
vault /auth/token/create returns ignoring unrecognized parameters [meta] when creating token #18550

Closed
noahehall opened this issue Dec 24, 2022 · 0 comments · Fixed by #18556
Labels
bug Used to indicate a potential bug core/openapi core/token

Comments


noahehall commented Dec 24, 2022

Describe the bug
A clear and concise description of what the bug is.

  • vault /auth/token/create returns ignoring unrecognized parameters [meta] when creating token
  • according to docs we can use meta in payload
  • the meta value is being set (see curl response below), so I'm unsure why the warning is included in the response

To Reproduce
Steps to reproduce the behavior:

  1. send this payload
  2. to this endpoint /auth/token/create
  3. see warning about meta, but confirm metadata includes appropriate value

Expected behavior
A clear and concise description of what you expected to happen.

  • no warnings are returned if request payload matches api spec

Environment:

  • Vault Server Version (retrieve with vault status):
  • Vault CLI Version (retrieve with vault version):
  • Server Operating System/Architecture:

Vault server configuration file(s):

# Paste your Vault config here.
# Be sure to scrub any sensitive values
# @see https://developer.hashicorp.com/vault/docs/configuration

default_lease_ttl = "7d"
default_max_request_duration = "30s"
disable_cache = false
disable_mlock = false
enable_response_header_hostname = true
enable_response_header_raft_node_id = true
log_format = "json"
max_lease_ttl = "30d"
raw_storage_endpoint = false
ui = true # requires at least 1 listener stanza

storage "raft" {
  path    = "/vault/data"
  node_id = "node1"
}


# advertise the non-loopback interface
api_addr = "https://127.0.0.1:8300"
cluster_addr = "https://127.0.0.1:8301"

listener "tcp" {
  address = "0.0.0.0:8300" # provides access to vault UI
  tls_cert_file = "/etc/ssl/certs/live/dev.nirv.ai/fullchain.pem"
  tls_key_file = "/etc/ssl/certs/live/dev.nirv.ai/privkey.pem"
  tls_disable = false
}


############################# todo
# plugin_directory
# plugin_file_uid
# plugin_file_permissions
// telemetry {
//   statsite_address = "127.0.0.1:8125"
//   disable_hostname = true
// }
// seal "transit" { @see https://developer.hashicorp.com/vault/docs/configuration/seal/transit
// }

Additional context

01:16 PM (develop *|u=) 
$ ./script.vault.sh create token child config/vault/vault_admin/admin_role_vault.json

creating child token with payload: /home/poop/git/private/nirv/scripts/config/vault/vault_admin/admin_role_vault.json

[DEBUG] SCRIPT.VAULT.SH
------------
[url]: https://dev.nirv.ai:8300/v1/auth/token/create
[rest]: -H X-Vault-Token: pooperscooper --data @/home/poop/git/private/nirv/scripts/config/vault/vault_admin/admin_role_vault.json

------------
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1:8300...
* Connected to dev.nirv.ai (127.0.0.1) port 8300 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
{ [45 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [3817 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
} [8 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=dev.nirv.ai
*  start date: Dec 14 07:03:19 2022 GMT
*  expire date: Mar 14 07:03:18 2023 GMT
*  subjectAltName: host "dev.nirv.ai" matched cert's "dev.nirv.ai"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x562fc76ade80)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
> POST /v1/auth/token/create HTTP/2
> Host: dev.nirv.ai:8300
> user-agent: curl/7.81.0
> accept: */*
> connection: close
> content-length: 203
> content-type: application/x-www-form-urlencoded
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* We are completely uploaded and fine
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
< HTTP/2 200 
< cache-control: no-store
< content-type: application/json
< strict-transport-security: max-age=31536000; includeSubDomains
< x-vault-hostname: dev.nirv.ai
< x-vault-raft-node-id: node1
< content-length: 671
< date: Sat, 24 Dec 2022 20:16:35 GMT
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
100   874  100   671  100   203   7983   2415 --:--:-- --:--:-- --:--:-- 10530
* Connection #0 to host dev.nirv.ai left intact
{
  "request_id": "37033ef6-8d02-8736-3d4d-8a7be4b12ccd",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": null,
  "wrap_info": null,
  "warnings": [
    "Policy \"admin_policy_vault\" does not exist",
    "Endpoint ignored these unrecognized parameters: [meta]"
  ],
  "auth": {
    "client_token": "merry.christmas",
    "accessor": "supa dupa fly",
    "policies": [
      "admin_policy_vault",
      "default"
    ],
    "token_policies": [
      "admin_policy_vault",
      "default"
    ],
    "metadata": {
      "created_by_root": "1"
    },
    "lease_duration": 2592000,
    "renewable": true,
    "entity_id": "",
    "token_type": "service",
    "orphan": false,
    "mfa_requirement": null,
    "num_uses": 0
  }
}
@noahehall noahehall changed the title vault /auth/token/create returns ignoring unrecognized parameters [meta] when creating token and display_name` not being set vault /auth/token/create returns ignoring unrecognized parameters [meta] when creating token and display_name not being set Dec 24, 2022
@noahehall noahehall changed the title vault /auth/token/create returns ignoring unrecognized parameters [meta] when creating token and display_name not being set vault /auth/token/create returns ignoring unrecognized parameters [meta] when creating token Dec 25, 2022
maxb added a commit to maxb/vault that referenced this issue Dec 26, 2022
Fixes hashicorp#18550

Currently, the `auth/token/create` family of APIs (`create`,
`create-orphan`, `create/{role}`) does non-standard parsing of requests,
by directly using `mapstructure.WeakDecode(request.Data, ...)` instead
of using the standard `framework.FieldData` abstraction.

Furthermore, the fields declared for these APIs are incorrect, leading
to inappropriate OpenAPI generation, and inappropriate warnings about
ignored parameters.

Detailed changes:

* Factor out triplicated definitions of common fields across these three
  APIs.

* Remove incorrect `role_name` field from `create-orphan`.

* Add missing `lease` deprecated field.

* Rename incorrectly named `metadata` field to `meta`, and change from
  `TypeMap` to `TypeKVPairs` to reflect actual underlying Go type is
  `map[string]string`.

* Remove entirely incorrect `format` field.

* Add declarative `Default: true` to `renewable` field, to match
  behaviour currently implemented in code.

* Having fixed the field definitions to match current usage, remove the
  secondary decoding of the request via `mapstructure` inside
  `handleCreateCommon`, and migrate to using `FieldData` APIs like
  a normal operation function.
@heatherezell heatherezell added bug Used to indicate a potential bug core/token core/openapi labels Jan 4, 2023
averche pushed a commit that referenced this issue Jul 10, 2023
* Fix aspects of `auth/token/create` request parsing

Fixes #18550

Currently, the `auth/token/create` family of APIs (`create`,
`create-orphan`, `create/{role}`) does non-standard parsing of requests,
by directly using `mapstructure.WeakDecode(request.Data, ...)` instead
of using the standard `framework.FieldData` abstraction.

Furthermore, the fields declared for these APIs are incorrect, leading
to inappropriate OpenAPI generation, and inappropriate warnings about
ignored parameters.

Detailed changes:

* Factor out triplicated definitions of common fields across these three
  APIs.

* Remove incorrect `role_name` field from `create-orphan`.

* Add missing `lease` deprecated field.

* Rename incorrectly named `metadata` field to `meta`, and change from
  `TypeMap` to `TypeKVPairs` to reflect actual underlying Go type is
  `map[string]string`.

* Remove entirely incorrect `format` field.

* Add declarative `Default: true` to `renewable` field, to match
  behaviour currently implemented in code.

* Having fixed the field definitions to match current usage, remove the
  secondary decoding of the request via `mapstructure` inside
  `handleCreateCommon`, and migrate to using `FieldData` APIs like
  a normal operation function.

* Add changelog

* Rephrase comment.
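The mismatch the commit describes, as an added example that is not Vault's own code: a declared field schema names `metadata` while requests carry `meta`, so an unknown-parameter check warns even though a separate decode (the `mapstructure.WeakDecode` path in the commit) already applied the value; renaming the declared field to `meta` makes the warning disappear. `Schema`, `UnrecognizedParams` and `DecodeKVPairs` are hypothetical stand-ins for the framework's field handling, and the request payload is constructed.

```go
package main
import (
	"fmt"
	"sort"
)
// Schema maps the parameter names an endpoint declares to their declared type.
// Added stand-in for a framework field schema; it is not Vault's framework package.
type Schema map[string]string
// UnrecognizedParams returns the request keys the schema does not declare, sorted.
// It is the class of check behind "Endpoint ignored these unrecognized parameters:
// [meta]": the schema declared `metadata` while the request and the separate
// mapstructure decode used `meta`, so the value was applied yet still warned about.
func UnrecognizedParams(schema Schema, req map[string]interface{}) []string {
	unknown := []string{}
	for k := range req {
		if _, ok := schema[k]; !ok {
			unknown = append(unknown, k)
		}
	}
	sort.Strings(unknown)
	return unknown
}

// DecodeKVPairs coerces a JSON object into map[string]string, the Go type the
// commit gives for `meta`; a non-object or a non-string value yields ok=false.
func DecodeKVPairs(v interface{}) (map[string]string, bool) {
	raw, ok := v.(map[string]interface{})
	if !ok {
		return nil, false
	}
	out := make(map[string]string, len(raw))
	for k, val := range raw {
		s, isStr := val.(string)
		if !isStr {
			return nil, false
		}
		out[k] = s
	}
	return out, true
}

// BuggySchema mirrors the pre-fix declaration (`metadata` as TypeMap) and
// FixedSchema the post-fix one (`meta` as TypeKVPairs); SampleRequest is constructed.
var BuggySchema = Schema{"metadata": "TypeMap", "renewable": "TypeBool"}
var FixedSchema = Schema{"meta": "TypeKVPairs", "renewable": "TypeBool"}
var SampleRequest = map[string]interface{}{"meta": map[string]interface{}{"created_by_root": "1"}, "renewable": true}

func main() {
	fmt.Println(UnrecognizedParams(BuggySchema, SampleRequest), UnrecognizedParams(FixedSchema, SampleRequest)) // [meta] []
}
```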