Editing role twice in SSH secret engine cause default_extension to be empty using Web UI #21571

Closed
cwchristerw opened this issue Jul 5, 2023 · 2 comments
Labels: bug (Used to indicate a potential bug), secret/ssh, ui

cwchristerw commented Jul 5, 2023

Describe the bug
I'm adding default_extension to an existing role in the SSH secret engine using the Web UI. After that, editing another setting in that same role without changing default_extension causes default_extension to be empty. Also, changing default_extension when there is a value causes it to become empty.

I have tested that these default extensions work properly when connecting to a server when the value is not empty.

Default extensions

{
    "permit-X11-forwarding": "",
    "permit-agent-forwarding": "",
    "permit-port-forwarding": "",
    "permit-pty": "",
    "permit-user-rc": ""
}

To Reproduce
Steps to reproduce the behavior:

  1. Open Web UI
  2. Log in to the Web UI with a privileged user
  3. Add a new SSH secret engine
  4. Add a new "sysadmin" role:
     Allow user Certificates: (checked)
     Allowed users: *
     Allowed domains: *
     TTL: 5 minutes (enabled)
     Max TTL: 1 days (enabled)
     Allowed extensions: permit-X11-forwarding,permit-agent-forwarding,permit-port-forwarding,permit-pty,permit-user-rc
     Allow bare domains: (checked)
     Allow subdomains: (checked)

     Everything else is default.
  5. Edit the existing role and add default_extensions
  6. Edit the existing role again and change e.g. TTL to 30 seconds.
  8. See error in Default extensions.

Expected behavior
Keep existing options when changing other options. Default extension shouldn't be empty after changing the value of another option. This also affects Default critical options.

Environment:

  • Vault Server Version (retrieve with vault status):
Key                     Value
---                     -----
Seal Type               shamir
Initialized             true
Sealed                  false
Total Shares            1
Threshold               1
Version                 1.14.0
Build Date              2023-06-19T11:40:23Z
Storage Type            raft
Cluster Name            vault-cluster-REDACTED
Cluster ID              REDACTED
HA Enabled              true
HA Cluster              https://[REDACTED]:8201
HA Mode                 active
Active Since            2023-07-04T07:45:09.45531346Z
Raft Committed Index    1010356
Raft Applied Index      1010356
  • Vault CLI Version (retrieve with vault version):
Vault v1.14.0 (13a649f860186dffe3f3a4459814d87191efc321), built 2023-06-19T11:40:23Z
  • Server Operating System/Architecture:
Docker Image: hashicorp/vault:latest

Vault server configuration file(s):

{
    "storage": {
        "raft": {
            "path": "/vault/data/raft",
            "node_id": "REDACTED"
        }
    },
    "listener": [
        {
            "tcp": {
                "address": "[::]:8200",
                "cluster_address": "[::]:8201",
                "tls_cert_file": "/vault/certs/REDACTED/fullchain.pem",
                "tls_key_file": "/vault/certs/REDACTED/privkey.pem",
                "tls_min_version": "tls12",
                "telemetry": {
                    "unauthenticated_metrics_access": false
                }
            }
        }
    ],
    "api_addr": "https://[REDACTED]:8200",
    "cluster_addr":"https://[REDACTED]:8201",
    "disable_mlock": true,
    "default_lease_ttl": "168h",
    "max_lease_ttl": "720h",
    "ui": true,
    "telemetry": {
        "prometheus_retention_time": "30s",
        "disable_hostname": true
    }
}

Additional context
I'm using Ansible to deploy HashiCorp Vault.

cwchristerw commented Jul 5, 2023

This also affects default critical options in the SSH role.
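
A check for the regression described in this issue and the follow-up comment, as an added example that is not part of the original issue or of Vault's code: it compares a role snapshot taken before an edit with one taken after, and reports any watched map field that is not what the edit intended. The sample JSON, the `source-address` value and the function names are constructed for illustration.

```python
import json

# Map-valued SSH role fields that the issue reports as emptied by a Web UI edit.
WATCHED_FIELDS = ("default_extensions", "default_critical_options")

# Constructed samples in the shape of `vault read -format=json <mount>/roles/<role>`.
BEFORE_JSON = """{"data": {"key_type": "ca", "ttl": 300,
  "default_extensions": {"permit-pty": "", "permit-agent-forwarding": ""},
  "default_critical_options": {"source-address": "192.0.2.0/24"}}}"""
AFTER_JSON = """{"data": {"key_type": "ca", "ttl": 30,
  "default_extensions": {}, "default_critical_options": {}}}"""


def role_data(raw):
    """Return the role fields, with or without the CLI's "data" wrapper."""
    doc = json.loads(raw)
    return doc.get("data", doc)


def verify_edit(before, after, intended):
    """Compare watched fields after an edit with what they should be.

    `intended` holds only the fields the operator meant to change; every
    other field is expected to keep its pre-edit value.
    """
    expected = {**before, **intended}
    problems = {}
    for field in WATCHED_FIELDS:
        want = expected.get(field) or {}  # treat missing/null as an empty map
        got = after.get(field) or {}
        if want != got:
            problems[field] = {"expected": want, "actual": got}
    return problems


if __name__ == "__main__":
    report = verify_edit(role_data(BEFORE_JSON), role_data(AFTER_JSON), {"ttl": 30})
    for field, diff in report.items():
        print(f"{field}: expected {diff['expected']}, got {diff['actual']}")
```

Passing the new map in `intended` also covers the second case in the report, where changing default_extensions itself leaves the field empty.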

cwchristerw changed the title from "Edit default_extension twice in SSH Role with UI cause value to be empty" to "Edit default_extension twice in SSH Role with Web UI cause value to be empty" on Jul 5, 2023
cwchristerw changed the title from "Edit default_extension twice in SSH Role with Web UI cause value to be empty" to "Editing role twice in SSH secret engine cause default_extension to be empty using Web UI" on Jul 5, 2023
cipherboy added the ui, bug (Used to indicate a potential bug) and secret/ssh labels on Jul 5, 2023
hashishaw self-assigned this on Jul 7, 2023
cwchristerw commented Jul 14, 2023

Thank you for this fix @hashishaw ❤️
