diff --git a/builtin/logical/nomad/backend.go b/builtin/logical/nomad/backend.go index 94e3f4e7de70..e346f827e9d4 100644 --- a/builtin/logical/nomad/backend.go +++ b/builtin/logical/nomad/backend.go @@ -22,6 +22,7 @@ func Backend() *backend { b.Backend = &framework.Backend{ Paths: []*framework.Path{ pathConfigAccess(), + pathConfigLease(&b), pathListRoles(&b), pathRoles(), pathToken(&b), @@ -89,3 +90,21 @@ func (b *backend) resetClient() { b.client = nil } + +// Lease returns the lease information +func (b *backend) Lease(s logical.Storage) (*configLease, error) { + entry, err := s.Get("config/lease") + if err != nil { + return nil, err + } + if entry == nil { + return nil, nil + } + + var result configLease + if err := entry.DecodeJSON(&result); err != nil { + return nil, err + } + + return &result, nil +} diff --git a/builtin/logical/nomad/path_config.go b/builtin/logical/nomad/path_config_access.go similarity index 100% rename from builtin/logical/nomad/path_config.go rename to builtin/logical/nomad/path_config_access.go diff --git a/builtin/logical/nomad/path_config_lease.go b/builtin/logical/nomad/path_config_lease.go new file mode 100644 index 000000000000..8625aa6fee4b --- /dev/null +++ b/builtin/logical/nomad/path_config_lease.go @@ -0,0 +1,83 @@ +package nomad + +import ( + "time" + + "github.com/fatih/structs" + "github.com/hashicorp/vault/logical" + "github.com/hashicorp/vault/logical/framework" +) + +func pathConfigLease(b *backend) *framework.Path { + return &framework.Path{ + Pattern: "config/lease", + Fields: map[string]*framework.FieldSchema{ + "ttl": &framework.FieldSchema{ + Type: framework.TypeDurationSecond, + Default: 0, + Description: "Duration before which the issued token needs renewal", + }, + "max_ttl": &framework.FieldSchema{ + Type: framework.TypeDurationSecond, + Default: 0, + Description: `Duration after which the issued token should not be allowed to be renewed`, + }, + }, + + Callbacks: map[logical.Operation]framework.OperationFunc{ + logical.ReadOperation: b.pathLeaseRead, + logical.UpdateOperation: b.pathLeaseUpdate, + }, + + HelpSynopsis: pathConfigLeaseHelpSyn, + HelpDescription: pathConfigLeaseHelpDesc, + } +} + +// Sets the lease configuration parameters +func (b *backend) pathLeaseUpdate(req *logical.Request, d *framework.FieldData) (*logical.Response, error) { + entry, err := logical.StorageEntryJSON("config/lease", &configLease{ + TTL: time.Second * time.Duration(d.Get("ttl").(int)), + MaxTTL: time.Second * time.Duration(d.Get("max_ttl").(int)), + }) + if err != nil { + return nil, err + } + if err := req.Storage.Put(entry); err != nil { + return nil, err + } + + return nil, nil +} + +// Returns the lease configuration parameters +func (b *backend) pathLeaseRead(req *logical.Request, data *framework.FieldData) (*logical.Response, error) { + lease, err := b.Lease(req.Storage) + if err != nil { + return nil, err + } + if lease == nil { + return nil, nil + } + + lease.TTL = lease.TTL / time.Second + lease.MaxTTL = lease.MaxTTL / time.Second + + return &logical.Response{ + Data: structs.New(lease).Map(), + }, nil +} + +// Lease configuration information for the secrets issued by this backend +type configLease struct { + TTL time.Duration `json:"ttl" structs:"ttl" mapstructure:"ttl"` + MaxTTL time.Duration `json:"max_ttl" structs:"max_ttl" mapstructure:"max_ttl"` +} + +var pathConfigLeaseHelpSyn = "Configure the lease parameters for generated tokens" + +var pathConfigLeaseHelpDesc = ` +Sets the ttl and max_ttl values for the secrets to be issued by this backend. +Both ttl and max_ttl takes in an integer number of seconds as input as well as +inputs like "1h". +` diff --git a/builtin/logical/nomad/path_roles.go b/builtin/logical/nomad/path_roles.go index 3beec71754e7..f1c183490d75 100644 --- a/builtin/logical/nomad/path_roles.go +++ b/builtin/logical/nomad/path_roles.go @@ -1,9 +1,6 @@ package nomad import ( - "fmt" - "time" - "github.com/hashicorp/vault/logical" "github.com/hashicorp/vault/logical/framework" ) @@ -45,11 +42,6 @@ or 'management'. If a 'management' token, the "policy" parameter is not required. Defaults to 'client'.`, }, - - "lease": &framework.FieldSchema{ - Type: framework.TypeString, - Description: "Lease time of the role.", - }, }, Callbacks: map[logical.Operation]framework.OperationFunc{ @@ -90,7 +82,6 @@ func pathRolesRead( // Generate the response resp := &logical.Response{ Data: map[string]interface{}{ - "lease": result.Lease.String(), "token_type": result.TokenType, "global": result.Global, }, @@ -129,19 +120,8 @@ func pathRolesWrite( } } - var lease time.Duration - leaseParam := d.Get("lease").(string) - if leaseParam != "" { - lease, err = time.ParseDuration(leaseParam) - if err != nil { - return logical.ErrorResponse(fmt.Sprintf( - "error parsing given lease of %s: %s", leaseParam, err)), nil - } - } - entry, err := logical.StorageEntryJSON("role/"+name, roleConfig{ Policy: policy, - Lease: lease, TokenType: tokenType, Global: global, }) @@ -166,8 +146,7 @@ func pathRolesDelete( } type roleConfig struct { - Policy []string `json:"policy"` - Lease time.Duration `json:"lease"` - TokenType string `json:"token_type"` - Global bool `json:"global"` + Policy []string `json:"policy"` + TokenType string `json:"token_type"` + Global bool `json:"global"` } diff --git a/builtin/logical/nomad/path_token.go b/builtin/logical/nomad/path_token.go index 28a397858e42..ac69e0d0c2c1 100644 --- a/builtin/logical/nomad/path_token.go +++ b/builtin/logical/nomad/path_token.go @@ -73,7 +73,6 @@ func (b *backend) pathTokenRead( }, map[string]interface{}{ "accessor_id": token.AccessorID, }) - s.Secret.TTL = result.Lease return s, nil } diff --git a/builtin/logical/nomad/secret_token.go b/builtin/logical/nomad/secret_token.go index 5ba048a8e50c..d3455cd68106 100644 --- a/builtin/logical/nomad/secret_token.go +++ b/builtin/logical/nomad/secret_token.go @@ -26,8 +26,15 @@ func secretToken(b *backend) *framework.Secret { func (b *backend) secretTokenRenew( req *logical.Request, d *framework.FieldData) (*logical.Response, error) { + lease, err := b.Lease(req.Storage) + if err != nil { + return nil, err + } + if lease == nil { + lease = &configLease{} + } - return framework.LeaseExtend(0, 0, b.System())(req, d) + return framework.LeaseExtend(lease.TTL, lease.MaxTTL, b.System())(req, d) } func (b *backend) secretTokenRevoke(