
Backport of oidc: check for nil signing key on rotation into release/1.9.x #13764

Conversation

hc-github-team-secure-vault-core (Collaborator)

Backport

This PR is auto-generated from #13716 to be assessed for backporting due to the inclusion of the label backport/1.9.x.

The below text is copied from the body of the original PR.


Description

Check for a nil signing key before performing a rotation and before signing payloads. This is to prevent panics in the event that a nil signing key was written to storage.

If the current signing key is nil during rotation, we will skip setting the ExpireAt and allow the next signing key to be rotated into the current. If the signing key is nil during sign payload, we will return an error.

Background

A panic can occur for any key which was created while being on a version < v1.9.0 but was rotated while being on v1.9.0.

Repro steps:

  • start vault with persistent storage
  • create keys/roles with Vault < v1.9.0
  • upgrade vault to v1.9.0
  • manually rotate the key or wait for an auto rotation
  • once key rotation triggers, a panic will occur
  • restarting vault v1.9.0 should result in panics on rotation
  • upgrade vault to v1.9.1 or greater
  • restart vault with same persistent storage backend
  • once key rotation triggers, a panic will occur
    • this is being fixed in the current PR
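As an added illustration of the two checks the description lists (not Vault's own code), the Go sketch below models a named key with a current and a next signing key; the type names, fields and the `rotate`/`signPayload` functions are assumptions made for this example, and the "signature" is a placeholder tag rather than real JWT signing.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// signingKey is a hypothetical stand-in for stored OIDC key material.
type signingKey struct {
	ID       string
	ExpireAt time.Time
}

// namedKey models an OIDC named key with a current and a next signing key.
// SigningKey may be nil when storage was written by a version before v1.9.0.
type namedKey struct {
	SigningKey      *signingKey
	NextKey         *signingKey
	VerificationTTL time.Duration
}

// rotate retires the current key and promotes the next one. A nil current
// key is tolerated: ExpireAt is skipped (there is nothing to set it on) and
// the next key still rotates into the current slot, as the fix describes.
func (k *namedKey) rotate(now time.Time, newNext *signingKey) {
	if k.SigningKey != nil {
		k.SigningKey.ExpireAt = now.Add(k.VerificationTTL)
	}
	k.SigningKey = k.NextKey
	k.NextKey = newNext
}

// signPayload returns an error instead of dereferencing a nil key.
// The "signature" is a placeholder tag, not real JWT signing.
func (k *namedKey) signPayload(payload string) (string, error) {
	if k.SigningKey == nil {
		return "", errors.New("oidc: current signing key is nil")
	}
	return fmt.Sprintf("%s.signed-by-%s", payload, k.SigningKey.ID), nil
}

func main() {
	// Constructed state mirroring the repro: current key missing, next key present.
	k := &namedKey{NextKey: &signingKey{ID: "next"}, VerificationTTL: time.Hour}
	k.rotate(time.Now(), &signingKey{ID: "next2"})
	sig, err := k.signPayload("payload")
	fmt.Println(sig, err)
}
```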

@hc-github-team-secure-vault-core hc-github-team-secure-vault-core force-pushed the backport/VAULT-4766/fix-oidc-key-rotation-panic/moderately-proud-louse branch from 788c903 to 31884d1 on January 24, 2022 18:06
@fairclothjm fairclothjm merged commit 8a66132 into release/1.9.x Jan 24, 2022
@fairclothjm fairclothjm deleted the backport/VAULT-4766/fix-oidc-key-rotation-panic/moderately-proud-louse branch January 24, 2022 19:04
@kalafut kalafut added this to the 1.9.3 milestone Jan 24, 2022