hashicorp · chrishoffman · Apr 3, 2018 · Mar 27, 2018 · Mar 29, 2018 · Mar 30, 2018
diff --git a/builtin/logical/database/secret_creds.go b/builtin/logical/database/secret_creds.go
@@ -3,6 +3,7 @@ package database
 import (
 	"context"
 	"fmt"
+	"time"
 
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -42,12 +43,6 @@ func (b *databaseBackend) secretCredsRenew() framework.OperationFunc {
 			return nil, fmt.Errorf("error during renew: could not find role with name %s", req.Secret.InternalData["role"])
 		}
 
-		f := framework.LeaseExtend(role.DefaultTTL, role.MaxTTL, b.System())
-		resp, err := f(ctx, req, data)
-		if err != nil {
-			return nil, err
-		}
-
 		// Get the Database object
 		db, err := b.GetConnection(ctx, req.Storage, role.DBName)
 		if err != nil {
@@ -57,14 +52,28 @@ func (b *databaseBackend) secretCredsRenew() framework.OperationFunc {
 		db.RLock()
 		defer db.RUnlock()
 
-		// Make sure we increase the VALID UNTIL endpoint for this user.
-		if expireTime := resp.Secret.ExpirationTime(); !expireTime.IsZero() {
+		// Make sure we increase the VALID UNTIL endpoint for this user.  This value is estimated and does not
+		// take into account any backend specific values.  These value will be calculated by core and will only
+		// reduce the TTL based on any running max ttl.  Since vault still manages the lease, it will still get
+		// revokes at the lesser time.
+		if req.Secret.EstimatedTTL > 0 {
+			ttl := req.Secret.EstimatedTTL
+			if role.DefaultTTL > 0 && role.DefaultTTL < ttl {
+				ttl = role.DefaultTTL
+			}
+			if role.MaxTTL > 0 && role.MaxTTL < ttl {
+				ttl = role.MaxTTL
+			}
+			expireTime := time.Now().Add(ttl)
 			err := db.RenewUser(ctx, role.Statements, username, expireTime)
 			if err != nil {
 				b.CloseIfShutdown(db, err)
 				return nil, err
 			}
 		}
+		resp := &logical.Response{Secret: req.Secret}
+		resp.Secret.TTL = role.DefaultTTL
+		resp.Secret.MaxTTL = role.MaxTTL
 		return resp, nil
 	}
 }

diff --git a/builtin/logical/postgresql/secret_creds.go b/builtin/logical/postgresql/secret_creds.go
@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"fmt"
 	"strings"
+	"time"
 
 	"github.com/hashicorp/vault/helper/strutil"
 	"github.com/hashicorp/vault/logical"
@@ -59,14 +60,16 @@ func (b *backend) secretCredsRenew(ctx context.Context, req *logical.Request, d
 		lease = &configLease{}
 	}
 
-	f := framework.LeaseExtend(lease.Lease, lease.LeaseMax, b.System())
-	resp, err := f(ctx, req, d)
-	if err != nil {
-		return nil, err
-	}
-
 	// Make sure we increase the VALID UNTIL endpoint for this user.
-	if expireTime := resp.Secret.ExpirationTime(); !expireTime.IsZero() {
+	if req.Secret.EstimatedTTL > 0 {
+		ttl := req.Secret.EstimatedTTL
+		if lease.Lease > 0 && lease.Lease < ttl {
+			ttl = lease.Lease
+		}
+		if lease.LeaseMax > 0 && lease.LeaseMax < ttl {
+			ttl = lease.LeaseMax
+		}
+		expireTime := time.Now().Add(ttl)
 		expiration := expireTime.Format("2006-01-02 15:04:05-0700")
 
 		query := fmt.Sprintf(
@@ -83,6 +86,9 @@ func (b *backend) secretCredsRenew(ctx context.Context, req *logical.Request, d
 		}
 	}
 
+	resp := &logical.Response{Secret: req.Secret}
+	resp.Secret.TTL = lease.Lease
+	resp.Secret.MaxTTL = lease.LeaseMax
 	return resp, nil
 }
 

diff --git a/logical/lease.go b/logical/lease.go
@@ -14,6 +14,11 @@ type LeaseOptions struct {
 	// MaxTTL is the maximum duration that this secret is valid for.
 	MaxTTL time.Duration `json:"max_ttl"`
 
+	// EstimatedTTL is passed to backends to provide an anticipated value
+	// to use for any renewal functions that are required since TTL is not
+	// known at renewal
+	EstimatedTTL time.Duration `json:"-"`
+
 	// Renewable, if true, means that this secret can be renewed.
 	Renewable bool `json:"renewable"`
 }