Fix handling of TTL in child tokens

jenkinsci · Sep 30, 2022 · cf4899a · cf4899a
1 parent be7448a
commit cf4899a
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/...va/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.java b/...va/com/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpiration.java
@@ -78,9 +78,13 @@ protected String getChildToken(Vault vault, List<String> policies) {
         }
         Auth auth = getVaultAuth(vault);
         try {
-            TokenRequest tokenRequest = (new TokenRequest()).polices(policies);
-            LOGGER.log(Level.FINE, "Requesting child token with policies {0}",
-                new Object[] {policies});
+            String ttl = String.format("%ds", getTokenTTL(vault));
+            TokenRequest tokenRequest = (new TokenRequest())
+                .polices(policies)
+                // Set the TTL to the parent token TTL
+                .ttl(ttl);
+            LOGGER.log(Level.FINE, "Requesting child token with policies {0} and TTL {1}",
+                new Object[] {policies, ttl});
             return auth.createToken(tokenRequest).getAuthClientToken();
         } catch (VaultException e) {
             throw new VaultPluginException("Could not retrieve token with policies from Vault", e);
@@ -131,10 +135,14 @@ protected Vault getVault(VaultConfig config) {
         return new Vault(config);
     }
 
+    private long getTokenTTL(Vault vault) throws VaultException {
+        return getVaultAuth(vault).lookupSelf().getTTL();
+    }
+
     private void setTokenExpiry(Vault vault, String cacheKey) {
         int tokenTTL = 0;
         try {
-            tokenTTL = (int) getVaultAuth(vault).lookupSelf().getTTL();
+            tokenTTL = (int) getTokenTTL(vault);
         } catch (VaultException e) {
             LOGGER.log(Level.WARNING, "Could not determine token expiration for policies '" +
                 cacheKey + "'. Check if token is allowed to access auth/token/lookup-self. " +
@@ -154,6 +162,7 @@ private boolean tokenExpired(String cacheKey) {
         boolean result = true;
         Calendar now = Calendar.getInstance();
         long timeDiffInMillis = now.getTimeInMillis() - expiry.getTimeInMillis();
+        LOGGER.log(Level.FINE, "Expiration for " + cacheKey + " is " + expiry + ", diff: " + timeDiffInMillis);
         if (timeDiffInMillis < -2000L) {
             // token will be valid for at least another 2s
             result = false;

diff --git a/...om/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpirationTest.java b/...om/datapipe/jenkins/vault/credentials/AbstractVaultTokenCredentialWithExpirationTest.java
@@ -87,11 +87,12 @@ public void shouldNotFetchChildTokenIfEmptyPoliciesSpecified() throws VaultExcep
 
     @Test
     public void shouldFetchChildTokenIfPoliciesSpecified() throws VaultException {
-        TokenRequest tokenRequest = (new TokenRequest()).polices(policies);
-        when(auth.createToken(argThat((TokenRequest tr) -> tokenRequest.getPolices() == policies)))
-            .thenReturn(childAuthResponse);
+        when(auth.createToken(argThat((TokenRequest tr) ->
+            tr.getPolices() == policies && tr.getTtl().equals("30s")
+        ))).thenReturn(childAuthResponse);
         when(auth.lookupSelf()).thenReturn(lookupResponse);
-        when(lookupResponse.getTTL()).thenReturn(0L);
+        // First response is for parent, second is for child
+        when(lookupResponse.getTTL()).thenReturn(30L, 0L);
 
         vaultTokenCredentialWithExpiration.authorizeWithVault(vaultConfig, policies);