Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix consul token revocation with namespace specific policies #23010

Merged
merged 9 commits into from
Oct 20, 2023
Merged

Fix consul token revocation with namespace specific policies #23010

merged 9 commits into from
Oct 20, 2023

Conversation

davidadeleon
Copy link
Contributor

This PR fixes a problem with the Consul Secrets engine where tokens generated in specific Consul namespaces were unable to be revoked if the token provided to Vault to be used for management had namespace specific policies.

Closes #22895

@davidadeleon davidadeleon requested a review from a team as a code owner September 12, 2023 16:16
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Sep 12, 2023
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions
Copy link

github-actions bot commented Sep 12, 2023
edited
Loading

CI Results:
All Go tests succeeded! ✅

@davidadeleon davidadeleon added this to the 1.15.0 milestone Sep 13, 2023
@anwittin anwittin modified the milestones: 1.15.0, 1.15.1 Sep 22, 2023
robmonte
robmonte reviewed Sep 29, 2023
View reviewed changes
builtin/logical/consul/secret_token.go Outdated
Comment on lines 91 to 95
if ok {
namespace := namespaceRaw.(string)
revokeWriteOptions = &api.WriteOptions{
Namespace: namespace,
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi David, thanks for catching this oversight!

Actually I believe this check is unnecessary. Unless I am mistaken, Consul never has an unnamed namespace to return because the default one is literally named "default". So this ok should always evaluate to true.

Also it turns out admin partitions have the exact same bug. I'm happy to make these changes myself if you don't mind me pushing to your branch?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This check is to see if we had a consul namespace set in the secret itself in Vault. After some testing, it looks like in the case of not having a namespace set in the backend config, or the role config, namespace will return as an empty string so this can evaluate to false. I originally was just passing this WriteOptions struct along with the request even if there wasn't a namespace set as Consul seems to handle that case well, but I wanted to default to the original behavior here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@davidadeleon I'm not seeing this behavior, am I maybe testing this the wrong way? If I remember correctly, when a token is created the namespace and partition are returned from Consul and set on the secret here which should be the "default" value if never set in Vault. It seems to be behaving this way in my testing.

Can you add debug output to confirm the values of req.Data["consul_namespace"] and req.Data["partition"] are empty strings since I'm unable to recreate it?

Copy link
Member

@robmonte robmonte Oct 19, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With Kyle's help I believe we discovered the discrepancy. When using Consul enterprise unset namespace and partition fields are indeed set to default, however free versions of Consul are set to empty strings.

In fact, due to this, the ok still always evaluates to true like I thought, but not exactly for the reason I stated. It is still "set" to empty string rather than being unset, and so the ok check passes. I've committed my changes for this reason.

builtin/logical/consul/backend_test.go Outdated Show resolved Hide resolved
kschoche
kschoche approved these changes Oct 20, 2023
View reviewed changes
Copy link
Contributor

@kschoche kschoche left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@robmonte robmonte merged commit 72d66e2 into main Oct 20, 2023
106 of 107 checks passed
@robmonte robmonte deleted the davidadeleon/fix-consul-token-revoke-with-namespace branch October 20, 2023 18:06
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robmonte robmonte robmonte left review comments

@calvn calvn calvn left review comments

@kschoche kschoche kschoche approved these changes

@jasonodonnell jasonodonnell jasonodonnell approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.15.1
Development

Successfully merging this pull request may close these issues.

Vault fails to delete Consul tokens created by a role that has a namespace set
6 participants
@davidadeleon @calvn @jasonodonnell @kschoche @robmonte @anwittin