Selector can optionally be prepended to UserID with a delimiter

hashicorp · May 19, 2016 · da4aa80 · da4aa80
1 parent fd845ca
commit da4aa80
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 7 deletions.
diff --git a/builtin/credential/appgroup/path_app.go b/builtin/credential/appgroup/path_app.go
@@ -328,15 +328,21 @@ func (b *backend) pathAppCreateUpdate(req *logical.Request, data *framework.Fiel
 		app.TokenMaxTTL = time.Second * time.Duration(data.Get("token_max_ttl").(int))
 	}
 
+	resp := &logical.Response{}
+
 	// Check that the TokenMaxTTL value provided is less than the TokenMaxTTL.
 	// Sanitizing the TTL and MaxTTL is not required now and can be performed
 	// at credential issue time.
 	if app.TokenMaxTTL > time.Duration(0) && app.TokenTTL > app.TokenMaxTTL {
 		return logical.ErrorResponse("token_ttl should not be greater than token_max_ttl"), nil
 	}
 
+	if app.TokenMaxTTL > b.System().MaxLeaseTTL() {
+		resp.AddWarning("token_max_ttl is greater than the backend mount's maximum TTL value; issued tokens' max TTL value will be truncated")
+	}
+
 	// Store the entry.
-	return nil, b.setAppEntry(req.Storage, appName, app)
+	return resp, b.setAppEntry(req.Storage, appName, app)
 }
 
 // pathAppRead grabs a read lock and reads the options set on the App from the storage

diff --git a/builtin/credential/appgroup/path_generic.go b/builtin/credential/appgroup/path_generic.go
@@ -15,7 +15,7 @@ import (
 // genericStorageEntry stores all the options that are set during UserID
 // creation in "generic" mode.
 type genericStorageEntry struct {
-	// All the Groups that are to be accessible by the UseID created
+	// All the Groups that are to be accessible by the UserID created
 	Groups []string `json:"groups" structs:"groups" mapstructure:"groups"`
 
 	// All the Apps that are to be accessible by the UserID created

diff --git a/builtin/credential/appgroup/path_login.go b/builtin/credential/appgroup/path_login.go
@@ -45,16 +45,25 @@ func (b *backend) pathLoginRenew(req *logical.Request, data *framework.FieldData
 }
 
 func (b *backend) pathLoginUpdate(req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	selector := strings.TrimSpace(data.Get("selector").(string))
-	if selector == "" {
-		return logical.ErrorResponse("missing selector"), nil
-	}
-
 	userID := strings.TrimSpace(data.Get("user_id").(string))
 	if userID == "" {
 		return logical.ErrorResponse("missing user_id"), nil
 	}
 
+	// Selector can optionally be prepended to the UserID with a `;` delimiter
+	selector := strings.TrimSpace(data.Get("selector").(string))
+	if selector == "" {
+		selectorFields := strings.SplitN(userID, ";", 2)
+		if len(selectorFields) != 2 || selectorFields[0] == "" {
+			return logical.ErrorResponse("missing selector"), nil
+		} else if selectorFields[1] == "" {
+			return logical.ErrorResponse("missing user_id"), nil
+		} else {
+			selector = selectorFields[0]
+			userID = selectorFields[1]
+		}
+	}
+
 	validateResp, err := b.validateCredentials(req.Storage, selector, userID)
 	if err != nil {
 		return logical.ErrorResponse(fmt.Sprintf("failed to validate user ID: %s", err)), nil