Submitting invalid token_bound_cidrs breaks AppRole
Describe the bug
Vault CLI allows setting invalid token_bound_cidrs on AppRoles and breaks the AppRole.
To Reproduce
Steps to reproduce the behavior:
- Create a test AppRole:
# vault write auth/approle/role/test secret_id_ttl=10m token_num_uses=10 token_ttl=20m token_max_ttl=30m
Success! Data written to: auth/approle/role/test
- Check the AppRole:
# vault read auth/approle/role/test
Key Value
--- -----
bind_secret_id true
local_secret_ids false
secret_id_bound_cidrs <nil>
secret_id_num_uses 0
secret_id_ttl 10m
token_bound_cidrs []
token_explicit_max_ttl 0s
token_max_ttl 30m
token_no_default_policy false
token_num_uses 10
token_period 0s
token_policies []
token_ttl 20m
token_type default
- Write invalid token_bound_cidrs (space-separated values instead of comma-separated CIDRs):
# vault write auth/approle/role/test token_bound_cidrs="10.10.10.2/32 10.10.10.3/32"
Success! Data written to: auth/approle/role/test
- Check the AppRole again:
# vault read auth/approle/role/test
Error reading auth/approle/role/test: Error making API request.
URL: GET https://vault1.domain.tld:8200/v1/auth/approle/role/test
Code: 500. Errors:
* internal error
Expected behavior
Vault CLI should not allow submitting invalid token_bound_cidrs. It expects comma-separated CIDRs but it doesn't return an error when submitting space-separated CIDRs.
Environment:
- Vault Server Version (retrieve with vault status): 1.11.0
- Vault CLI Version (retrieve with vault version): 1.11.0
- Server Operating System/Architecture: CentOS 7 X64
Vault server configuration file(s):
ui = true
# https://www.vaultproject.io/docs/configuration#log_level
log_level = "Trace"
# https://www.vaultproject.io/docs/internals/plugins
plugin_directory = "/etc/vault.d/plugins"
# https://www.vaultproject.io/docs/configuration/listener/tcp
listener "tcp" {
address = "vault1.domain.tld:8200"
cluster_address = "vault1.domain.tld:8201"
tls_cert_file = "/etc/vault.d/tls/server.crt"
tls_key_file = "/etc/vault.d/tls/server.key"
x_forwarded_for_authorized_addrs = "10.10.10.0/28"
x_forwarded_for_reject_not_authorized = false
x_forwarded_for_reject_not_present = false
telemetry {
unauthenticated_metrics_access = true
}
}
# https://www.vaultproject.io/docs/internals/integrated-storage
# https://www.vaultproject.io/docs/configuration/storage/raft
storage "raft" {
path = "/opt/raft"
node_id = "vault1"
performance_multiplier = 1
retry_join {
leader_tls_servername = "localhost"
leader_api_addr = "https://hashivault.domain.tld"
leader_ca_cert_file = "/etc/vault.d/tls/ca.crt"
leader_client_cert_file = "/etc/vault.d/tls/server.crt"
leader_client_key_file = "/etc/vault.d/tls/server.key"
}
}
# required when running with raft storage, swap should also be disabled on host
# https://www.vaultproject.io/docs/configuration#disable_mlock
disable_mlock = true
# https://www.vaultproject.io/docs/configuration/seal/awskms.html
seal "awskms" {
region = "eu-central-1"
access_key = "XXXX"
secret_key = "XXXX"
kms_key_id = "XXXX"
}
# https://www.vaultproject.io/docs/internals/telemetry
# https://www.vaultproject.io/docs/configuration/telemetry
# https://www.vaultproject.io/docs/configuration/telemetry#prometheus
telemetry {
prometheus_retention_time = "2h"
disable_hostname = true
}
# https://www.vaultproject.io/docs/configuration#api_addr
api_addr = "https://vault1.domain.tld:8200"
# https://www.vaultproject.io/docs/configuration#cluster_addr
cluster_addr = "https://vault1.domain.tld:8201"
Additional context
You can still log in with the AppRole after submitting invalid data, but when trying to use the token you get 502:
$ vault login hvs.ZZZZZZZZZZZZZZ
Error authenticating: error looking up token: Error making API request.
URL: GET https://hashivault.domain.tld/v1/auth/token/lookup-self
Code: 502. Raw Message:
<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>
You can repair the AppRole by submitting valid token_bound_cidrs, but you need to create a new token by logging in with the AppRole again.
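A client-side pre-flight check for this, added here as an example and not Vault's own parsing code: it validates a token_bound_cidrs value the way the report expects the CLI to, rejecting the whitespace-separated list from the reproduction steps and any entry that is not a well-formed CIDR, so a bad value never reaches the role. The host-bits check is an assumption on my part (stricter than a bare net.ParseCIDR), chosen because a stray host bit almost always means a typo.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ValidateBoundCIDRs checks a value intended for token_bound_cidrs before
// it is sent to Vault. Vault expects a comma-separated list of CIDR blocks;
// this helper rejects whitespace inside an entry (the symptom from the
// report: "10.10.10.2/32 10.10.10.3/32" went through as a single value),
// empty entries, unparsable entries and entries with host bits set, and
// returns the normalised list on success. An empty string is allowed, since
// an empty list simply clears the restriction.
func ValidateBoundCIDRs(raw string) ([]string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return nil, nil
	}
	var out []string
	for _, item := range strings.Split(raw, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			return nil, fmt.Errorf("empty entry in CIDR list %q", raw)
		}
		if strings.ContainsAny(item, " \t") {
			return nil, fmt.Errorf("entry %q contains whitespace; separate CIDRs with commas", item)
		}
		ip, ipnet, err := net.ParseCIDR(item)
		if err != nil {
			return nil, fmt.Errorf("entry %q is not a valid CIDR: %w", item, err)
		}
		// Stricter than Vault requires (assumption): 10.10.10.2/24 is
		// almost certainly a typo for 10.10.10.0/24 or 10.10.10.2/32.
		if !ip.Equal(ipnet.IP) {
			return nil, fmt.Errorf("entry %q has host bits set; did you mean %s?", item, ipnet.String())
		}
		out = append(out, ipnet.String())
	}
	return out, nil
}

func main() {
	// Constructed inputs: the valid form and the exact value from the report.
	for _, v := range []string{"10.10.10.2/32,10.10.10.3/32", "10.10.10.2/32 10.10.10.3/32"} {
		cidrs, err := ValidateBoundCIDRs(v)
		fmt.Printf("%q -> %v, err=%v\n", v, cidrs, err)
	}
}
```

Run the check before `vault write auth/approle/role/<name> token_bound_cidrs=...` and abort on error; the same helper applies to secret_id_bound_cidrs.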