Skip to content

Commit

Permalink
Fix max_ttl not being honored in database backend when default_ttl is…
Browse files Browse the repository at this point in the history
… zero (#3814)

Fixes #3812
  • Loading branch information
jefferai authored Jan 18, 2018
1 parent b907a2e commit 69eca11
Show file tree
Hide file tree
Showing 7 changed files with 112 additions and 11 deletions.
74 changes: 71 additions & 3 deletions builtin/logical/database/backend_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"reflect"
"sync"
"testing"
"time"

"github.com/hashicorp/vault/builtin/logical/database/dbplugin"
"github.com/hashicorp/vault/helper/pluginutil"
Expand Down Expand Up @@ -270,7 +271,6 @@ func TestBackend_basic(t *testing.T) {
data = map[string]interface{}{
"db_name": "plugin-test",
"creation_statements": testRole,
"default_ttl": "5m",
"max_ttl": "10m",
}
req = &logical.Request{
Expand All @@ -283,7 +283,6 @@ func TestBackend_basic(t *testing.T) {
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, resp)
}

// Get creds
data = map[string]interface{}{}
req = &logical.Request{
Expand All @@ -296,7 +295,76 @@ func TestBackend_basic(t *testing.T) {
if err != nil || (credsResp != nil && credsResp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, credsResp)
}

// Test for #3812
if credsResp.Secret.TTL != 10*time.Minute {
t.Fatalf("unexpected TTL of %d", credsResp.Secret.TTL)
}
// Update the role with no max ttl
data = map[string]interface{}{
"db_name": "plugin-test",
"creation_statements": testRole,
"default_ttl": "5m",
"max_ttl": 0,
}
req = &logical.Request{
Operation: logical.UpdateOperation,
Path: "roles/plugin-role-test",
Storage: config.StorageView,
Data: data,
}
resp, err = b.HandleRequest(context.Background(), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, resp)
}
// Get creds
data = map[string]interface{}{}
req = &logical.Request{
Operation: logical.ReadOperation,
Path: "creds/plugin-role-test",
Storage: config.StorageView,
Data: data,
}
credsResp, err = b.HandleRequest(context.Background(), req)
if err != nil || (credsResp != nil && credsResp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, credsResp)
}
// Test for #3812
if credsResp.Secret.TTL != 5*time.Minute {
t.Fatalf("unexpected TTL of %d", credsResp.Secret.TTL)
}
// Update the role with a max ttl
data = map[string]interface{}{
"db_name": "plugin-test",
"creation_statements": testRole,
"default_ttl": "5m",
"max_ttl": "10m",
}
req = &logical.Request{
Operation: logical.UpdateOperation,
Path: "roles/plugin-role-test",
Storage: config.StorageView,
Data: data,
}
resp, err = b.HandleRequest(context.Background(), req)
if err != nil || (resp != nil && resp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, resp)
}
// Get creds
data = map[string]interface{}{}
req = &logical.Request{
Operation: logical.ReadOperation,
Path: "creds/plugin-role-test",
Storage: config.StorageView,
Data: data,
}
credsResp, err = b.HandleRequest(context.Background(), req)
if err != nil || (credsResp != nil && credsResp.IsError()) {
t.Fatalf("err:%s resp:%#v\n", err, credsResp)
}
// Test for #3812
if credsResp.Secret.TTL != 5*time.Minute {
t.Fatalf("unexpected TTL of %d", credsResp.Secret.TTL)
}
if !testCredsExist(t, credsResp, connURL) {
t.Fatalf("Creds should exist")
}
Expand Down
9 changes: 7 additions & 2 deletions builtin/logical/database/path_creds_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,12 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
}
}

expiration := time.Now().Add(role.DefaultTTL)
ttl := role.DefaultTTL
if ttl == 0 || (role.MaxTTL > 0 && ttl > role.MaxTTL) {
ttl = role.MaxTTL
}

expiration := time.Now().Add(ttl)

usernameConfig := dbplugin.UsernameConfig{
DisplayName: req.DisplayName,
Expand All @@ -96,7 +101,7 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
"username": username,
"role": name,
})
resp.Secret.TTL = role.DefaultTTL
resp.Secret.TTL = ttl

unlockFunc()
return resp, nil
Expand Down
8 changes: 7 additions & 1 deletion builtin/logical/mongodb/path_creds_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,13 @@ func (b *backend) pathCredsCreateRead(ctx context.Context, req *logical.Request,
"username": username,
"db": role.DB,
})
resp.Secret.TTL = leaseConfig.TTL

ttl := leaseConfig.TTL
if ttl == 0 || (leaseConfig.MaxTTL > 0 && ttl > leaseConfig.MaxTTL) {
ttl = leaseConfig.MaxTTL
}
resp.Secret.TTL = ttl

return resp, nil
}

Expand Down
8 changes: 7 additions & 1 deletion builtin/logical/mssql/path_creds_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,13 @@ func (b *backend) pathCredsCreateRead(ctx context.Context, req *logical.Request,
}, map[string]interface{}{
"username": username,
})
resp.Secret.TTL = leaseConfig.TTL

ttl := leaseConfig.TTL
if ttl == 0 || (leaseConfig.TTLMax > 0 && ttl > leaseConfig.TTLMax) {
ttl = leaseConfig.TTLMax
}
resp.Secret.TTL = ttl

return resp, nil
}

Expand Down
8 changes: 7 additions & 1 deletion builtin/logical/mysql/path_role_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -129,7 +129,13 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
"username": username,
"role": name,
})
resp.Secret.TTL = lease.Lease

ttl := lease.Lease
if ttl == 0 || (lease.LeaseMax > 0 && ttl > lease.LeaseMax) {
ttl = lease.LeaseMax
}
resp.Secret.TTL = ttl

return resp, nil
}

Expand Down
9 changes: 7 additions & 2 deletions builtin/logical/postgresql/path_role_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,11 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
}
}

ttl := lease.Lease
if ttl == 0 || (lease.LeaseMax > 0 && ttl > lease.LeaseMax) {
ttl = lease.LeaseMax
}

// Generate the username, password and expiration. PG limits user to 63 characters
displayName := req.DisplayName
if len(displayName) > 26 {
Expand All @@ -81,7 +86,7 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
return nil, err
}
expiration := time.Now().
Add(lease.Lease).
Add(ttl).
Format("2006-01-02 15:04:05-0700")

// Get our handle
Expand Down Expand Up @@ -142,7 +147,7 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
"username": username,
"role": name,
})
resp.Secret.TTL = lease.Lease
resp.Secret.TTL = ttl
return resp, nil
}

Expand Down
7 changes: 6 additions & 1 deletion builtin/logical/rabbitmq/path_role_create.go
Original file line number Diff line number Diff line change
Expand Up @@ -103,8 +103,13 @@ func (b *backend) pathCredsRead(ctx context.Context, req *logical.Request, d *fr
if err != nil {
return nil, err
}

if lease != nil {
resp.Secret.TTL = lease.TTL
ttl := lease.TTL
if ttl == 0 || (lease.MaxTTL > 0 && ttl > lease.MaxTTL) {
ttl = lease.MaxTTL
}
resp.Secret.TTL = ttl
}

return resp, nil
Expand Down

0 comments on commit 69eca11

Please sign in to comment.