Update per feedback, add more tests

backend.go

@@ -59,15 +59,9 @@ func backend() *azureSecretBackend {
 			secretServicePrincipal(&b),
 			secretStaticServicePrincipal(&b),
 		},
-		BackendType: logical.TypeLogical,
-		Invalidate:  b.invalidate,
-
-		WALRollback: b.walRollback,
-
-		// Role assignment can take up to a few minutes, so ensure we don't try
-		// to roll back during creation.
-		WALRollbackMinAge: 10 * time.Minute,
-
+		BackendType:  logical.TypeLogical,
+		Invalidate:   b.invalidate,
+		WALRollback:  b.walRollback,
 		PeriodicFunc: b.periodicFunc,
 	}
 	b.getProvider = newAzureProvider
@@ -89,7 +83,7 @@ func (b *azureSecretBackend) periodicFunc(ctx context.Context, sys *logical.Requ
 	}
 
 	// Password should be at least a minute old before we process it
-	if config.NewClientSecret == "" || (time.Since(config.NewClientSecretCreated) > time.Minute) {
+	if config.NewClientSecret == "" || (time.Since(config.NewClientSecretCreated) < time.Minute) {
 		return nil
 	}
 
@@ -120,10 +114,12 @@ func (b *azureSecretBackend) periodicFunc(ctx context.Context, sys *logical.Requ
 		}
 	}
 
-	b.Logger().Debug("periodic func", "rotate-root", "removing old passwords from Azure")
-	err = removeApplicationPasswords(ctx, client.provider, *app.ID, credsToDelete...)
-	if err != nil {
-		return err
+	if len(credsToDelete) != 0 {
+		b.Logger().Debug("periodic func", "rotate-root", "removing old passwords from Azure")
+		err = removeApplicationPasswords(ctx, client.provider, *app.ID, credsToDelete...)
+		if err != nil {
+			return err
+		}
 	}
 
 	b.Logger().Debug("periodic func", "rotate-root", "updating config with new password")

path_config.go

@@ -36,7 +36,7 @@ type azureConfig struct {
 	PasswordPolicy                string        `json:"password_policy"`
 	UseMsGraphAPI                 bool          `json:"use_microsoft_graph_api"`
 	RootPasswordTTL               time.Duration `json:"root_password_ttl"`
-	RootPasswordExpirationDate    time.Time     `json:"root_password_expiration_date`
+	RootPasswordExpirationDate    time.Time     `json:"root_password_expiration_date"`
 }
 
 func pathConfig(b *azureSecretBackend) *framework.Path {

path_rotate_root.go

@@ -73,12 +73,7 @@ func (b *azureSecretBackend) pathRotateRoot(ctx context.Context, req *logical.Re
 		return nil, fmt.Errorf("failed to add new password: %w", err)
 	}
 
-	wal := walRotateRoot{
-		OldPassword:               config.ClientSecret,
-		OldPasswordKeyID:          config.ClientSecretKeyID,
-		OldPasswordExpirationDate: config.RootPasswordExpirationDate,
-	}
-
+	var wal walRotateRoot
 	walID, walErr := framework.PutWAL(ctx, req.Storage, walRotateRootCreds, wal)
 	if walErr != nil {
 		err = client.provider.RemoveApplicationPassword(ctx, *app.ID, *newPasswordResp.PasswordCredential.KeyID)
@@ -99,7 +94,11 @@ func (b *azureSecretBackend) pathRotateRoot(ctx context.Context, req *logical.Re
 	b.updatePassword = true
 
 	err = framework.DeleteWAL(ctx, req.Storage, walID)
-	return addAADWarning(&logical.Response{}, config), err
+	if err != nil {
+		b.Logger().Error("rotate root", "delete wal", err)
+	}
+
+	return addAADWarning(&logical.Response{}, config), nil
 }
 
 type passwordRemover interface {

path_rotate_root_test.go

@@ -5,11 +5,12 @@ import (
 	"fmt"
 	"reflect"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
-func TestRotateRoot(t *testing.T) {
+func TestRotateRootSuccess(t *testing.T) {
 	b, s := getTestBackend(t, true)
 
 	resp, err := b.HandleRequest(context.Background(), &logical.Request{
@@ -52,6 +53,12 @@ func TestRotateRoot(t *testing.T) {
 		t.Fatal("update password is false, it shouldn't be")
 	}
 
