From 517571c04a8a3d02c3571509ceb7e18cebd0e2ea Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Wed, 8 Jun 2016 11:14:30 -0400
Subject: [PATCH] Add renewable flag and API setting for token creation
---
 api/auth_token.go | 1 +
 api/auth_token_test.go | 29 ++++++++++++++++++++++++++++-
 command/token_create.go | 12 +++++++++---
 vault/token_store.go | 8 +++++++-
 4 files changed, 45 insertions(+), 5 deletions(-)
diff --git a/api/auth_token.go b/api/auth_token.go
index 3f52f59a93..e69ce0f23b 100644
--- a/api/auth_token.go
+++ b/api/auth_token.go
@@ -173,4 +173,5 @@ type TokenCreateRequest struct {
 NoDefaultPolicy bool `json:"no_default_policy,omitempty"`
 DisplayName string `json:"display_name"`
 NumUses int `json:"num_uses"`
+ Renewable *bool `json:"renewable,omitempty"`
 }
diff --git a/api/auth_token_test.go b/api/auth_token_test.go
index cbb80ddcf2..faaefcc8df 100644
--- a/api/auth_token_test.go
+++ b/api/auth_token_test.go
@@ -28,10 +28,37 @@ func TestAuthTokenCreate(t *testing.T) {
 if err != nil {
 t.Fatal(err)
 }
-
 if secret.Auth.LeaseDuration != 3600 {
 t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
 }
+
+ renewCreateRequest := &TokenCreateRequest{
+ TTL: "1h",
+ Renewable: new(bool),
+ }
+
+ secret, err = client.Auth().Token().Create(renewCreateRequest)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if secret.Auth.LeaseDuration != 3600 {
+ t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
+ }
+ if secret.Auth.Renewable {
+ t.Errorf("expected non-renewable token")
+ }
+
+ *renewCreateRequest.Renewable = true
+ secret, err = client.Auth().Token().Create(renewCreateRequest)
+ if err != nil {
+ t.Fatal(err)
+ }
+ if secret.Auth.LeaseDuration != 3600 {
+ t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
+ }
+ if !secret.Auth.Renewable {
+ t.Errorf("expected renewable token")
+ }
 }
 
 func TestAuthTokenLookup(t *testing.T) {
diff --git a/command/token_create.go b/command/token_create.go
index 52fd250b8b..9d1cd1cb22 100644
--- a/command/token_create.go
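Review bot: The new `Renewable *bool` field on TokenCreateRequest carries no doc comment, and the pointer-plus-`omitempty` combination is exactly what lets a caller transmit an explicit `false` (a plain `bool` with `omitempty` would drop it), so the tri-state needs spelling out. Suggest `// Renewable, when non-nil, sets whether the token may be renewed; nil omits the field so the server applies its default.` above the field. The vault/token_store.go hunk in this same patch defaults a missing value to renewable, so the comment can state which way nil falls.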
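Review bot: The three new `t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)` lines format a numeric value with `%q` (the value is compared against 3600 on the line above each), so a failure would print a quoted character literal rather than the duration; `%d` is the right verb, and the pre-existing context line above has the same problem. `Renewable: new(bool)` relies on the zero value being false to request a non-renewable token, which is easy to misread as "unset"; a comment such as `// explicitly non-renewable: a nil pointer would mean "server default"` next to it would make the intent clear. TestAuthTokenCreate starts outside the hunk.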
+++ b/command/token_create.go
@@ -18,7 +18,7 @@ type TokenCreateCommand struct {
 func (c *TokenCreateCommand) Run(args []string) int {
 var format string
 var id, displayName, lease, ttl, role string
- var orphan, noDefaultPolicy bool
+ var orphan, noDefaultPolicy, renewable bool
 var metadata map[string]string
 var numUses int
 var policies []string
@@ -30,6 +30,7 @@ func (c *TokenCreateCommand) Run(args []string) int {
 flags.StringVar(&ttl, "ttl", "", "")
 flags.StringVar(&role, "role", "", "")
 flags.BoolVar(&orphan, "orphan", false, "")
+ flags.BoolVar(&renewable, "renewable", true, "")
 flags.BoolVar(&noDefaultPolicy, "no-default-policy", false, "")
 flags.IntVar(&numUses, "use-limit", 0, "")
 flags.Var((*kvFlag.Flag)(&metadata), "metadata", "")
@@ -67,7 +68,9 @@ func (c *TokenCreateCommand) Run(args []string) int {
 NoDefaultPolicy: noDefaultPolicy,
 DisplayName: displayName,
 NumUses: numUses,
+ Renewable: new(bool),
 }
+ *tcr.Renewable = renewable
 
 var secret *api.Secret
 if role != "" {
@@ -121,11 +124,14 @@ Token Options: is a non-security sensitive value used to help identify created secrets, i.e. prefixes. - -lease="1h" Deprecated; use "-ttl" instead. - -ttl="1h" Initial TTL to associate with the token; renewals can extend this value. + -renewable=true Whether or not the token is renewable to extend its TTL up to Vault's configured maximum TTL for tokens. This defaults to true; set to false to disable renewal of this token. + -metadata="key=value" Metadata to associate with the token. This shows up in the audit log. This can be specified multiple times.
diff --git a/vault/token_store.go b/vault/token_store.go
index b77d23d8d0..ee01573976 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -935,6 +935,7 @@ func (ts *TokenStore) handleCreateCommon(
 NoDefaultPolicy bool `mapstructure:"no_default_policy"`
 Lease string
 TTL string
+ Renewable *bool
 DisplayName string `mapstructure:"display_name"`
 NumUses int `mapstructure:"num_uses"`
 }
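Review bot: In the @@ -67 hunk, `Renewable: new(bool),` followed by `*tcr.Renewable = renewable` after the closing brace can be a single field initializer, `Renewable: &renewable,`, since `renewable` is a local of Run and nothing in the hunk reuses it (the rest of Run is outside the hunk, so confirm there). Because the pointer is always populated, every request from this command sends an explicit `renewable` value, so the server-side default added in vault/token_store.go is never exercised from the CLI; that is acceptable but deserves a one-line comment such as `// Always send renewable explicitly: the flag default (true) is the CLI's choice, not the server's.`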
@@ -964,6 +965,11 @@ func (ts *TokenStore) handleCreateCommon(
 CreationTime: time.Now().Unix(),
 }
 
+ renewable := true
+ if data.Renewable != nil {
+ renewable = *data.Renewable
+ }
+
 // If the role is not nil, we add the role name as part of the token's
 // path. This makes it much easier to later revoke tokens that were issued
 // by a role (using revoke-prefix). Users can further specify a PathSuffix
@@ -1122,7 +1128,7 @@ func (ts *TokenStore) handleCreateCommon(
 Metadata: te.Meta,
 LeaseOptions: logical.LeaseOptions{
 TTL: te.TTL,
- Renewable: true,
+ Renewable: renewable,
 },
 ClientToken: te.ID,
 Accessor: te.Accessor,
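Review bot: The `renewable := true` default has no comment, yet it is the line that preserves the previous unconditional-renewable behaviour for every caller that omits the field, and an explicit false is the only way to opt out; suggest `// Tokens stay renewable unless the request explicitly says otherwise (nil keeps the old default).` above it. The same local feeds `Renewable: renewable` in the LeaseOptions hunk at @@ -1122, so one comment here covers both. Nothing in the hunk reconciles the requested value with the role handling that the following comment introduces; if roles are meant to constrain renewability, that check would have to live in the part of handleCreateCommon outside this hunk, which starts and ends beyond both hunks.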