Backport of VAULT-5935 agent: redact renew-self if using auto auth into release/1.9.x #15397

hc-github-team-secure-vault-core
Collaborator

Backport

This PR is auto-generated from #15380 to be assessed for backporting due to the inclusion of the label backport/1.9.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

The below text is copied from the body of the original PR.


Vault agent redacts the token and accessor for /auth/token/lookup-self (and lookup)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from renew-self
and renew, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.
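
The redaction described in the PR body above, as an added sketch that is not the PR's code or Vault's implementation: `redactAutoAuth` is a hypothetical helper, and the `/v1` prefix and the response field locations (`data.id`/`data.accessor` for lookup, `auth.client_token`/`auth.accessor` for renew) are assumptions about the response shapes.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// redactAutoAuth is a hypothetical helper, not Vault's code. It blanks the
// token and accessor in a proxied response when the request was made with the
// agent's own auto-auth token. Assumed response shapes: lookup endpoints carry
// data.id and data.accessor; renew endpoints carry auth.client_token and
// auth.accessor.
func redactAutoAuth(path, reqToken, autoAuthToken string, body []byte) ([]byte, error) {
	if autoAuthToken == "" || reqToken != autoAuthToken {
		return body, nil // caller supplied its own token: nothing to hide
	}
	var section, tokenKey string
	switch strings.TrimPrefix(path, "/v1") {
	case "/auth/token/lookup-self", "/auth/token/lookup":
		section, tokenKey = "data", "id"
	case "/auth/token/renew-self", "/auth/token/renew":
		section, tokenKey = "auth", "client_token"
	default:
		return body, nil
	}
	var resp map[string]interface{}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.UseNumber() // keep numeric fields such as TTLs exact on re-encode
	if err := dec.Decode(&resp); err != nil {
		return nil, err // fail closed: never forward a body we could not inspect
	}
	if m, ok := resp[section].(map[string]interface{}); ok {
		for _, k := range []string{tokenKey, "accessor"} {
			if _, present := m[k]; present {
				m[k] = "" // empty string, matching the behaviour the PR describes
			}
		}
	}
	return json.Marshal(resp)
}

func main() {
	// Constructed sample response, not captured from a real Vault server.
	body := []byte(`{"auth":{"client_token":"s.constructed","accessor":"acc.constructed","lease_duration":3600}}`)
	out, err := redactAutoAuth("/v1/auth/token/renew-self", "s.constructed", "s.constructed", body)
	fmt.Println(string(out), err)
}
```

A regression test for this kind of fix should cover all four endpoints, since the original redaction handled the lookup paths and missed the renew paths.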


hashicorp-cla commented May 12, 2022

CLA assistant check
All committers have signed the CLA.

@swenson swenson force-pushed the backport/VAULT-5935-redact-renew-self/vaguely-quality-skunk branch from fbc10cf to c9de4ef Compare May 12, 2022 16:31
@swenson swenson force-pushed the backport/VAULT-5935-redact-renew-self/vaguely-quality-skunk branch from c9de4ef to b1cdf3a Compare May 12, 2022 16:32
@swenson swenson merged commit 91489d5 into release/1.9.x May 12, 2022
@swenson swenson deleted the backport/VAULT-5935-redact-renew-self/vaguely-quality-skunk branch May 12, 2022 17:05