func (b *backend) secretAccessKeysRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// STS already has a lifetime, and we don't support renewing it
isSTSRaw, ok := req.Secret.InternalData["is_sts"]
if ok {
isSTS, ok := isSTSRaw.(bool)
if ok {
if isSTS {
return nil, nil
}
}
}
lease, err := b.Lease(req.Storage)
if err != nil {
return nil, err
}
if lease == nil {
lease = &configLease{}
}
f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, b.System())
return f(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
if req.Auth == nil {
return nil, fmt.Errorf("request auth was nil")
}
tokenRaw, ok := req.Auth.InternalData["token"]
if !ok {
return nil, fmt.Errorf("token created in previous version of Vault cannot be validated properly at renewal time")
}
token := tokenRaw.(string)
var verifyResp *verifyCredentialsResp
if verifyResponse, resp, err := b.verifyCredentials(req, token); err != nil {
return nil, err
} else if resp != nil {
return resp, nil
} else {
verifyResp = verifyResponse
}
if !policyutil.EquivalentPolicies(verifyResp.Policies, req.Auth.Policies) {
return nil, fmt.Errorf("policies do not match")
}
config, err := b.Config(req.Storage)
if err != nil {
return nil, err
}
return framework.LeaseExtend(config.TTL, config.MaxTTL, b.System())(req, d)
}
// Invoked when the token issued by this backend is attempting a renewal.
func (b *backend) pathLoginRenew(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
roleName := req.Auth.InternalData["role_name"].(string)
if roleName == "" {
return nil, fmt.Errorf("failed to fetch role_name during renewal")
}
// Ensure that the Role still exists.
role, err := b.roleEntry(req.Storage, roleName)
if err != nil {
return nil, fmt.Errorf("failed to validate role %s during renewal:%s", roleName, err)
}
if role == nil {
return nil, fmt.Errorf("role %s does not exist during renewal", roleName)
}
// If 'Period' is set on the Role, the token should never expire.
// Replenish the TTL with 'Period's value.
if role.Period > time.Duration(0) {
// If 'Period' was updated after the token was issued,
// token will bear the updated 'Period' value as its TTL.
req.Auth.TTL = role.Period
return &logical.Response{Auth: req.Auth}, nil
} else {
return framework.LeaseExtend(role.TokenTTL, role.TokenMaxTTL, b.System())(req, data)
}
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
config, err := b.Config(req.Storage)
if err != nil {
return nil, err
}
return framework.LeaseExtend(config.TTL, config.MaxTTL, b.System())(req, d)
}
func (b *backend) secretDynamicKeyRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
lease, err := b.Lease(req.Storage)
if err != nil {
return nil, err
}
if lease == nil {
lease = &configLease{Lease: 1 * time.Hour}
}
f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, false)
return f(req, d)
}
func (b *backend) secretCredsRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// Get the lease information
leaseConfig, err := b.LeaseConfig(req.Storage)
if err != nil {
return nil, err
}
if leaseConfig == nil {
leaseConfig = &configLease{}
}
f := framework.LeaseExtend(leaseConfig.TTL, leaseConfig.MaxTTL, b.System())
return f(req, d)
}
func (b *backend) secretCredsRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// Get the username from the internal data
usernameRaw, ok := req.Secret.InternalData["username"]
if !ok {
return nil, fmt.Errorf("secret is missing username internal data")
}
username, ok := usernameRaw.(string)
// Get our connection
db, err := b.DB(req.Storage)
if err != nil {
return nil, err
}
// Get the lease information
lease, err := b.Lease(req.Storage)
if err != nil {
return nil, err
}
if lease == nil {
lease = &configLease{Lease: 1 * time.Hour}
}
f := framework.LeaseExtend(lease.Lease, lease.LeaseMax)
resp, err := f(req, d)
if err != nil {
return nil, err
}
// Make sure we increase the VALID UNTIL endpoint for this user.
if expireTime := resp.Secret.ExpirationTime(); !expireTime.IsZero() {
expiration := expireTime.Add(10 * time.Minute).
