@ func (ts *TokenStore) handleCreateCommon(
 	if role != nil {
 		te.Role = role.Name
 
+		// If renewable hasn't been disabled in the call and the role has
+		// renewability disabled, set renewable false
+		if renewable && !role.Renewable {
+			renewable = false
+		}
+
 		if role.PathSuffix != "" {
 			te.Path = fmt.Sprintf("%s/%s", te.Path, role.PathSuffix)
 		}
@@ -1449,6 +1464,7 @@ func (ts *TokenStore) tokenStoreRoleRead(
 			"name":             role.Name,
 			"orphan":           role.Orphan,
 			"path_suffix":      role.PathSuffix,
+			"renewable":        role.Renewable,
 		},
 	}
 
@@ -1505,6 +1521,13 @@ func (ts *TokenStore) tokenStoreRoleCreateUpdate(
 		entry.Period = time.Second * time.Duration(data.Get("period").(int))
 	}
 
+	renewableInt, ok := data.GetOk("renewable")
+	if ok {
+		entry.Renewable = renewableInt.(bool)
+	} else if req.Operation == logical.CreateOperation {
+		entry.Renewable = data.Get("renewable").(bool)
+	}
+
 	var resp *logical.Response
 
 	explicitMaxTTLInt, ok := data.GetOk("explicit_max_ttl")
@@ -1610,4 +1633,7 @@ the current maximum TTL values of the role
 and the mount are not checked for changes,
 and any updates to these values will have
 no effect on the token being renewed.`
+	tokenRenewableHelp = `Tokens created via this role will be
+renewable or not according to this value.
+Defaults to "true".`
 )

vault/token_store_test.go

@@ -1275,6 +1275,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"allowed_policies": []string{"default", "test1", "test2"},
 		"path_suffix":      "happenin",
 		"explicit_max_ttl": int64(0),
+		"renewable":        true,
 	}
 
 	if !reflect.DeepEqual(expected, resp.Data) {
@@ -1288,6 +1289,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"period":           "79h",
 		"allowed_policies": "test3",
 		"path_suffix":      "happenin",
+		"renewable":        false,
 	}
 
 	resp, err = core.HandleRequest(req)
@@ -1316,6 +1318,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"allowed_policies": []string{"default", "test3"},
 		"path_suffix":      "happenin",
 		"explicit_max_ttl": int64(0),
+		"renewable":        false,
 	}
 
 	if !reflect.DeepEqual(expected, resp.Data) {
@@ -1363,6 +1366,7 @@ func TestTokenStore_RoleCRUD(t *testing.T) {
 		"allowed_policies": []string{"default", "test3"},
 		"path_suffix":      "happenin",
 		"period":           int64(0),
+		"renewable":        false,
 	}
 
 	if !reflect.DeepEqual(expected, resp.Data) {

website/source/docs/auth/token.html.md

@@ -603,6 +603,13 @@ of the header should be "X-Vault-Token" and the value should be the token.
         track updates to the role value; the new period takes effect upon next
         renew. This cannot be used in conjunction with `explicit_max_ttl`.
       </li>
+      <li>
+        <span class="param">renewable</span>
+        <span class="param-flags">optional</span>
+        Set to `false` to disable the ability of token created against this
+        role to be renewed past their initial TTL. Defaults to `true`, which
+        allows tokens to be renewed up to the system/mount maximum TTL.
+      </li>
       <li>
         <span class="param">path_suffix</span>
         <span class="param-flags">optional</span>