Add the ability to view and list of leases metadata

vault/expiration.go

@@ -395,7 +395,7 @@ func (m *ExpirationManager) Renew(leaseID string, increment time.Duration) (*log
 	}
 
 	// Check if the lease is renewable
-	if err := le.renewable(); err != nil {
+	if err := le.renewableErr(); err != nil {
 		return nil, err
 	}
 
@@ -450,7 +450,7 @@ func (m *ExpirationManager) RenewToken(req *logical.Request, source string, toke
 
 	// Check if the lease is renewable. Note that this also checks for a nil
 	// lease and errors in that case as well.
-	if err := le.renewable(); err != nil {
+	if err := le.renewableErr(); err != nil {
 		return logical.ErrorResponse(err.Error()), logical.ErrInvalidRequest
 	}
 
@@ -841,11 +841,18 @@ type leaseEntry struct {
 }
 
 // encode is used to JSON encode the lease entry
-func (l *leaseEntry) encode() ([]byte, error) {
-	return json.Marshal(l)
+func (le *leaseEntry) encode() ([]byte, error) {
+	return json.Marshal(le)
 }
 
-func (le *leaseEntry) renewable() error {
+func (le *leaseEntry) renewable() bool {
+	if err := le.renewableErr(); err == nil {
+		return true
+	}
+	return false
+}
+
+func (le *leaseEntry) renewableErr() error {
 	// If there is no entry, cannot review
 	if le == nil || le.ExpireTime.IsZero() {
 		return fmt.Errorf("lease not found or lease is not renewable")
@@ -866,6 +873,10 @@ func (le *leaseEntry) renewable() error {
 	return nil
 }
 
+func (le *leaseEntry) ttl() int64 {
+	return int64(le.ExpireTime.Sub(time.Now().Round(time.Second)).Seconds())
+}
+
 // decodeLeaseEntry is used to reverse encode and return a new entry
 func decodeLeaseEntry(buf []byte) (*leaseEntry, error) {
 	out := new(leaseEntry)

vault/logical_system.go

@@ -55,14 +55,16 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 			Root: []string{
 				"auth/*",
 				"remount",
-				"revoke-prefix/*",
 				"audit",
 				"audit/*",
 				"raw/*",
 				"replication/primary/secondary-token",
 				"replication/reindex",
 				"rotate",
 				"config/auditing/*",
+				"lease/lookup*",
+				"lease/revoke-prefix/*",
+				"revoke-prefix/*",
 			},
 
 			Unauthenticated: []string{
@@ -299,7 +301,30 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 			},
 
 			&framework.Path{
-				Pattern: "renew" + framework.OptionalParamRegex("url_lease_id"),
+				Pattern: "lease/lookup" + framework.OptionalParamRegex("prefix"),
+
+				Fields: map[string]*framework.FieldSchema{
+					"lease_id": &framework.FieldSchema{
+						Type:        framework.TypeString,
+						Description: strings.TrimSpace(sysHelp["lease_id"][0]),
+					},
+					"prefix": &framework.FieldSchema{
+						Type:        framework.TypeString,
+						Description: strings.TrimSpace(sysHelp["lease-list-prefix"][0]),
+					},
+				},
+
+				Callbacks: map[logical.Operation]framework.OperationFunc{
+					logical.UpdateOperation: b.handleLeaseLookup,
+					logical.ListOperation:   b.handleLeaseLookupList,
+				},
+
+				HelpSynopsis:    strings.TrimSpace(sysHelp["lease"][0]),
+				HelpDescription: strings.TrimSpace(sysHelp["lease"][1]),
+			},
+
+			&framework.Path{
+				Pattern: "(lease/)?renew" + framework.OptionalParamRegex("url_lease_id"),
 
 				Fields: map[string]*framework.FieldSchema{
 					"url_lease_id": &framework.FieldSchema{
@@ -325,7 +350,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 			},
 
 			&framework.Path{
-				Pattern: "revoke" + framework.OptionalParamRegex("url_lease_id"),
+				Pattern: "(lease/)?revoke" + framework.OptionalParamRegex("url_lease_id"),
 
 				Fields: map[string]*framework.FieldSchema{
 					"url_lease_id": &framework.FieldSchema{
@@ -347,7 +372,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 			},
 
 			&framework.Path{
-				Pattern: "revoke-force/(?P<prefix>.+)",
+				Pattern: "(lease/)?revoke-force/(?P<prefix>.+)",
 
 				Fields: map[string]*framework.FieldSchema{
 					"prefix": &framework.FieldSchema{
@@ -365,7 +390,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 			},
 
 			&framework.Path{
-				Pattern: "revoke-prefix/(?P<prefix>.+)",
+				Pattern: "(lease/)?revoke-prefix/(?P<prefix>.+)",
 
 				Fields: map[string]*framework.FieldSchema{
 					"prefix": &framework.FieldSchema{
@@ -686,6 +711,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 				HelpSynopsis:    strings.TrimSpace(sysHelp["audited-headers-name"][0]),
 				HelpDescription: strings.TrimSpace(sysHelp["audited-headers-name"][1]),
 			},
+
 			&framework.Path{
 				Pattern: "config/auditing/request-headers$",
 
@@ -1274,6 +1300,56 @@ func (b *SystemBackend) handleTuneWriteCommon(
 	return nil, nil
 }
 
+// handleLeasse is use to view the metadata for a given LeaseID
+func (b *SystemBackend) handleLeaseLookup(
+	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	leaseID := data.Get("lease_id").(string)
+	if leaseID == "" {
+		return logical.ErrorResponse("lease_id must be specified"),
+			logical.ErrInvalidRequest
+	}
+
+	leaseTimes, err := b.Core.expiration.FetchLeaseTimes(leaseID)
+	if err != nil {
+		b.Backend.Logger().Error("sys: error retrieving lease", "lease_id", leaseID, "error", err)
+		return handleError(err)
+	}
+	if leaseTimes == nil {
+		return logical.ErrorResponse("invalid lease"), logical.ErrInvalidRequest
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"id":            leaseID,
+			"creation_time": leaseTimes.IssueTime,
+			"renewable":     leaseTimes.renewable(),
+		},
+	}
+	if !leaseTimes.LastRenewalTime.IsZero() {
+		resp.Data["last_renewal_time"] = leaseTimes.LastRenewalTime
+	}
+	if !leaseTimes.ExpireTime.IsZero() {
+		resp.Data["expire_time"] = leaseTimes.ExpireTime
+		resp.Data["ttl"] = leaseTimes.ttl()
+	}
+	return resp, nil
+}
+
+func (b *SystemBackend) handleLeaseLookupList(
+	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	prefix := data.Get("prefix").(string)
+	if !strings.HasSuffix(prefix, "/") {
+		prefix = prefix + "/"
+	}
+
+	keys, err := b.Core.expiration.idView.List(prefix)
+	if err != nil {
+		b.Backend.Logger().Error("sys: error listing leases", "prefix", prefix, "error", err)
+		return handleError(err)
+	}
+	return logical.ListResponse(keys), nil
+}
+
 // handleRenew is used to renew a lease with a given LeaseID
 func (b *SystemBackend) handleRenew(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@@ -2429,4 +2505,19 @@ This path responds to the following HTTP methods.
 		"Lists the headers configured to be audited.",
 		`Returns a list of headers that have been configured to be audited.`,
 	},
+
+	"lease": {
+		``,
+		``,
+	},
+
+	"lease-list": {
+		``,
+		``,
+	},
+
+	"lease-list-prefix": {
+		`The path to list leases under. Example: "prod/aws/ops"`,
+		`Returns a list of lease ids.`,
+	},
 }