Format("2006-01-02 15:04:05")
query := fmt.Sprintf(
"ALTER ROLE %s VALID UNTIL '%s';",
pq.QuoteIdentifier(username),
expiration)
stmt, err := db.Prepare(query)
if err != nil {
return nil, err
}
defer stmt.Close()
if _, err := stmt.Exec(); err != nil {
return nil, err
}
}
return resp, nil
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
config, err := b.Config(req.Storage)
if err != nil {
return nil, err
}
if !config.DisableBinding {
var matched *ParsedCert
if verifyResp, resp, err := b.verifyCredentials(req); err != nil {
return nil, err
} else if resp != nil {
return resp, nil
} else {
matched = verifyResp
}
if matched == nil {
return nil, nil
}
clientCerts := req.Connection.ConnState.PeerCertificates
if len(clientCerts) == 0 {
return nil, fmt.Errorf("no client certificate found")
}
skid := base64.StdEncoding.EncodeToString(clientCerts[0].SubjectKeyId)
akid := base64.StdEncoding.EncodeToString(clientCerts[0].AuthorityKeyId)
// Certificate should not only match a registered certificate policy.
// Also, the identity of the certificate presented should match the identity of the certificate used during login
if req.Auth.InternalData["subject_key_id"] != skid && req.Auth.InternalData["authority_key_id"] != akid {
return nil, fmt.Errorf("client identity during renewal not matching client identity used during login")
}
}
// Get the cert and use its TTL
cert, err := b.Cert(req.Storage, req.Auth.Metadata["cert_name"])
if err != nil {
return nil, err
}
if cert == nil {
// User no longer exists, do not renew
return nil, nil
}
if !policyutil.EquivalentPolicies(cert.Policies, req.Auth.Policies) {
return nil, fmt.Errorf("policies have changed, not renewing")
}
return framework.LeaseExtend(cert.TTL, 0, b.System())(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// Get the cert and validate auth
cert, err := b.Cert(req.Storage, req.Auth.Metadata["cert_name"])
if err != nil {
return nil, err
}
if cert == nil {
// User no longer exists, do not renew
return nil, nil
}
return framework.LeaseExtend(cert.TTL, 0, false)(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// Get the user and validate auth
user, err := b.User(req.Storage, req.Auth.Metadata["username"])
if err != nil {
return nil, err
}
if user == nil {
// User no longer exists, do not renew
return nil, nil
}
return framework.LeaseExtend(user.MaxTTL, 0, false)(req, d)
}
func (ts *TokenStore) authRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
if req.Auth == nil {
return nil, fmt.Errorf("request auth is nil")
}
te, err := ts.Lookup(req.Auth.ClientToken)
if err != nil {
return nil, fmt.Errorf("error looking up token: %s", err)
}
if te == nil {
return nil, fmt.Errorf("no token entry found during lookup")
}
f := framework.LeaseExtend(req.Auth.Increment, te.ExplicitMaxTTL, ts.System())
// No role? Use normal LeaseExtend semantics
if te.Role == "" {
return f(req, d)
}
role, err := ts.tokenStoreRole(te.Role)
if err != nil {
return nil, fmt.Errorf("error looking up role %s: %s", te.Role, err)
}
if role == nil {
return nil, fmt.Errorf("original token role (%s) could not be found, not renewing", te.Role)
}
// If role.Period is not zero, this is a periodic token. The TTL for a
// periodic token is always the same (the role's period value). It is not
// subject to normal maximum TTL checks that would come from calling
// LeaseExtend, so we fast path it.
//
// The one wrinkle here is if the token has an explicit max TTL. Roles
// don't support having both configured, but they could be changed. We
// don't support tokens that are both periodic and have an explicit max
// TTL, so if the token has one, we treat it as a regular token even if the
// role is periodic.
