From a39597ecdc23cf7fc69fe003eef9f10d533551d8 Mon Sep 17 00:00:00 2001
From: Calvin Leung Huang
Date: Tue, 8 May 2018 15:13:30 -0400
Subject: [PATCH] Return invalid lease on negative TTL
---
 vault/logical_system.go | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/vault/logical_system.go b/vault/logical_system.go
index d94533444805..f78f9a223503 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -2215,34 +2215,36 @@ func (b *SystemBackend) handleLeaseLookup(ctx context.Context, req *logical.Requ
 logical.ErrInvalidRequest
 }
- leaseTimes, err := b.Core.expiration.FetchLeaseTimes(leaseID)
+ le, err := b.Core.expiration.FetchLeaseTimes(leaseID)
 if err != nil {
 b.Backend.Logger().Error("error retrieving lease", "lease_id", leaseID, "error", err)
 return handleError(err)
 }
- if leaseTimes == nil {
+ if le == nil || le.ttl() < 0 {
 return logical.ErrorResponse("invalid lease"), logical.ErrInvalidRequest
 }
 resp := &logical.Response{
 Data: map[string]interface{}{
 "id": leaseID,
- "issue_time": leaseTimes.IssueTime,
+ "issue_time": le.IssueTime,
 "expire_time": nil,
 "last_renewal": nil,
 "ttl": int64(0),
 },
 }
- renewable, _ := leaseTimes.renewable()
+ renewable, _ := le.renewable()
 resp.Data["renewable"] = renewable
- if !leaseTimes.LastRenewalTime.IsZero() {
- resp.Data["last_renewal"] = leaseTimes.LastRenewalTime
+ if !le.LastRenewalTime.IsZero() {
+ resp.Data["last_renewal"] = le.LastRenewalTime
 }
- if !leaseTimes.ExpireTime.IsZero() {
- resp.Data["expire_time"] = leaseTimes.ExpireTime
- resp.Data["ttl"] = leaseTimes.ttl()
+ if !le.ExpireTime.IsZero() {
+ resp.Data["expire_time"] = le.ExpireTime
+ resp.Data["ttl"] = le.ttl()
 }
+
 return resp, nil
 }
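Review bot: The new guard `le == nil || le.ttl() < 0` calls `ttl()` unconditionally, yet the rest of this hunk still treats a zero `ExpireTime` as a valid lease (the response defaults to `"ttl": int64(0)` and only fills `expire_time`/`ttl` when `!le.ExpireTime.IsZero()`). `ttl()` is defined outside the hunk; if it is derived from `ExpireTime` without a zero check, a lease with no expiry would presumably produce a negative value and now be answered with "invalid lease", which makes the zero-expiry branch below unreachable. Consider `if le == nil || (!le.ExpireTime.IsZero() && le.ttl() < 0) {`, and computing `ttl()` once into a local so the value that passed the check is the value returned in `resp.Data["ttl"]`. handleLeaseLookup begins before the hunk, so the earlier validation of `leaseID` is not visible here.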