Fix Renew operation for KV v1 #55

Open
wants to merge 1 commit into base: main

remilapeyre


Using `handleRead` as the `Renew` method for KV v1 is incorrect and
would fail with the error:

	http: panic serving 127.0.0.1:59579: field path not in the schema

in the Vault server without returning a response.

This fixes it by returning an empty response which signals properly that
the secret cannot be renewed.

Also remove `GeneratesLeases()` which was never used and fix a typo in
an error message.

@hashicorp-cla

hashicorp-cla commented Mar 12, 2022

CLA assistant check
All committers have signed the CLA.

@ccapurso
Contributor

Hi, @remilapeyre. Thank you for taking a look into this. Would you be able to provide reproduction steps so that we ensure that we are following the same flow as you?

Regarding the GeneratesLeases function, that is actually used directly within Vault's request handling and thus should not be removed.

@remilapeyre
Author

> Regarding the GeneratesLeases function, that is actually used directly within Vault's request handling and thus should not be removed.

I don't think this function is used there, it is a different function: https://github.com/hashicorp/vault/blob/8581f3337a52a657c9f862e937dc7ea8a87e87e5/vault/logical_passthrough.go#L165-L167.

> Would you be able to provide reproduction steps so that we ensure that we are following the same flow as you?

Here's an example showing the panic occurring during the renew, I'll use cURL to make all operations completely explicit:

$ vault version

Vault v1.11.1 (0f634755745f4adf62ec0723a0b93d6dce5bc33e), built 2022-07-19T20:16:47Z
$ vault server -dev -dev-root-token-id=demo &

[1] 70346
$ ==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.17.12
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: info
                   Mlock: supported: false, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.11.1, built 2022-07-19T20:16:47Z
             Version Sha: 0f634755745f4adf62ec0723a0b93d6dce5bc33e

==> Vault server started! Log data will stream in below:

2022-07-28T22:51:17.313+0200 [INFO]  proxy environment: http_proxy="" https_proxy="" no_proxy=""
2022-07-28T22:51:17.314+0200 [WARN]  no `api_addr` value specified in config or in VAULT_API_ADDR; falling back to detection if possible, but this value should be manually set
2022-07-28T22:51:17.314+0200 [INFO]  core: Initializing version history cache for core
2022-07-28T22:51:17.315+0200 [INFO]  core: security barrier not initialized
2022-07-28T22:51:17.315+0200 [INFO]  core: security barrier initialized: stored=1 shares=1 threshold=1
2022-07-28T22:51:17.315+0200 [INFO]  core: post-unseal setup starting
2022-07-28T22:51:17.318+0200 [INFO]  core: loaded wrapping token key
2022-07-28T22:51:17.318+0200 [INFO]  core: Recorded vault version: vault version=1.11.1 upgrade time="2022-07-28 20:51:17.318088 +0000 UTC" build date=2022-07-19T20:16:47Z
2022-07-28T22:51:17.318+0200 [INFO]  core: successfully setup plugin catalog: plugin-directory=""
2022-07-28T22:51:17.318+0200 [INFO]  core: no mounts; adding default mount table
2022-07-28T22:51:17.319+0200 [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2022-07-28T22:51:17.319+0200 [INFO]  core: successfully mounted backend: type=system path=sys/
2022-07-28T22:51:17.320+0200 [INFO]  core: successfully mounted backend: type=identity path=identity/
2022-07-28T22:51:17.321+0200 [INFO]  core: successfully enabled credential backend: type=token path=token/ namespace="ID: root. Path: "
2022-07-28T22:51:17.322+0200 [INFO]  rollback: starting rollback manager
2022-07-28T22:51:17.323+0200 [INFO]  core: restoring leases
2022-07-28T22:51:17.324+0200 [INFO]  expiration: lease restore complete
2022-07-28T22:51:17.324+0200 [INFO]  identity: entities restored
2022-07-28T22:51:17.324+0200 [INFO]  identity: groups restored
2022-07-28T22:51:17.764+0200 [INFO]  core: post-unseal setup complete
2022-07-28T22:51:17.765+0200 [INFO]  core: root token generated
2022-07-28T22:51:17.765+0200 [INFO]  core: pre-seal teardown starting
2022-07-28T22:51:17.765+0200 [INFO]  rollback: stopping rollback manager
2022-07-28T22:51:17.765+0200 [INFO]  core: pre-seal teardown complete
2022-07-28T22:51:17.765+0200 [INFO]  core.cluster-listener.tcp: starting listener: listener_address=127.0.0.1:8201
2022-07-28T22:51:17.765+0200 [INFO]  core.cluster-listener: serving cluster requests: cluster_listen_address=127.0.0.1:8201
2022-07-28T22:51:17.765+0200 [INFO]  core: post-unseal setup starting
2022-07-28T22:51:17.765+0200 [INFO]  core: loaded wrapping token key
2022-07-28T22:51:17.765+0200 [INFO]  core: successfully setup plugin catalog: plugin-directory=""
2022-07-28T22:51:17.766+0200 [INFO]  core: successfully mounted backend: type=system path=sys/
2022-07-28T22:51:17.767+0200 [INFO]  core: successfully mounted backend: type=identity path=identity/
2022-07-28T22:51:17.768+0200 [INFO]  core: successfully mounted backend: type=cubbyhole path=cubbyhole/
2022-07-28T22:51:17.769+0200 [INFO]  core: successfully enabled credential backend: type=token path=token/ namespace="ID: root. Path: "
2022-07-28T22:51:17.769+0200 [INFO]  rollback: starting rollback manager
2022-07-28T22:51:17.769+0200 [INFO]  core: restoring leases
2022-07-28T22:51:17.769+0200 [INFO]  identity: entities restored
2022-07-28T22:51:17.769+0200 [INFO]  identity: groups restored
2022-07-28T22:51:17.769+0200 [INFO]  core: post-unseal setup complete
2022-07-28T22:51:17.769+0200 [INFO]  core: vault is unsealed
2022-07-28T22:51:17.769+0200 [INFO]  expiration: lease restore complete
2022-07-28T22:51:17.770+0200 [INFO]  expiration: revoked lease: lease_id=auth/token/root/h5dcd1216c85fae96ded332bf1ca3e174047553b0080bc870701c1c0e6569c5ea
2022-07-28T22:51:17.772+0200 [INFO]  core: successful mount: namespace="" path=secret/ type=kv
2022-07-28T22:51:17.782+0200 [INFO]  secrets.kv.kv_dd88e867: collecting keys to upgrade
2022-07-28T22:51:17.783+0200 [INFO]  secrets.kv.kv_dd88e867: done collecting keys: num_keys=1
2022-07-28T22:51:17.783+0200 [INFO]  secrets.kv.kv_dd88e867: upgrading keys finished
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

You may need to set the following environment variable:

    $ export VAULT_ADDR='http://127.0.0.1:8200'

The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.

Unseal Key: ckn6RGuNMWwCAdcik/j3h94mvebEE11M6sFnyOmHh4w=
Root Token: demo

Development mode should NOT be used in production installations!


$ export VAULT_ADDR='http://127.0.0.1:8200'

$ export VAULT_TOKEN=demo

$ curl -X PUT $VAULT_ADDR/v1/sys/mounts/kv-with-lease -H "X-Vault-Token: $VAULT_TOKEN" -d '{"type": "kv-v1", "options": {"leased_passthrough": "true"}}'

2022-07-28T22:51:27.040+0200 [INFO]  core: successful mount: namespace="" path=kv-with-lease/ type=kv
$ curl -X PUT $VAULT_ADDR/v1/kv-with-lease/test -H "X-Vault-Token: $VAULT_TOKEN" -d '{"hello": "world", "ttl": 60}'

$ curl $VAULT_ADDR/v1/kv-with-lease/test -H "X-Vault-Token: $VAULT_TOKEN"

{"request_id":"24e6698b-516e-3b6a-591e-7a7a1aa3ca5e","lease_id":"kv-with-lease/test/B1Lf4QCxiTVtpDpWHLtaruIm","renewable":true,"lease_duration":60,"data":{"hello":"world","ttl":60},"wrap_info":null,"warnings":null,"auth":null}
$ curl -X POST $VAULT_ADDR/v1/sys/leases/renew -H "X-Vault-Token: $VAULT_TOKEN" -d '{"lease_id": "kv-with-lease/test/B1Lf4QCxiTVtpDpWHLtaruIm", "increment": 40}'

2022-07-28T22:51:42.426+0200 [INFO]  http: panic serving 127.0.0.1:65018: field path not in the schema
goroutine 853 [running]:
net/http.(*conn).serve.func1()
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:1802 +0xb9
panic({0x50d91c0, 0xc000f7b110})
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/runtime/panic.go:1047 +0x266
github.com/hashicorp/vault/sdk/framework.(*FieldData).Get(0xc000f7b0f0, {0x5efa820, 0x4})
        /Users/runner/work/vault/vault/sdk/framework/field_data.go:63 +0xda
github.com/hashicorp/vault-plugin-secrets-kv.(*PassthroughBackend).handleRead.func1({0x70b8090, 0xc0012170b0}, 0xc000742480, 0xc0011188a0)
        /Users/runner/go/pkg/mod/github.com/hashicorp/vault-plugin-secrets-kv@v0.12.1/passthrough.go:124 +0x47
github.com/hashicorp/vault/sdk/framework.(*Secret).HandleRenew(0xc000f25080, {0x70b8090, 0xc0012170b0}, 0xc000742480)
        /Users/runner/work/vault/vault/sdk/framework/secret.go:76 +0xa3
github.com/hashicorp/vault/sdk/framework.(*Backend).handleRevokeRenew(0x3332a8c2c89cd44e, {0x70b8090, 0xc0012170b0}, 0xc000742480)
        /Users/runner/work/vault/vault/sdk/framework/backend.go:566 +0xf9
github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc000898340, {0x70b8090, 0xc0012170b0}, 0xc000742480)
        /Users/runner/work/vault/vault/sdk/framework/backend.go:194 +0xe7
github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc0008ac1e0, {0x70b8090, 0xc0012170b0}, 0xc000742480, 0x0)
        /Users/runner/work/vault/vault/vault/router.go:727 +0x17cc
github.com/hashicorp/vault/vault.(*Router).Route(...)
        /Users/runner/work/vault/vault/vault/router.go:507
github.com/hashicorp/vault/vault.(*ExpirationManager).renewEntry(0xc00000a5a0, {0x70b8090, 0xc001216840}, 0xc0001de3c0, 0x9502f9000)
        /Users/runner/work/vault/vault/vault/expiration.go:1900 +0x216
github.com/hashicorp/vault/vault.(*ExpirationManager).Renew(0xc00000a5a0, {0x70b8090, 0xc001216840}, {0xc0013021e0, 0x9ecf640}, 0xc000d7bd26)
        /Users/runner/work/vault/vault/vault/expiration.go:1197 +0x613
github.com/hashicorp/vault/vault.(*SystemBackend).handleRenew(0xc00120a300, {0x70b8090, 0xc001216840}, 0x0, 0xffffffffffffffff)
        /Users/runner/work/vault/vault/vault/logical_system.go:1959 +0x1d1
github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc0001baa90, {0x70b8090, 0xc001216840}, 0xc000742300)
        /Users/runner/work/vault/vault/sdk/framework/backend.go:287 +0xa51
github.com/hashicorp/vault/vault.(*Router).routeCommon(0xc0008ac1e0, {0x70b8090, 0xc001216840}, 0xc000742300, 0x0)
        /Users/runner/work/vault/vault/vault/router.go:727 +0x17cc
github.com/hashicorp/vault/vault.(*Router).Route(...)
        /Users/runner/work/vault/vault/vault/router.go:507
github.com/hashicorp/vault/vault.(*Core).doRouting(0xc0014de600, {0x70b8090, 0xc001216840}, 0xc000354150)
        /Users/runner/work/vault/vault/vault/request_handling.go:806 +0x2c
github.com/hashicorp/vault/vault.(*Core).handleRequest(0xc000924000, {0x70b8090, 0xc001216840}, 0xc000742300)
        /Users/runner/work/vault/vault/vault/request_handling.go:995 +0x124d
github.com/hashicorp/vault/vault.(*Core).handleCancelableRequest(0xc000924000, {0x70b8090, 0xc0012164e0}, 0xc000742300)
        /Users/runner/work/vault/vault/vault/request_handling.go:654 +0x1493
github.com/hashicorp/vault/vault.(*Core).switchedLockHandleRequest(0xc000924000, {0x70b8090, 0xc0012162a0}, 0xc000742300, 0x60)
        /Users/runner/work/vault/vault/vault/request_handling.go:472 +0x51f
github.com/hashicorp/vault/vault.(*Core).HandleRequest(...)
        /Users/runner/work/vault/vault/vault/request_handling.go:433
github.com/hashicorp/vault/http.request(0x5981160, {0x70634c0, 0xc0012161b0}, 0xc0002e5d00, 0xc000742300)
        /Users/runner/work/vault/vault/http/handler.go:910 +0x86
github.com/hashicorp/vault/http.handleLogicalInternal.func1({0x70634c0, 0xc0012161b0}, 0xc0002e5d00)
        /Users/runner/work/vault/vault/http/logical.go:343 +0xb6
net/http.HandlerFunc.ServeHTTP(0xc001302155, {0x70634c0, 0xc0012161b0}, 0xc0005dde00)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2047 +0x2f
github.com/hashicorp/vault/http.handleRequestForwarding.func1({0x70634c0, 0xc0012161b0}, 0xc0002e5d00)
        /Users/runner/work/vault/vault/http/handler.go:835 +0x39d
net/http.HandlerFunc.ServeHTTP(0xc0007493c0, {0x70634c0, 0xc0012161b0}, 0x0)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2047 +0x2f
net/http.(*ServeMux).ServeHTTP(0x7055c90, {0x70634c0, 0xc0012161b0}, 0xc0002e5d00)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2425 +0x149
github.com/hashicorp/vault/http.wrapHelpHandler.func1({0x70634c0, 0xc0012161b0}, 0xc0002e5d00)
        /Users/runner/work/vault/vault/http/help.go:25 +0x129
net/http.HandlerFunc.ServeHTTP(0xc00121c0a0, {0x70634c0, 0xc0012161b0}, 0xc000749470)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2047 +0x2f
github.com/hashicorp/vault/http.wrapCORSHandler.func1({0x70634c0, 0xc0012161b0}, 0xc000749530)
        /Users/runner/work/vault/vault/http/cors.go:29 +0x6e4
net/http.HandlerFunc.ServeHTTP(0xc000924000, {0x70634c0, 0xc0012161b0}, 0xc0008a7270)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2047 +0x2f
github.com/hashicorp/vault/http.rateLimitQuotaWrapping.func1({0x70634c0, 0xc0012161b0}, 0xc0002e5d00)
        /Users/runner/work/vault/vault/http/util.go:97 +0x9d0
net/http.HandlerFunc.ServeHTTP(0xc001216120, {0x70634c0, 0xc0012161b0}, 0xc00121a040)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2047 +0x2f
github.com/hashicorp/vault/http.wrapGenericHandler.func1({0x7071e30, 0xc00021f340}, 0xc0002e5a00)
        /Users/runner/work/vault/vault/http/handler.go:422 +0x119c
net/http.HandlerFunc.ServeHTTP(0xc001302155, {0x7071e30, 0xc00021f340}, 0x1)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2047 +0x2f
github.com/hashicorp/go-cleanhttp.PrintablePathCheckHandler.func1({0x7071e30, 0xc00021f340}, 0xc0002e5a00)
        /Users/runner/go/pkg/mod/github.com/hashicorp/go-cleanhttp@v0.5.2/handlers.go:42 +0x98
net/http.HandlerFunc.ServeHTTP(0x0, {0x7071e30, 0xc00021f340}, 0x108bc06d94ccd)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2047 +0x2f
net/http.serverHandler.ServeHTTP({0x705bed8}, {0x7071e30, 0xc00021f340}, 0xc0002e5a00)
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:2879 +0x43b
net/http.(*conn).serve(0xc000e07900, {0x70b8090, 0xc0007400c0})
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:1930 +0xb08
created by net/http.(*Server).Serve
        /Users/runner/hostedtoolcache/go/1.17.12/x64/src/net/http/server.go:3034 +0x4e8
curl: (52) Empty reply from server

You can also see the bug by keeping the TestPassthroughBackend_Renew() test case and running the test without the current version of the code:

$ go test ./...
2022-07-28T22:54:48.307+0200 [INFO]  collecting keys to upgrade
2022-07-28T22:54:48.307+0200 [INFO]  done collecting keys: num_keys=1
2022-07-28T22:54:48.307+0200 [DEBUG] upgrading keys: progress=0/1
2022-07-28T22:54:48.307+0200 [INFO]  upgrading keys finished
2022-07-28T22:54:48.307+0200 [INFO]  collecting keys to upgrade
2022-07-28T22:54:48.307+0200 [INFO]  done collecting keys: num_keys=1
2022-07-28T22:54:48.307+0200 [DEBUG] upgrading keys: progress=0/1
2022-07-28T22:54:48.307+0200 [INFO]  upgrading keys finished
2022-07-28T22:54:48.307+0200 [INFO]  collecting keys to upgrade
2022-07-28T22:54:48.307+0200 [INFO]  collecting keys to upgrade
2022-07-28T22:54:48.307+0200 [INFO]  collecting keys to upgrade
2022-07-28T22:54:48.307+0200 [INFO]  done collecting keys: num_keys=1
2022-07-28T22:54:48.307+0200 [DEBUG] upgrading keys: progress=0/1
2022-07-28T22:54:48.307+0200 [INFO]  upgrading keys finished
2022-07-28T22:54:48.307+0200 [INFO]  collecting keys to upgrade
2022-07-28T22:54:48.307+0200 [INFO]  done collecting keys: num_keys=1
2022-07-28T22:54:48.307+0200 [INFO]  collecting keys to upgrade
2022-07-28T22:54:48.307+0200 [INFO]  done collecting keys: num_keys=1
2022-07-28T22:54:48.307+0200 [DEBUG] upgrading keys: progress=0/1
2022-07-28T22:54:48.307+0200 [INFO]  done collecting keys: num_keys=1
2022-07-28T22:54:48.307+0200 [DEBUG] upgrading keys: progress=0/1
2022-07-28T22:54:48.307+0200 [DEBUG] upgrading keys: progress=0/1
2022-07-28T22:54:48.307+0200 [INFO]  upgrading keys finished
2022-07-28T22:54:48.307+0200 [INFO]  upgrading keys finished
2022-07-28T22:54:48.307+0200 [INFO]  upgrading keys finished
2022-07-28T22:54:48.307+0200 [INFO]  done collecting keys: num_keys=1
2022-07-28T22:54:48.308+0200 [DEBUG] upgrading keys: progress=0/1
2022-07-28T22:54:48.308+0200 [INFO]  upgrading keys finished
--- FAIL: TestPassthroughBackend_Renew (0.00s)
panic: field path not in the schema [recovered]
        panic: field path not in the schema

goroutine 42 [running]:
testing.tRunner.func1.2({0x15d9c20, 0xc0001157a0})
        /usr/local/Cellar/go/1.18.4/libexec/src/testing/testing.go:1389 +0x24e
testing.tRunner.func1()
        /usr/local/Cellar/go/1.18.4/libexec/src/testing/testing.go:1392 +0x39f
panic({0x15d9c20, 0xc0001157a0})
        /usr/local/Cellar/go/1.18.4/libexec/src/runtime/panic.go:838 +0x207
github.com/hashicorp/vault/sdk/framework.(*FieldData).Get(0xc000115780, {0x16b859b, 0x4})
        /Users/remi/go/pkg/mod/github.com/hashicorp/vault/sdk@v0.3.0/framework/field_data.go:63 +0xda
github.com/hashicorp/vault-plugin-secrets-kv.(*PassthroughBackend).handleRead.func1({0x17b0880, 0xc0000240c0}, 0xc0002bc300, 0xc000509e60?)
        /Users/remi/go/src/github.com/hashicorp/vault-plugin-secrets-kv/passthrough.go:124 +0x5e
github.com/hashicorp/vault/sdk/framework.(*Secret).HandleRenew(0xc0003821b0, {0x17b0880, 0xc0000240c0}, 0xc0002bc300)
        /Users/remi/go/pkg/mod/github.com/hashicorp/vault/sdk@v0.3.0/framework/secret.go:76 +0xa3
github.com/hashicorp/vault/sdk/framework.(*Backend).handleRevokeRenew(0xc0002600d0, {0x17b0880, 0xc0000240c0}, 0xc0002bc300)
        /Users/remi/go/pkg/mod/github.com/hashicorp/vault/sdk@v0.3.0/framework/backend.go:515 +0x205
github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0xc0002600d0, {0x17b0880, 0xc0000240c0}, 0xc0002bc300)
        /Users/remi/go/pkg/mod/github.com/hashicorp/vault/sdk@v0.3.0/framework/backend.go:194 +0xe7
github.com/hashicorp/vault-plugin-secrets-kv.TestPassthroughBackend_Renew.func1({0x17b3620, 0xc000115710})
        /Users/remi/go/src/github.com/hashicorp/vault-plugin-secrets-kv/passthrough_test.go:222 +0x1ce
github.com/hashicorp/vault-plugin-secrets-kv.TestPassthroughBackend_Renew(0xc000103380?)
        /Users/remi/go/src/github.com/hashicorp/vault-plugin-secrets-kv/passthrough_test.go:227 +0x3c
testing.tRunner(0xc0002ae1a0, 0x1703340)
        /usr/local/Cellar/go/1.18.4/libexec/src/testing/testing.go:1439 +0x102
created by testing.(*T).Run
        /usr/local/Cellar/go/1.18.4/libexec/src/testing/testing.go:1486 +0x35f
FAIL    github.com/hashicorp/vault-plugin-secrets-kv    1.277s
?       github.com/hashicorp/vault-plugin-secrets-kv/cmd/vault-plugin-secrets-kv        [no test files]
FAIL

Also notice that before the introduction of TestPassthroughBackend_Renew() there was no unit test for renewing a lease there, so it is not surprising that it is broken.

@ccapurso
Contributor

> I don't think this function is used there, it is a different function: https://github.com/hashicorp/vault/blob/8581f3337a52a657c9f862e937dc7ea8a87e87e5/vault/logical_passthrough.go#L165-L167.

Ah, thank you for clarifying. I was too quick while reading.

Oddly enough, I am not able to generate the panic running the same Vault binary with the sequence of curl commands that you provided. The test fails as expected though. Just trying to understand the problem, is a no-op for the RenewOperation what we want? The path field can be added to the schema which also fixes the panic and allows the request to be processed as originally intended. You likely have a better low-level understanding of the KVv1 lease logic than me :-).
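
The failure and the two fixes discussed above, as an added example that is not part of the thread or of the project's code. It is a simplified, standard-library-only model: `FieldData`, `Handler`, `Renew`, `readHandler`, `noopRenew` and the assumption that the renew request carries the key under `path` are hypothetical stand-ins for the behaviour visible in the stack trace.

```go
package main

import "fmt"

// FieldData is a simplified stand-in for schema-checked request data.
// It models the behaviour in the stack trace; it is not the Vault SDK type.
type FieldData struct {
	Raw    map[string]interface{}
	Schema map[string]bool // field names declared for this request
}

// Get panics when asked for a field the schema does not declare.
func (d *FieldData) Get(k string) interface{} {
	if !d.Schema[k] {
		panic(fmt.Sprintf("field %s not in the schema", k))
	}
	return d.Raw[k]
}

type Response struct{ Data map[string]interface{} }
type Handler func(d *FieldData) (*Response, error)

// Constructed sample data matching the reproduction in the thread.
var store = map[string]map[string]interface{}{
	"test": {"hello": "world", "ttl": 60},
}

// readHandler is written for the read path, whose schema declares "path".
func readHandler(d *FieldData) (*Response, error) {
	key, ok := d.Get("path").(string)
	if !ok {
		return nil, fmt.Errorf("missing path")
	}
	data, found := store[key]
	if !found {
		return nil, nil
	}
	return &Response{Data: data}, nil
}

// noopRenew models the PR's approach: an empty response, no field access.
func noopRenew(d *FieldData) (*Response, error) { return nil, nil }

// Renew runs h as the renew handler. schema is the set of fields the renew
// request is checked against; that the request carries the key under "path"
// is an assumption of this model. A panic is captured and returned as text.
func Renew(h Handler, key string, schema map[string]bool) (resp *Response, panicMsg string, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicMsg = fmt.Sprint(r)
		}
	}()
	d := &FieldData{Raw: map[string]interface{}{"path": key}, Schema: schema}
	resp, err = h(d)
	return resp, "", err
}

func main() {
	noPath := map[string]bool{}
	withPath := map[string]bool{"path": true}
	_, p, _ := Renew(readHandler, "test", noPath)
	fmt.Println("read handler as renew, path not in schema -> panic:", p)
	r, p, _ := Renew(noopRenew, "test", noPath)
	fmt.Println("no-op renew ->", r, p)
	r, p, _ = Renew(readHandler, "test", withPath)
	fmt.Println("read handler as renew, path in schema ->", r.Data, p)
}
```

In the model, declaring `path` removes the panic, but the handler still has to cope with a declared field that arrives without a value, which is why `readHandler` checks the type assertion.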

@remilapeyre
Author

I will have a look at the other secret engines to be sure on what should be done here. I should be able to come back to this sometime next week.

@maxb
Contributor

maxb commented Jul 25, 2023

This renew operation used to work, and still does in the copy of this code embedded in the Vault repo, but it got inadvertently broken here by #17.

Adding a test is good, but rather than deleting the functionality, it would be better to restore it to functioning correctly.

maxb added a commit to maxb/vault-plugin-secrets-kv that referenced this pull request Jul 25, 2023
The `Passthrough` interface ceased to be used after some code was
removed in hashicorp#11.

The `GenerateLeases` function ceased to be used when this code was
made capable of being a separate plugin, rather than a builtin part of
Vault - credit to @remilapeyre for noticing this in hashicorp#55 - I'm just
cherrypicking the removal of unused code from that old unmerged PR,
whilst I had some other unused code to PR the removal of too.
maxb mentioned this pull request Jul 25, 2023

@maxb
Contributor

maxb commented Jul 25, 2023

I have opened #118 with my alternative take on how to address this.

averche pushed a commit that referenced this pull request Jul 25, 2023
The `Passthrough` interface ceased to be used after some code was
removed in #11.

The `GenerateLeases` function ceased to be used when this code was
made capable of being a separate plugin, rather than a builtin part of
Vault - credit to @remilapeyre for noticing this in #55 - I'm just
cherrypicking the removal of unused code from that old unmerged PR,
whilst I had some other unused code to PR the removal of too.