if role.Period != 0 && te.ExplicitMaxTTL == 0 {
req.Auth.TTL = role.Period
return &logical.Response{Auth: req.Auth}, nil
}
return f(req, d)
}
func secretToken() *framework.Secret {
return &framework.Secret{
Type: SecretTokenType,
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Request token",
},
},
DefaultDuration: DefaultLeaseDuration,
DefaultGracePeriod: DefaultGracePeriod,
Renew: framework.LeaseExtend(0, 0, true),
Revoke: secretTokenRevoke,
}
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
username := req.Auth.Metadata["username"]
password := req.Auth.InternalData["password"].(string)
loginPolicies, resp, err := b.Login(req, username, password)
if len(loginPolicies) == 0 {
return resp, err
}
if !policyutil.EquivalentPolicies(loginPolicies, req.Auth.Policies) {
return nil, fmt.Errorf("policies have changed, not renewing")
}
return framework.LeaseExtend(0, 0, b.System())(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// Get the user
user, err := b.user(req.Storage, req.Auth.Metadata["username"])
if err != nil {
return nil, err
}
if user == nil {
// User no longer exists, do not renew
return nil, nil
}
if !policyutil.EquivalentPolicies(user.Policies, req.Auth.Policies) {
return logical.ErrorResponse("policies have changed, not renewing"), nil
}
return framework.LeaseExtend(user.TTL, user.MaxTTL, b.System())(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
username := req.Auth.Metadata["username"]
password := req.Auth.InternalData["password"].(string)
prevpolicies := req.Auth.Metadata["policies"]
policies, resp, err := b.Login(req, username, password)
if len(policies) == 0 {
return resp, err
}
sort.Strings(policies)
if strings.Join(policies, ",") != prevpolicies {
return logical.ErrorResponse("policies have changed, revoking login"), nil
}
return framework.LeaseExtend(1*time.Hour, 0, false)(req, d)
}
func (b *backend) secretCredsRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
// Get the lease information
roleRaw, ok := req.Secret.InternalData["role"]
if !ok {
return nil, fmt.Errorf("Secret is missing role internal data")
}
roleName, ok := roleRaw.(string)
if !ok {
return nil, fmt.Errorf("Error converting role internal data to string")
}
role, err := getRole(req.Storage, roleName)
if err != nil {
return nil, fmt.Errorf("Unable to load role: %s", err)
}
return framework.LeaseExtend(role.Lease, 0, false)(req, d)
}
func (ts *TokenStore) authRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
if req.Auth == nil {
return nil, fmt.Errorf("request auth is nil")
}
f := framework.LeaseExtend(req.Auth.Increment, 0, ts.System())
te, err := ts.Lookup(req.Auth.ClientToken)
if err != nil {
return nil, fmt.Errorf("error looking up token: %s", err)
}
if te == nil {
return nil, fmt.Errorf("no token entry found during lookup")
}
// No role? Use normal LeaseExtend semantics
if te.Role == "" {
return f(req, d)
}
role, err := ts.tokenStoreRole(te.Role)
if err != nil {
return nil, fmt.Errorf("error looking up role %s: %s", te.Role, err)
}
if role == nil {
return logical.ErrorResponse(fmt.Sprintf("original token role (%s) could not be found, not renewing", te.Role)), nil
}
// If role.Period is not zero, this is a periodic token. The TTL for a
// periodic token is always the same (the role's period value). It is not
// subject to normal maximum TTL checks that would come from calling
// LeaseExtend, so we fast path it.
if role.Period != 0 {
req.Auth.TTL = role.Period
return &logical.Response{Auth: req.Auth}, nil
}
return f(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
token := req.Auth.InternalData["token"].(string)
var verifyResp *verifyCredentialsResp
if verifyResponse, resp, err := b.verifyCredentials(req, token); err != nil {
return nil, err
} else if resp != nil {
return resp, nil
} else {
verifyResp = verifyResponse
}
if !policyutil.EquivalentPolicies(verifyResp.Policies, req.Auth.Policies) {
return logical.ErrorResponse("policies do not match"), nil
}
config, err := b.Config(req.Storage)
if err != nil {
return nil, err
}
return framework.LeaseExtend(config.TTL, config.MaxTTL, b.System())(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
appId := req.Auth.InternalData["app-id"].(string)
userId := req.Auth.InternalData["user-id"].(string)
// Skipping CIDR verification to enable renewal from machines other than
// the ones encompassed by CIDR block.
if _, resp, err := b.verifyCredentials(req, appId, userId); err != nil {
return nil, err
} else if resp != nil {
return resp, nil
}
// Get the policies associated with the app
mapPolicies, err := b.MapAppId.Policies(req.Storage, appId)
if err != nil {
return nil, err
}
if !policyutil.EquivalentPolicies(mapPolicies, req.Auth.Policies) {
return nil, fmt.Errorf("policies do not match")
}
return framework.LeaseExtend(0, 0, b.System())(req, d)
}
// NewTokenStore is used to construct a token store that is
// backed by the given barrier view.
