From 021570e7c19fa49b2e4e447c096740cd0dfb1758 Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Mon, 28 Feb 2022 12:55:12 -0600
Subject: [PATCH] Add warning when generate_lease=no_store=true when writing PKI role (#14292)

* Add warning when generate_lease=no_store=true

When no_store=true, the value of generate_lease is ignored completely (and set to false). This means that when generate_lease=true is specified by the caller of the API, it is silently swallowed. While changing the behavior could break callers, setting a warning on the response (changing from a 204->200 in the process) seems to make the most sense.

Signed-off-by: Alexander Scheel

* Add changelog entry

Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/path_roles.go | 7 ++++++-
 changelog/14292.txt | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changelog/14292.txt

diff --git a/builtin/logical/pki/path_roles.go b/builtin/logical/pki/path_roles.go
index 3e5b910836..e788c944bc 100644
--- a/builtin/logical/pki/path_roles.go
+++ b/builtin/logical/pki/path_roles.go
@@ -583,6 +583,7 @@ func (b *backend) pathRoleList(ctx context.Context, req *logical.Request, d *fra
 
 func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
 var err error
+ var resp *logical.Response
 name := data.Get("name").(string)
 
 entry := &roleEntry{
@@ -644,6 +645,10 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 // no_store implies generate_lease := false
 if entry.NoStore {
 *entry.GenerateLease = false
+ if data.Get("generate_lease").(bool) {
+ resp = &logical.Response{}
+ resp.AddWarning("mutually exclusive values no_store=true and generate_lease=true were both specified; no_store=true takes priority")
+ }
 } else {
 *entry.GenerateLease = data.Get("generate_lease").(bool)
 }
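Review bot: The warning added inside the `if entry.NoStore` branch says that no_store=true takes priority but never states the outcome, which is that `*entry.GenerateLease` has just been forced to false on the stored role. An operator who asked for generate_lease=true, presumably because they rely on leases to track or revoke issued certificates, should be told that directly; I would end the message with `; no_store=true takes priority and generate_lease has been set to false`. The diffstat lists only path_roles.go and the changelog, so no test pins either the new warning or the unchanged nil response for non-conflicting input. pathRoleCreate starts and ends outside this hunk.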
@@ -694,7 +699,7 @@ func (b *backend) pathRoleCreate(ctx context.Context, req *logical.Request, data
 return nil, err
 }
 
- return nil, nil
+ return resp, nil
 }
 
 func parseKeyUsages(input []string) int {
diff --git a/changelog/14292.txt b/changelog/14292.txt
new file mode 100644
index 0000000000..98d48f9d4f
--- /dev/null
+++ b/changelog/14292.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Warn when `generate_lease` and `no_store` are both set to `true` on requests.
+```
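Review bot: In the last path_roles.go hunk, `return resp, nil` relies on `resp` staying nil unless the warning was attached, and nothing at the return site says so. A one-line comment such as `// resp is nil unless a warning was added above, so callers still get an empty (204) response by default` would keep the 204-versus-200 distinction from the commit message visible to the next person who adds a warning here. The code between the no_store check and this return is not shown, so it is worth confirming that no path in between builds its own response and drops the warning.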