Refactored Lease into the Backend configuration

builtin/logical/nomad/backend.go

@@ -22,6 +22,7 @@ func Backend() *backend {
 	b.Backend = &framework.Backend{
 		Paths: []*framework.Path{
 			pathConfigAccess(),
+			pathConfigLease(&b),
 			pathListRoles(&b),
 			pathRoles(),
 			pathToken(&b),
@@ -89,3 +90,21 @@ func (b *backend) resetClient() {
 
 	b.client = nil
 }
+
+// Lease returns the lease information
+func (b *backend) Lease(s logical.Storage) (*configLease, error) {
+	entry, err := s.Get("config/lease")
+	if err != nil {
+		return nil, err
+	}
+	if entry == nil {
+		return nil, nil
+	}
+
+	var result configLease
+	if err := entry.DecodeJSON(&result); err != nil {
+		return nil, err
+	}
+
+	return &result, nil
+}

builtin/logical/nomad/path_config_lease.go

@@ -0,0 +1,83 @@
+package nomad
+
+import (
+	"time"
+
+	"github.com/fatih/structs"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/logical/framework"
+)
+
+func pathConfigLease(b *backend) *framework.Path {
+	return &framework.Path{
+		Pattern: "config/lease",
+		Fields: map[string]*framework.FieldSchema{
+			"ttl": &framework.FieldSchema{
+				Type:        framework.TypeDurationSecond,
+				Default:     0,
+				Description: "Duration before which the issued token needs renewal",
+			},
+			"max_ttl": &framework.FieldSchema{
+				Type:        framework.TypeDurationSecond,
+				Default:     0,
+				Description: `Duration after which the issued token should not be allowed to be renewed`,
+			},
+		},
+
+		Callbacks: map[logical.Operation]framework.OperationFunc{
+			logical.ReadOperation:   b.pathLeaseRead,
+			logical.UpdateOperation: b.pathLeaseUpdate,
+		},
+
+		HelpSynopsis:    pathConfigLeaseHelpSyn,
+		HelpDescription: pathConfigLeaseHelpDesc,
+	}
+}
+
+// Sets the lease configuration parameters
+func (b *backend) pathLeaseUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	entry, err := logical.StorageEntryJSON("config/lease", &configLease{
+		TTL:    time.Second * time.Duration(d.Get("ttl").(int)),
+		MaxTTL: time.Second * time.Duration(d.Get("max_ttl").(int)),
+	})
+	if err != nil {
+		return nil, err
+	}
+	if err := req.Storage.Put(entry); err != nil {
+		return nil, err
+	}
+
+	return nil, nil
+}
+
+// Returns the lease configuration parameters
+func (b *backend) pathLeaseRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	lease, err := b.Lease(req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	if lease == nil {
+		return nil, nil
+	}
+
+	lease.TTL = lease.TTL / time.Second
+	lease.MaxTTL = lease.MaxTTL / time.Second
+
+	return &logical.Response{
+		Data: structs.New(lease).Map(),
+	}, nil
+}
+
+// Lease configuration information for the secrets issued by this backend
+type configLease struct {
+	TTL    time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl"`
+	MaxTTL time.Duration `json:"max_ttl" structs:"max_ttl" mapstructure:"max_ttl"`
+}
+
+var pathConfigLeaseHelpSyn = "Configure the lease parameters for generated tokens"
+
+var pathConfigLeaseHelpDesc = `
+Sets the ttl and max_ttl values for the secrets to be issued by this backend.
+Both ttl and max_ttl takes in an integer number of seconds as input as well as
+inputs like "1h".
+`

builtin/logical/nomad/path_roles.go

@@ -1,9 +1,6 @@
 package nomad
 
 import (
-	"fmt"
-	"time"
-
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -45,11 +42,6 @@ or 'management'. If a 'management' token,
 the "policy" parameter is not required.
 Defaults to 'client'.`,
 			},
-
-			"lease": &framework.FieldSchema{
-				Type:        framework.TypeString,
-				Description: "Lease time of the role.",
-			},
 		},
 
 		Callbacks: map[logical.Operation]framework.OperationFunc{
@@ -90,7 +82,6 @@ func pathRolesRead(
 	// Generate the response
 	resp := &logical.Response{
 		Data: map[string]interface{}{
-			"lease":      result.Lease.String(),
 			"token_type": result.TokenType,
 			"global":     result.Global,
 		},
@@ -129,19 +120,8 @@ func pathRolesWrite(
 		}
 	}
 
-	var lease time.Duration
-	leaseParam := d.Get("lease").(string)
-	if leaseParam != "" {
-		lease, err = time.ParseDuration(leaseParam)
-		if err != nil {
-			return logical.ErrorResponse(fmt.Sprintf(
-				"error parsing given lease of %s: %s", leaseParam, err)), nil
-		}
-	}
-
 	entry, err := logical.StorageEntryJSON("role/"+name, roleConfig{
 		Policy:    policy,
-		Lease:     lease,
 		TokenType: tokenType,
 		Global:    global,
 	})
@@ -166,8 +146,7 @@ func pathRolesDelete(
 }
 
 type roleConfig struct {
-	Policy    []string      `json:"policy"`
-	Lease     time.Duration `json:"lease"`
-	TokenType string        `json:"token_type"`
-	Global    bool          `json:"global"`
+	Policy    []string `json:"policy"`
+	TokenType string   `json:"token_type"`
+	Global    bool     `json:"global"`
 }

builtin/logical/nomad/path_token.go

@@ -73,7 +73,6 @@ func (b *backend) pathTokenRead(
 	}, map[string]interface{}{
 		"accessor_id": token.AccessorID,
 	})
-	s.Secret.TTL = result.Lease
 
 	return s, nil
 }

builtin/logical/nomad/secret_token.go

@@ -26,8 +26,15 @@ func secretToken(b *backend) *framework.Secret {
 
 func (b *backend) secretTokenRenew(
 	req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	lease, err := b.Lease(req.Storage)
+	if err != nil {
+		return nil, err
+	}
+	if lease == nil {
+		lease = &configLease{}
+	}
 
-	return framework.LeaseExtend(0, 0, b.System())(req, d)
+	return framework.LeaseExtend(lease.TTL, lease.MaxTTL, b.System())(req, d)
 }
 
 func (b *backend) secretTokenRevoke(