+	config.NewClientSecretCreated = config.NewClientSecretCreated.Add(-(time.Minute * 1))
+	err = b.saveConfig(context.Background(), config, s)
+	if err != nil {
+		t.Fatal(err)
+	}
+
 	err = b.periodicFunc(context.Background(), &logical.Request{
 		Storage: s,
 	})
@@ -70,6 +77,78 @@ func TestRotateRoot(t *testing.T) {
 	}
 }
 
+func TestRotateRootPeroidicFunctionBeforeMinute(t *testing.T) {
+	b, s := getTestBackend(t, true)
+
+	resp, err := b.HandleRequest(context.Background(), &logical.Request{
+		Operation: logical.UpdateOperation,
+		Path:      "rotate-root",
+		Data:      map[string]interface{}{},
+		Storage:   s,
+	})
+
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp != nil && resp.IsError() {
+		t.Fatal(resp.Error())
+	}
+
+	tests := []struct {
+		Name    string
+		Created time.Duration
+	}{
+		{
+			Name:    "1 second test:",
+			Created: time.Second * 1,
+		},
+		{
+			Name:    "5 seconds test:",
+			Created: time.Second * 5,
+		},
+		{
+			Name:    "30 seconds test:",
+			Created: time.Second * 30,
+		},
+		{
+			Name:    "50 seconds test:",
+			Created: time.Second * 50,
+		},
+	}
+
+	for _, test := range tests {
+		t.Log(test.Name)
+		config, err := b.getConfig(context.Background(), s)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		config.NewClientSecretCreated = time.Now().Add(-(test.Created))
+		err = b.saveConfig(context.Background(), config, s)
+		if err != nil {
+			t.Fatal(test.Name, err)
+		}
+
+		err = b.periodicFunc(context.Background(), &logical.Request{
+			Storage: s,
+		})
+
+		if err != nil {
+			t.Fatal(test.Name, err)
+		}
+
+		newConfig, err := b.getConfig(context.Background(), s)
+		if err != nil {
+			t.Fatal(test.Name, err)
+		}
+
+		if newConfig.ClientSecret == config.NewClientSecret {
+			t.Fatal(test.Name, fmt.Errorf("old and new password are equal after periodic function, they shouldn't be"))
+		}
+	}
+}
+
 func TestIntersectStrings(t *testing.T) {
 	type testCase struct {
 		a      []string

wal.go

@@ -72,11 +72,7 @@ func (b *azureSecretBackend) rollbackAppWAL(ctx context.Context, req *logical.Re
 	return nil
 }
 
-type walRotateRoot struct {
-	OldPassword               string
-	OldPasswordKeyID          string
-	OldPasswordExpirationDate time.Time
-}
+type walRotateRoot struct{}
 
 func (b *azureSecretBackend) rollbackRootWAL(ctx context.Context, req *logical.Request, data interface{}) error {
 	// Decode the WAL data
@@ -93,15 +89,12 @@ func (b *azureSecretBackend) rollbackRootWAL(ctx context.Context, req *logical.R
 		return err
 	}
 
-	b.Logger().Debug("rolling back root password in storage")
+	b.Logger().Debug("rolling back config")
 	config, err := b.getConfig(ctx, req.Storage)
 	if err != nil {
 		return err
 	}
 
-	config.ClientID = entry.OldPasswordKeyID
-	config.ClientSecret = entry.OldPassword
-	config.RootPasswordExpirationDate = entry.OldPasswordExpirationDate
 	config.NewClientSecret = ""
 	config.NewClientSecretCreated = time.Time{}
 	config.NewClientSecretExpirationDate = time.Time{}