New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Renew operation for KV v1 #55
base: main
Are you sure you want to change the base?
Conversation
Using `handleRead` as the `Renew` method for KV v1 is incorrect and would fail with the error: http: panic serving 127.0.0.1:59579: field path not in the schema in the Vault server without returning a response. This fixes by returning an empty response which signals properly that the secret cannot be renewed. Also remove `GeneratesLeases()` which was never used and fix a typo in an error message.
9f88b02
to
39f481f
Compare
Hi, @remilapeyre. Thank you for taking a look into this. Would you be able to provide reproduction steps so that we ensure that we are following the same flow as you? Regarding the |
I don't think this function is used there, it is a different function: https://github.com/hashicorp/vault/blob/8581f3337a52a657c9f862e937dc7ea8a87e87e5/vault/logical_passthrough.go#L165-L167.
Here's an example showing the panic occurring during the renew, I'll use cURL to make all operations completely explicit:
You can also see the bug by keeping the
Also notice that before the introduction of |
Ah, thank you for clarifying. I was too quick while reading. Oddly enough, I am not able to generate the panic running the same Vault binary with the sequence of curl commands that you provided. The test fails as expected though. Just trying to understand the problem, is a no-op for the |
I will have a look at the other secret engines to be sure on what should be done here. I should be able to come back to this sometime next week. |
This renew operation used to work, and still does in the copy of this code embedded in the Vault repo, but it got inadvertently broken here by #17. Adding a test is good, but rather than deleting the functionality, it would be better to restore it to functioning correctly. |
The `Passthrough` interface ceased to be used after some code was removed in hashicorp#11. The `GenerateLeases` function ceased to be used when this code was made capable of being a separate plugin, rather than a builtin part of Vault - credit to @remilapeyre for noticing this in hashicorp#55 - I'm just cherrypicking the removal of unused code from that old unmerged PR, whilst I had some other unused code to PR the removal of too.
I have opened #118 with my alternative take on how to address this. |
The `Passthrough` interface ceased to be used after some code was removed in #11. The `GenerateLeases` function ceased to be used when this code was made capable of being a separate plugin, rather than a builtin part of Vault - credit to @remilapeyre for noticing this in #55 - I'm just cherrypicking the removal of unused code from that old unmerged PR, whilst I had some other unused code to PR the removal of too.
Using
handleRead
as theRenew
method for KV v1 is incorrect andwould fail with the error:
in the Vault server without returning a response.
This fixes by returning an empty response which signals properly that
the secret cannot be renewed.
Also remove
GeneratesLeases()
which was never used and fix a typo inan error message.