
oidc: check for nil signing key on rotation #13716

Merged
merged 4 commits into from Jan 24, 2022

Conversation

fairclothjm
Contributor

@fairclothjm fairclothjm commented Jan 19, 2022

Description

Check for a nil signing key before performing a rotation and before signing payloads. This is to prevent panics in the event that a nil signing key was written to storage.

If the current signing key is nil during rotation, we will skip setting the ExpireAt and allow the next signing key to be rotated into the current. If the signing key is nil during sign payload, we will return an error.

Background

A panic can occur for any key which was created while being on a version < v1.9.0 but was rotated while being on v1.9.0.

Repro steps:

  • start vault with persistent storage
  • create keys/roles with Vault < v1.9.0
  • upgrade vault to v1.9.0
  • manually rotate the key or wait for an auto rotation
  • once key rotation triggers, a panic will occur
  • restarting vault v1.9.0 should result in panics on rotation
  • upgrade vault to v1.9.1 or greater
  • restart vault with same persistent storage backend
  • once key rotation triggers, a panic will occur
    • this is being fixed in the current PR
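The handling the description calls for, as an added Go example that is not Vault's code: a simplified `namedKey` with hypothetical `rotate` and `signPayload` methods, where the current key may be nil after an upgrade. An HMAC secret stands in for the real private key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

// Simplified stand-ins for a named OIDC key; these are not Vault's own types.
type signingKey struct {
	ID       string
	Secret   []byte    // HMAC secret stands in for the real private key
	ExpireAt time.Time // zero value: not yet scheduled to expire
}
type namedKey struct {
	SigningKey      *signingKey // may be nil if an older version wrote it
	NextSigningKey  *signingKey
	VerificationTTL time.Duration
}

func newSigningKey() *signingKey {
	buf := make([]byte, 40) // 8 bytes of key ID, 32 bytes of secret
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	return &signingKey{ID: hex.EncodeToString(buf[:8]), Secret: buf[8:]}
}

// rotate schedules the current key's expiry, promotes the next key and makes a
// fresh next key. A nil current key is tolerated: ExpireAt is simply skipped.
func (k *namedKey) rotate(now time.Time) {
	if k.SigningKey != nil {
		k.SigningKey.ExpireAt = now.Add(k.VerificationTTL)
	}
	if k.NextSigningKey == nil {
		k.NextSigningKey = newSigningKey()
	}
	k.SigningKey, k.NextSigningKey = k.NextSigningKey, newSigningKey()
}

// signPayload returns an error on a nil key instead of panicking.
func (k *namedKey) signPayload(payload []byte) (string, error) {
	if k.SigningKey == nil {
		return "", errors.New("signing key is nil; rotate the key first")
	}
	mac := hmac.New(sha256.New, k.SigningKey.Secret)
	mac.Write(payload)
	return k.SigningKey.ID + "." + hex.EncodeToString(mac.Sum(nil)), nil
}
```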

@fairclothjm fairclothjm changed the title check for nil signing key on rotation oidc: check for nil signing key on rotation Jan 19, 2022
@fairclothjm
Contributor Author

Logs

T14:05:11.152-0600 [DEBUG] : rotating OIDC key: key=key1
T14:05:11.152-0600 [DEBUG] : nil signing key detected on rotation
T14:05:11.306-0600 [DEBUG] : generated OIDC public key to sign JWTs: key_id=aa2c1f85-32cf-3645-1a52-7cd7e0983ccf
T14:05:11.459-0600 [DEBUG] : generated OIDC public key for future use: key_id=3d9c57ba-9384-ffd9-6714-2ac56060a286
T14:05:11.537-0600 [DEBUG] : rotated OIDC public key, now using: key_id=f8e1c269-94a1-28b7-e26a-2b020c6b980e
T14:05:11.695-0600 [DEBUG] : deleted OIDC public key: key_id=6d428db6-3c32-ddfa-0e48-f4b616a4a42f

T14:07:11.147-0600 [DEBUG] : rotating OIDC key: key=key1
T14:07:11.557-0600 [DEBUG] : generated OIDC public key for future use: key_id=bfc5304b-d810-cdba-7dd3-40081cb12b19
T14:07:11.635-0600 [DEBUG] : rotated OIDC public key, now using: key_id=3d9c57ba-9384-ffd9-6714-2ac56060a286
T14:07:11.795-0600 [DEBUG] : deleted OIDC public key: key_id=aa2c1f85-32cf-3645-1a52-7cd7e0983ccf

@fairclothjm fairclothjm added this to the 1.9.3 milestone Jan 20, 2022
- bypass setting ExpireAt if signing key is nil in rotate
- return err if signing key is nil in signPayload
Member

@calvn calvn left a comment


Mostly minor nit, but otherwise looks good!

@@ -985,15 +1097,33 @@ func TestOIDC_PeriodicFunc(t *testing.T) {
}

// measure collected samples
for i := range testSet.testCases {
for i, cycle := range testSet.cycle {
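Review bot: the loop now ranges over `testSet.cycle` instead of `testSet.testCases`, so if the body still indexes `testSet.testCases[i]` the two slices must be the same length or the test panics with an index out of range; either assert `len(testSet.cycle) == len(testSet.testCases)` at the top of the test, or keep ranging over `testSet.testCases` and read the cycle from each case. The `// measure collected samples` comment above the loop should also say what a cycle is now that it drives the iteration.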
Member


Nit: cycle could be an int since it's just used as a counter length reference. You could have something like:

for i := 0; i < cycle; i++ {
  currentCycle := i + 1 // 1-based cycle number for the current iteration
  ...
}

The for loop above could be reworked to be something similar as well.

},
{
// don't set SigningKey to ensure its non-existence can be handled
namedKey: &namedKey{
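Review bot: the comment on this test case says what is left unset but not what the test expects to happen; state the expected outcome from the PR description so the assertion being exercised is clear, e.g. `// SigningKey intentionally nil: rotate must skip ExpireAt and promote NextSigningKey without panicking`.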
Member


Nit: I wonder if it would be a bit more obvious that the cases are based on different toggles if we had a test helper that generated the named keys with setSigningKey and setNextSigningKey as params (which would also remove them from the testSet struct):

namedKey: testGenerateNamedKey("test-key-nil-signing-key", false, true)

Contributor Author


I think the namedKey would need to be removed from the testSet instead since we need to call generateAndSetKey with the storage for each test set. I can create an issue to track cleaning up these tests a bit.

Member

@austingebauer austingebauer left a comment


LGTM 👍

qk4l pushed a commit to qk4l/vault that referenced this pull request Feb 4, 2022
* check for nil signing key on rotation

* add changelog

* Update nil signing key handling

- bypass setting ExpireAt if signing key is nil in rotate
- return err if signing key is nil in signPayload

* add comment; update error msg on signPayload; refactor UT