Change default TTL from 30 to 32 to accommodate monthly operations (#1942)

api/sys_mounts_test.go

@@ -37,13 +37,13 @@ func TestSysMountConfig(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	expectedDefaultTTL := 2592000
+	expectedDefaultTTL := 2764800
 	if mountConfig.DefaultLeaseTTL != expectedDefaultTTL {
 		t.Fatalf("Expected default lease TTL: %d, got %d",
 			expectedDefaultTTL, mountConfig.DefaultLeaseTTL)
 	}
 
-	expectedMaxTTL := 2592000
+	expectedMaxTTL := 2764800
 	if mountConfig.MaxLeaseTTL != expectedMaxTTL {
 		t.Fatalf("Expected default lease TTL: %d, got %d",
 			expectedMaxTTL, mountConfig.MaxLeaseTTL)

builtin/credential/app-id/backend_test.go

@@ -162,7 +162,7 @@ func testAccStepMapUserIdCidr(t *testing.T, cidr string) logicaltest.TestStep {
 
 func testAccLogin(t *testing.T, display string) logicaltest.TestStep {
 	checkTTL := func(resp *logical.Response) error {
-		if resp.Auth.LeaseOptions.TTL.String() != "720h0m0s" {
+		if resp.Auth.LeaseOptions.TTL.String() != "768h0m0s" {
 			return fmt.Errorf("invalid TTL")
 		}
 		return nil
@@ -186,7 +186,7 @@ func testAccLogin(t *testing.T, display string) logicaltest.TestStep {
 
 func testAccLoginAppIDInPath(t *testing.T, display string) logicaltest.TestStep {
 	checkTTL := func(resp *logical.Response) error {
-		if resp.Auth.LeaseOptions.TTL.String() != "720h0m0s" {
+		if resp.Auth.LeaseOptions.TTL.String() != "768h0m0s" {
 			return fmt.Errorf("invalid TTL")
 		}
 		return nil

builtin/credential/cert/test-fixtures/generate.txt

@@ -9,7 +9,7 @@ backend "inmem" {
 }
 disable_mlock = true
 default_lease_ttl = "700h"
-max_lease_ttl = "720h"
+max_lease_ttl = "768h"
 listener "tcp" {
   address = "127.0.0.1:8200"
   tls_cert_file = "./cacert.pem"

builtin/credential/github/backend_test.go

@@ -92,7 +92,7 @@ func testConfigWrite(t *testing.T, d map[string]interface{}) logicaltest.TestSte
 
 func TestBackend_basic(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{

builtin/credential/ldap/backend_test.go

@@ -29,7 +29,7 @@ import (
  */
 func factory(t *testing.T) logical.Backend {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{

builtin/logical/pki/backend_test.go

@@ -38,7 +38,7 @@ var (
 // Uses the RSA CA key
 func TestBackend_RSAKey(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -68,7 +68,7 @@ func TestBackend_RSAKey(t *testing.T) {
 // Uses the EC CA key
 func TestBackend_ECKey(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -96,7 +96,7 @@ func TestBackend_ECKey(t *testing.T) {
 
 func TestBackend_CSRValues(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -124,7 +124,7 @@ func TestBackend_CSRValues(t *testing.T) {
 
 func TestBackend_URLsCRUD(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -155,7 +155,7 @@ func TestBackend_URLsCRUD(t *testing.T) {
 // Uses the RSA CA key
 func TestBackend_RSARoles(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -197,7 +197,7 @@ func TestBackend_RSARoles(t *testing.T) {
 // Uses the RSA CA key
 func TestBackend_RSARoles_CSR(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -239,7 +239,7 @@ func TestBackend_RSARoles_CSR(t *testing.T) {
 // Uses the EC CA key
 func TestBackend_ECRoles(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{
@@ -281,7 +281,7 @@ func TestBackend_ECRoles(t *testing.T) {
 // Uses the EC CA key
 func TestBackend_ECRoles_CSR(t *testing.T) {
 	defaultLeaseTTLVal := time.Hour * 24
-	maxLeaseTTLVal := time.Hour * 24 * 30
+	maxLeaseTTLVal := time.Hour * 24 * 32
 	b, err := Factory(&logical.BackendConfig{
 		Logger: nil,
 		System: &logical.StaticSystemView{

command/rekey_test.go

@@ -174,7 +174,7 @@ func TestRekey_init_pgp(t *testing.T) {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	sysBackend := vault.NewSystemBackend(core, bc)

command/server/config.go

@@ -62,8 +62,8 @@ func DevConfig(ha bool) *Config {
 
 		Telemetry: &Telemetry{},
 
-		MaxLeaseTTL:     30 * 24 * time.Hour,
+		MaxLeaseTTL:     32 * 24 * time.Hour,
-		DefaultLeaseTTL: 30 * 24 * time.Hour,
+		DefaultLeaseTTL: 32 * 24 * time.Hour,
 	}
 
