
[BUG] Vault session storage does not allow unlimited use tokens

Open bluesliverx opened this issue 2 years ago • 1 comments

Description
When using the Vault module default session token_backend and creating tokens with unlimited uses (0), the token is never used more than once. This occurs due to the fact that the unlimited_use_token flag can never be set on the connection unless the token_backend is set to disk. I would like to use the disk backend, but cannot due to issues using Vault in extpillar modules.

Setup
Our configuration is quite complex, but using a boiled-down config of:

peer_run:
  .*:
  - vault.generate_token
vault:
  auth:
    method: approle
    role_id: <role-id>
    secret_id: <secret-id>
    # Default value left in to make it clear what the value is
    token_backend: session
    ttl: 1800
    uses: 0
  # We use a namespace, but this isn't required at all to exhibit the bug
  #namespace: <namespace>
  # Limiting policies would also have no effect here
  #policies:
  #- policy_common
  #- policy_{grains[role]}
  url: <vault-url>

should end up triggering the bug. Anytime a Vault token is generated, it will immediately discard it and generate a new token on the next use since the unlimited_use_token flag was never set on it (see the code here that is only reached if the backend is disk).

This occurs on VMs and bare metal machines. Anything that is integrated with vault with that token storage backend stored in the session.

Steps to Reproduce the behavior
Reproducing it is easy, but knowing that it is reproduced is harder since the logging is not always in a place where you can see it. Configure the salt master with Vault as shown above and then start salt master with DEBUG logging. Run a state that retrieves any vault secret twice (different secrets are fine too) using vault.read_secret. As long as that method is called twice in the same Salt run, the behavior will show up since two tokens will be generated. The minion or the master logs will show the behavior. I verified the behavior by editing the code and writing to a file every time a token was generated just to make sure, but that shouldn't be necessary.

Expected behavior
Session storage should only create a token once during any salt call no matter the number of secrets retrieved if configured with uses: 0.

Screenshots
If applicable, add screenshots to help explain your problem. n/a

Versions Report

salt --versions-report (Provided by running salt --versions-report. Please also mention any differences in master/minion versions.)
Salt Version:
          Salt: 3004.1

Dependency Versions:
          cffi: Not Installed
      cherrypy: Not Installed
      dateutil: Not Installed
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 3.1.2
       libgit2: Not Installed
      M2Crypto: 0.35.2
          Mako: Not Installed
       msgpack: 1.0.4.rc1
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     pycparser: Not Installed
      pycrypto: Not Installed
  pycryptodome: 3.14.1
        pygit2: Not Installed
        Python: 3.6.8 (default, Nov 16 2020, 16:55:22)
  python-gnupg: Not Installed
        PyYAML: 6.0
         PyZMQ: 21.0.2
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.3.3

System Versions:
          dist: centos 7 Core
        locale: UTF-8
       machine: x86_64
       release: 3.10.0-1160.36.2.el7.x86_64
        system: Linux
       version: CentOS Linux 7 Core

Additional context
Recent changes to the vault utils module in master do not fix this issue as well. I already have a fix that I'll be submitting shortly.

bluesliverx avatar Jul 25 '22 22:07 bluesliverx
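The following is an added illustration of the caching logic the report describes, written for this page; it is not Salt's own vault utility code and all names in it (TokenMinter, VaultConnection, tokens_minted_for, fix_applied) are hypothetical. It models a cached token with a remaining-use counter, where uses=0 is meant to mean unlimited: in the buggy path the unlimited flag is only recorded for the disk backend, so with the session backend the counter is decremented, reaches zero after the first read, the token is discarded, and every subsequent vault.read_secret call mints a fresh token. The fixed path records the flag for any backend. Counting minted tokens is the same check the reporter did by hand with debug logging, and a jump in tokens minted per Salt run is the signal a defender would look for.

```python
"""
Added example, not Salt's code: a toy model of session-backed Vault token
caching. A token created with uses=0 should be unlimited; the bug is that
the unlimited_use_token flag is only set when the backend is 'disk'.
"""
import itertools


class TokenMinter:
    """Stand-in for the master-side token generation peer run (constructed)."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.minted = []  # every client_token ever handed out, in order

    def generate(self, uses: int) -> dict:
        tok = {"client_token": f"s.example{next(self._ids)}", "uses": uses}
        self.minted.append(tok["client_token"])
        return tok


class VaultConnection:
    """Hypothetical connection object holding one cached token."""

    def __init__(self, minter, backend="session", uses=0, fix_applied=False):
        self.minter = minter
        self.backend = backend          # 'session' or 'disk'
        self.uses = uses                # configured vault:auth:uses (0 = unlimited)
        self.fix_applied = fix_applied  # False reproduces the reported behaviour
        self._cached = None

    def _get_connection(self) -> dict:
        if self._cached is not None:
            return self._cached
        tok = self.minter.generate(self.uses)
        entry = {
            "token": tok["client_token"],
            "uses_left": tok["uses"],
            "unlimited_use_token": False,
        }
        # Reported bug: only the disk path ever marks a token as unlimited.
        # The fix is to derive the flag from 'uses' regardless of backend.
        if self.backend == "disk" or self.fix_applied:
            entry["unlimited_use_token"] = tok["uses"] == 0
        self._cached = entry
        return entry

    def read_secret(self, path: str) -> dict:
        conn = self._get_connection()
        result = {"path": path, "token": conn["token"]}
        if not conn["unlimited_use_token"]:
            conn["uses_left"] -= 1
            if conn["uses_left"] <= 0:
                # Token treated as exhausted: drop it, next call mints a new one.
                self._cached = None
        return result


def tokens_minted_for(n_reads: int, backend="session", uses=0,
                      fix_applied=False) -> int:
    """Number of tokens minted across n_reads secret reads in one 'Salt run'."""
    minter = TokenMinter()
    conn = VaultConnection(minter, backend=backend, uses=uses,
                           fix_applied=fix_applied)
    for i in range(n_reads):
        conn.read_secret(f"secret/data/app{i}")  # constructed secret paths
    return len(minter.minted)


if __name__ == "__main__":
    print("session, uses=0, buggy :", tokens_minted_for(5))
    print("session, uses=0, fixed :", tokens_minted_for(5, fix_applied=True))
    print("disk,    uses=0        :", tokens_minted_for(5, backend="disk"))
    print("session, uses=2        :", tokens_minted_for(5, uses=2))
```

With five reads in one run, the buggy session path mints five tokens while the fixed path and the disk path mint one; a finite uses=2 mints three either way, which shows the fix only changes the uses=0 case.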

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey. Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar. If you have additional questions, email us at [email protected]. We’re glad you’ve joined our community and look forward to doing awesome things with you!

welcome[bot] avatar Jul 25 '22 22:07 welcome[bot]

#62684 will fix this hopefully, but even more, I think it might have already been addressed by commits in master around the vault functionality. Just an FYI. I'll leave this open until I can confirm either one.

bluesliverx avatar Apr 26 '23 16:04 bluesliverx