From f6c66d5f5790cac2798ed33779b8debb6055ed7f Mon Sep 17 00:00:00 2001
From: Guilherme Santos <157053549+gsantos-hc@users.noreply.github.com>
Date: Fri, 21 Jun 2024 15:13:03 -0400
Subject: [PATCH] mark lease non-renewable when secret is expiring

Mark a lease as non-renewable when the remaining Azure-side lifetime is shorter than the role's configured TTL. Marking a lease as non-renewable signals to clients that they must obtain a new lease/secret when the existing one is approaching the limit that was originally set through `explicit_max_ttl`.
---
 path_service_principal.go | 16 +++------------
 1 file changed, 3 insertions(+), 13 deletions(-)

diff --git a/path_service_principal.go b/path_service_principal.go
index bd784326..69c4498b 100644
--- a/path_service_principal.go
+++ b/path_service_principal.go
@@ -248,20 +248,10 @@ func (b *azureSecretBackend) spRenew(ctx context.Context, req *logical.Request,
 	}
 	keyLifetime := time.Until(keyEndDate)
 
-	// Determine TTL and MaxTTL
-	ttl := role.TTL
-	if keyLifetime < ttl {
-		ttl = keyLifetime
-	}
-
-	maxTTL := role.MaxTTL
-	if keyLifetime < maxTTL {
-		maxTTL = keyLifetime
-	}
-
 	resp := &logical.Response{Secret: req.Secret}
-	resp.Secret.TTL = ttl
-	resp.Secret.MaxTTL = maxTTL
+	resp.Secret.TTL = min(role.TTL, keyLifetime)
+	resp.Secret.MaxTTL = min(role.MaxTTL, keyLifetime)
+	resp.Secret.Renewable = role.TTL < keyLifetime // Lease cannot be renewed beyond service-side endDate
 
 	return resp, nil
 }
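Review bot: The three added assignments still let an already-expired Azure credential pass through renewal: when keyEndDate is in the past, `keyLifetime` is negative, `min()` propagates a negative TTL and MaxTTL into the lease, and Renewable becomes false, so the renew call succeeds with a meaningless lease instead of being refused. Unless the part of spRenew above this hunk already rejects a past end date (the function starts outside the hunk, so that is not visible here), a guard before the response is built would make the failure explicit, e.g. `if keyLifetime <= 0 { return logical.ErrorResponse("service principal credential has already expired"), nil }`. The trailing comment on the Renewable line would also read better on its own line above the assignment and could state why role.TTL is the threshold: `// Not renewable once less than one full role TTL remains before the Azure-side end date.`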