hashicorp · chrishoffman · May 4, 2017 · Apr 27, 2017 · Apr 27, 2017 · Apr 27, 2017
diff --git a/vault/logical_system.go b/vault/logical_system.go
@@ -63,6 +63,7 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 				"replication/reindex",
 				"rotate",
 				"config/auditing/*",
+				"lease*",
 			},
 
 			Unauthenticated: []string{
@@ -298,6 +299,42 @@ func NewSystemBackend(core *Core, config *logical.BackendConfig) (logical.Backen
 				HelpDescription: strings.TrimSpace(sysHelp["remount"][1]),
 			},
 
+			&framework.Path{
+				Pattern: "lease",
+
+				Fields: map[string]*framework.FieldSchema{
+					"lease_id": &framework.FieldSchema{
+						Type:        framework.TypeString,
+						Description: strings.TrimSpace(sysHelp["lease_id"][0]),
+					},
+				},
+
+				Callbacks: map[logical.Operation]framework.OperationFunc{
+					logical.UpdateOperation: b.handleLease,
+				},
+
+				HelpSynopsis:    strings.TrimSpace(sysHelp["lease"][0]),
+				HelpDescription: strings.TrimSpace(sysHelp["lease"][1]),
+			},
+
+			&framework.Path{
+				Pattern: "lease" + framework.OptionalParamRegex("prefix"),
+
+				Fields: map[string]*framework.FieldSchema{
+					"prefix": &framework.FieldSchema{
+						Type:        framework.TypeString,
+						Description: strings.TrimSpace(sysHelp["lease-list-prefix"][0]),
+					},
+				},
+
+				Callbacks: map[logical.Operation]framework.OperationFunc{
+					logical.ListOperation: b.handleLeaseList,
+				},
+
+				HelpSynopsis:    strings.TrimSpace(sysHelp["lease-list"][0]),
+				HelpDescription: strings.TrimSpace(sysHelp["lease-list"][1]),
+			},
+
 			&framework.Path{
 				Pattern: "renew" + framework.OptionalParamRegex("url_lease_id"),
 
@@ -1270,6 +1307,66 @@ func (b *SystemBackend) handleTuneWriteCommon(
 	return nil, nil
 }
 
+// handleLeasse is use to view the metadata for a given LeaseID
+func (b *SystemBackend) handleLease(
+	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	leaseID := data.Get("lease_id").(string)
+
+	leaseTimes, err := b.Core.expiration.FetchLeaseTimes(leaseID)
+	if err != nil {
+		b.Backend.Logger().Error("sys: error retrieving lease", "lease_id", leaseID, "error", err)
+		return handleError(err)
+	}
+	if leaseTimes == nil {
+		return logical.ErrorResponse("invalid lease"), logical.ErrInvalidRequest
+	}
+
+	resp := &logical.Response{
+		Data: map[string]interface{}{
+			"lease_id":          leaseID,
+			"issue_time":        leaseTimes.IssueTime,
+			"expire_time":       nil,
+			"last_renewal_time": nil,
+		},
+	}
+	if !leaseTimes.LastRenewalTime.IsZero() {
+		resp.Data["last_renewal_time"] = leaseTimes.LastRenewalTime
+	}
+	if !leaseTimes.ExpireTime.IsZero() {
+		resp.Data["expire_time"] = leaseTimes.ExpireTime
+	}
+	if leaseTimes.Auth != nil {
+		resp.Data["renewable"] = leaseTimes.Auth.Renewable
+		resp.Data["ttl"] = leaseTimes.Auth.TTL
+	}
+	if leaseTimes.Secret != nil {
+		resp.Data["renewable"] = leaseTimes.Secret.Renewable
+		resp.Data["ttl"] = leaseTimes.Secret.TTL
+	}
+
+	return resp, nil
+}
+
+func (b *SystemBackend) handleLeaseList(
+	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
+	prefix := data.Get("prefix").(string)
+	if !strings.HasSuffix(prefix, "/") {
+		prefix = prefix + "/"
+	}
+
+	keys, err := b.Core.expiration.idView.List(prefix)
+	if err != nil {
+		b.Backend.Logger().Error("sys: error listing leases", "prefix", prefix, "error", err)
+		return handleError(err)
+	}
+
+	return &logical.Response{
+		Data: map[string]interface{}{
+			"keys": keys,
+		},
+	}, nil
+}
+
 // handleRenew is used to renew a lease with a given LeaseID
 func (b *SystemBackend) handleRenew(
 	req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@@ -2414,4 +2511,19 @@ This path responds to the following HTTP methods.
 		"Lists the headers configured to be audited.",
 		`Returns a list of headers that have been configured to be audited.`,
 	},
+
+	"lease": {
+		``,
+		``,
+	},
+
+	"lease-list": {
+		``,
+		``,
+	},
+
+	"lease-list-prefix": {
+		`The path to list leases under. Example: "prod/aws/ops"`,
+		`Returns a list of lease ids.`,
+	},
 }
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
@@ -3,6 +3,7 @@ package vault
 import (
 	"crypto/sha256"
 	"reflect"
+	"sort"
 	"strings"
 	"testing"
 	"time"
@@ -11,6 +12,7 @@ import (
 	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/helper/salt"
 	"github.com/hashicorp/vault/logical"
+	"github.com/mitchellh/mapstructure"
 )
 