 	if ha {

http/logical_test.go

@@ -38,7 +38,7 @@ func TestLogical(t *testing.T) {
 	var nilWarnings interface{}
 	expected := map[string]interface{}{
 		"renewable":      false,
-		"lease_duration": json.Number(strconv.Itoa(int((30 * 24 * time.Hour) / time.Second))),
+		"lease_duration": json.Number(strconv.Itoa(int((32 * 24 * time.Hour) / time.Second))),
 		"data": map[string]interface{}{
 			"data": "bar",
 		},

vault/core_test.go

@@ -878,7 +878,7 @@ func TestCore_HandleRequest_CreateToken_Lease(t *testing.T) {
 		Path:         "auth/token/create",
 		DisplayName:  "token",
 		CreationTime: te.CreationTime,
-		TTL:          time.Hour * 24 * 30,
+		TTL:          time.Hour * 24 * 32,
 	}
 	if !reflect.DeepEqual(te, expect) {
 		t.Fatalf("Bad: %#v expect: %#v", te, expect)
@@ -923,7 +923,7 @@ func TestCore_HandleRequest_CreateToken_NoDefaultPolicy(t *testing.T) {
 		Path:         "auth/token/create",
 		DisplayName:  "token",
 		CreationTime: te.CreationTime,
-		TTL:          time.Hour * 24 * 30,
+		TTL:          time.Hour * 24 * 32,
 	}
 	if !reflect.DeepEqual(te, expect) {
 		t.Fatalf("Bad: %#v expect: %#v", te, expect)

vault/expiration.go

@@ -37,7 +37,7 @@ const (
 	minRevokeDelay = 5 * time.Second
 
 	// maxLeaseDuration is the default maximum lease duration
-	maxLeaseTTL = 30 * 24 * time.Hour
+	maxLeaseTTL = 32 * 24 * time.Hour
 
 	// defaultLeaseDuration is the default lease duration used when no lease is specified
 	defaultLeaseTTL = maxLeaseTTL

vault/logical_cubbyhole_test.go

@@ -267,7 +267,7 @@ func testCubbyholeBackend() logical.Backend {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	})
 	return b

vault/logical_passthrough_test.go

@@ -190,7 +190,7 @@ func testPassthroughBackend() logical.Backend {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	})
 	return b
@@ -201,7 +201,7 @@ func testPassthroughLeasedBackend() logical.Backend {
 		Logger: nil,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	})
 	return b

vault/logical_system_test.go

@@ -506,7 +506,7 @@ func TestSystemBackend_revokePrefixAuth(t *testing.T) {
 		Logger: core.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	b := NewSystemBackend(core, bc)
@@ -1035,7 +1035,7 @@ func testSystemBackend(t *testing.T) logical.Backend {
 		Logger: c.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	return NewSystemBackend(c, bc)
@@ -1047,7 +1047,7 @@ func testCoreSystemBackend(t *testing.T) (*Core, logical.Backend, string) {
 		Logger: c.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 	return c, NewSystemBackend(c, bc), root

vault/router_test.go

@@ -49,7 +49,7 @@ func (n *NoopBackend) SpecialPaths() *logical.Paths {
 func (n *NoopBackend) System() logical.SystemView {
 	return logical.StaticSystemView{
 		DefaultLeaseTTLVal: time.Hour * 24,
-		MaxLeaseTTLVal:     time.Hour * 24 * 30,
+		MaxLeaseTTLVal:     time.Hour * 24 * 32,
 	}
 }
 

vault/testing.go

@@ -369,7 +369,7 @@ func (n *rawHTTP) SpecialPaths() *logical.Paths {
 func (n *rawHTTP) System() logical.SystemView {
 	return logical.StaticSystemView{
 		DefaultLeaseTTLVal: time.Hour * 24,
-		MaxLeaseTTLVal:     time.Hour * 24 * 30,
+		MaxLeaseTTLVal:     time.Hour * 24 * 32,
 	}
 }
 

vault/token_store_test.go

@@ -183,7 +183,7 @@ func getBackendConfig(c *Core) *logical.BackendConfig {
 		Logger: c.logger,
 		System: logical.StaticSystemView{
 			DefaultLeaseTTLVal: time.Hour * 24,
-			MaxLeaseTTLVal:     time.Hour * 24 * 30,
+			MaxLeaseTTLVal:     time.Hour * 24 * 32,
 		},
 	}
 }

website/source/docs/auth/cert.html.md

@@ -175,7 +175,7 @@ of the header should be "X-Vault-Token" and the value should be the token.
         "certificate": "-----BEGIN CERTIFICATE-----\nMIIEtzCCA5+.......ZRtAfQ6r\nwlW975rYa1ZqEdA=\n-----END CERTIFICATE-----",
         "display_name": "test",
         "policies": "",
-        "ttl": 2592000
+        "ttl": 2764800
       },
       "warnings": null,
       "auth": null

website/source/docs/auth/token.html.md

@@ -318,7 +318,7 @@ of the header should be "X-Vault-Token" and the value should be the token.
       "lease_duration": 0,
       "data": {
         "creation_time": 1457533232,
-        "creation_ttl": 2592000,
+        "creation_ttl": 2764800,
         "display_name": "token",
         "id": "",
         "meta": null,

