Make the Vault token ttl configurable

README.md

@@ -41,6 +41,64 @@ That will setup the default policy and generate a token for CMS and output:
 
     export VAULT_ADDR="http://localhost:8200"
     export VAULT_TOKEN="<token>"
+
+## Configuration 
+
+### Configurable Properties
+
+There are a few parameters that need to be configured for CMS to run properly, they are defined in this table. 
+
+property                    | required | notes
+--------------------------- | -------- | ----------
+JDBC.url                    | Yes | The JDBC url for the mysql db
+JDBC.username               | Yes | The JDBC user name for the mysql db
+JDBC.password               | Yes | The JDBC JDBC.password for the mysql db
+root.user.arn               | Yes | The arn for the root AWS user, needed to make the KMS keys deletable.
+admin.role.arn              | Yes | The arn for an AWS user, needed to make the KMS keys deletable.
+cms.role.arn                | Yes | The arn for the Instance profile for CMS instances, so they can admin KMS keys that they create.
+cms.admin.group             | Yes | Group that user can be identified by to get admin privileges, currently this just enables users to access `/v1/stats` see API.md
+cms.auth.connector          | Yes | The user authentication connector implementation to use for user auth.
+cms.user.token.ttl.override | No  | By default user tokens are created with a TTL of 1h, you can override that with this param
+cms.iam.token.ttl.override  | No  | By default IAM tokens are created with a TTL of 1h, you can override that with this param
+
+For local dev see `Running CMS Locally`.
+
+For deployed environments they are configured via the CLI, which will generate a props file and stuff it into S3 encrypted with KMS.
+
+    cerberus --debug \
+    -e demo \
+    -r us-west-2 \
+    create-cms-config \
+    --admin-group cerberus-admins \
+    -P cms.auth.connector=com.nike.cerberus.auth.connector.onelogin.OneLoginAuthConnector \
+    -P auth.connector.onelogin.api_region=us \
+    -P auth.connector.onelogin.client_id=$ONE_LOGIN_CLIENT_ID \
+    -P auth.connector.onelogin.client_secret=$ONE_LOGIN_CLIENT_SECRET \
+    -P auth.connector.onelogin.subdomain=nike
+
+See [Creating an environment](http://engineering.nike.com/cerberus/docs/administration-guide/creating-an-environment) for more information.
+
+CMS will download the props file at startup time and load the props into Guice.
+
+### User Authentication
+
+#### Auth Connector Interface
+
+The User authentication contract is defined by the [AuthConnector](https://github.com/Nike-Inc/cerberus-management-service/blob/master/src/main/java/com/nike/cerberus/auth/connector/AuthConnector.java) interface.  
+
+The only included implementation of this interface targets 
+OneLogin.  We expect to implement more connectors in the near future.
+
+##### OneLogin Auth Connector
+
+property                              | required | notes
+------------------------------------- | -------- | ----------
+auth.connector.onelogin.api_region    | Yes      | `us` or `eu`
+auth.connector.onelogin.client_id     | Yes      | The OneLogin API client id
+auth.connector.onelogin.client_secret | Yes      | The OneLogin API client secret
+auth.connector.onelogin.subdomain     | Yes      | Your orgs OneLogin subdomain [xxxxx].onelogin.com
+
+**Assumption: The current implementation looks up group membership for a user via the member_of field on the getUserById API response.**
 
 ## Running CMS Locally
 
@@ -72,28 +130,6 @@ You'll need a few pieces of information before you can run the application:
     cms.auth.connector=<YOUR AUTH CONNECTOR CLASS>
 ```
 
-## User Authentication Configuration 
-
-## Auth Connector Interface
-
-The User authentication contract is defined by the `AuthConnector` interface.  The only included implementation of this interface targets 
-OneLogin.  We expect to implement more connectors in the near future.
-
-#### OneLogin Auth Connector
-
-The following properties must be defined:
-
-    # Auth Connector
-    cms.auth.connector=com.nike.cerberus.auth.connector.onelogin.OneLoginAuthConnector
-
-    # OneLogin Auth Connector Properties
-    auth.connector.onelogin.api_region=<us or eu>
-    auth.connector.onelogin.client_id=<OneLogin API client ID>
-    auth.connector.onelogin.client_secret=<OneLogin API client secret>
-    auth.connector.onelogin.subdomain=<your orgs onelogin subdomain>
-
-**Assumption: The current implementation looks up group membership for a user via the member_of field on the getUserById API response.**
-
 ### From the IDE
 
 Simply run `com.nike.cerberus.Main`.  The following VM arguments should be set:

gradle.properties

@@ -14,6 +14,6 @@
 # limitations under the License.
 #
 
-version=0.6.2
+version=0.7.0
 groupId=com.nike.cerberus
 artifactId=cms

src/main/java/com/nike/cerberus/service/AuthenticationService.java

@@ -26,6 +26,9 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
+import com.google.inject.Inject;
+import com.google.inject.Singleton;
+import com.google.inject.name.Named;
 import com.nike.backstopper.exception.ApiException;
 import com.nike.cerberus.auth.connector.AuthConnector;
 import com.nike.cerberus.auth.connector.AuthData;
@@ -52,9 +55,6 @@
 import org.apache.commons.lang3.StringUtils;
 import org.apache.http.HttpStatus;
 
-import javax.inject.Inject;
-import javax.inject.Named;
-import javax.inject.Singleton;
 import java.nio.ByteBuffer;
 import java.nio.charset.Charset;
 import java.util.List;
@@ -72,6 +72,10 @@ public class AuthenticationService {
 
     public static final String ADMIN_GROUP_PROPERTY = "cms.admin.group";
 
+    public static final String USER_TOKEN_TTL_OVERRIDE = "cms.user.token.ttl.override";
+
+    public static final String IAM_TOKEN_TTL_OVERRIDE = "cms.iam.token.ttl.override";
+
     public static final String LOOKUP_SELF_POLICY = "lookup-self";
 
     public static final String DEFAULT_TOKEN_TTL = "1h";
@@ -87,6 +91,14 @@ public class AuthenticationService {
     private final String adminGroup;
     private final DateTimeSupplier dateTimeSupplier;
 
+    @Inject(optional=true)
+    @Named(USER_TOKEN_TTL_OVERRIDE)
+    String userTokenTTL = DEFAULT_TOKEN_TTL;
+
+    @Inject(optional=true)
+    @Named(IAM_TOKEN_TTL_OVERRIDE)
+    String iamTokenTTL = DEFAULT_TOKEN_TTL;
+
     @Inject
     public AuthenticationService(final SafeDepositBoxDao safeDepositBoxDao,
                                  final AwsIamRoleDao awsIamRoleDao,
@@ -167,7 +179,7 @@ public IamRoleAuthResponse authenticate(IamRoleCredentials credentials) {
         final VaultTokenAuthRequest tokenAuthRequest = new VaultTokenAuthRequest()
                 .setPolicies(policies)
                 .setMeta(meta)
-                .setTtl(DEFAULT_TOKEN_TTL)
+                .setTtl(iamTokenTTL)
                 .setNoDefaultPolicy(true);
 
         final VaultAuthResponse authResponse = vaultAdminClient.createOrphanToken(tokenAuthRequest);
@@ -252,7 +264,7 @@ private VaultAuthResponse generateToken(final String username, final Set<String>
                 .setDisplayName(username)
                 .setPolicies(policies)
                 .setMeta(meta)
-                .setTtl(DEFAULT_TOKEN_TTL)
+                .setTtl(userTokenTTL)
                 .setNoDefaultPolicy(true);
 
         return vaultAdminClient.createOrphanToken(tokenAuthRequest);