func NewTokenStore(c *Core) (*TokenStore, error) {
// Create a sub-view
view := c.systemView.SubView(tokenSubPath)
// Initialize the store
t := &TokenStore{
view: view,
}
// Look for the salt
raw, err := view.Get(tokenSaltLocation)
if err != nil {
return nil, fmt.Errorf("failed to read salt: %v", err)
}
// Restore the salt if it exists
if raw != nil {
t.salt = string(raw.Value)
}
// Generate a new salt if necessary
if t.salt == "" {
t.salt = generateUUID()
raw = &logical.StorageEntry{Key: tokenSaltLocation, Value: []byte(t.salt)}
if err := view.Put(raw); err != nil {
return nil, fmt.Errorf("failed to persist salt: %v", err)
}
}
// Setup the framework endpoints
t.Backend = &framework.Backend{
AuthRenew: framework.LeaseExtend(0, 0),
PathsSpecial: &logical.Paths{
Root: []string{
"revoke-prefix/*",
},
Unauthenticated: []string{
"lookup-self",
},
},
Paths: []*framework.Path{
&framework.Path{
Pattern: "create$",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleCreate,
},
HelpSynopsis: strings.TrimSpace(tokenCreateHelp),
HelpDescription: strings.TrimSpace(tokenCreateHelp),
},
&framework.Path{
Pattern: "lookup/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to lookup",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: t.handleLookup,
},
HelpSynopsis: strings.TrimSpace(tokenLookupHelp),
HelpDescription: strings.TrimSpace(tokenLookupHelp),
},
&framework.Path{
Pattern: "lookup-self$",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to lookup",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: t.handleLookup,
},
HelpSynopsis: strings.TrimSpace(tokenLookupHelp),
HelpDescription: strings.TrimSpace(tokenLookupHelp),
},
&framework.Path{
Pattern: "revoke/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to revoke",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRevokeTree,
},
HelpSynopsis: strings.TrimSpace(tokenRevokeHelp),
HelpDescription: strings.TrimSpace(tokenRevokeHelp),
},
&framework.Path{
Pattern: "revoke-orphan/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to revoke",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRevokeOrphan,
},
HelpSynopsis: strings.TrimSpace(tokenRevokeOrphanHelp),
HelpDescription: strings.TrimSpace(tokenRevokeOrphanHelp),
},
&framework.Path{
Pattern: "revoke-prefix/(?P<prefix>.+)",
Fields: map[string]*framework.FieldSchema{
"prefix": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token source prefix to revoke",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRevokePrefix,
},
HelpSynopsis: strings.TrimSpace(tokenRevokePrefixHelp),
HelpDescription: strings.TrimSpace(tokenRevokePrefixHelp),
},
&framework.Path{
Pattern: "renew/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to renew",
},
"increment": &framework.FieldSchema{
Type: framework.TypeInt,
Description: "The desired increment in seconds to the token expiration",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRenew,
},
HelpSynopsis: strings.TrimSpace(tokenRenewHelp),
HelpDescription: strings.TrimSpace(tokenRenewHelp),
},
},
}
return t, nil
}
// pathLoginRenew is used to renew an authenticated token.
func (b *backend) pathLoginRenew(
req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
instanceID := req.Auth.Metadata["instance_id"]
if instanceID == "" {
return nil, fmt.Errorf("unable to fetch instance ID from metadata during renewal")
}
region := req.Auth.Metadata["region"]
if region == "" {
return nil, fmt.Errorf("unable to fetch region from metadata during renewal")
}
// Cross check that the instance is still in 'running' state
_, err := b.validateInstance(req.Storage, instanceID, region)
if err != nil {
return nil, fmt.Errorf("failed to verify instance ID '%s': %s", instanceID, err)
}
storedIdentity, err := whitelistIdentityEntry(req.Storage, instanceID)
if err != nil {
return nil, err
}
if storedIdentity == nil {
return nil, fmt.Errorf("failed to verify the whitelist identity entry for instance ID: %s", instanceID)
}
// Ensure that role entry is not deleted.
roleEntry, err := b.lockedAWSRole(req.Storage, storedIdentity.Role)
if err != nil {
return nil, err
}
if roleEntry == nil {
return nil, fmt.Errorf("role entry not found")
}
// If the login was made using the role tag, then max_ttl from tag
// is cached in internal data during login and used here to cap the
// max_ttl of renewal.
rTagMaxTTL, err := time.ParseDuration(req.Auth.Metadata["role_tag_max_ttl"])
if err != nil {
return nil, err
}
// Re-evaluate the maxTTL bounds.
shortestMaxTTL := b.System().MaxLeaseTTL()
longestMaxTTL := b.System().MaxLeaseTTL()
if roleEntry.MaxTTL > time.Duration(0) && roleEntry.MaxTTL < shortestMaxTTL {
shortestMaxTTL = roleEntry.MaxTTL
}
if roleEntry.MaxTTL > longestMaxTTL {
longestMaxTTL = roleEntry.MaxTTL
}
if rTagMaxTTL > time.Duration(0) && rTagMaxTTL < shortestMaxTTL {
shortestMaxTTL = rTagMaxTTL
}
if rTagMaxTTL > longestMaxTTL {
longestMaxTTL = rTagMaxTTL
}
// Only LastUpdatedTime and ExpirationTime change and all other fields remain the same.