website/source/docs/commands/read-write.html.md

@@ -103,7 +103,7 @@ Data can be read using `vault read`. This command is very simple:
 $ vault read secret/password
 Key             Value
 lease_id        secret/password/76c844fb-aeba-a766-0a50-2b907072233a
-lease_duration  2592000
+lease_duration  2764800
 value           itsasecret
 ```
 

website/source/docs/concepts/tokens.html.md

@@ -146,7 +146,7 @@ compared to the maximum TTL. This maximum TTL value is dynamically generated
 and can change from renewal to renewal, so the value cannot be displayed when a
 token's information is looked up. It is based on a combination of factors:
 
-1. The system max TTL, which is 30 days but can be changed in Vault's
+1. The system max TTL, which is 32 days but can be changed in Vault's
    configuration file
 2. The max TTL set on a mount using [mount
    tuning](https://www.vaultproject.io/docs/http/sys-mounts.html). This value

website/source/docs/config/index.html.md

@@ -66,12 +66,12 @@ sending a SIGHUP to the server process. These are denoted below.
   (see below).
 
 * `default_lease_ttl` (optional) - Configures the default lease duration
-  for tokens and secrets. This is a string value using a suffix, e.g. "720h".
+  for tokens and secrets. This is a string value using a suffix, e.g. "768h".
-  Default value is 30 days. This value cannot be larger than `max_lease_ttl`.
+  Default value is 32 days. This value cannot be larger than `max_lease_ttl`.
 
 * `max_lease_ttl` (optional) - Configures the maximum possible
   lease duration for tokens and secrets. This is a string value using a suffix,
-  e.g. "720h". Default value is 30 days.
+  e.g. "768h". Default value is 32 days.
 
 In production it is a risk to run Vault on systems where `mlock` is
 unavailable or the setting has been disabled via the `disable_mlock`.

website/source/docs/secrets/cubbyhole/index.html.md

@@ -159,7 +159,7 @@ As expected, the value previously set is returned to us.
     "data": {
       "keys": ["foo", "foo/"]
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }

website/source/docs/secrets/generic/index.html.md

@@ -98,7 +98,7 @@ seconds (one hour) as specified.
     "data": {
       "foo": "bar"
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }
@@ -142,7 +142,7 @@ seconds (one hour) as specified.
     "data": {
       "keys": ["foo", "foo/"]
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }

website/source/docs/secrets/mssql/index.html.md

@@ -299,7 +299,7 @@ allowed to read.
     "data": {
       "keys": ["dev", "prod"]
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }

website/source/docs/secrets/mysql/index.html.md

@@ -346,7 +346,7 @@ the default on versions prior to that.
     "data": {
       "keys": ["dev", "prod"]
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }

website/source/docs/secrets/pki/index.html.md

@@ -1304,7 +1304,7 @@ subpath for interactive help output.
     "data": {
       "keys": ["dev", "prod"]
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }

website/source/docs/secrets/postgresql/index.html.md

@@ -317,7 +317,7 @@ subpath for interactive help output.
     "data": {
       "keys": ["dev", "prod"]
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }

website/source/docs/secrets/ssh/index.html.md

@@ -536,7 +536,7 @@ username@<IP of remote host>:~$
     "data": {
       "keys": ["dev", "prod"]
     },
-    "lease_duration": 2592000,
+    "lease_duration": 2764800,
     "lease_id": "",
     "renewable": false
   }
@@ -728,7 +728,7 @@ username@<IP of remote host>:~$
 {
   "lease_id": "sshs/creds/c3c2e60c-5a48-415a-9d5a-a41e0e6cdec5/3ee6ad28-383f-d482-2427-70498eba4d96",
   "renewable": false,
-  "lease_duration": 2592000,
+  "lease_duration": 2764800,
   "data": {
             "ip": "127.0.0.1",
             "key": "6d6411fd-f622-ea0a-7e2c-989a745cbbb2",

website/source/intro/getting-started/acl.html.md

@@ -80,7 +80,7 @@ $ vault token-create -policy="secret"
 Key            	Value
 token           d97ef000-48cf-45d9-1907-3ea6ce298a29
 token_accessor  71770cc5-14da-f0af-c6ce-17a0ae398d67
-token_duration  2592000
+token_duration  2764800
 token_renewable true
 token_policies  [default secret]
 

website/source/intro/getting-started/apis.html.md

@@ -189,7 +189,7 @@ This should return a response like this:
 {
   "lease_id": "secret/foo/cc529d06-36c8-be27-31f5-2390e1f6e2ae",
   "renewable": false,
-  "lease_duration": 2592000,
+  "lease_duration": 2764800,
   "data": {
     "bar": "baz"
   },

website/source/intro/getting-started/first-secret.html.md

@@ -63,7 +63,7 @@ As you might expect, secrets can be read with `vault read`:
 ```
 $ vault read secret/hello
 Key             Value
-lease_duration  2592000
+lease_duration  2764800
 excited         yes
 value           world
 ```