Fix a few missing TTL core changes (#4265)

* Fix missing ttl handling in backends

* fix test

builtin/credential/approle/path_login.go

@@ -75,6 +75,7 @@ func (b *backend) pathLoginUpdate(ctx context.Context, req *logical.Request, dat
 		LeaseOptions: logical.LeaseOptions{
 			Renewable: true,
 			TTL:       role.TokenTTL,
+			MaxTTL:    role.TokenMaxTTL,
 		},
 		Alias: &logical.Alias{
 			Name: role.RoleID,

builtin/credential/aws/path_login.go

@@ -1308,6 +1308,7 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 			LeaseOptions: logical.LeaseOptions{
 				Renewable: true,
 				TTL:       roleEntry.TTL,
+				MaxTTL:    roleEntry.MaxTTL,
 			},
 			Alias: &logical.Alias{
 				Name: callerUniqueId,
@@ -1315,23 +1316,6 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 		},
 	}
 
-	if resp.Auth.TTL == 0 {
-		resp.Auth.TTL = b.System().DefaultLeaseTTL()
-	}
-	if roleEntry.MaxTTL > time.Duration(0) {
-		// Cap maxTTL to the sysview's max TTL
-		maxTTL := roleEntry.MaxTTL
-		if maxTTL > b.System().MaxLeaseTTL() {
-			maxTTL = b.System().MaxLeaseTTL()
-		}
-
-		// Cap TTL to MaxTTL
-		if resp.Auth.TTL > maxTTL {
-			resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", resp.Auth.TTL, maxTTL))
-			resp.Auth.TTL = maxTTL
-		}
-	}
-
 	return resp, nil
 }
 

builtin/credential/github/path_login.go

@@ -67,11 +67,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 		return nil, err
 	}
 
-	ttl, maxTTL, err := b.SanitizeTTLStr(config.TTL.String(), config.MaxTTL.String())
-	if err != nil {
-		return logical.ErrorResponse(fmt.Sprintf("error sanitizing TTLs: %s", err)), nil
-	}
-
 	resp := &logical.Response{
 		Auth: &logical.Auth{
 			InternalData: map[string]interface{}{
@@ -84,8 +79,8 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, data *fra
 			},
 			DisplayName: *verifyResp.User.Login,
 			LeaseOptions: logical.LeaseOptions{
-				TTL:       ttl,
-				MaxTTL:    maxTTL,
+				TTL:       config.TTL,
+				MaxTTL:    config.MaxTTL,
 				Renewable: true,
 			},
 			Alias: &logical.Alias{

builtin/credential/radius/path_login.go

@@ -88,7 +88,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		}
 	}
 
-	resp.Auth = req.Auth
 	resp.Auth = &logical.Auth{
 		Policies: policies,
 		Metadata: map[string]string{

builtin/logical/database/backend_test.go

@@ -350,10 +350,6 @@ func TestBackend_basic(t *testing.T) {
 	if err != nil || (credsResp != nil && credsResp.IsError()) {
 		t.Fatalf("err:%s resp:%#v\n", err, credsResp)
 	}
-	// Test for #3812
-	if credsResp.Secret.TTL != 10*time.Minute {
-		t.Fatalf("unexpected TTL of %d", credsResp.Secret.TTL)
-	}
 	// Update the role with no max ttl
 	data = map[string]interface{}{
 		"db_name":             "plugin-test",

builtin/logical/database/path_creds_create.go

@@ -63,19 +63,14 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
 		db.RLock()
 		defer db.RUnlock()
 
-		ttl := b.System().DefaultLeaseTTL()
-		if role.DefaultTTL != 0 {
-			ttl = role.DefaultTTL
+		ttl, _, err := framework.CalculateTTL(b.System(), 0, role.DefaultTTL, 0, role.MaxTTL, 0, time.Time{})
+		if err != nil {
+			return nil, err
 		}
-		maxTTL := b.System().MaxLeaseTTL()
-		if role.MaxTTL != 0 && role.MaxTTL < maxTTL {
-			maxTTL = role.MaxTTL
-		}
-		if ttl > maxTTL {
-			ttl = maxTTL
-		}
-
 		expiration := time.Now().Add(ttl)
+		// Adding a small buffer since the TTL will be calculated again after this call
+		// to ensure the database credential does not expire before the lease
+		expiration = expiration.Add(5 * time.Second)
 
 		usernameConfig := dbplugin.UsernameConfig{
 			DisplayName: req.DisplayName,
@@ -96,7 +91,8 @@ func (b *databaseBackend) pathCredsCreateRead() framework.OperationFunc {
 			"username": username,
 			"role":     name,
 		})
-		resp.Secret.TTL = ttl
+		resp.Secret.TTL = role.DefaultTTL
+		resp.Secret.MaxTTL = role.MaxTTL
 		return resp, nil
 	}
 }

builtin/logical/mongodb/path_creds_create.go

@@ -95,12 +95,8 @@ func (b *backend) pathCredsCreateRead(ctx context.Context, req *logical.Request,
 		"username": username,
 		"db":       role.DB,
 	})
-
-	ttl := leaseConfig.TTL
-	if ttl == 0 || (leaseConfig.MaxTTL > 0 && ttl > leaseConfig.MaxTTL) {
-		ttl = leaseConfig.MaxTTL
-	}
-	resp.Secret.TTL = ttl
+	resp.Secret.TTL = leaseConfig.TTL
+	resp.Secret.MaxTTL = leaseConfig.MaxTTL
 
 	return resp, nil
 }

builtin/logical/mssql/path_creds_create.go

@@ -115,12 +115,8 @@ func (b *backend) pathCredsCreateRead(ctx context.Context, req *logical.Request,
 	}, map[string]interface{}{
 		"username": username,
 	})
-
-	ttl := leaseConfig.TTL
-	if ttl == 0 || (leaseConfig.TTLMax > 0 && ttl > leaseConfig.TTLMax) {
-		ttl = leaseConfig.TTLMax
-	}
-	resp.Secret.TTL = ttl
+	resp.Secret.TTL = leaseConfig.TTL
+	resp.Secret.MaxTTL = leaseConfig.TTLMax
 
 	return resp, nil
 }

builtin/logical/postgresql/path_role_create.go

@@ -58,11 +58,6 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
 		}
 	}
 
-	ttl := lease.Lease
-	if ttl == 0 || (lease.LeaseMax > 0 && ttl > lease.LeaseMax) {
-		ttl = lease.LeaseMax
-	}
-
 	// Generate the username, password and expiration. PG limits user to 63 characters
 	displayName := req.DisplayName
 	if len(displayName) > 26 {
@@ -80,6 +75,11 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
 	if err != nil {
 		return nil, err
 	}
+
+	ttl, _, err := framework.CalculateTTL(b.System(), 0, lease.Lease, 0, lease.LeaseMax, 0, time.Time{})
+	if err != nil {
+		return nil, err
+	}
 	expiration := time.Now().
 		Add(ttl).
 		Format("2006-01-02 15:04:05-0700")
@@ -135,7 +135,8 @@ func (b *backend) pathRoleCreateRead(ctx context.Context, req *logical.Request,
 		"username": username,
 		"role":     name,
 	})
-	resp.Secret.TTL = ttl
+	resp.Secret.TTL = lease.Lease
+	resp.Secret.MaxTTL = lease.LeaseMax
 	return resp, nil
 }