mark lease non-renewable when secret is expiring

Mark a lease as non-renewable when the remaining Azure-side lifetime is shorter than the role's configured TTL. Marking a lease as non-renewable signals to clients that they must obtain a new lease/secret when the existing one is approaching the limit that was originally set through `explicit_max_ttl`.
hashicorp · Jun 21, 2024 · 812483b · 812483b
1 parent 0fb38e1
commit 812483b
Showing 1 changed file with 3 additions and 13 deletions.
diff --git a/path_service_principal.go b/path_service_principal.go
@@ -248,20 +248,10 @@ func (b *azureSecretBackend) spRenew(ctx context.Context, req *logical.Request,
 	}
 	keyLifetime := time.Until(keyEndDate)
 
-	// Determine TTL and MaxTTL
-	ttl := role.TTL
-	if keyLifetime < ttl {
-		ttl = keyLifetime
-	}
-
-	maxTTL := role.MaxTTL
-	if keyLifetime < maxTTL {
-		maxTTL = keyLifetime
-	}
-
 	resp := &logical.Response{Secret: req.Secret}
-	resp.Secret.TTL = ttl
-	resp.Secret.MaxTTL = maxTTL
+	resp.Secret.TTL = min(role.TTL, keyLifetime)
+	resp.Secret.MaxTTL = min(role.MaxTTL, keyLifetime)
+	resp.Secret.Renewable = role.TTL < keyLifetime // Lease cannot be renewed beyond service-side endDate
 
 	return resp, nil
 }