From 97112665e8eca5eb1bf39d845a613961138daf90 Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Thu, 20 Aug 2015 17:47:17 -0700 Subject: [PATCH 1/2] Internally refactor Lease/LeaseGracePeriod into TTL/GracePeriod --- audit/hashstructure_test.go | 6 +-- builtin/credential/cert/backend_test.go | 2 +- builtin/credential/cert/path_certs.go | 4 +- builtin/credential/cert/path_login.go | 4 +- .../logical/cassandra/path_creds_create.go | 4 +- builtin/logical/mysql/path_role_create.go | 2 +- builtin/logical/pki/path_issue.go | 2 +- .../logical/postgresql/path_role_create.go | 2 +- builtin/logical/ssh/path_creds_create.go | 10 ++--- http/logical.go | 4 +- logical/framework/backend_test.go | 5 +-- logical/framework/lease.go | 9 +++- logical/framework/lease_test.go | 4 +- logical/framework/secret.go | 6 +-- logical/lease.go | 16 +++---- logical/lease_test.go | 30 ++++++------- logical/secret.go | 8 ++-- vault/audit_test.go | 5 ++- vault/core.go | 24 +++++----- vault/core_test.go | 12 ++--- vault/expiration_test.go | 44 +++++++++---------- vault/mount_test.go | 4 +- vault/token_store.go | 6 +-- vault/token_store_test.go | 8 ++-- 24 files changed, 113 insertions(+), 108 deletions(-) diff --git a/audit/hashstructure_test.go b/audit/hashstructure_test.go index b827310f0e..2fe274f89a 100644 --- a/audit/hashstructure_test.go +++ b/audit/hashstructure_test.go @@ -14,7 +14,7 @@ func TestCopy_auth(t *testing.T) { // Make a non-pointer one so that it can't be modified directly expected := logical.Auth{ LeaseOptions: logical.LeaseOptions{ - Lease: 1 * time.Hour, + TTL: 1 * time.Hour, LeaseIssue: time.Now().UTC(), }, @@ -121,7 +121,7 @@ func TestHash(t *testing.T) { { &logical.Auth{ LeaseOptions: logical.LeaseOptions{ - Lease: 1 * time.Hour, + TTL: 1 * time.Hour, LeaseIssue: now, }, @@ -129,7 +129,7 @@ func TestHash(t *testing.T) { }, &logical.Auth{ LeaseOptions: logical.LeaseOptions{ - Lease: 1 * time.Hour, + TTL: 1 * time.Hour, LeaseIssue: now, }, 
diff --git a/builtin/credential/cert/backend_test.go b/builtin/credential/cert/backend_test.go index 19c54fa2a3..ef0e939883 100644 --- a/builtin/credential/cert/backend_test.go +++ b/builtin/credential/cert/backend_test.go @@ -64,7 +64,7 @@ func testAccStepLogin(t *testing.T, connState tls.ConnectionState) logicaltest.T Unauthenticated: true, ConnState: &connState, Check: func(resp *logical.Response) error { - if resp.Auth.Lease != 1000*time.Second { + if resp.Auth.TTL != 1000*time.Second { t.Fatalf("bad lease length: %#v", resp.Auth) } diff --git a/builtin/credential/cert/path_certs.go b/builtin/credential/cert/path_certs.go index 0892d5123e..76325f2753 100644 --- a/builtin/credential/cert/path_certs.go +++ b/builtin/credential/cert/path_certs.go @@ -129,7 +129,7 @@ func (b *backend) pathCertWrite( Certificate: certificate, DisplayName: displayName, Policies: policies, - Lease: leaseDur, + TTL: leaseDur, }) if err != nil { return nil, err @@ -145,7 +145,7 @@ type CertEntry struct { Certificate string DisplayName string Policies []string - Lease time.Duration + TTL time.Duration } const pathCertHelpSyn = ` diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go index 16e8a14b38..7ad9885a23 100644 --- a/builtin/credential/cert/path_login.go +++ b/builtin/credential/cert/path_login.go @@ -66,7 +66,7 @@ func (b *backend) pathLogin( }, LeaseOptions: logical.LeaseOptions{ Renewable: true, - Lease: matched.Entry.Lease, + TTL: matched.Entry.TTL, }, }, } @@ -187,5 +187,5 @@ func (b *backend) pathLoginRenew( return nil, nil } - return framework.LeaseExtend(cert.Lease, 0, false)(req, d) + return framework.LeaseExtend(cert.TTL, 0, false)(req, d) } diff --git a/builtin/logical/cassandra/path_creds_create.go b/builtin/logical/cassandra/path_creds_create.go index 1049904a65..8dd1ff0646 100644 --- a/builtin/logical/cassandra/path_creds_create.go +++ b/builtin/logical/cassandra/path_creds_create.go 
@@ -77,8 +77,8 @@ func (b *backend) pathCredsCreateRead( "username": username, "role": name, }) - resp.Secret.Lease = role.Lease - resp.Secret.LeaseGracePeriod = role.LeaseGracePeriod + resp.Secret.TTL = role.Lease + resp.Secret.GracePeriod = role.LeaseGracePeriod return resp, nil } diff --git a/builtin/logical/mysql/path_role_create.go b/builtin/logical/mysql/path_role_create.go index 6a8e7406c5..71f8b6a577 100644 --- a/builtin/logical/mysql/path_role_create.go +++ b/builtin/logical/mysql/path_role_create.go @@ -101,7 +101,7 @@ func (b *backend) pathRoleCreateRead( }, map[string]interface{}{ "username": username, }) - resp.Secret.Lease = lease.Lease + resp.Secret.TTL = lease.Lease return resp, nil } diff --git a/builtin/logical/pki/path_issue.go b/builtin/logical/pki/path_issue.go index d1239c87dd..97b7ffd8d4 100644 --- a/builtin/logical/pki/path_issue.go +++ b/builtin/logical/pki/path_issue.go @@ -177,7 +177,7 @@ func (b *backend) pathIssueCert( "serial_number": cb.SerialNumber, }) - resp.Secret.Lease = lease + resp.Secret.TTL = lease err = req.Storage.Put(&logical.StorageEntry{ Key: "certs/" + cb.SerialNumber, diff --git a/builtin/logical/postgresql/path_role_create.go b/builtin/logical/postgresql/path_role_create.go index 6decbaabf1..716bff6f02 100644 --- a/builtin/logical/postgresql/path_role_create.go +++ b/builtin/logical/postgresql/path_role_create.go @@ -105,7 +105,7 @@ func (b *backend) pathRoleCreateRead( }, map[string]interface{}{ "username": username, }) - resp.Secret.Lease = lease.Lease + resp.Secret.TTL = lease.Lease return resp, nil } diff --git a/builtin/logical/ssh/path_creds_create.go b/builtin/logical/ssh/path_creds_create.go index 24a1acaa11..4a5f08570e 100644 --- a/builtin/logical/ssh/path_creds_create.go +++ b/builtin/logical/ssh/path_creds_create.go 
@@ -155,14 +155,14 @@ func (b *backend) pathCredsCreateWrite( // If the lease information is set, update it in secret. if lease != nil { - result.Secret.Lease = lease.Lease - result.Secret.LeaseGracePeriod = lease.LeaseMax + result.Secret.TTL = lease.Lease + result.Secret.GracePeriod = lease.LeaseMax } // If lease information is not set, set it to 10 minutes. if lease == nil { - result.Secret.Lease = 10 * time.Minute - result.Secret.LeaseGracePeriod = 2 * time.Minute + result.Secret.TTL = 10 * time.Minute + result.Secret.GracePeriod = 2 * time.Minute } return result, nil @@ -257,7 +257,7 @@ Creates a credential for establishing SSH connection with the remote host. const pathCredsCreateHelpDesc = ` This path will generate a new key for establishing SSH session with target host. The key can either be a long lived dynamic key or a One -Time Password (OTP), using 'key_type' parameter being 'dynamic' or +Time Password (OTP), using 'key_type' parameter being 'dynamic' or 'otp' respectively. For dynamic keys, a named key should be supplied. Create named key using the 'keys/' endpoint, and this represents the shared SSH key of target host. If this backend is mounted at 'ssh', diff --git a/http/logical.go b/http/logical.go index 7b1ba69290..36b91dadd2 100644 --- a/http/logical.go +++ b/http/logical.go @@ -101,7 +101,7 @@ func respondLogical(w http.ResponseWriter, r *http.Request, path string, dataOnl if resp.Secret != nil { logicalResp.LeaseID = resp.Secret.LeaseID logicalResp.Renewable = resp.Secret.Renewable - logicalResp.LeaseDuration = int(resp.Secret.Lease.Seconds()) + logicalResp.LeaseDuration = int(resp.Secret.TTL.Seconds()) } // If we have authentication information, then set the cookie 
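Review bot: `result.Secret.GracePeriod = lease.LeaseMax` now reads as a type mismatch in intent: the destination is the post-expiry grace window that delays revocation, but the source name suggests the configured maximum lease length, and the hunk does not show what `lease.LeaseMax` holds. If it really is a maximum lease, the generated SSH credential stays valid for TTL plus that whole maximum before revocation, which is probably not what the `keys/` lease config promised; if it is a grace value under an old name, a one-line comment such as `// LeaseMax on the ssh lease config is the grace window, not a cap` would stop the next reader from "fixing" it. The same field pair is assigned in the `lease == nil` branch below with explicit 10m/2m values, so the two branches should at least be documented to mean the same thing. pathCredsCreateWrite starts before this hunk.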
@@ -129,7 +129,7 @@ func respondLogical(w http.ResponseWriter, r *http.Request, path string, dataOnl ClientToken: resp.Auth.ClientToken, Policies: resp.Auth.Policies, Metadata: resp.Auth.Metadata, - LeaseDuration: int(resp.Auth.Lease.Seconds()), + LeaseDuration: int(resp.Auth.TTL.Seconds()), Renewable: resp.Auth.Renewable, } } diff --git a/logical/framework/backend_test.go b/logical/framework/backend_test.go index 6ff02e72b1..b4cb86997a 100644 --- a/logical/framework/backend_test.go +++ b/logical/framework/backend_test.go @@ -105,7 +105,6 @@ func TestBackendHandleRequest_badwrite(t *testing.T) { Path: "foo/bar", Data: map[string]interface{}{"value": "3false3"}, }) - if err == nil { t.Fatalf("should have thrown a conversion error") @@ -269,8 +268,8 @@ func TestBackendHandleRequest_renewExtend(t *testing.T) { t.Fatal("should have secret") } - if resp.Secret.Lease < 60*time.Minute || resp.Secret.Lease > 70*time.Minute { - t.Fatalf("bad: %s", resp.Secret.Lease) + if resp.Secret.TTL < 60*time.Minute || resp.Secret.TTL > 70*time.Minute { + t.Fatalf("bad: %s", resp.Secret.TTL) } } diff --git a/logical/framework/lease.go b/logical/framework/lease.go index 4ba250d26f..d6206a97f1 100644 --- a/logical/framework/lease.go +++ b/logical/framework/lease.go @@ -27,7 +27,7 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc // Check if we should limit max if maxFromLease { - max = lease.Lease + max = lease.TTL } // Sanity check the desired increment @@ -67,7 +67,12 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc newLeaseDuration := requestedLease.Sub(now) // Set the lease - lease.Lease = newLeaseDuration + lease.TTL = newLeaseDuration + var zeroDur time.Duration + if lease.Lease != zeroDur { + lease.Lease = newLeaseDuration + } + return &logical.Response{Auth: req.Auth, Secret: req.Secret}, nil } } diff --git a/logical/framework/lease_test.go b/logical/framework/lease_test.go index f22ce798d6..47ac068c27 100644 
--- a/logical/framework/lease_test.go +++ b/logical/framework/lease_test.go @@ -75,7 +75,7 @@ func TestLeaseExtend(t *testing.T) { req := &logical.Request{ Auth: &logical.Auth{ LeaseOptions: logical.LeaseOptions{ - Lease: 1 * time.Hour, + TTL: 1 * time.Hour, LeaseIssue: now, LeaseIncrement: tc.Request, }, @@ -92,7 +92,7 @@ func TestLeaseExtend(t *testing.T) { } // Round it to the nearest hour - lease := now.Add(resp.Auth.Lease).Round(time.Hour).Sub(now) + lease := now.Add(resp.Auth.TTL).Round(time.Hour).Sub(now) if lease != tc.Result { t.Fatalf("bad: %s\nlease: %s", name, lease) } diff --git a/logical/framework/secret.go b/logical/framework/secret.go index 8fb91e3921..4e9bd287d1 100644 --- a/logical/framework/secret.go +++ b/logical/framework/secret.go @@ -51,9 +51,9 @@ func (s *Secret) Response( return &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: s.DefaultDuration, - LeaseGracePeriod: s.DefaultGracePeriod, - Renewable: s.Renewable(), + TTL: s.DefaultDuration, + GracePeriod: s.DefaultGracePeriod, + Renewable: s.Renewable(), }, InternalData: internalData, }, diff --git a/logical/lease.go b/logical/lease.go index 996228598e..47cf2d1dac 100644 --- a/logical/lease.go +++ b/logical/lease.go @@ -7,9 +7,9 @@ import "time" type LeaseOptions struct { // Lease is the duration that this secret is valid for. Vault // will automatically revoke it after the duration + grace period. - Lease time.Duration `json:"lease,omitempty"` - TTL time.Duration `json:"ttl,omitempty"` - LeaseGracePeriod time.Duration `json:"lease_grace_period"` + Lease time.Duration `json:"lease,omitempty"` + TTL time.Duration `json:"ttl,omitempty"` + GracePeriod time.Duration `json:"grace_period"` // Renewable, if true, means that this secret can be renewed. Renewable bool `json:"renewable"` 
@@ -28,20 +28,20 @@ type LeaseOptions struct { // LeaseEnabled checks if leasing is enabled func (l *LeaseOptions) LeaseEnabled() bool { - return l.Lease > 0 + return l.TTL > 0 } // LeaseTotal is the total lease time including the grace period func (l *LeaseOptions) LeaseTotal() time.Duration { - if l.Lease <= 0 { + if l.TTL <= 0 { return 0 } - if l.LeaseGracePeriod < 0 { - return l.Lease + if l.GracePeriod < 0 { + return l.TTL } - return l.Lease + l.LeaseGracePeriod + return l.TTL + l.GracePeriod } // ExpirationTime computes the time until expiration including the grace period diff --git a/logical/lease_test.go b/logical/lease_test.go index 02916bc817..5dea4ab00d 100644 --- a/logical/lease_test.go +++ b/logical/lease_test.go @@ -7,10 +7,10 @@ import ( func TestLeaseOptionsLeaseTotal(t *testing.T) { var l LeaseOptions - l.Lease = 1 * time.Hour + l.TTL = 1 * time.Hour actual := l.LeaseTotal() - expected := l.Lease + expected := l.TTL if actual != expected { t.Fatalf("bad: %s", actual) } @@ -18,11 +18,11 @@ func TestLeaseOptionsLeaseTotal(t *testing.T) { func TestLeaseOptionsLeaseTotal_grace(t *testing.T) { var l LeaseOptions - l.Lease = 1 * time.Hour - l.LeaseGracePeriod = 30 * time.Minute + l.TTL = 1 * time.Hour + l.GracePeriod = 30 * time.Minute actual := l.LeaseTotal() - expected := l.Lease + l.LeaseGracePeriod + expected := l.TTL + l.GracePeriod if actual != expected { t.Fatalf("bad: %s", actual) } @@ -30,8 +30,8 @@ func TestLeaseOptionsLeaseTotal_grace(t *testing.T) { func TestLeaseOptionsLeaseTotal_negLease(t *testing.T) { var l LeaseOptions - l.Lease = -1 * 1 * time.Hour - l.LeaseGracePeriod = 30 * time.Minute + l.TTL = -1 * 1 * time.Hour + l.GracePeriod = 30 * time.Minute actual := l.LeaseTotal() expected := time.Duration(0) 
@@ -42,11 +42,11 @@ func TestLeaseOptionsLeaseTotal_negLease(t *testing.T) { func TestLeaseOptionsLeaseTotal_negGrace(t *testing.T) { var l LeaseOptions - l.Lease = 1 * time.Hour - l.LeaseGracePeriod = -1 * 30 * time.Minute + l.TTL = 1 * time.Hour + l.GracePeriod = -1 * 30 * time.Minute actual := l.LeaseTotal() - expected := l.Lease + expected := l.TTL if actual != expected { t.Fatalf("bad: %s", actual) } @@ -54,7 +54,7 @@ func TestLeaseOptionsLeaseTotal_negGrace(t *testing.T) { func TestLeaseOptionsExpirationTime(t *testing.T) { var l LeaseOptions - l.Lease = 1 * time.Hour + l.TTL = 1 * time.Hour limit := time.Now().UTC().Add(time.Hour) exp := l.ExpirationTime() @@ -65,8 +65,8 @@ func TestLeaseOptionsExpirationTime(t *testing.T) { func TestLeaseOptionsExpirationTime_grace(t *testing.T) { var l LeaseOptions - l.Lease = 1 * time.Hour - l.LeaseGracePeriod = 30 * time.Minute + l.TTL = 1 * time.Hour + l.GracePeriod = 30 * time.Minute limit := time.Now().UTC().Add(time.Hour + 30*time.Minute) actual := l.ExpirationTime() @@ -77,8 +77,8 @@ func TestLeaseOptionsExpirationTime_grace(t *testing.T) { func TestLeaseOptionsExpirationTime_graceNegative(t *testing.T) { var l LeaseOptions - l.Lease = 1 * time.Hour - l.LeaseGracePeriod = -1 * 30 * time.Minute + l.TTL = 1 * time.Hour + l.GracePeriod = -1 * 30 * time.Minute limit := time.Now().UTC().Add(time.Hour) actual := l.ExpirationTime() diff --git a/logical/secret.go b/logical/secret.go index 42ec523d71..1a88fa3584 100644 --- a/logical/secret.go +++ b/logical/secret.go @@ -18,11 +18,11 @@ type Secret struct { } func (s *Secret) Validate() error { - if s.Lease < 0 { - return fmt.Errorf("lease duration must not be less than zero") + if s.TTL < 0 { + return fmt.Errorf("ttl duration must not be less than zero") } - if s.LeaseGracePeriod < 0 { - return fmt.Errorf("lease grace period must not be less than zero") + if s.GracePeriod < 0 { + return fmt.Errorf("grace period must not be less than zero") } return nil 
diff --git a/vault/audit_test.go b/vault/audit_test.go index f4e484806b..d7c78ed62b 100644 --- a/vault/audit_test.go +++ b/vault/audit_test.go @@ -8,9 +8,10 @@ import ( "testing" "time" + "errors" + "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/logical" - "errors" ) type NoopAudit struct { @@ -261,7 +262,7 @@ func TestAuditBroker_LogResponse(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 1 * time.Hour, + TTL: 1 * time.Hour, }, }, Data: map[string]interface{}{ diff --git a/vault/core.go b/vault/core.go index 10c6c92140..53cd136bdb 100644 --- a/vault/core.go +++ b/vault/core.go @@ -452,13 +452,13 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r // We exclude renewal of a lease, since it does not need to be re-registered if resp != nil && resp.Secret != nil && !strings.HasPrefix(req.Path, "sys/renew/") { // Apply the default lease if none given - if resp.Secret.Lease == 0 { - resp.Secret.Lease = c.defaultLeaseDuration + if resp.Secret.TTL == 0 { + resp.Secret.TTL = c.defaultLeaseDuration } // Limit the lease duration - if resp.Secret.Lease > c.maxLeaseDuration { - resp.Secret.Lease = c.maxLeaseDuration + if resp.Secret.TTL > c.maxLeaseDuration { + resp.Secret.TTL = c.maxLeaseDuration } // Register the lease @@ -484,13 +484,13 @@ func (c *Core) handleRequest(req *logical.Request) (retResp *logical.Response, r } // Set the default lease if non-provided, root tokens are exempt - if resp.Auth.Lease == 0 && !strListContains(resp.Auth.Policies, "root") { - resp.Auth.Lease = c.defaultLeaseDuration + if resp.Auth.TTL == 0 && !strListContains(resp.Auth.Policies, "root") { + resp.Auth.TTL = c.defaultLeaseDuration } // Limit the lease duration - if resp.Auth.Lease > c.maxLeaseDuration { - resp.Auth.Lease = c.maxLeaseDuration + if resp.Auth.TTL > c.maxLeaseDuration { + resp.Auth.TTL = c.maxLeaseDuration } // Register with the expiration manager 
@@ -556,13 +556,13 @@ func (c *Core) handleLoginRequest(req *logical.Request) (*logical.Response, *log resp.Auth.ClientToken = te.ID // Set the default lease if non-provided, root tokens are exempt - if auth.Lease == 0 && !strListContains(auth.Policies, "root") { - auth.Lease = c.defaultLeaseDuration + if auth.TTL == 0 && !strListContains(auth.Policies, "root") { + auth.TTL = c.defaultLeaseDuration } // Limit the lease duration - if resp.Auth.Lease > c.maxLeaseDuration { - resp.Auth.Lease = c.maxLeaseDuration + if resp.Auth.TTL > c.maxLeaseDuration { + resp.Auth.TTL = c.maxLeaseDuration } // Register with the expiration manager diff --git a/vault/core_test.go b/vault/core_test.go index 194cdc98a8..f71ddecd6b 100644 --- a/vault/core_test.go +++ b/vault/core_test.go @@ -401,7 +401,7 @@ func TestCore_HandleRequest_Lease(t *testing.T) { if resp == nil || resp.Secret == nil || resp.Data == nil { t.Fatalf("bad: %#v", resp) } - if resp.Secret.Lease != time.Hour { + if resp.Secret.TTL != time.Hour { t.Fatalf("bad: %#v", resp.Secret) } if resp.Secret.LeaseID == "" { @@ -442,7 +442,7 @@ func TestCore_HandleRequest_Lease_MaxLength(t *testing.T) { if resp == nil || resp.Secret == nil || resp.Data == nil { t.Fatalf("bad: %#v", resp) } - if resp.Secret.Lease != c.maxLeaseDuration { + if resp.Secret.TTL != c.maxLeaseDuration { t.Fatalf("bad: %#v", resp.Secret) } if resp.Secret.LeaseID == "" { @@ -483,7 +483,7 @@ func TestCore_HandleRequest_Lease_DefaultLength(t *testing.T) { if resp == nil || resp.Secret == nil || resp.Data == nil { t.Fatalf("bad: %#v", resp) } - if resp.Secret.Lease != c.defaultLeaseDuration { + if resp.Secret.TTL != c.defaultLeaseDuration { t.Fatalf("bad: %#v", resp.Secret) } if resp.Secret.LeaseID == "" { @@ -829,7 +829,7 @@ func TestCore_HandleLogin_Token(t *testing.T) { } // Check that we have a lease with default duration - if lresp.Auth.Lease != c.defaultLeaseDuration { + if lresp.Auth.TTL != c.defaultLeaseDuration { t.Fatalf("bad: %#v", lresp.Auth) } } 
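Review bot: The default-TTL branch writes `auth.TTL` while the cap three lines later reads and writes `resp.Auth.TTL`; whether those are the same object is not visible in this hunk, and if `auth` is a copy rather than an alias the default is applied to a value that is never capped or registered. Using one receiver in both places, e.g. `if resp.Auth.TTL == 0 && !strListContains(resp.Auth.Policies, "root") {` and `resp.Auth.TTL = c.defaultLeaseDuration`, removes the ambiguity and matches the sibling block in handleRequest earlier in the same file. handleLoginRequest starts and ends outside the hunk.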
@@ -904,7 +904,7 @@ func TestCore_HandleLogin_AuditTrail(t *testing.T) { Response: &logical.Response{ Auth: &logical.Auth{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, }, Policies: []string{"foo", "bar"}, Metadata: map[string]string{ @@ -1016,7 +1016,7 @@ func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) { } // Check that we have a lease with default duration - if resp.Auth.Lease != c.defaultLeaseDuration { + if resp.Auth.TTL != c.defaultLeaseDuration { t.Fatalf("bad: %#v", resp.Auth) } } diff --git a/vault/expiration_test.go b/vault/expiration_test.go index 8865a9b9d0..03d8d6834e 100644 --- a/vault/expiration_test.go +++ b/vault/expiration_test.go @@ -37,7 +37,7 @@ func TestExpiration_Restore(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, }, }, Data: map[string]interface{}{ @@ -92,7 +92,7 @@ func TestExpiration_Register(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, }, }, Data: map[string]interface{}{ @@ -125,7 +125,7 @@ func TestExpiration_RegisterAuth(t *testing.T) { auth := &logical.Auth{ ClientToken: root.ID, LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, }, } @@ -184,7 +184,7 @@ func TestExpiration_Revoke(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, }, }, Data: map[string]interface{}{ @@ -222,7 +222,7 @@ func TestExpiration_RevokeOnExpire(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, }, }, Data: map[string]interface{}{ 
@@ -277,7 +277,7 @@ func TestExpiration_RevokePrefix(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, }, }, Data: map[string]interface{}{ @@ -338,7 +338,7 @@ func TestExpiration_RevokeByToken(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, }, }, Data: map[string]interface{}{ @@ -389,7 +389,7 @@ func TestExpiration_RenewToken(t *testing.T) { auth := &logical.Auth{ ClientToken: root.ID, LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, Renewable: true, }, } @@ -420,7 +420,7 @@ func TestExpiration_RenewToken_NotRenewable(t *testing.T) { auth := &logical.Auth{ ClientToken: root.ID, LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, Renewable: false, }, } @@ -450,7 +450,7 @@ func TestExpiration_Renew(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, Renewable: true, }, }, @@ -468,7 +468,7 @@ func TestExpiration_Renew(t *testing.T) { noop.Response = &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, }, }, Data: map[string]interface{}{ @@ -512,7 +512,7 @@ func TestExpiration_Renew_NotRenewable(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, Renewable: false, }, }, @@ -554,7 +554,7 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, Renewable: true, }, }, 
@@ -572,7 +572,7 @@ func TestExpiration_Renew_RevokeOnExpire(t *testing.T) { noop.Response = &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, }, }, Data: map[string]interface{}{ @@ -623,7 +623,7 @@ func TestExpiration_revokeEntry(t *testing.T) { }, Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Minute, + TTL: time.Minute, }, }, IssueTime: time.Now(), @@ -662,7 +662,7 @@ func TestExpiration_revokeEntry_token(t *testing.T) { Auth: &logical.Auth{ ClientToken: root.ID, LeaseOptions: logical.LeaseOptions{ - Lease: time.Minute, + TTL: time.Minute, }, }, Path: "foo/bar", @@ -692,7 +692,7 @@ func TestExpiration_renewEntry(t *testing.T) { Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ Renewable: true, - Lease: time.Hour, + TTL: time.Hour, }, }, Data: map[string]interface{}{ @@ -712,7 +712,7 @@ func TestExpiration_renewEntry(t *testing.T) { }, Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Minute, + TTL: time.Minute, }, }, IssueTime: time.Now(), @@ -757,7 +757,7 @@ func TestExpiration_renewAuthEntry(t *testing.T) { Auth: &logical.Auth{ LeaseOptions: logical.LeaseOptions{ Renewable: true, - Lease: time.Hour, + TTL: time.Hour, }, }, }, @@ -772,7 +772,7 @@ func TestExpiration_renewAuthEntry(t *testing.T) { Auth: &logical.Auth{ LeaseOptions: logical.LeaseOptions{ Renewable: true, - Lease: time.Minute, + TTL: time.Minute, }, InternalData: map[string]interface{}{ "MySecret": "secret", @@ -822,7 +822,7 @@ func TestExpiration_PersistLoadDelete(t *testing.T) { }, Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Minute, + TTL: time.Minute, }, }, IssueTime: time.Now().UTC(), @@ -863,7 +863,7 @@ func TestLeaseEntry(t *testing.T) { }, Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Minute, + TTL: time.Minute, }, }, IssueTime: time.Now().UTC(), 
diff --git a/vault/mount_test.go b/vault/mount_test.go index b08c58bf4f..683282b42c 100644 --- a/vault/mount_test.go +++ b/vault/mount_test.go @@ -139,7 +139,7 @@ func TestCore_Unmount_Cleanup(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, }, }, Data: map[string]interface{}{ @@ -256,7 +256,7 @@ func TestCore_Remount_Cleanup(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, }, }, Data: map[string]interface{}{ diff --git a/vault/token_store.go b/vault/token_store.go index f27f5450d7..37e22f7f71 100644 --- a/vault/token_store.go +++ b/vault/token_store.go @@ -554,9 +554,9 @@ func (ts *TokenStore) handleCreate( Policies: te.Policies, Metadata: te.Meta, LeaseOptions: logical.LeaseOptions{ - Lease: leaseDuration, - LeaseGracePeriod: leaseDuration / 10, - Renewable: leaseDuration > 0, + TTL: leaseDuration, + GracePeriod: leaseDuration / 10, + Renewable: leaseDuration > 0, }, ClientToken: te.ID, }, diff --git a/vault/token_store_test.go b/vault/token_store_test.go index 2abea5cbf9..bda3cd415a 100644 --- a/vault/token_store_test.go +++ b/vault/token_store_test.go @@ -235,7 +235,7 @@ func TestTokenStore_Revoke_Leases(t *testing.T) { resp := &logical.Response{ Secret: &logical.Secret{ LeaseOptions: logical.LeaseOptions{ - Lease: 20 * time.Millisecond, + TTL: 20 * time.Millisecond, }, }, Data: map[string]interface{}{ @@ -633,7 +633,7 @@ func TestTokenStore_HandleRequest_CreateToken_Lease(t *testing.T) { if resp.Auth.ClientToken == "" { t.Fatalf("bad: %#v", resp) } - if resp.Auth.Lease != time.Hour { + if resp.Auth.TTL != time.Hour { t.Fatalf("bad: %#v", resp) } if !resp.Auth.Renewable { 
@@ -743,7 +743,7 @@ func TestTokenStore_HandleRequest_RevokePrefix(t *testing.T) { auth := &logical.Auth{ ClientToken: root.ID, LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, }, } err = exp.RegisterAuth("auth/github/login", auth) @@ -808,7 +808,7 @@ func TestTokenStore_HandleRequest_Renew(t *testing.T) { auth := &logical.Auth{ ClientToken: root.ID, LeaseOptions: logical.LeaseOptions{ - Lease: time.Hour, + TTL: time.Hour, Renewable: true, }, } From e7f2a54720fabc4b0a5aa9b45d38d0fa2eed729a Mon Sep 17 00:00:00 2001 From: Jeff Mitchell Date: Thu, 20 Aug 2015 22:27:01 -0700 Subject: [PATCH 2/2] Rejig Lease terminology internally; also, put a few JSON names back to their original values --- audit/hashstructure_test.go | 12 ++++----- logical/framework/backend_test.go | 4 +-- logical/framework/lease.go | 26 ++++++++----------- logical/framework/lease_test.go | 6 ++--- logical/lease.go | 13 +++++----- vault/expiration.go | 10 +++---- vault/expiration_test.go | 8 +++--- vault/logical_passthrough.go | 20 +++++--------- vault/logical_passthrough_test.go | 1 - .../source/docs/secrets/generic/index.html.md | 3 +-- 10 files changed, 45 insertions(+), 58 deletions(-) diff --git a/audit/hashstructure_test.go b/audit/hashstructure_test.go index 2fe274f89a..7dbc8e9ce5 100644 --- a/audit/hashstructure_test.go +++ b/audit/hashstructure_test.go @@ -14,8 +14,8 @@ func TestCopy_auth(t *testing.T) { // Make a non-pointer one so that it can't be modified directly expected := logical.Auth{ LeaseOptions: logical.LeaseOptions{ - TTL: 1 * time.Hour, - LeaseIssue: time.Now().UTC(), + TTL: 1 * time.Hour, + IssueTime: time.Now().UTC(), }, ClientToken: "foo", 
@@ -121,16 +121,16 @@ func TestHash(t *testing.T) { { &logical.Auth{ LeaseOptions: logical.LeaseOptions{ - TTL: 1 * time.Hour, - LeaseIssue: now, + TTL: 1 * time.Hour, + IssueTime: now, }, ClientToken: "foo", }, &logical.Auth{ LeaseOptions: logical.LeaseOptions{ - TTL: 1 * time.Hour, - LeaseIssue: now, + TTL: 1 * time.Hour, + IssueTime: now, }, ClientToken: "sha1:0beec7b5ea3f0fdbc95d0dd47f3c5bc275da8a33", diff --git a/logical/framework/backend_test.go b/logical/framework/backend_test.go index b4cb86997a..a110f8455b 100644 --- a/logical/framework/backend_test.go +++ b/logical/framework/backend_test.go @@ -258,8 +258,8 @@ func TestBackendHandleRequest_renewExtend(t *testing.T) { } req := logical.RenewRequest("/foo", secret.Response(nil, nil).Secret, nil) - req.Secret.LeaseIssue = time.Now().UTC() - req.Secret.LeaseIncrement = 1 * time.Hour + req.Secret.IssueTime = time.Now().UTC() + req.Secret.Increment = 1 * time.Hour resp, err := b.HandleRequest(req) if err != nil { t.Fatalf("err: %s", err) diff --git a/logical/framework/lease.go b/logical/framework/lease.go index d6206a97f1..353962648f 100644 --- a/logical/framework/lease.go +++ b/logical/framework/lease.go 
@@ -20,26 +20,26 @@ import ( // lease duration. func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc { return func(req *logical.Request, data *FieldData) (*logical.Response, error) { - lease := detectLease(req) - if lease == nil { + leaseOpts := detectLease(req) + if leaseOpts == nil { return nil, fmt.Errorf("no lease options for request") } // Check if we should limit max if maxFromLease { - max = lease.TTL + max = leaseOpts.TTL } // Sanity check the desired increment switch { // Protect against negative leases - case lease.LeaseIncrement < 0: + case leaseOpts.Increment < 0: return logical.ErrorResponse( "increment must be greater than 0"), logical.ErrInvalidRequest - // If no lease increment, or too large of an increment, use the max - case max > 0 && lease.LeaseIncrement == 0, max > 0 && lease.LeaseIncrement > max: - lease.LeaseIncrement = max + // If no lease increment, or too large of an increment, use the max + case max > 0 && leaseOpts.Increment == 0, max > 0 && leaseOpts.Increment > max: + leaseOpts.Increment = max } // Get the current time @@ -48,7 +48,7 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc // Check if we're passed the issue limit var maxSessionTime time.Time if maxSession > 0 { - maxSessionTime = lease.LeaseIssue.Add(maxSession) + maxSessionTime = leaseOpts.IssueTime.Add(maxSession) if maxSessionTime.Before(now) { return logical.ErrorResponse(fmt.Sprintf( "lease can only be renewed up to %s past original issue", @@ -56,9 +56,9 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc } } - // The new lease is the minimum of the requested LeaseIncrement + // The new lease is the minimum of the requested Increment // or the maxSessionTime - requestedLease := now.Add(lease.LeaseIncrement) + requestedLease := now.Add(leaseOpts.Increment) if !maxSessionTime.IsZero() && requestedLease.After(maxSessionTime) { requestedLease = maxSessionTime } 
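Review bot: `max = leaseOpts.TTL` assigns to the `max` parameter captured by the returned closure, so every request served by this OperationFunc shares and overwrites the same variable; if the callback serves concurrent renewals, which path handlers normally do, that is a data race and one request's TTL can silently become another request's cap. A per-call local avoids it: `limit := max`, `if maxFromLease { limit = leaseOpts.TTL }`, and the two `max` references in the `switch` below become `limit`. The rename to `leaseOpts` is fine but leaves this pre-existing shared-state issue untouched. LeaseExtend's body continues past this hunk.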
@@ -67,11 +67,7 @@ func LeaseExtend(max, maxSession time.Duration, maxFromLease bool) OperationFunc newLeaseDuration := requestedLease.Sub(now) // Set the lease - lease.TTL = newLeaseDuration - var zeroDur time.Duration - if lease.Lease != zeroDur { - lease.Lease = newLeaseDuration - } + leaseOpts.TTL = newLeaseDuration return &logical.Response{Auth: req.Auth, Secret: req.Secret}, nil } diff --git a/logical/framework/lease_test.go b/logical/framework/lease_test.go index 47ac068c27..d7c40c12ce 100644 --- a/logical/framework/lease_test.go +++ b/logical/framework/lease_test.go @@ -75,9 +75,9 @@ func TestLeaseExtend(t *testing.T) { req := &logical.Request{ Auth: &logical.Auth{ LeaseOptions: logical.LeaseOptions{ - TTL: 1 * time.Hour, - LeaseIssue: now, - LeaseIncrement: tc.Request, + TTL: 1 * time.Hour, + IssueTime: now, + Increment: tc.Request, }, }, } diff --git a/logical/lease.go b/logical/lease.go index 47cf2d1dac..f7b15006d4 100644 --- a/logical/lease.go +++ b/logical/lease.go 
@@ -7,23 +7,22 @@ import "time"
 type LeaseOptions struct {
 // Lease is the duration that this secret is valid for. Vault
 // will automatically revoke it after the duration + grace period.
- Lease time.Duration `json:"lease,omitempty"`
- TTL time.Duration `json:"ttl,omitempty"`
- GracePeriod time.Duration `json:"grace_period"`
+ TTL time.Duration `json:"lease"`
+ GracePeriod time.Duration `json:"lease_grace_period"`
 
 // Renewable, if true, means that this secret can be renewed.
 Renewable bool `json:"renewable"`
 
- // LeaseIncrement will be the lease increment that the user requested.
+ // Increment will be the lease increment that the user requested.
 // This is only available on a Renew operation and has no effect
 // when returning a response.
- LeaseIncrement time.Duration `json:"-"`
+ Increment time.Duration `json:"-"`
 
- // LeaseIssue is the time of issue for the original lease. This is
+ // IssueTime is the time of issue for the original lease. This is
 // only available on a Renew operation and has no effect when returning
 // a response. It can be used to enforce maximum lease periods by
 // a logical backend. This time will always be in UTC.
- LeaseIssue time.Time `json:"-"`
+ IssueTime time.Time `json:"-"`
 }
 
 // LeaseEnabled checks if leasing is enabled
diff --git a/vault/expiration.go b/vault/expiration.go
index 69dca6f84b..525779088d 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -337,7 +337,7 @@ func (m *ExpirationManager) RenewToken(source string, token string,
 
 // Attach the ClientToken
 resp.Auth.ClientToken = token
- resp.Auth.LeaseIncrement = 0
+ resp.Auth.Increment = 0
 
 // Update the lease entry
 le.Auth = resp.Auth
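Review bot: The doc comment `// Lease is the duration that this secret is valid for. Vault` above the renamed field still names `Lease`, while the field is now `TTL`; it should read `// TTL is the duration that this secret is valid for. Vault` so the comment matches the exported name. The tag change from `json:"grace_period"` to `json:"lease_grace_period"` is also a storage/wire-format change: if `LeaseOptions` is serialized anywhere persistent (lease entries, audit records), data written under the old key will decode with a zero `GracePeriod` after this commit, which is worth confirming or calling out in the description. Dropping `omitempty` from the `TTL` tag likewise changes responses without a lease from omitting the key to emitting `"lease":0`; presumably intentional for 0.3 compatibility, but not mentioned anywhere.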
@@ -492,8 +492,8 @@ func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
 // renewEntry is used to attempt renew of an internal entry
 func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
 secret := *le.Secret
- secret.LeaseIssue = le.IssueTime
- secret.LeaseIncrement = increment
+ secret.IssueTime = le.IssueTime
+ secret.Increment = increment
 secret.LeaseID = ""
 
 req := logical.RenewRequest(le.Path, &secret, le.Data)
@@ -507,8 +507,8 @@ func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration)
 // renewAuthEntry is used to attempt renew of an auth entry
 func (m *ExpirationManager) renewAuthEntry(le *leaseEntry, increment time.Duration) (*logical.Response, error) {
 auth := *le.Auth
- auth.LeaseIssue = le.IssueTime
- auth.LeaseIncrement = increment
+ auth.IssueTime = le.IssueTime
+ auth.Increment = increment
 auth.ClientToken = ""
 
 req := logical.RenewAuthRequest(le.Path, &auth, nil)
diff --git a/vault/expiration_test.go b/vault/expiration_test.go
index 03d8d6834e..4c89dc9a55 100644
--- a/vault/expiration_test.go
+++ b/vault/expiration_test.go
@@ -741,10 +741,10 @@ func TestExpiration_renewEntry(t *testing.T) {
 if !reflect.DeepEqual(req.Data, le.Data) {
 t.Fatalf("Bad: %v", req)
 }
- if req.Secret.LeaseIncrement != time.Second {
+ if req.Secret.Increment != time.Second {
 t.Fatalf("Bad: %v", req)
 }
- if req.Secret.LeaseIssue.IsZero() {
+ if req.Secret.IssueTime.IsZero() {
 t.Fatalf("Bad: %v", req)
 }
 }
@@ -801,10 +801,10 @@ func TestExpiration_renewAuthEntry(t *testing.T) {
 if req.Path != "login" {
 t.Fatalf("Bad: %v", req)
 }
- if req.Auth.LeaseIncrement != time.Second {
+ if req.Auth.Increment != time.Second {
 t.Fatalf("Bad: %v", req)
 }
- if req.Auth.LeaseIssue.IsZero() {
+ if req.Auth.IssueTime.IsZero() {
 t.Fatalf("Bad: %v", req)
 }
 if req.Auth.InternalData["MySecret"] != "secret" {
diff --git a/vault/logical_passthrough.go b/vault/logical_passthrough.go
index dfe13b219f..5ab91b282e 100644
--- a/vault/logical_passthrough.go
+++ b/vault/logical_passthrough.go
@@ -93,21 +93,15 @@ func (b *PassthroughBackend) handleRead(
 resp := b.Secret("generic").Response(rawData, nil)
 resp.Secret.Renewable = false
 
- // Check if there is a lease key
- leaseVal, ok := rawData["lease"].(string)
- if ok {
- leaseDuration, err := time.ParseDuration(leaseVal)
- if err == nil {
- resp.Secret.Renewable = true
- resp.Secret.Lease = leaseDuration
- resp.Secret.TTL = leaseDuration
- }
+ // Check if there is a ttl key
+ var ttl string
+ ttl, _ = rawData["lease"].(string)
+ if len(ttl) == 0 {
+ ttl, _ = rawData["ttl"].(string)
 }
 
- // Check if there is a ttl key
- ttlVal, ok := rawData["ttl"].(string)
- if ok {
- ttlDuration, err := time.ParseDuration(ttlVal)
+ if len(ttl) != 0 {
+ ttlDuration, err := time.ParseDuration(ttl)
 if err == nil {
 resp.Secret.Renewable = true
 resp.Secret.TTL = ttlDuration
diff --git a/vault/logical_passthrough_test.go b/vault/logical_passthrough_test.go
index a578563203..7c3b58dde0 100644
--- a/vault/logical_passthrough_test.go
+++ b/vault/logical_passthrough_test.go
@@ -61,7 +61,6 @@ func TestPassthroughBackend_Read_Lease(t *testing.T) {
 Secret: &logical.Secret{
 LeaseOptions: logical.LeaseOptions{
 Renewable: true,
- Lease: time.Hour,
 TTL: time.Hour,
 },
 },
diff --git a/website/source/docs/secrets/generic/index.html.md b/website/source/docs/secrets/generic/index.html.md
index cf4df6943d..704d27fd17 100644
--- a/website/source/docs/secrets/generic/index.html.md
+++ b/website/source/docs/secrets/generic/index.html.md
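Review bot: The new lookup reads `rawData["lease"]` first and only falls back to `rawData["ttl"]` when that is empty, so a secret carrying both keys lets the deprecated `lease` value silently win over `ttl`, and the comment `// Check if there is a ttl key` describes the opposite priority. Reading `ttl, _ := rawData["ttl"].(string)` first and then `if len(ttl) == 0 { ttl, _ = rawData["lease"].(string) }` makes the deprecated key a true fallback, matches the comment, and agrees with the docs change in this same commit that names `ttl` as the current parameter. Separately, `if err == nil` below still discards an unparseable duration with no signal to the caller, so a malformed `ttl` yields a non-renewable secret and no warning; if that best-effort behaviour is intended, a one-line comment on the `if` saying so would help. `handleRead` starts before and ends after this hunk.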
@@ -32,8 +32,7 @@ Also note that setting `ttl` does not actually expire the data; it is
 informational only.
 
 N.B.: Prior to version 0.3, the `ttl` parameter was called `lease`. Both will
-work for 0.3, but in 0.4 `lease` will be removed. When providing a `lease` value
-in 0.3, both `lease` and `ttl` will be returned with the same data.
+work for 0.3, but in 0.4 `lease` will be removed.
 
 As an example, we can write a new key "foo" to the generic backend mounted at
 "secret/" by default: