From c386a7c0141cc12d5df8cc575343d919ee3bc5b0 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Wed, 11 May 2016 18:46:55 -0400
Subject: [PATCH] Fix bug around disallowing explicit max greater than sysview max

---
 vault/token_store.go | 18 +++++++++---------
 vault/token_store_test.go | 25 ++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 10 deletions(-)

diff --git a/vault/token_store.go b/vault/token_store.go
index 535dc2245c..48791d274e 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -1047,20 +1047,20 @@ func (ts *TokenStore) handleCreateCommon(
 		sysView := ts.System()
 
 		// Limit the lease duration
-		if sysView.MaxLeaseTTL() != time.Duration(0) && te.ExplicitMaxTTL > sysView.MaxLeaseTTL() {
+		if sysView.MaxLeaseTTL() != time.Duration(0) && role.ExplicitMaxTTL > sysView.MaxLeaseTTL() {
 			return logical.ErrorResponse(fmt.Sprintf(
 				"role explicit max TTL of %d is greater than system/mount allowed value of %d seconds",
-				te.ExplicitMaxTTL.Seconds(), sysView.MaxLeaseTTL().Seconds())), logical.ErrInvalidRequest
+				role.ExplicitMaxTTL.Seconds(), sysView.MaxLeaseTTL().Seconds())), logical.ErrInvalidRequest
+		}
+
+		if te.TTL > role.ExplicitMaxTTL {
+			resp.AddWarning(fmt.Sprintf(
+				"Requested TTL higher than role explicit max TTL; value being capped to %d seconds",
+				role.ExplicitMaxTTL.Seconds()))
+			te.TTL = role.ExplicitMaxTTL
 		}
 
 		te.ExplicitMaxTTL = role.ExplicitMaxTTL
-
-		if te.TTL > te.ExplicitMaxTTL {
-			resp.AddWarning(fmt.Sprintf(
-				"Requested TTL higher than role explicit max TTL; value being capped to %d seconds",
-				te.ExplicitMaxTTL.Seconds()))
-			te.TTL = te.ExplicitMaxTTL
-		}
 	}
 
 	// Create the token
diff --git a/vault/token_store_test.go b/vault/token_store_test.go
index 449875da19..8bd7f158ba 100644
--- a/vault/token_store_test.go
+++ b/vault/token_store_test.go
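Review bot: Both Sprintf calls in the new code still pair `%d` with a float64, since `time.Duration.Seconds()` returns float64, so the error and warning messages render as `%!d(float64=...)` instead of the intended seconds value; go vet's printf check reports exactly this. Converting at the call sites fixes it, e.g. `int64(role.ExplicitMaxTTL.Seconds()), int64(sysView.MaxLeaseTTL().Seconds()))` in the error path and `int64(role.ExplicitMaxTTL.Seconds())` in the warning. The enclosing block inside handleCreateCommon starts outside the hunk, so it is not visible whether it guards `role.ExplicitMaxTTL != 0`; if it does not, the new cap `if te.TTL > role.ExplicitMaxTTL` would reduce a token's TTL to zero for a role with no explicit max, which is worth confirming against the surrounding condition.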
@@ -1673,13 +1673,36 @@ func TestTokenStore_RoleExplicitMaxTTL(t *testing.T) {
 	// Note: these requests are sent to Core since Core handles registration
 	// with the expiration manager and we need the storage to be consistent
+	// Make sure we can't make it larger than the system/mount max; we should get a warning on role write and an error on token creation
 	req := logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
 	req.ClientToken = root
+	req.Data = map[string]interface{}{
+		"explicit_max_ttl": "100h",
+	}
+
+	resp, err := core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v %v", err, resp)
+	}
+	if resp == nil {
+		t.Fatalf("expected a warning")
+	}
+
+	req.Operation = logical.UpdateOperation
+	req.Path = "auth/token/create/test"
+	resp, err = core.HandleRequest(req)
+	if err == nil {
+		t.Fatalf("expected an error")
+	}
+
+	// Reset to a good explicit max
+	req = logical.TestRequest(t, logical.UpdateOperation, "auth/token/roles/test")
+	req.ClientToken = root
 	req.Data = map[string]interface{}{
 		"explicit_max_ttl": "6s",
 	}
-	resp, err := core.HandleRequest(req)
+	resp, err = core.HandleRequest(req)
 	if err != nil {
 		t.Fatalf("err: %v %v", err, resp)
 	}