Add period and max_ttl to cert role creation #3642
Conversation
| return &logical.Response{ | ||
| Data: map[string]interface{}{ | ||
| "certificate": cert.Certificate, | ||
| "display_name": cert.DisplayName, | ||
| "policies": cert.Policies, | ||
| "ttl": duration / time.Second, |
There was a problem hiding this comment.
I think we should actually not display ttl, max_ttl, or period if they're not set. This is because the value will vary according to the system/mount tuning, so returning 0 (or not returning the key at all) keeps people from making assumptions based on snapshots of the current values.
There was a problem hiding this comment.
Period will be 0 if that's not set. I can remove ttl and max_ttl from using the sys values if those are zero so that they return zero as well. AFAIK the other backends return ttl, max_ttl, and period all the time so if we do decide to remove them if unset we would have to do so for other backends as well, though this would could be a breaking change on people using these values from the response.
If this value will vary and we are returning 0 or hiding it if it's unset, where can the user/operator find out what these values are, would it be by doing a token lookup directly?
| if ttl == 0 { | ||
| ttl = time.Second * time.Duration(d.Get("lease").(int)) | ||
| } | ||
| if ttl > systemDefaultTTL { |
There was a problem hiding this comment.
Don't check against system TTL/max TTL. We'll automatically truncate the time for issued credentials and this can cause subtle issues. At the most, I'd make this a warning instead of an error.
There was a problem hiding this comment.
I've changed it to be a warning instead of error below.
| if maxTTL != 0 { | ||
| // If ttl is 0, set the ttl as the max ttl | ||
| if ttl == 0 { | ||
| ttl = maxTTL |
There was a problem hiding this comment.
Don't do this; this will happen automatically in core if TTL is zero and there is a max TTL.
|
|
||
| // If a period is provided, use that as the ttl instead, ignoring previously set ttl | ||
| if period > 0 { | ||
| ttl = period |
There was a problem hiding this comment.
Also don't do this. Set according to period at token issue or renew time. Don't modify the input parameters.
| @@ -77,16 +78,21 @@ func (b *backend) pathLogin( | |||
| ttl = b.System().DefaultLeaseTTL() | |||
| } | |||
|
|
|||
| maxTTL := matched.Entry.MaxTTL | |||
| if maxTTL == 0 { | |||
| maxTTL = b.System().MaxLeaseTTL() | |||
There was a problem hiding this comment.
You don't need to do this, the max TTL at the mount/system level will be applied automatically. However, what you do need to do is check if maxTTL is zero, and if it isn't, ensure that the TTL value is capped to it.
Basically: if both are zero, leave it at zero. If both exist, ensure that the TTL is less than the MaxTTL. If only TTL exists, leave things alone, and if only max TTL exists, set TTL to the system default and then cap it to max TTL if max TTL is less.
| resp := &logical.Response{ | ||
| Auth: &logical.Auth{ | ||
| Period: matched.Entry.Period, |
There was a problem hiding this comment.
This actually isn't handled automatically (possibly/probably it should) -- if a period is non-zero, you should explicitly set the TTL to the period after the other TTL machinations are in place.
There was a problem hiding this comment.
This is handled explicitly below now.
There was a problem hiding this comment.
No longer handled explicitly at the backend level, check is now performed in core after #3677
|
@calvn I don't have any new comments on top of Jeff's comments. This is looking good. |
|
@jefferai this should be good for a second look |
| duration = b.System().DefaultLeaseTTL() | ||
| ttl := cert.TTL | ||
| if ttl == 0 { | ||
| ttl = b.System().DefaultLeaseTTL() |
There was a problem hiding this comment.
When returning the cert info we should return the actual stored info, not the effective info. Let the cert.TTL and cert.MaxTTL bits stay at zero if they're zero, because that indicates that they weren't configured.
There was a problem hiding this comment.
Ok, I'd guess the same applies for max_ttl on https://github.com/hashicorp/vault/pull/3642/files/4043a5f8dda025e58ab7c399126f3a7a9b229396#diff-881681caf9da9a575287a64096baa902R146
| resp.AddWarning(fmt.Sprintf("Given max_ttl of %d seconds is greater than current mount/system default of %d seconds", maxTTL/time.Second, systemMaxTTL/time.Second)) | ||
| } | ||
|
|
||
| if maxTTL < time.Duration(0) { |
There was a problem hiding this comment.
Should probably have a similar check for ttl
There was a problem hiding this comment.
Handled up top as well now
| // Parse period | ||
| period := time.Duration(d.Get("period").(int)) * time.Second | ||
| if period > systemMaxTTL { | ||
| return logical.ErrorResponse(fmt.Sprintf("Given period of %d seconds is greater than the backend's maximum TTL of %d seconds", period/time.Second, systemMaxTTL/time.Second)), nil |
There was a problem hiding this comment.
This should be a warning, not an error.
| @@ -79,14 +80,14 @@ func (b *backend) pathLogin( | |||
|
|
|||
| clientCerts := req.Connection.ConnState.PeerCertificates | |||
| if len(clientCerts) == 0 { | |||
| return logical.ErrorResponse("no client certificate found"), nil | |||
| return nil, fmt.Errorf("no client certificate found") | |||
There was a problem hiding this comment.
Why change this? This is more likely to be user error than an internal error.
There was a problem hiding this comment.
I'll revert this. Changed https://github.com/hashicorp/vault/pull/3642/files#diff-0f3ca593a1923ab0963f7b2f7e165b17R154 to be logical.ErrorResponse
| @@ -135,7 +152,7 @@ func (b *backend) pathLoginRenew( | |||
|
|
|||
| clientCerts := req.Connection.ConnState.PeerCertificates | |||
| if len(clientCerts) == 0 { | |||
| return nil, fmt.Errorf("no client certificate found") | |||
| return logical.ErrorResponse("no client certificate found"), nil | |||
There was a problem hiding this comment.
Does this need a typed error return, maybe logical.ErrInvalidRequest?
There was a problem hiding this comment.
ErrInvalidRequest is actually the default for a logical.ErrorResponse with no typed error.
| (`3600`) or an integer time unit (`60m`) after which the issued token can no | ||
| longer be renewed. | ||
| - `period` `(string: "")` - Duration in either an integer number of seconds | ||
| (3600) or an integer time unit (60m). If set, the generated token is a |
There was a problem hiding this comment.
Integer time unit is not used anywhere else in the docs and is a little confusing. I've seen a duration with hours as the largest suffix as well as some other ones. We should probably make the docs consistent for ttl, max_ttl, and period.
| systemDefaultTTL := b.System().DefaultLeaseTTL() | ||
| ttl := time.Duration(d.Get("ttl").(int)) * time.Second | ||
| if ttl == 0 { | ||
| ttl = time.Second * time.Duration(d.Get("lease").(int)) |
There was a problem hiding this comment.
minor, the previous statement is ttl * time.Second while this one is time.Second * lease.
There was a problem hiding this comment.
It should definitely be ttl, nice catch!
There was a problem hiding this comment.
That is for backwards compatibility with the old term for it, lease. I was just commenting on the ordering of the time math which makes it harder to scan through.
There was a problem hiding this comment.
Yea you're right. I'll swap the ordering and keep lease.
calvn
dismissed stale reviews from briankassouf and chrishoffman
via
8620a95
Closes #3533