

Truncate token store issued token periods when greater than tuned max…
… at issue time, not just renew time. (#4112)
jefferai authored Mar 9, 2018
1 parent d1c1a80 commit 1cd70cf
Showing 2 changed files with 8 additions and 2 deletions.
4 changes: 2 additions & 2 deletions vault/expiration.go
Expand Up @@ -768,14 +768,14 @@ func (m *ExpirationManager) RenewToken(req *logical.Request, source string, toke
// framework.LeaseExtend call against the request. Also, cap period value to
// the sys/mount max value.
if resp.Auth.Period > sysView.MaxLeaseTTL() {
retResp.AddWarning(fmt.Sprintf("Period of %s is greater than current mount/system default of %s, value will be truncated.", resp.Auth.TTL, sysView.MaxLeaseTTL()))
retResp.AddWarning(fmt.Sprintf("Period of %d seconds is greater than current mount/system default of %d seconds, value will be truncated.", int64(resp.Auth.TTL.Seconds()), int64(sysView.MaxLeaseTTL().Seconds())))
resp.Auth.Period = sysView.MaxLeaseTTL()
}
resp.Auth.TTL = resp.Auth.Period
case resp.Auth.TTL > time.Duration(0):
// Cap TTL value to the sys/mount max value
if resp.Auth.TTL > sysView.MaxLeaseTTL() {
retResp.AddWarning(fmt.Sprintf("TTL of %s is greater than current mount/system default of %s, value will be truncated.", resp.Auth.TTL, sysView.MaxLeaseTTL()))
retResp.AddWarning(fmt.Sprintf("TTL of %d seconds is greater than current mount/system default of %d seconds, value will be truncated.", int64(resp.Auth.TTL.Seconds()), int64(sysView.MaxLeaseTTL().Seconds())))
resp.Auth.TTL = sysView.MaxLeaseTTL()
}
}
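Review bot: The period-branch warning reports the wrong value: the condition compares `resp.Auth.Period` against the max, but the message formats `resp.Auth.TTL.Seconds()`, so an operator sees the TTL rather than the period that is actually being truncated (the TTL branch further down is correct). The new `%d seconds` formatting carries this mismatch over from the old line; change the first argument to `int64(resp.Auth.Period.Seconds())`. The same message calls the cap a "mount/system default" although the value compared is `sysView.MaxLeaseTTL()`; if the wording is revised, "max" is more accurate, and the copy of this message in the token store should be kept in step. RenewToken starts and ends outside this hunk, and the `case` line that opens the period branch is above it.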
6 changes: 6 additions & 0 deletions vault/token_store.go
Expand Up @@ -1893,6 +1893,12 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
sysView := ts.System()

if periodToUse > 0 {
// Cap period value to the sys/mount max value; this matches behavior
// in expiration manager for renewals
if periodToUse > sysView.MaxLeaseTTL() {
resp.AddWarning(fmt.Sprintf("Period of %d seconds is greater than current mount/system default of %d seconds, value will be truncated.", int64(periodToUse.Seconds()), int64(sysView.MaxLeaseTTL().Seconds())))
periodToUse = sysView.MaxLeaseTTL()
}
te.TTL = periodToUse
} else {
// Set the default lease if not provided, root tokens are exempt
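Review bot: `sysView.MaxLeaseTTL()` is evaluated twice in the new block, once for the warning and once for the assignment; hoisting it into a local, `maxTTL := sysView.MaxLeaseTTL()` followed by `if periodToUse > maxTTL {` and `periodToUse = maxTTL`, guarantees the logged and applied values are the same and reads more cleanly. The cap only rewrites the local `periodToUse` and `te.TTL`; if `te.Period` was populated from the untruncated value earlier in handleCreateCommon (not visible here), the stored period would still exceed the mount max and the truncation warning would recur on every renewal, so that should be confirmed. The warning text says "mount/system default" while the comparison is against the mount's max lease TTL; it is copied from the expiration manager message, so either keep both consistent or fix both together. handleCreateCommon starts and ends outside this hunk.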
