Core handling of TTLs

audit/hashstructure_test.go

@@ -19,8 +19,7 @@ func TestCopy_auth(t *testing.T) {
 	// Make a non-pointer one so that it can't be modified directly
 	expected := logical.Auth{
 		LeaseOptions: logical.LeaseOptions{
-			TTL:       1 * time.Hour,
-			IssueTime: time.Now(),
+			TTL: 1 * time.Hour,
 		},
 
 		ClientToken: "foo",
@@ -183,16 +182,14 @@ func TestHash(t *testing.T) {
 		{
 			&logical.Auth{
 				LeaseOptions: logical.LeaseOptions{
-					TTL:       1 * time.Hour,
-					IssueTime: now,
+					TTL: 1 * time.Hour,
 				},
 
 				ClientToken: "foo",
 			},
 			&logical.Auth{
 				LeaseOptions: logical.LeaseOptions{
-					TTL:       1 * time.Hour,
-					IssueTime: now,
+					TTL: 1 * time.Hour,
 				},
 
 				ClientToken: "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a",

builtin/credential/app-id/path_login.go

@@ -146,7 +146,7 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 		return nil, fmt.Errorf("policies do not match")
 	}
 
-	return framework.LeaseExtend(0, 0, b.System())(ctx, req, d)
+	return &logical.Response{Auth: req.Auth}, nil
 }
 
 func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, appId, userId string) (string, *logical.Response, error) {

builtin/credential/approle/path_login.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"fmt"
 	"strings"
-	"time"
 
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/logical"
@@ -107,17 +106,11 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, data
 		return nil, fmt.Errorf("role %s does not exist during renewal", roleName)
 	}
 
-	// If a period is provided, set that as part of resp.Auth.Period and return a
-	// response immediately. Let expiration manager handle renewal from there on.
-	if role.Period > time.Duration(0) {
-		resp := &logical.Response{
-			Auth: req.Auth,
-		}
-		resp.Auth.Period = role.Period
-		return resp, nil
-	}
-
-	return framework.LeaseExtend(role.TokenTTL, role.TokenMaxTTL, b.System())(ctx, req, data)
+	resp := &logical.Response{Auth: req.Auth}
+	resp.Auth.TTL = role.TokenTTL
+	resp.Auth.MaxTTL = role.TokenMaxTTL
+	resp.Auth.Period = role.Period
+	return resp, nil
 }
 
 const pathLoginHelpSys = "Issue a token based on the credentials supplied"

builtin/credential/approle/path_login_test.go

@@ -147,7 +147,6 @@ func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Reques
 	renewReq.Auth.Metadata = auth.Metadata
 	renewReq.Auth.LeaseOptions = auth.LeaseOptions
 	renewReq.Auth.Policies = auth.Policies
-	renewReq.Auth.IssueTime = time.Now()
 	renewReq.Auth.Period = auth.Period
 
 	return renewReq

builtin/credential/approle/validation.go

@@ -112,11 +112,6 @@ func (b *backend) validateCredentials(ctx context.Context, req *logical.Request,
 		return nil, "", metadata, "", fmt.Errorf("failed to validate role_id"), nil
 	}
 
-	// Calculate the TTL boundaries since this reflects the properties of the token issued
-	if role.TokenTTL, role.TokenMaxTTL, err = b.SanitizeTTL(role.TokenTTL, role.TokenMaxTTL); err != nil {
-		return nil, "", metadata, "", nil, err
-	}
-
 	var secretID string
 	if role.BindSecretID {
 		// If 'bind_secret_id' was set on role, look for the field 'secret_id'

builtin/credential/aws/backend_test.go

@@ -1733,7 +1733,6 @@ func generateRenewRequest(s logical.Storage, auth *logical.Auth) *logical.Reques
 	renewReq.Auth.Metadata = auth.Metadata
 	renewReq.Auth.LeaseOptions = auth.LeaseOptions
 	renewReq.Auth.Policies = auth.Policies
-	renewReq.Auth.IssueTime = time.Now()
 	renewReq.Auth.Period = auth.Period
 
 	return renewReq

builtin/credential/aws/path_login.go

@@ -809,6 +809,7 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
 				TTL:       roleEntry.TTL,
+				MaxTTL:    shortestMaxTTL,
 			},
 			Alias: &logical.Alias{
 				Name: identityDocParsed.InstanceID,
@@ -826,16 +827,6 @@ func (b *backend) pathLoginUpdateEc2(ctx context.Context, req *logical.Request,
 		resp.Auth.Metadata["nonce"] = clientNonce
 	}
 
