diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index 30c69047edf2..578575ca3a7c 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -786,23 +786,15 @@ func (b *backend) pathLoginUpdateEc2(
 		resp.Auth.Metadata["nonce"] = clientNonce
 	}
 
-	if roleEntry.Period > time.Duration(0) {
-		resp.Auth.TTL = roleEntry.Period
-	} else {
-		// Cap the TTL value.
-		shortestTTL := b.System().DefaultLeaseTTL()
-		if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
-			shortestTTL = roleEntry.TTL
-		}
-		if shortestMaxTTL < shortestTTL {
-			resp.AddWarning(fmt.Sprintf("Effective ttl of %q exceeded the effective max_ttl of %q; ttl value is capped appropriately", (shortestTTL / time.Second).String(), (shortestMaxTTL / time.Second).String()))
-			shortestTTL = shortestMaxTTL
+	if roleEntry.MaxTTL > time.Duration(0) {
+		// Cap TTL to shortestMaxTTL
+		if resp.Auth.TTL > shortestMaxTTL {
+			resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (shortestMaxTTL / time.Second)))
+			resp.Auth.TTL = shortestMaxTTL
 		}
-		resp.Auth.TTL = shortestTTL
 	}
 
 	return resp, nil
-
 }
 
 // handleRoleTagLogin is used to fetch the role tag of the instance and
@@ -985,13 +977,12 @@ func (b *backend) pathLoginRenewIam(
 		}
 	}
 
-	// If 'Period' is set on the role, then the token should never expire.
-	if roleEntry.Period > time.Duration(0) {
-		req.Auth.TTL = roleEntry.Period
-		return &logical.Response{Auth: req.Auth}, nil
-	} else {
-		return framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+	resp, err := framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+	if err != nil {
+		return nil, err
 	}
+	resp.Auth.Period = roleEntry.Period
+	return resp, nil
 }
 
 func (b *backend) pathLoginRenewEc2(
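Review bot: The warning emitted in the new `if resp.Auth.TTL > shortestMaxTTL` branch prints misleading values: `resp.Auth.TTL / time.Second` is still a `time.Duration` whose integer value is now the number of seconds but is interpreted as nanoseconds, so `%s` renders a one-hour TTL as `3.6µs`. The removed code had the same quirk through `.String()`, and the pathLoginUpdateIam hunk further down repeats the construction; formatting the second counts as integers fixes both, e.g. `resp.AddWarning(fmt.Sprintf("Effective TTL of '%d' exceeded the effective max_ttl of '%d'; TTL value is capped accordingly", int64(resp.Auth.TTL/time.Second), int64(shortestMaxTTL/time.Second)))`. Separately, the cap now runs only when `roleEntry.MaxTTL > 0`, whereas the removed code compared against shortestMaxTTL unconditionally; if shortestMaxTTL (computed before this hunk) can be lowered by something other than the role's max_ttl, that case is no longer capped at this layer and is worth confirming. pathLoginUpdateEc2 begins before this hunk.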
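Review bot: `resp.Auth.Period = roleEntry.Period` dereferences `resp.Auth` with no check, which is only safe if `framework.LeaseExtend` never returns a response carrying a nil Auth together with a nil error, something this hunk cannot show. A guard such as `if resp == nil || resp.Auth == nil { return resp, nil }` placed before the assignment makes that assumption explicit, and the same shape recurs in pathLoginRenewEc2 in the next hunk. The removed comment stating that a role Period means the token should never expire disappears with the branch; a one-liner above the assignment such as `// Propagate the role's Period on the Auth; when set, the token should never expire regardless of TTL` would keep that intent visible to the next reader. pathLoginRenewIam begins before this hunk.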
@@ -1072,24 +1063,12 @@ func (b *backend) pathLoginRenewEc2(
 		return nil, err
 	}
 
-	// If 'Period' is set on the role, then the token should never expire. Role
-	// tag does not have a 'Period' field. So, regarless of whether the token
-	// was issued using a role login or a role tag login, the period set on the
-	// role should take effect.
-	if roleEntry.Period > time.Duration(0) {
-		req.Auth.TTL = roleEntry.Period
-		return &logical.Response{Auth: req.Auth}, nil
-	} else {
-		// Cap the TTL value
-		shortestTTL := b.System().DefaultLeaseTTL()
-		if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
-			shortestTTL = roleEntry.TTL
-		}
-		if shortestMaxTTL < shortestTTL {
-			shortestTTL = shortestMaxTTL
-		}
-		return framework.LeaseExtend(shortestTTL, shortestMaxTTL, b.System())(req, data)
+	resp, err := framework.LeaseExtend(roleEntry.TTL, shortestMaxTTL, b.System())(req, data)
+	if err != nil {
+		return nil, err
 	}
+	resp.Auth.Period = roleEntry.Period
+	return resp, nil
 }
 
 func (b *backend) pathLoginUpdateIam(
@@ -1238,7 +1217,7 @@ func (b *backend) pathLoginUpdateIam(
 
 	policies := roleEntry.Policies
 	inferredEntityType := ""
-	inferredEntityId := ""
+	inferredEntityID := ""
 	if roleEntry.InferredEntityType == ec2EntityType {
 		instance, err := b.validateInstance(req.Storage, entity.SessionInfo, roleEntry.InferredAWSRegion, callerID.Account)
 		if err != nil {
@@ -1264,7 +1243,7 @@ func (b *backend) pathLoginUpdateIam(
 		}
 
 		inferredEntityType = ec2EntityType
-		inferredEntityId = entity.SessionInfo
+		inferredEntityID = entity.SessionInfo
 	}
 
 	resp := &logical.Response{
@@ -1277,7 +1256,7 @@ func (b *backend) pathLoginUpdateIam(
 			"client_user_id": callerUniqueId,
 			"auth_type": iamAuthType,
 			"inferred_entity_type": inferredEntityType,
-			"inferred_entity_id": inferredEntityId,
+			"inferred_entity_id": inferredEntityID,
 			"inferred_aws_region": roleEntry.InferredAWSRegion,
 			"account_id": entity.AccountNumber,
 		},
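Review bot: The four-line comment removed here was the only place explaining that role tags carry no Period, so the role's Period governs both role logins and role-tag logins; the new `resp.Auth.Period = roleEntry.Period` relies on exactly that and now says nothing about it. A short replacement above the assignment, `// Role tags have no Period, so the role's Period applies to role and role-tag logins alike`, preserves the rationale without the old branch. The call also now passes `roleEntry.TTL` straight to `framework.LeaseExtend` where the removed code substituted `b.System().DefaultLeaseTTL()` for a zero role TTL and lowered it to shortestMaxTTL first; whether LeaseExtend applies the same defaulting for a zero increment is outside this hunk and worth confirming so a role without a ttl does not renew to something unexpected. pathLoginRenewEc2 begins before this hunk.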
@@ -1295,25 +1274,18 @@ func (b *backend) pathLoginUpdateIam(
 		},
 	}
 
-	if roleEntry.Period > time.Duration(0) {
-		resp.Auth.TTL = roleEntry.Period
-	} else {
-		shortestTTL := b.System().DefaultLeaseTTL()
-		if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
-			shortestTTL = roleEntry.TTL
-		}
-
-		maxTTL := b.System().MaxLeaseTTL()
-		if roleEntry.MaxTTL > time.Duration(0) && roleEntry.MaxTTL < maxTTL {
-			maxTTL = roleEntry.MaxTTL
+	if roleEntry.MaxTTL > time.Duration(0) {
+		// Cap maxTTL to the sysview's max TTL
+		maxTTL := roleEntry.MaxTTL
+		if maxTTL > b.System().MaxLeaseTTL() {
+			maxTTL = b.System().MaxLeaseTTL()
 		}
 
-		if shortestTTL > maxTTL {
-			resp.AddWarning(fmt.Sprintf("Effective TTL of %q exceeded the effective max_ttl of %q; TTL value is capped accordingly", (shortestTTL / time.Second).String(), (maxTTL / time.Second).String()))
-			shortestTTL = maxTTL
+		// Cap TTL to MaxTTL
+		if resp.Auth.TTL > maxTTL {
+			resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
+			resp.Auth.TTL = maxTTL
 		}
-
-		resp.Auth.TTL = shortestTTL
 	}
 
 	return resp, nil
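Review bot: When `roleEntry.MaxTTL` is zero the whole new block is skipped, so `resp.Auth.TTL` is no longer compared against `b.System().MaxLeaseTTL()` at this layer, whereas the removed code always started from the system view's max and only lowered it by the role's value. If core enforces the system max later this only loses the warning; if it does not, a role with a ttl above the system max passes through uncapped here, which is the kind of gap that is easy to miss in review. Deriving the effective max unconditionally restores the old guarantee and also reads `b.System().MaxLeaseTTL()` once instead of twice. pathLoginUpdateIam begins before this hunk and its closing brace follows it.
```go
	// Effective max_ttl: the system view's max, lowered by the role's max_ttl when one is set.
	maxTTL := b.System().MaxLeaseTTL()
	if roleEntry.MaxTTL > time.Duration(0) && roleEntry.MaxTTL < maxTTL {
		maxTTL = roleEntry.MaxTTL
	}
	if resp.Auth.TTL > maxTTL {
		// … unchanged: warning and cap of resp.Auth.TTL to maxTTL …
	}

	return resp, nil
```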
@@ -1333,11 +1305,11 @@ func hasValuesForEc2Auth(data *framework.FieldData) (bool, bool) {
 
 func hasValuesForIamAuth(data *framework.FieldData) (bool, bool) {
 	_, hasRequestMethod := data.GetOk("iam_http_request_method")
-	_, hasRequestUrl := data.GetOk("iam_request_url")
+	_, hasRequestURL := data.GetOk("iam_request_url")
 	_, hasRequestBody := data.GetOk("iam_request_body")
 	_, hasRequestHeaders := data.GetOk("iam_request_headers")
-	return (hasRequestMethod && hasRequestUrl && hasRequestBody && hasRequestHeaders),
-		(hasRequestMethod || hasRequestUrl || hasRequestBody || hasRequestHeaders)
+	return (hasRequestMethod && hasRequestURL && hasRequestBody && hasRequestHeaders),
+		(hasRequestMethod || hasRequestURL || hasRequestBody || hasRequestHeaders)
 }
 
 func parseIamArn(iamArn string) (*iamEntity, error) {