database role max_ttl not respected when default_ttl not set #3812

Closed
jgiles opened this issue Jan 18, 2018 · 0 comments
jgiles commented Jan 18, 2018

Environment:

  • Vault Version: Vault v0.9.1 ('87b6919dea55da61d7cd444b2442cabb8ede8ab1')
  • Operating System/Architecture: library/vault docker image (Alpine linux)

Vault Config File:

Dev server with default config.

Startup Log Output:

vault_1     | ==> Vault server configuration:
vault_1     |
vault_1     |                      Cgo: disabled
vault_1     |          Cluster Address: https://0.0.0.0:8201
vault_1     |               Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", tls: "disabled")
vault_1     |                Log Level:
vault_1     |                    Mlock: supported: true, enabled: false
vault_1     |         Redirect Address: http://0.0.0.0:8200
vault_1     |                  Storage: inmem
vault_1     |                  Version: Vault v0.9.1
vault_1     |              Version Sha: 87b6919dea55da61d7cd444b2442cabb8ede8ab1
vault_1     |
vault_1     | ==> WARNING: Dev mode is enabled!

Expected Behavior:

Roles configured without a default_ttl would still have their TTL capped by max_ttl.

Actual Behavior:

For roles configured without a default_ttl, creds are issued with lease_duration greater than max_ttl, and are still valid after max_ttl.

Steps to Reproduce:

The below is run in a docker-compose environment (to have a database to play with).

# We set a max TTL but not a default.
$ vault read mssql/roles/dbcreator
Key                     Value
---                     -----
creation_statements     CREATE LOGIN [{{name}}] WITH PASSWORD = '{{password}}'; CREATE USER [{{name}}] FOR LOGIN [{{name}}]; ALTER SERVER ROLE dbcreator ADD MEMBER [{{name}}];
db_name                 mssql
default_ttl             0
max_ttl                 60
renew_statements
revocation_statements
rollback_statements

# Getting creds, the lease_duration (786h) looks wrong.
$ vault read mssql/creds/dbcreator
Key             Value
---             -----
lease_id        mssql/creds/dbcreator/bb5f8057-316a-d963-2c6f-4d207433106a
lease_duration  768h0m0s
lease_renewable true
password        A1a-83u8sp05z7vr251v
username        v-token-dbcreator-151pv0y08w2r2zswz5yq-1516239908

# For reference, get the start time.
$ date
Wed Jan 17 20:45:11 EST 2018

# Inspecting the lease, the TTL agrees with the above.
$ vault write sys/leases/lookup lease_id=mssql/creds/dbcreator/bb5f8057-316a-d963-2c6f-4d207433106a
Key             Value
---             -----
expire_time     2018-02-19T01:45:08.412389866Z
id              mssql/creds/dbcreator/bb5f8057-316a-d963-2c6f-4d207433106a
issue_time      2018-01-18T01:45:08.412389587Z
last_renewal    <nil>
renewable       true
ttl             2764756

# We can log into the database.
$ docker-compose exec mssql /opt/mssql-tools/bin/sqlcmd -Q "SELECT DB_NAME()" -U v-token-dbcreator-3804682tyv33rwpy359r-1516239636 -P A1a-19zqwru67wp11v3v

--------------------------------------------------------------------------------------------------------------------------------
master

(1 rows affected)

# Wait a while - date says it has been more than 4 minutes.
$ date
Wed Jan 17 20:49:20 EST 2018
$ docker-compose exec mssql /opt/mssql-tools/bin/sqlcmd -Q "SELECT DB_NAME()" -U v-token-dbcreator-3804682tyv33rwpy359r-1516239636 -P A1a-19zqwru67wp11v3v

--------------------------------------------------------------------------------------------------------------------------------
master

(1 rows affected)

# Renewing doesn't work.
$ vault renew itbitdev/mssql/creds/dbcreator/bb5f8057-316a-d963-2c6f-4d207433106a
Renew error: Error making API request.

URL: PUT http://192.168.99.100:8200/v1/sys/leases/renew
Code: 400. Errors:

* failed to renew entry: resp:(*logical.Response)(nil) err:past the max TTL, cannot renew

# Wait still longer.
$ date
Wed Jan 17 21:00:27 EST 2018

# We can still log in.
$ docker-compose exec mssql /opt/mssql-tools/bin/sqlcmd -Q "SELECT DB_NAME()" -U v-token-dbcreator-3804682tyv33rwpy359r-1516239636 -P A1a-19zqwru67wp11v3v

--------------------------------------------------------------------------------------------------------------------------------
master

(1 rows affected)

# Get a new lease.
$ vault read mssql/creds/dbcreator
Key             Value
---             -----
lease_id        mssql/creds/dbcreator/d7298653-c5e2-7ebf-ed83-cff3561f4470
lease_duration  768h0m0s
lease_renewable true
password        A1a-2qqu2t3x57x94852
username        v-token-dbcreator-p31v98uwy60vq4sy3v3w-1516241240

$ date
Wed Jan 17 21:07:21 EST 2018

# TTL is still more than max_ttl.
$ vault write sys/leases/lookup lease_id=mssql/creds/dbcreator/d7298653-c5e2-7ebf-ed83-cff3561f4470
Key             Value
---             -----
expire_time     2018-02-19T02:07:20.473265677Z
id              mssql/creds/dbcreator/d7298653-c5e2-7ebf-ed83-cff3561f4470
issue_time      2018-01-18T02:07:20.4732654Z
last_renewal    <nil>
renewable       true
ttl             2764779

# Performing a renew operation fixes the TTL.
$ vault renew mssql/creds/dbcreator/d7298653-c5e2-7ebf-ed83-cff3561f4470
Key             Value
---             -----
lease_id        mssql/creds/dbcreator/d7298653-c5e2-7ebf-ed83-cff3561f4470
lease_duration  26s
lease_renewable true

# After more than a minute, we're locked out.
$ docker-compose exec mssql /opt/mssql-tools/bin/sqlcmd -Q "SELECT DB_NAME()" -U v-token-dbcreator-p31v98uwy60vq4sy3v3w-1516241240 -P A1a-2qqu2t3x57x94852
Sqlcmd: Error: Microsoft ODBC Driver 13 for SQL Server : Login failed for user 'v-token-dbcreator-p31v98uwy60vq4sy3v3w-1516241240'..
$ date
Wed Jan 17 21:08:37 EST 2018

I'm seeing similar behavior with the postgres plugin, though I have not poked at it as much.
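The capping the report expects, and an audit check for the symptom it observes, as an added Go example that is not Vault's own code: `LeaseTTL` is a hypothetical helper applying "default_ttl 0 means the system default, then cap at max_ttl", and `OverMax` flags leases whose `sys/leases/lookup` ttl exceeds the role's max_ttl. It assumes Vault's 768h default/max lease TTL, which matches the lease_duration seen above.

```go
package main

import (
	"fmt"
	"time"
)

// LeaseTTL returns the lease TTL the report expects: an unset (0)
// default_ttl falls back to the system default, and max_ttl (or the
// system max when max_ttl is 0) caps the result. Hypothetical helper.
func LeaseTTL(defaultTTL, maxTTL, sysDefault, sysMax time.Duration) time.Duration {
	ttl := defaultTTL
	if ttl == 0 {
		ttl = sysDefault
	}
	limit := maxTTL
	if limit == 0 {
		limit = sysMax
	}
	if ttl > limit {
		ttl = limit
	}
	return ttl
}

// Lease is one entry from sys/leases/lookup: id plus ttl in seconds.
type Lease struct {
	ID  string
	TTL int64
}

// OverMax returns the ids of leases whose remaining ttl exceeds the
// role's max_ttl, i.e. credentials that should already be capped.
func OverMax(leases []Lease, maxTTL time.Duration) []string {
	var bad []string
	for _, l := range leases {
		if time.Duration(l.TTL)*time.Second > maxTTL {
			bad = append(bad, l.ID)
		}
	}
	return bad
}

func main() {
	// Role from the report: default_ttl 0, max_ttl 60; 768h assumed as Vault's default.
	fmt.Println(LeaseTTL(0, 60*time.Second, 768*time.Hour, 768*time.Hour)) // 1m0s
	// Constructed sample: the first ttl is the one observed in the report.
	leases := []Lease{{"mssql/creds/dbcreator/bb5f8057-316a-d963-2c6f-4d207433106a", 2764756}, {"constructed-ok", 26}}
	fmt.Println(OverMax(leases, 60*time.Second))
}
```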
