Merge f0782ee into backport/vault-28314-token-max-lease-ttl-fix/forma…

…lly-usable-jawfish
hashicorp · Sep 25, 2024 · b77eaca · b77eaca
2 parents 4e2c767 + f0782ee
commit b77eaca
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 1 deletion.
diff --git a/changelog/28498.txt b/changelog/28498.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: Fix token TTL calculation so that it uses `max_lease_ttl` tune value for tokens created via `auth/token/create`.
+```
diff --git a/vault/token_store.go b/vault/token_store.go
@@ -3138,9 +3138,16 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 
 	sysView := ts.System().(extendedSystemView)
 
+	var backendMaxTTL time.Duration
+
+	mountEntry := ts.core.router.MatchingMountByAccessor(req.MountAccessor)
+	if mountEntry != nil {
+		backendMaxTTL = mountEntry.Config.MaxLeaseTTL
+	}
+
 	// Only calculate a TTL if you are A) periodic, B) have a TTL, C) do not have a TTL and are not a root token
 	if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContains(te.Policies, "root")) {
-		ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, 0, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
+		ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, backendMaxTTL, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
 		if err != nil {
 			return nil, err
 		}