Merge pull request #3695 from hashicorp/creds-period-logic
jefferai authored Dec 18, 2017
2 parents 7fd6103 + 38df486 commit a572ed4
Showing 1 changed file with 30 additions and 58 deletions.
88 changes: 30 additions & 58 deletions builtin/credential/aws/path_login.go
Expand Up @@ -786,23 +786,15 @@ func (b *backend) pathLoginUpdateEc2(
resp.Auth.Metadata["nonce"] = clientNonce
}

if roleEntry.Period > time.Duration(0) {
resp.Auth.TTL = roleEntry.Period
} else {
// Cap the TTL value.
shortestTTL := b.System().DefaultLeaseTTL()
if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
shortestTTL = roleEntry.TTL
}
if shortestMaxTTL < shortestTTL {
resp.AddWarning(fmt.Sprintf("Effective ttl of %q exceeded the effective max_ttl of %q; ttl value is capped appropriately", (shortestTTL / time.Second).String(), (shortestMaxTTL / time.Second).String()))
shortestTTL = shortestMaxTTL
if roleEntry.MaxTTL > time.Duration(0) {
// Cap TTL to shortestMaxTTL
if resp.Auth.TTL > shortestMaxTTL {
resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (shortestMaxTTL / time.Second)))
resp.Auth.TTL = shortestMaxTTL
}
resp.Auth.TTL = shortestTTL
}

return resp, nil

}

// handleRoleTagLogin is used to fetch the role tag of the instance and
Expand Down Expand Up @@ -985,13 +977,12 @@ func (b *backend) pathLoginRenewIam(
}
}

// If 'Period' is set on the role, then the token should never expire.
if roleEntry.Period > time.Duration(0) {
req.Auth.TTL = roleEntry.Period
return &logical.Response{Auth: req.Auth}, nil
} else {
return framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
resp, err := framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
if err != nil {
return nil, err
}
resp.Auth.Period = roleEntry.Period
return resp, nil
}

func (b *backend) pathLoginRenewEc2(
Expand Down Expand Up @@ -1072,24 +1063,12 @@ func (b *backend) pathLoginRenewEc2(
return nil, err
}

// If 'Period' is set on the role, then the token should never expire. Role
// tag does not have a 'Period' field. So, regarless of whether the token
// was issued using a role login or a role tag login, the period set on the
// role should take effect.
if roleEntry.Period > time.Duration(0) {
req.Auth.TTL = roleEntry.Period
return &logical.Response{Auth: req.Auth}, nil
} else {
// Cap the TTL value
shortestTTL := b.System().DefaultLeaseTTL()
if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
shortestTTL = roleEntry.TTL
}
if shortestMaxTTL < shortestTTL {
shortestTTL = shortestMaxTTL
}
return framework.LeaseExtend(shortestTTL, shortestMaxTTL, b.System())(req, data)
resp, err := framework.LeaseExtend(roleEntry.TTL, shortestMaxTTL, b.System())(req, data)
if err != nil {
return nil, err
}
resp.Auth.Period = roleEntry.Period
return resp, nil
}

func (b *backend) pathLoginUpdateIam(
Expand Down Expand Up @@ -1238,7 +1217,7 @@ func (b *backend) pathLoginUpdateIam(
policies := roleEntry.Policies

inferredEntityType := ""
inferredEntityId := ""
inferredEntityID := ""
if roleEntry.InferredEntityType == ec2EntityType {
instance, err := b.validateInstance(req.Storage, entity.SessionInfo, roleEntry.InferredAWSRegion, callerID.Account)
if err != nil {
Expand All @@ -1264,7 +1243,7 @@ func (b *backend) pathLoginUpdateIam(
}

inferredEntityType = ec2EntityType
inferredEntityId = entity.SessionInfo
inferredEntityID = entity.SessionInfo
}

resp := &logical.Response{
Expand All @@ -1277,7 +1256,7 @@ func (b *backend) pathLoginUpdateIam(
"client_user_id": callerUniqueId,
"auth_type": iamAuthType,
"inferred_entity_type": inferredEntityType,
"inferred_entity_id": inferredEntityId,
"inferred_entity_id": inferredEntityID,
"inferred_aws_region": roleEntry.InferredAWSRegion,
"account_id": entity.AccountNumber,
},
Expand All @@ -1295,25 +1274,18 @@ func (b *backend) pathLoginUpdateIam(
},
}

if roleEntry.Period > time.Duration(0) {
resp.Auth.TTL = roleEntry.Period
} else {
shortestTTL := b.System().DefaultLeaseTTL()
if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
shortestTTL = roleEntry.TTL
}

maxTTL := b.System().MaxLeaseTTL()
if roleEntry.MaxTTL > time.Duration(0) && roleEntry.MaxTTL < maxTTL {
maxTTL = roleEntry.MaxTTL
if roleEntry.MaxTTL > time.Duration(0) {
// Cap maxTTL to the sysview's max TTL
maxTTL := roleEntry.MaxTTL
if maxTTL > b.System().MaxLeaseTTL() {
maxTTL = b.System().MaxLeaseTTL()
}

if shortestTTL > maxTTL {
resp.AddWarning(fmt.Sprintf("Effective TTL of %q exceeded the effective max_ttl of %q; TTL value is capped accordingly", (shortestTTL / time.Second).String(), (maxTTL / time.Second).String()))
shortestTTL = maxTTL
// Cap TTL to MaxTTL
if resp.Auth.TTL > maxTTL {
resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
resp.Auth.TTL = maxTTL
}

resp.Auth.TTL = shortestTTL
}

return resp, nil
Expand All @@ -1333,11 +1305,11 @@ func hasValuesForEc2Auth(data *framework.FieldData) (bool, bool) {

func hasValuesForIamAuth(data *framework.FieldData) (bool, bool) {
_, hasRequestMethod := data.GetOk("iam_http_request_method")
_, hasRequestUrl := data.GetOk("iam_request_url")
_, hasRequestURL := data.GetOk("iam_request_url")
_, hasRequestBody := data.GetOk("iam_request_body")
_, hasRequestHeaders := data.GetOk("iam_request_headers")
return (hasRequestMethod && hasRequestUrl && hasRequestBody && hasRequestHeaders),
(hasRequestMethod || hasRequestUrl || hasRequestBody || hasRequestHeaders)
return (hasRequestMethod && hasRequestURL && hasRequestBody && hasRequestHeaders),
(hasRequestMethod || hasRequestURL || hasRequestBody || hasRequestHeaders)
}

func parseIamArn(iamArn string) (*iamEntity, error) {
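Review bot: In the pathLoginUpdateEc2 hunk the cap `if resp.Auth.TTL > shortestMaxTTL` now runs only inside `if roleEntry.MaxTTL > time.Duration(0)`, whereas the removed code applied it whenever shortestMaxTTL was the shorter value; shortestMaxTTL is computed before this hunk, and if it can also derive from a role-tag max TTL or the system max, a role with no max_ttl of its own would skip the cap and issue a token whose resp.Auth.TTL is not bounded by those limits — worth confirming, or dropping the outer guard so the comparison alone decides (`if resp.Auth.TTL > shortestMaxTTL { … }`). The same guard shape appears in the pathLoginUpdateIam hunk at `if roleEntry.MaxTTL > time.Duration(0)`, where a role without max_ttl is never compared against b.System().MaxLeaseTTL() here, leaving that bound to whatever the caller enforces. Separately, both warning messages format `(resp.Auth.TTL / time.Second)` with `%s`: dividing a Duration by time.Second yields a Duration of that many nanoseconds, so a one-hour TTL prints as `3.6µs`; pass the durations directly, e.g. `fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, shortestMaxTTL)`. The bodies of pathLoginUpdateEc2 and pathLoginUpdateIam, including where resp.Auth.TTL and shortestMaxTTL are set, begin outside these hunks.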
