scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-03 03:58:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add renewable flag and API setting for token creation

Browse Source
This commit is contained in:
Jeff Mitchell
2016-06-08 11:14:30 -04:00
parent 1268c45d45
commit 517571c04a
4 changed files with 45 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
api/auth_token.go
View File

@@ -173,4 +173,5 @@ type TokenCreateRequest struct {
NoDefaultPolicy bool `json:"no_default_policy,omitempty"`
DisplayName string `json:"display_name"`
NumUses int `json:"num_uses"`
Renewable *bool `json:"renewable,omitempty"`
}

29
api/auth_token_test.go
View File

@@ -28,10 +28,37 @@ func TestAuthTokenCreate(t *testing.T) {
if err != nil {
t.Fatal(err)
}
if secret.Auth.LeaseDuration != 3600 {
t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
}
renewCreateRequest := &TokenCreateRequest{
TTL: "1h",
Renewable: new(bool),
}
secret, err = client.Auth().Token().Create(renewCreateRequest)
if err != nil {
t.Fatal(err)
}
if secret.Auth.LeaseDuration != 3600 {
t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
}
if secret.Auth.Renewable {
t.Errorf("expected non-renewable token")
}
*renewCreateRequest.Renewable = true
secret, err = client.Auth().Token().Create(renewCreateRequest)
if err != nil {
t.Fatal(err)
}
if secret.Auth.LeaseDuration != 3600 {
t.Errorf("expected 1h, got %q", secret.Auth.LeaseDuration)
}
if !secret.Auth.Renewable {
t.Errorf("expected renewable token")
}
}
func TestAuthTokenLookup(t *testing.T) {

12
command/token_create.go
View File

@@ -18,7 +18,7 @@ type TokenCreateCommand struct {
func (c *TokenCreateCommand) Run(args []string) int {
var format string
var id, displayName, lease, ttl, role string
var orphan, noDefaultPolicy bool
var orphan, noDefaultPolicy, renewable bool
var metadata map[string]string
var numUses int
var policies []string
@@ -30,6 +30,7 @@ func (c *TokenCreateCommand) Run(args []string) int {
flags.StringVar(&ttl, "ttl", "", "")
flags.StringVar(&role, "role", "", "")
flags.BoolVar(&orphan, "orphan", false, "")
flags.BoolVar(&renewable, "renewable", true, "")
flags.BoolVar(&noDefaultPolicy, "no-default-policy", false, "")
flags.IntVar(&numUses, "use-limit", 0, "")
flags.Var((*kvFlag.Flag)(&metadata), "metadata", "")
@@ -67,7 +68,9 @@ func (c *TokenCreateCommand) Run(args []string) int {
NoDefaultPolicy: noDefaultPolicy,
DisplayName: displayName,
NumUses: numUses,
Renewable: new(bool),
}
*tcr.Renewable = renewable
var secret *api.Secret
if role != "" {
@@ -121,11 +124,14 @@ Token Options:
is a non-security sensitive value used to help
identify created secrets, i.e. prefixes.
-lease="1h" Deprecated; use "-ttl" instead.
-ttl="1h" Initial TTL to associate with the token; renewals can
extend this value.
-renewable=true Whether or not the token is renewable to extend its
TTL up to Vault's configured maximum TTL for tokens.
This defaults to true; set to false to disable
renewal of this token.
-metadata="key=value" Metadata to associate with the token. This shows
up in the audit log. This can be specified multiple
times.

8
vault/token_store.go
View File

@@ -935,6 +935,7 @@ func (ts *TokenStore) handleCreateCommon(
NoDefaultPolicy bool `mapstructure:"no_default_policy"`
Lease string
TTL string
Renewable *bool
DisplayName string `mapstructure:"display_name"`
NumUses int `mapstructure:"num_uses"`
}
@@ -964,6 +965,11 @@ func (ts *TokenStore) handleCreateCommon(
CreationTime: time.Now().Unix(),
}
renewable := true
if data.Renewable != nil {
renewable = *data.Renewable
}
// If the role is not nil, we add the role name as part of the token's
// path. This makes it much easier to later revoke tokens that were issued
// by a role (using revoke-prefix). Users can further specify a PathSuffix
@@ -1122,7 +1128,7 @@ func (ts *TokenStore) handleCreateCommon(
Metadata: te.Meta,
LeaseOptions: logical.LeaseOptions{
TTL: te.TTL,
Renewable: true,
Renewable: renewable,
},
ClientToken: te.ID,
Accessor: te.Accessor,