New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Warn instead of returning error when missing intermediate mount tune permissions #15035
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
connect/ca: Log a warning message instead of erroring when attempting to update the intermediate pki mount when using the Vault provider. | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,13 +20,29 @@ import ( | |
) | ||
|
||
const pkiTestPolicy = ` | ||
path "sys/mounts/*" | ||
path "sys/mounts" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
capabilities = ["read"] | ||
} | ||
path "sys/mounts/pki-root" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
} | ||
path "sys/mounts/pki-intermediate" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
} | ||
path "sys/mounts/pki-intermediate/tune" | ||
{ | ||
capabilities = ["update"] | ||
} | ||
path "pki-root/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
} | ||
path "pki-intermediate/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list", "sudo"] | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
}` | ||
|
||
func TestVaultCAProvider_ParseVaultCAConfig(t *testing.T) { | ||
|
@@ -794,6 +810,98 @@ func TestVaultProvider_RotateAuthMethodToken(t *testing.T) { | |
}, 10*time.Second, 100*time.Millisecond) | ||
} | ||
|
||
func TestVaultProvider_ReconfigureIntermediateTTL(t *testing.T) { | ||
SkipIfVaultNotPresent(t) | ||
|
||
// Set up a standard policy without any sys/mounts/pki-intermediate/tune permissions. | ||
policy := ` | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @kyhavlov : Should we modify the other tests in here to use the minimal, recommended permissions (demonstrated in this test) rather than the maximal (not recommended) permissions currently used for most of the tests? That would help us catch similar issues in the future, if the Vault CA provider code is modified to require access to a new endpoint (that needs new permissions). Without that change to the test permissions, it's easy for an issue like this one to recur. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @kyhavlov : Should the read permissions on the There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Good call - none of the other tests need it yet, but it could be relevant in future tests. |
||
path "sys/mounts" | ||
{ | ||
capabilities = ["read"] | ||
} | ||
path "sys/mounts/pki-root" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
} | ||
path "sys/mounts/pki-intermediate" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
} | ||
path "pki-root/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
} | ||
path "pki-intermediate/*" | ||
{ | ||
capabilities = ["create", "read", "update", "delete", "list"] | ||
}` | ||
testVault := NewTestVaultServer(t) | ||
|
||
err := testVault.Client().Sys().PutPolicy("pki", policy) | ||
require.NoError(t, err) | ||
|
||
tcr := &vaultapi.TokenCreateRequest{ | ||
Policies: []string{"pki"}, | ||
} | ||
secret, err := testVault.client.Auth().Token().Create(tcr) | ||
require.NoError(t, err) | ||
providerToken := secret.Auth.ClientToken | ||
|
||
makeProviderConfWithTTL := func(ttl string) ProviderConfig { | ||
conf := map[string]interface{}{ | ||
"Address": testVault.Addr, | ||
"RootPKIPath": "pki-root/", | ||
"IntermediatePKIPath": "pki-intermediate/", | ||
"Token": providerToken, | ||
"IntermediateCertTTL": ttl, | ||
} | ||
cfg := ProviderConfig{ | ||
ClusterID: connect.TestClusterID, | ||
Datacenter: "dc1", | ||
IsPrimary: true, | ||
RawConfig: conf, | ||
} | ||
return cfg | ||
} | ||
|
||
provider := NewVaultProvider(hclog.New(nil)) | ||
|
||
// Set up the initial provider config | ||
t.Cleanup(provider.Stop) | ||
err = provider.Configure(makeProviderConfWithTTL("222h")) | ||
require.NoError(t, err) | ||
_, err = provider.GenerateRoot() | ||
require.NoError(t, err) | ||
_, err = provider.GenerateIntermediate() | ||
require.NoError(t, err) | ||
|
||
// Attempt to update the ttl without permissions for the tune endpoint - shouldn't | ||
// return an error. | ||
err = provider.Configure(makeProviderConfWithTTL("333h")) | ||
require.NoError(t, err) | ||
|
||
// Intermediate TTL shouldn't have changed | ||
mountConfig, err := testVault.Client().Sys().MountConfig("pki-intermediate") | ||
require.NoError(t, err) | ||
require.Equal(t, 222*3600, mountConfig.MaxLeaseTTL) | ||
|
||
// Update the policy and verify we can reconfigure the TTL properly. | ||
policy += ` | ||
path "sys/mounts/pki-intermediate/tune" | ||
{ | ||
capabilities = ["update"] | ||
}` | ||
err = testVault.Client().Sys().PutPolicy("pki", policy) | ||
require.NoError(t, err) | ||
|
||
err = provider.Configure(makeProviderConfWithTTL("333h")) | ||
require.NoError(t, err) | ||
|
||
mountConfig, err = testVault.Client().Sys().MountConfig("pki-intermediate") | ||
require.NoError(t, err) | ||
require.Equal(t, 333*3600, mountConfig.MaxLeaseTTL) | ||
} | ||
|
||
func getIntermediateCertTTL(t *testing.T, caConf *structs.CAConfiguration) time.Duration { | ||
t.Helper() | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@kyhavlov : Does
err
here contain any messaging explaining that the problem is that the read capability in Vault is missing on the path?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes - if it's due to permission denied, it'll have that in the error message as well as the endpoint it was trying to access (
../tune
in this case)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The log message looks like this: