mark lease non-renewable when secret is expiring
Mark a lease as non-renewable when the remaining Azure-side lifetime is
shorter than the role's configured TTL.

Marking a lease as non-renewable signals to clients that they must
obtain a new lease/secret when the existing one is approaching the limit
that was originally set through `explicit_max_ttl`.
gsantos-hc committed Jun 21, 2024
1 parent 3f7198c commit f6c66d5
Showing 1 changed file with 3 additions and 13 deletions.
16 changes: 3 additions & 13 deletions path_service_principal.go
Expand Up @@ -248,20 +248,10 @@ func (b *azureSecretBackend) spRenew(ctx context.Context, req *logical.Request,
}
keyLifetime := time.Until(keyEndDate)

// Determine TTL and MaxTTL
ttl := role.TTL
if keyLifetime < ttl {
ttl = keyLifetime
}

maxTTL := role.MaxTTL
if keyLifetime < maxTTL {
maxTTL = keyLifetime
}

resp := &logical.Response{Secret: req.Secret}
resp.Secret.TTL = ttl
resp.Secret.MaxTTL = maxTTL
resp.Secret.TTL = min(role.TTL, keyLifetime)
resp.Secret.MaxTTL = min(role.MaxTTL, keyLifetime)
resp.Secret.Renewable = role.TTL < keyLifetime // Lease cannot be renewed beyond service-side endDate

return resp, nil
}
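Review bot: the builtin `min` on `resp.Secret.TTL = min(role.TTL, keyLifetime)` and `resp.Secret.MaxTTL = min(role.MaxTTL, keyLifetime)` requires Go 1.21 or newer; confirm the module's `go` directive is at least 1.21, otherwise this hunk fails to compile on older toolchains. Also, `resp.Secret.Renewable = role.TTL < keyLifetime` is derived from the role TTL rather than from the `resp.Secret.TTL` computed one line earlier; the two agree (the lease is renewable exactly when the clamp did not apply), but a short comment saying so, in place of the trailing one that runs past the line width, would save the next reader from re-deriving it.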