Check logical.ListResponse, which does this for you!

Magic :).

Can we have a check for leaseID == "" here?

Will do.

Is there a reason for setting these 2 fields explicitly to nil?

This was really just to serialize to null in the serializer. I guess omitting would probably be fine.

Generic secret backend does not attach a lease to secrets. I'm not sure if this test would work.

It does and I was surprised too and this how all the renew and revoke functions are written. I think it might be something in the test harness. Otherwise it isn't straightforward creating a non-token lease without some backing dynamic backend. Maybe pki with generate_lease set true.

When we removed leases from the generic backend in the normal case we still kept the ability to have it issue leases specifically to make testing easier!

Same with this test as well.

Should this be Read operation?

Since lease_id is sensitive, we determined it made sense to pass lease_id as a parameter with an update operation. This is currently the preferred method to use in /sys/renew and /sys/revoke.

Instead of making this optional what if the two framework.Paths were merged with both a read op and a list op?

My only concern here was some arbitrary path would not be an "unsupported operation" on update operations because of the optional prefix.

Can you add a check to make sure prefix is not ""

Empty prefix is valid and will list the top level keys.

Also you'll need to update the root paths test after changing this list

Thanks for the head up. I wasn't aware of that test.

Before this change, I think the prefix parameter was mandatory and would always be set. If it was not supplied, parsing the path pattern would error out. Now that it is an optional param, missing prefix I think will not error out. We might want to check explicitly that the required parameters (but optionally set in the URL) are in fact set. This comment applies to all the similar changes below.

You are right. I got a little ambitious in my refactoring. I'll revert out these changes.

Can we also add revoke-force/* and lease/revoke-force/* to this list?

It is probably the right thing to do but this would be a change in behavior. I just want to make sure that what we want to do. I will note it in the changelog if we decide to go that route.

If revoke-prefix is a privileged operation, revoke-force must be I suppose. If we decide to do this, we should document it in CL as you said, in the docs and as a breaking behavior in the upgrade notes.

Generally we reserve root paths for functions that can be super destructive or super sensitive from a security standpoint. revoke-force does fit that bill and probably should be privileged, but I wonder if we should reserve that change for 0.8; people will be more likely to expect breaking changes for that release and I don't think this is super high priority.

s/handleLeasse/handleLeaseLookup

Sorry for circling around on this. On a second thought, the idea of having fields with default values (like you were doing earlier) does seem like a sensible thing to do too. What might be of concern is that this API will not have deterministic number of response fields. That is okay I guess but I am not sure if that is a problem. Bringing this up so we can all agree on this and move forward.

Reminder to fill these out.

Can this be leases not lease? It's a collection so plural makes sense. (As opposed to a singular system like replication, e.g. if it was lease-management, but that's too wordy.)

I debated this but wanted to match the other paths that had similar functions, like token and policy. I am not strongly either way and was just trying for consistency.

The difference with policy is that it's supposed to be you acting on a single one, e.g. PUT (write) a policy, GET a policy, and so on. If there were a collection of policy-related APIs under a prefix, having that prefix be policies instead of policy would be the right move IMHO.

Also, lease lookup should definitely not be a root path.

What is the point of doing this?

I thought this was a bit confusing and was just consolidating the logic for dealing with the error, which the expiration manager uses, and returning the value of renewable.

I'm concerned about people defaulting to use this function when in fact the exact error returned can be useful, e.g. in a debugging/logs context.

This has a different type than creation_time in the token store; there, you set this to issue_time.

There's a type discrepancy with last_renewal_time too.

👍

s/handleLease/handleLeaseLookup

Can we add a comment here explaining why we are setting values to nil beforehand. This will avoid people removing it in future.

Do we want this to be a root protected path?

@briankassouf Since lease/lookup doesn't return sensitive information (e.g. the contents of internal data) and you have to know the lease ID ahead of time I don't think it needs to be root. In fact, I am actually thinking we may want to add it to the default policy. Listing on the other hand does divulge lease IDs which can be used to e.g. renew them, so that should be root protected.