 func TestSystemBackend_RootPaths(t *testing.T) {
@@ -315,6 +317,179 @@ func TestSystemBackend_remount_system(t *testing.T) {
 	}
 }
 
+func TestSystemBackend_lease(t *testing.T) {
+	core, b, root := testCoreSystemBackend(t)
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	resp, err = core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read lease
+	req = logical.TestRequest(t, logical.UpdateOperation, "lease")
+	req.Data["lease_id"] = resp.Secret.LeaseID
+	resp, err = b.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp.Data["renewable"] == nil || resp.Data["renewable"].(bool) {
+		t.Fatal("generic leases are not renewable")
+	}
+
+	// Invalid lease
+	req = logical.TestRequest(t, logical.UpdateOperation, "lease")
+	req.Data["lease_id"] = "invalid"
+	resp, err = b.HandleRequest(req)
+	if err != logical.ErrInvalidRequest {
+		t.Fatalf("expected invalid request, got err: %v", err)
+	}
+}
+
+func TestSystemBackend_lease_list(t *testing.T) {
+	core, b, root := testCoreSystemBackend(t)
+
+	// Create a key with a lease
+	req := logical.TestRequest(t, logical.UpdateOperation, "secret/foo")
+	req.Data["foo"] = "bar"
+	req.ClientToken = root
+	resp, err := core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	resp, err = core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// List lease
+	req = logical.TestRequest(t, logical.ListOperation, "lease/secret/foo")
+	resp, err = b.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	var keys []string
+	if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(keys) != 1 {
+		t.Fatalf("Expected 1 secret lease, got %d: %#v", len(keys), keys)
+	}
+
+	// Generate multiple leases
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	resp, err = core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/foo")
+	req.ClientToken = root
+	resp, err = core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ListOperation, "lease/secret/foo")
+	resp, err = b.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	if err := mapstructure.WeakDecode(resp.Data["keys"], &keys); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(keys) != 3 {
+		t.Fatalf("Expected 3 secret lease, got %d: %#v", len(keys), keys)
+	}
+
+	// Listing subkeys
+	req = logical.TestRequest(t, logical.UpdateOperation, "secret/bar")
+	req.Data["foo"] = "bar"
+	req.ClientToken = root
+	resp, err = core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp != nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	// Read a key with a LeaseID
+	req = logical.TestRequest(t, logical.ReadOperation, "secret/bar")
+	req.ClientToken = root
+	resp, err = core.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Secret == nil || resp.Secret.LeaseID == "" {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	req = logical.TestRequest(t, logical.ListOperation, "lease/secret")
+	resp, err = b.HandleRequest(req)
+	if err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if resp == nil || resp.Data == nil {
+		t.Fatalf("bad: %#v", resp)
+	}
+
+	var keys2 []string
+	if err := mapstructure.WeakDecode(resp.Data["keys"], &keys2); err != nil {
+		t.Fatalf("err: %v", err)
+	}
+	if len(keys2) != 2 {
+		t.Fatalf("Expected 2 secret lease, got %d: %#v", len(keys), keys)
+	}
+	expected := []string{"bar/", "foo/"}
+	sort.Strings(keys2)
+	if !reflect.DeepEqual(expected, keys2) {
+		t.Fatalf("exp: %#v, act: %#v", expected, keys2)
+	}
+}
+
 func TestSystemBackend_renew(t *testing.T) {
 	core, b, root := testCoreSystemBackend(t)