Merge pull request #3695 from hashicorp/creds-period-logic

builtin/credential/aws/path_login.go

@@ -786,23 +786,15 @@ func (b *backend) pathLoginUpdateEc2(
 		resp.Auth.Metadata["nonce"] = clientNonce
 	}
 
-	if roleEntry.Period > time.Duration(0) {
-		resp.Auth.TTL = roleEntry.Period
-	} else {
-		// Cap the TTL value.
-		shortestTTL := b.System().DefaultLeaseTTL()
-		if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
-			shortestTTL = roleEntry.TTL
-		}
-		if shortestMaxTTL < shortestTTL {
-			resp.AddWarning(fmt.Sprintf("Effective ttl of %q exceeded the effective max_ttl of %q; ttl value is capped appropriately", (shortestTTL / time.Second).String(), (shortestMaxTTL / time.Second).String()))
-			shortestTTL = shortestMaxTTL
+	if roleEntry.MaxTTL > time.Duration(0) {
+		// Cap TTL to shortestMaxTTL
+		if resp.Auth.TTL > shortestMaxTTL {
+			resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (shortestMaxTTL / time.Second)))
+			resp.Auth.TTL = shortestMaxTTL
 		}
-		resp.Auth.TTL = shortestTTL
 	}
 
 	return resp, nil
-
 }
 
 // handleRoleTagLogin is used to fetch the role tag of the instance and
@@ -985,13 +977,12 @@ func (b *backend) pathLoginRenewIam(
 		}
 	}
 
-	// If 'Period' is set on the role, then the token should never expire.
-	if roleEntry.Period > time.Duration(0) {
-		req.Auth.TTL = roleEntry.Period
-		return &logical.Response{Auth: req.Auth}, nil
-	} else {
-		return framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+	resp, err := framework.LeaseExtend(roleEntry.TTL, roleEntry.MaxTTL, b.System())(req, data)
+	if err != nil {
+		return nil, err
 	}
+	resp.Auth.Period = roleEntry.Period
+	return resp, nil
 }
 
 func (b *backend) pathLoginRenewEc2(
@@ -1072,24 +1063,12 @@ func (b *backend) pathLoginRenewEc2(
 		return nil, err
 	}
 
-	// If 'Period' is set on the role, then the token should never expire. Role
-	// tag does not have a 'Period' field. So, regarless of whether the token
-	// was issued using a role login or a role tag login, the period set on the
-	// role should take effect.
-	if roleEntry.Period > time.Duration(0) {
-		req.Auth.TTL = roleEntry.Period
-		return &logical.Response{Auth: req.Auth}, nil
-	} else {
-		// Cap the TTL value
-		shortestTTL := b.System().DefaultLeaseTTL()
-		if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
-			shortestTTL = roleEntry.TTL
-		}
-		if shortestMaxTTL < shortestTTL {
-			shortestTTL = shortestMaxTTL
-		}
-		return framework.LeaseExtend(shortestTTL, shortestMaxTTL, b.System())(req, data)
+	resp, err := framework.LeaseExtend(roleEntry.TTL, shortestMaxTTL, b.System())(req, data)
+	if err != nil {
+		return nil, err
 	}
+	resp.Auth.Period = roleEntry.Period
+	return resp, nil
 }
 
 func (b *backend) pathLoginUpdateIam(
@@ -1238,7 +1217,7 @@ func (b *backend) pathLoginUpdateIam(
 	policies := roleEntry.Policies
 
 	inferredEntityType := ""
-	inferredEntityId := ""
+	inferredEntityID := ""
 	if roleEntry.InferredEntityType == ec2EntityType {
 		instance, err := b.validateInstance(req.Storage, entity.SessionInfo, roleEntry.InferredAWSRegion, callerID.Account)
 		if err != nil {
@@ -1264,7 +1243,7 @@ func (b *backend) pathLoginUpdateIam(
 		}
 
 		inferredEntityType = ec2EntityType
-		inferredEntityId = entity.SessionInfo
+		inferredEntityID = entity.SessionInfo
 	}
 
 	resp := &logical.Response{
@@ -1277,7 +1256,7 @@ func (b *backend) pathLoginUpdateIam(
 				"client_user_id":       callerUniqueId,
 				"auth_type":            iamAuthType,
 				"inferred_entity_type": inferredEntityType,
-				"inferred_entity_id":   inferredEntityId,
+				"inferred_entity_id":   inferredEntityID,
 				"inferred_aws_region":  roleEntry.InferredAWSRegion,
 				"account_id":           entity.AccountNumber,
 			},
@@ -1295,25 +1274,18 @@ func (b *backend) pathLoginUpdateIam(
 		},
 	}
 
-	if roleEntry.Period > time.Duration(0) {
-		resp.Auth.TTL = roleEntry.Period
-	} else {
-		shortestTTL := b.System().DefaultLeaseTTL()
-		if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
-			shortestTTL = roleEntry.TTL
-		}
-
-		maxTTL := b.System().MaxLeaseTTL()
-		if roleEntry.MaxTTL > time.Duration(0) && roleEntry.MaxTTL < maxTTL {
-			maxTTL = roleEntry.MaxTTL
+	if roleEntry.MaxTTL > time.Duration(0) {
+		// Cap maxTTL to the sysview's max TTL
+		maxTTL := roleEntry.MaxTTL
+		if maxTTL > b.System().MaxLeaseTTL() {
+			maxTTL = b.System().MaxLeaseTTL()
 		}
 
-		if shortestTTL > maxTTL {
-			resp.AddWarning(fmt.Sprintf("Effective TTL of %q exceeded the effective max_ttl of %q; TTL value is capped accordingly", (shortestTTL / time.Second).String(), (maxTTL / time.Second).String()))
-			shortestTTL = maxTTL
+		// Cap TTL to MaxTTL
+		if resp.Auth.TTL > maxTTL {
+			resp.AddWarning(fmt.Sprintf("Effective TTL of '%s' exceeded the effective max_ttl of '%s'; TTL value is capped accordingly", (resp.Auth.TTL / time.Second), (maxTTL / time.Second)))
+			resp.Auth.TTL = maxTTL
 		}
-
-		resp.Auth.TTL = shortestTTL
 	}
 
 	return resp, nil
@@ -1333,11 +1305,11 @@ func hasValuesForEc2Auth(data *framework.FieldData) (bool, bool) {
 
 func hasValuesForIamAuth(data *framework.FieldData) (bool, bool) {
 	_, hasRequestMethod := data.GetOk("iam_http_request_method")
-	_, hasRequestUrl := data.GetOk("iam_request_url")
+	_, hasRequestURL := data.GetOk("iam_request_url")
 	_, hasRequestBody := data.GetOk("iam_request_body")
 	_, hasRequestHeaders := data.GetOk("iam_request_headers")
-	return (hasRequestMethod && hasRequestUrl && hasRequestBody && hasRequestHeaders),
-		(hasRequestMethod || hasRequestUrl || hasRequestBody || hasRequestHeaders)
+	return (hasRequestMethod && hasRequestURL && hasRequestBody && hasRequestHeaders),
+		(hasRequestMethod || hasRequestURL || hasRequestBody || hasRequestHeaders)
 }
 
 func parseIamArn(iamArn string) (*iamEntity, error) {