-	// In this case no role value was set so pull in what will be assigned by
-	// Core for comparison
-	if resp.Auth.TTL == 0 {
-		resp.Auth.TTL = b.System().DefaultLeaseTTL()
-	}
-	if resp.Auth.TTL > shortestMaxTTL {
-		resp.Auth.TTL = shortestMaxTTL
-		resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, shortestMaxTTL))
-	}
-
 	return resp, nil
 }
 
@@ -1025,17 +1016,11 @@ func (b *backend) pathLoginRenewIam(ctx context.Context, req *logical.Request, d
 		}
 	}
 
-	// If a period is provided, set that as part of resp.Auth.Period and return a
-	// response immediately. Let expiration manager handle renewal from there on.
-	if roleEntry.Period > time.Duration(0) {
-		resp := &logical.Response{
-			Auth: req.Auth,
-		}
-		resp.Auth.Period = roleEntry.Period
-		return resp, nil
-	}
-
-	return framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(ctx, req, data)
+	resp := &logical.Response{Auth: req.Auth}
+	resp.Auth.TTL = roleEntry.TTL
+	resp.Auth.MaxTTL = roleEntry.MaxTTL
+	resp.Auth.Period = roleEntry.Period
+	return resp, nil
 }
 
 func (b *backend) pathLoginRenewEc2(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
@@ -1115,17 +1100,11 @@ func (b *backend) pathLoginRenewEc2(ctx context.Context, req *logical.Request, d
 		return nil, err
 	}
 
-	// If a period is provided, set that as part of resp.Auth.Period and return a
-	// response immediately. Let expiration manager handle renewal from there on.
-	if roleEntry.Period > time.Duration(0) {
-		resp := &logical.Response{
-			Auth: req.Auth,
-		}
-		resp.Auth.Period = roleEntry.Period
-		return resp, nil
-	}
-
-	return framework.LeaseExtend(roleEntry.TTL, shortestMaxTTL, b.System())(ctx, req, data)
+	resp := &logical.Response{Auth: req.Auth}
+	resp.Auth.TTL = roleEntry.TTL
+	resp.Auth.MaxTTL = shortestMaxTTL
+	resp.Auth.Period = roleEntry.Period
+	return resp, nil
 }
 
 func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {

builtin/credential/cert/backend_test.go

@@ -1416,7 +1416,6 @@ func Test_Renew(t *testing.T) {
 	req.Auth.Metadata = resp.Auth.Metadata
 	req.Auth.LeaseOptions = resp.Auth.LeaseOptions
 	req.Auth.Policies = resp.Auth.Policies
-	req.Auth.IssueTime = time.Now()
 	req.Auth.Period = resp.Auth.Period
 
 	// Normal renewal

builtin/credential/cert/path_login.go

@@ -11,7 +11,6 @@ import (
 	"errors"
 	"fmt"
 	"strings"
-	"time"
 
 	"github.com/hashicorp/vault/helper/certutil"
 	"github.com/hashicorp/vault/helper/policyutil"
@@ -72,11 +71,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 		return nil, nil
 	}
 
-	ttl := matched.Entry.TTL
-	if ttl == 0 {
-		ttl = b.System().DefaultLeaseTTL()
-	}
-
 	clientCerts := req.Connection.ConnState.PeerCertificates
 	if len(clientCerts) == 0 {
 		return logical.ErrorResponse("no client certificate found"), nil
@@ -101,28 +95,15 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 			},
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
-				TTL:       ttl,
+				TTL:       matched.Entry.TTL,
+				MaxTTL:    matched.Entry.MaxTTL,
 			},
 			Alias: &logical.Alias{
 				Name: clientCerts[0].SerialNumber.String(),
 			},
 		},
 	}
 
-	if matched.Entry.MaxTTL > time.Duration(0) {
-		// Cap maxTTL to the sysview's max TTL
-		maxTTL := matched.Entry.MaxTTL
-		if maxTTL > b.System().MaxLeaseTTL() {
-			maxTTL = b.System().MaxLeaseTTL()
-		}
-
-		// Cap TTL to MaxTTL
-		if resp.Auth.TTL > maxTTL {
-			resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
-			resp.Auth.TTL = maxTTL
-		}
-	}
-
 	// Generate a response
 	return resp, nil
 }
@@ -175,17 +156,11 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 		return nil, fmt.Errorf("policies have changed, not renewing")
 	}
 
