From 0bd806a5860aef787da9a0dd39c5830bbf5b0c83 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Wed, 17 Jun 2015 15:22:50 -0700
Subject: [PATCH] vault: ensure token renew does not double register

---
 vault/core.go      |  5 +++--
 vault/core_test.go | 49 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/vault/core.go b/vault/core.go
index 723fe23796..9791412c08 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -413,8 +413,9 @@ func (c *Core) handleRequest(req *logical.Request) (*logical.Response, error) {
 	}
 
 	// Only the token store is allowed to return an auth block, for any
-	// other request this is an internal error
-	if resp != nil && resp.Auth != nil {
+	// other request this is an internal error. We exclude renewal of a token,
+	// since it does not need to be re-registered
+	if resp != nil && resp.Auth != nil && !strings.HasPrefix(req.Path, "auth/token/renew/") {
 		if !strings.HasPrefix(req.Path, "auth/token/") {
 			c.logger.Printf(
 				"[ERR] core: unexpected Auth response for non-token backend "+
diff --git a/vault/core_test.go b/vault/core_test.go
index c27f03460d..25cebf1943 100644
--- a/vault/core_test.go
+++ b/vault/core_test.go
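Review bot: The new guard keys the exclusion on the raw request path prefix `auth/token/renew/`, so any renewal-style token-store path that does not share that prefix (a self-renew endpoint, if one exists or is added later) would still fall into the registration branch and create a second lease for the same token. I would hoist the literal into a named constant next to the existing `auth/token/` prefix and have the comment state the consequence rather than just the rule, e.g. `// Renewals must not be registered again: a second lease for the same token would let a revoke of the auth/token/renew/ prefix (or that lease's expiry) revoke a token that is still valid.` Note also that the guard drops the renewal's Auth block from this branch entirely, so any updated TTL it carries has to be applied by the renew handler itself rather than here; worth confirming, since handleRequest continues past the end of the hunk.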
@@ -1368,6 +1368,55 @@ func TestCore_RenewSameLease(t *testing.T) {
 	}
 }
 
+// Renew of a token should not create a new lease
+func TestCore_RenewToken_SingleRegister(t *testing.T) {
+	c, _, root := TestCoreUnsealed(t)
+
+	// Create a new token
+	req := &logical.Request{
+		Operation: logical.WriteOperation,
+		Path: "auth/token/create",
+		Data: map[string]interface{}{
+			"lease": "1h",
+		},
+		ClientToken: root,
+	}
+	resp, err := c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	newClient := resp.Auth.ClientToken
+
+	// Renew the token
+	req = logical.TestRequest(t, logical.WriteOperation, "auth/token/renew/"+newClient)
+	req.ClientToken = newClient
+	resp, err = c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Revoke using the renew prefix
+	req = logical.TestRequest(t, logical.WriteOperation, "sys/revoke-prefix/auth/token/renew/")
+	req.ClientToken = root
+	resp, err = c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify our token is still valid (e.g. we did not get invalided by the revoke)
+	req = logical.TestRequest(t, logical.ReadOperation, "auth/token/lookup/"+newClient)
+	req.ClientToken = newClient
+	resp, err = c.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+
+	// Verify the token exists
+	if resp.Data["id"] != newClient {
+		t.Fatalf("bad: %#v", resp.Data)
+	}
+}
+
 // Based on bug GH-203, attempt to disable a credential backend with leased secrets
 func TestCore_EnableDisableCred_WithLease(t *testing.T) {
 	// Create a badass credential backend that always logs in as armon
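Review bot: The renew response is assigned to `resp` but never inspected, so the test would still pass if `auth/token/renew/` returned no Auth block at all, which is precisely the case in which the new core.go guard is never exercised; add `if resp == nil || resp.Auth == nil { t.Fatalf("bad: %#v", resp) }` after the renew call so the test demonstrates that an Auth block came back and was not re-registered. The final check indexes `resp.Data["id"]` without guarding `resp`, so a nil response from the lookup would panic instead of reporting a clean failure; `if resp == nil || resp.Data["id"] != newClient {` keeps the existing message. The `resp` from the revoke-prefix call is likewise unused and could be discarded with `_`. Minor: the comment typo `invalided` should read `invalidated`.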