Backport of config: set default length only if password policy is missing into release/vault-1.11.x #86

hc-github-team-secure-vault-ecosystem

Backport

This PR is auto-generated from #85 to be assessed for backporting due to the inclusion of the label backport/vault-1.11.x.

The below text is copied from the body of the original PR.


Overview

This PR fixes an issue in the config endpoint where the default length value is always set regardless of whether password_policy is provided. This leads to configuration errors unless length=0 is explicitly provided. password_policy and length are mutually exclusive, with preference given to password_policy, so the engine should understand that the value is ignored and not necessary if password_policy is provided.

vault write ad/config \
    binddn=vagrant \
    bindpass=vagrant \
    url=ldaps://127.0.0.1 \
    userdn='dc=Marti,dc=com' \
    password_policy=example

Error writing data to ad/config: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/ad/config
Code: 500. Errors:

* 1 error occurred:
* cannot set password_policy and either length or formatter

Design of Change

We now parse the password_policy first, and fall back to fetching length's default value if both the length and password_policy are absent. The change should be backwards compatible.

Contributor Checklist

  • Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
    Note: Docs already describe this behavior, but the engine was not behaving as expected.
  • Backwards compatible
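
The ordering described under "Design of Change", as an added Go sketch that is not the plugin's own code: it contrasts applying the length default unconditionally with applying it only when both length and password_policy are absent. The names `passwordConf`, `resolveBefore`, `resolveAfter` and the default value of 64 are assumptions made for illustration.

```go
package main

import "fmt"

// assumedDefaultLength stands in for the engine's default password length (assumption).
const assumedDefaultLength = 64

// passwordConf is a hypothetical reduction of the config to the fields involved.
type passwordConf struct {
	Policy, Formatter string
	Length            int
}

// validate enforces the mutual exclusion reported in the error on this page.
func (c passwordConf) validate() error {
	if c.Policy != "" && (c.Length != 0 || c.Formatter != "") {
		return fmt.Errorf("cannot set password_policy and either length or formatter")
	}
	return nil
}

// resolveBefore models the reported behaviour: a missing length always gets the default.
func resolveBefore(raw map[string]interface{}) (passwordConf, error) {
	c := passwordConf{Length: assumedDefaultLength}
	if v, ok := raw["length"].(int); ok {
		c.Length = v
	}
	c.Policy, _ = raw["password_policy"].(string)
	c.Formatter, _ = raw["formatter"].(string)
	return c, c.validate()
}

// resolveAfter models the fix: read password_policy first, default length only if both are absent.
func resolveAfter(raw map[string]interface{}) (passwordConf, error) {
	var c passwordConf
	c.Policy, _ = raw["password_policy"].(string)
	c.Formatter, _ = raw["formatter"].(string)
	if v, ok := raw["length"].(int); ok {
		c.Length = v // an explicit length is kept, so a real conflict is still rejected
	} else if c.Policy == "" {
		c.Length = assumedDefaultLength
	}
	return c, c.validate()
}

func main() {
	req := map[string]interface{}{"password_policy": "example"} // constructed request
	_, before := resolveBefore(req)
	conf, after := resolveAfter(req)
	fmt.Printf("before: %v\nafter: %+v, err=%v\n", before, conf, after)
}
```

An explicit length sent together with password_policy is still rejected in both versions, which is what keeps the change backwards compatible for configurations that were already valid.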

@hc-github-team-secure-vault-ecosystem hc-github-team-secure-vault-ecosystem force-pushed the backport/password-policy-over-default-length/optionally-destined-mole branch from 8bec7c0 to 76763f8 June 21, 2022 23:53
@calvn calvn requested a review from a team June 21, 2022 23:56

@swenson swenson left a comment

LGTM

@calvn calvn merged commit 2cb8c53 into release/vault-1.11.x Jun 22, 2022
@calvn calvn deleted the backport/password-policy-over-default-length/optionally-destined-mole branch June 22, 2022 16:24