currentTime := time.Now().UTC()
storedIdentity.LastUpdatedTime = currentTime
storedIdentity.ExpirationTime = currentTime.Add(longestMaxTTL)
if err = setWhitelistIdentityEntry(req.Storage, instanceID, storedIdentity); err != nil {
return nil, err
}
return framework.LeaseExtend(req.Auth.TTL, shortestMaxTTL, b.System())(req, data)
}
// NewTokenStore is used to construct a token store that is
// backed by the given barrier view.
func NewTokenStore(c *Core, config *logical.BackendConfig) (*TokenStore, error) {
// Create a sub-view
view := c.systemBarrierView.SubView(tokenSubPath)
// Initialize the store
t := &TokenStore{
view: view,
}
// Setup the salt
salt, err := salt.NewSalt(view, nil)
if err != nil {
return nil, err
}
t.salt = salt
// Setup the framework endpoints
t.Backend = &framework.Backend{
// Allow a token lease to be extended indefinitely, but each time for only
// as much as the original lease allowed for. If the lease has a 1 hour expiration,
// it can only be extended up to another hour each time this means.
AuthRenew: framework.LeaseExtend(0, 0, true),
PathsSpecial: &logical.Paths{
Root: []string{
"revoke-prefix/*",
"revoke-orphan/*",
},
},
Paths: []*framework.Path{
&framework.Path{
Pattern: "create$",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleCreate,
},
HelpSynopsis: strings.TrimSpace(tokenCreateHelp),
HelpDescription: strings.TrimSpace(tokenCreateHelp),
},
&framework.Path{
Pattern: "lookup/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to lookup",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: t.handleLookup,
},
HelpSynopsis: strings.TrimSpace(tokenLookupHelp),
HelpDescription: strings.TrimSpace(tokenLookupHelp),
},
&framework.Path{
Pattern: "lookup-self$",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to lookup",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.ReadOperation: t.handleLookup,
},
HelpSynopsis: strings.TrimSpace(tokenLookupHelp),
HelpDescription: strings.TrimSpace(tokenLookupHelp),
},
&framework.Path{
Pattern: "revoke-self",
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRevokeSelf,
},
HelpSynopsis: strings.TrimSpace(tokenRevokeSelfHelp),
HelpDescription: strings.TrimSpace(tokenRevokeSelfHelp),
},
&framework.Path{
Pattern: "revoke/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to revoke",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRevokeTree,
},
HelpSynopsis: strings.TrimSpace(tokenRevokeHelp),
HelpDescription: strings.TrimSpace(tokenRevokeHelp),
},
&framework.Path{
Pattern: "revoke-orphan/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to revoke",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRevokeOrphan,
},
HelpSynopsis: strings.TrimSpace(tokenRevokeOrphanHelp),
HelpDescription: strings.TrimSpace(tokenRevokeOrphanHelp),
},
&framework.Path{
Pattern: "revoke-prefix/(?P<prefix>.+)",
Fields: map[string]*framework.FieldSchema{
"prefix": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token source prefix to revoke",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRevokePrefix,
},
HelpSynopsis: strings.TrimSpace(tokenRevokePrefixHelp),
HelpDescription: strings.TrimSpace(tokenRevokePrefixHelp),
},
&framework.Path{
Pattern: "renew/(?P<token>.+)",
Fields: map[string]*framework.FieldSchema{
"token": &framework.FieldSchema{
Type: framework.TypeString,
Description: "Token to renew",
},
"increment": &framework.FieldSchema{
Type: framework.TypeDurationSecond,
Description: "The desired increment in seconds to the token expiration",
},
},
Callbacks: map[logical.Operation]framework.OperationFunc{
logical.WriteOperation: t.handleRenew,
},
HelpSynopsis: strings.TrimSpace(tokenRenewHelp),
HelpDescription: strings.TrimSpace(tokenRenewHelp),
},
},
}
t.Backend.Setup(config)
return t, nil
}
func (ts *TokenStore) authRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
f := framework.LeaseExtend(0, 0, ts.System())
return f(req, d)
}
func (b *backend) pathLoginRenew(
req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
return framework.LeaseExtend(0, 0, b.System())(req, d)
}
func (b *backend) secretDynamicKeyRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
f := framework.LeaseExtend(0, 0, b.System())
return f(req, d)
}
func (b *backend) secretDynamicKeyRenew(req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
f := framework.LeaseExtend(b.System().DefaultLeaseTTL(), b.System().MaxLeaseTTL(), false)
return f(req, d)
}