-	// If a period is provided, set that as part of resp.Auth.Period and return a
-	// response immediately. Let expiration manager handle renewal from there on.
-	if cert.Period > time.Duration(0) {
-		resp := &logical.Response{
-			Auth: req.Auth,
-		}
-		resp.Auth.Period = cert.Period
-		return resp, nil
-	}
-
-	return framework.LeaseExtend(cert.TTL, cert.MaxTTL, b.System())(ctx, req, d)
+	resp := &logical.Response{Auth: req.Auth}
+	resp.Auth.TTL = cert.TTL
+	resp.Auth.MaxTTL = cert.MaxTTL
+	resp.Auth.Period = cert.Period
+	return resp, nil
 }
 
 func (b *backend) verifyCredentials(ctx context.Context, req *logical.Request, d *framework.FieldData) (*ParsedCert, *logical.Response, error) {

builtin/credential/github/path_login.go

@@ -67,7 +67,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 		return nil, err
 	}
 
-	ttl, _, err := b.SanitizeTTLStr(config.TTL.String(), config.MaxTTL.String())
+	ttl, maxTTL, err := b.SanitizeTTLStr(config.TTL.String(), config.MaxTTL.String())
 	if err != nil {
 		return logical.ErrorResponse(fmt.Sprintf("error sanitizing TTLs: %s", err)), nil
 	}
@@ -85,6 +85,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 			DisplayName: *verifyResp.User.Login,
 			LeaseOptions: logical.LeaseOptions{
 				TTL:       ttl,
+				MaxTTL:    maxTTL,
 				Renewable: true,
 			},
 			Alias: &logical.Alias{
@@ -133,10 +134,9 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 		return nil, err
 	}
 
-	resp, err := framework.LeaseExtend(config.TTL, config.MaxTTL, b.System())(ctx, req, d)
-	if err != nil {
-		return nil, err
-	}
+	resp := &logical.Response{Auth: req.Auth}
+	resp.Auth.TTL = config.TTL
+	resp.Auth.MaxTTL = config.MaxTTL
 
 	// Remove old aliases
 	resp.Auth.GroupAliases = nil

builtin/credential/ldap/path_login.go

@@ -111,10 +111,7 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 		return nil, fmt.Errorf("policies have changed, not renewing")
 	}
 
-	resp, err = framework.LeaseExtend(0, 0, b.System())(ctx, req, d)
-	if err != nil {
-		return nil, err
-	}
+	resp.Auth = req.Auth
 
 	// Remove old aliases
 	resp.Auth.GroupAliases = nil

builtin/credential/okta/path_login.go

@@ -89,28 +89,14 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		DisplayName: username,
 		LeaseOptions: logical.LeaseOptions{
 			TTL:       cfg.TTL,
+			MaxTTL:    cfg.MaxTTL,
 			Renewable: true,
 		},
 		Alias: &logical.Alias{
 			Name: username,
 		},
 	}
 
-	if resp.Auth.TTL == 0 {
-		resp.Auth.TTL = b.System().DefaultLeaseTTL()
-	}
-	if cfg.MaxTTL > 0 {
-		maxTTL := cfg.MaxTTL
-		if maxTTL > b.System().MaxLeaseTTL() {
-			maxTTL = b.System().MaxLeaseTTL()
-		}
-
-		if resp.Auth.TTL > maxTTL {
-			resp.Auth.TTL = maxTTL
-			resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, maxTTL))
-		}
-	}
-
 	for _, groupName := range groupNames {
 		if groupName == "" {
 			continue
@@ -141,10 +127,9 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 		return nil, err
 	}
 
-	resp, err = framework.LeaseExtend(cfg.TTL, cfg.MaxTTL, b.System())(ctx, req, d)
-	if err != nil {
-		return nil, err
-	}
+	resp.Auth = req.Auth
+	resp.Auth.TTL = cfg.TTL
+	resp.Auth.MaxTTL = cfg.MaxTTL
 
 	// Remove old aliases
 	resp.Auth.GroupAliases = nil

builtin/credential/radius/path_login.go

@@ -88,6 +88,7 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		}
 	}
 
+	resp.Auth = req.Auth
 	resp.Auth = &logical.Auth{
 		Policies: policies,
 		Metadata: map[string]string{
@@ -126,7 +127,7 @@ func (b *backend) pathLoginRenew(ctx context.Context, req *logical.Request, d *f
 		return nil, fmt.Errorf("policies have changed, not renewing")
 	}
 
-	return framework.LeaseExtend(0, 0, b.System())(ctx, req, d)
+	return &logical.Response{Auth: req.Auth}, nil
 }
 
 func (b *backend) RadiusLogin(ctx context.Context, req *logical.Request, username string, password string) ([]string, *logical.Response, error) {