Fix the consul secret backends renewal revocation problem

builtin/logical/consul/path_token.go

@@ -67,7 +67,9 @@ func (b *backend) pathTokenRead(
 	// Use the helper to create the secret
 	s := b.Secret(SecretTokenType).Response(map[string]interface{}{
 		"token": token,
-	}, nil)
+	}, map[string]interface{}{
+		"token": token,
+	})
 	s.Secret.TTL = result.Lease
 
 	return s, nil

builtin/logical/consul/secret_token.go

@@ -1,6 +1,8 @@
 package consul
 
 import (
+	"fmt"
+
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
 )
@@ -37,7 +39,12 @@ func secretTokenRevoke(
 		return logical.ErrorResponse(err.Error()), nil
 	}
 
-	_, err = c.ACL().Destroy(d.Get("token").(string), nil)
+	tokenRaw, ok := req.Secret.InternalData["token"]
+	if !ok {
+		return nil, fmt.Errorf("secret is missing internal data: token")
+	}
+
+	_, err = c.ACL().Destroy(tokenRaw.(string), nil)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}

vault/expiration.go

@@ -562,10 +562,10 @@ func (m *ExpirationManager) revokeEntry(le *leaseEntry) error {
 	}
 
 	// Handle standard revocation via backends
-	_, err := m.router.Route(logical.RevokeRequest(
+	resp, err := m.router.Route(logical.RevokeRequest(
 		le.Path, le.Secret, le.Data))
-	if err != nil {
-		return fmt.Errorf("failed to revoke entry: %v", err)
+	if err != nil || (resp != nil && resp.IsError()) {
+		return fmt.Errorf("failed to revoke entry: resp:%#v err:%s", resp, err)
 	}
 	return nil
 }
@@ -579,8 +579,8 @@ func (m *ExpirationManager) renewEntry(le *leaseEntry, increment time.Duration)
 
 	req := logical.RenewRequest(le.Path, &secret, le.Data)
 	resp, err := m.router.Route(req)
-	if err != nil {
-		return nil, fmt.Errorf("failed to renew entry: %v", err)
+	if err != nil || (resp != nil && resp.IsError()) {
+		return nil, fmt.Errorf("failed to renew entry: resp:%#v err:%s", resp, err)
 	}
 	return resp, nil
 }