From f0782ee3fbb5c37770776fe50d8cbb9a3442e2e9 Mon Sep 17 00:00:00 2001
From: Chris Capurso <1036769+ccapurso@users.noreply.github.com>
Date: Tue, 24 Sep 2024 15:29:56 -0400
Subject: [PATCH] calculate token lease TTL using tune config (#28498)
* calculate token lease TTL using tune config
* add changelog entry
---
 changelog/28498.txt | 3 +++
 vault/token_store.go | 9 ++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 changelog/28498.txt
diff --git a/changelog/28498.txt b/changelog/28498.txt
new file mode 100644
index 0000000000..0a6810ad73
--- /dev/null
+++ b/changelog/28498.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: Fix token TTL calculation so that it uses `max_lease_ttl` tune value for tokens created via `auth/token/create`.
+```
diff --git a/vault/token_store.go b/vault/token_store.go
index 30d9170e20..492c3b629e 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -3138,9 +3138,16 @@ func (ts *TokenStore) handleCreateCommon(ctx context.Context, req *logical.Reque
 	sysView := ts.System().(extendedSystemView)
+	var backendMaxTTL time.Duration
+
+	mountEntry := ts.core.router.MatchingMountByAccessor(req.MountAccessor)
+	if mountEntry != nil {
+		backendMaxTTL = mountEntry.Config.MaxLeaseTTL
+	}
+
 	// Only calculate a TTL if you are A) periodic, B) have a TTL, C) do not have a TTL and are not a root token
 	if periodToUse > 0 || te.TTL > 0 || (te.TTL == 0 && !strutil.StrListContains(te.Policies, "root")) {
-		ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, 0, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
+		ttl, warnings, err := framework.CalculateTTL(sysView, 0, te.TTL, periodToUse, backendMaxTTL, explicitMaxTTLToUse, time.Unix(te.CreationTime, 0))
 		if err != nil {
 			return nil, err
 		}
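Review bot: When `MatchingMountByAccessor(req.MountAccessor)` returns nil, `backendMaxTTL` stays 0 and the `framework.CalculateTTL` call silently loses the tuned `max_lease_ttl` this fix is meant to enforce; presumably 0 is read as "no backend max" and the system default applies, which is exactly the pre-fix behaviour the changelog describes as a bug. A nil lookup is plausible for an empty or stale accessor on the request, so the fallback should be visible rather than implicit: add `// nil mount entry: backendMaxTTL stays 0 and CalculateTTL falls back to the system max TTL instead of the mount's tuned max_lease_ttl` above the `if mountEntry != nil` check, and consider logging the accessor at debug level in an else branch so a token that escapes the tuned cap can be traced back to the failed lookup. handleCreateCommon starts and ends outside the hunk.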