
Vault responds with a 500 status code after receiving a 4xx during GitHub authentication #18579

Open
tijmendj opened this issue Jan 2, 2023 · 6 comments

Comments


tijmendj commented Jan 2, 2023

Describe the bug
When using Vault with GitHub authentication, invalid/expired/missing personal access tokens will result in Vault responding with a 500 status code. This is despite the response body (presumably forwarded from GitHub) containing a 4xx status code.

This behavior was originally found in a production Vault, but can be reproduced with a local development Vault. All steps and configuration refer to the latter for ease of reproduction.

Error 1, when the GITHUB_TOKEN is not set:

< HTTP/1.1 500 Internal Server Error
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Mon, 02 Jan 2023 14:01:43 GMT
< Content-Length: 79
< 
{"errors":["GET https://api.github.com/user: 401 Requires authentication []"]}
* Connection #0 to host localhost left intact

Error 2, when the GITHUB_TOKEN is incorrect:

< HTTP/1.1 500 Internal Server Error
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Date: Mon, 02 Jan 2023 14:04:37 GMT
< Content-Length: 71
< 
{"errors":["GET https://api.github.com/user: 401 Bad credentials []"]}
* Connection #0 to host localhost left intact

To Reproduce
Steps to reproduce the behavior:

  1. vault server -dev
  2. vault auth enable github
  3. vault write auth/github/config organization=ORGANIZATION
  4. curl -v --request POST --data "{\"token\": \"$GITHUB_TOKEN\"}" localhost:8200/v1/auth/github/login
  5. See Error 1
  6. Set the GITHUB_TOKEN environment variable to any value that's not the empty string or the actual PAT
  7. See Error 2

Expected behavior

Vault would return a 401 status code in the above responses rather than 500

Environment:

  • Vault Server Version (retrieve with vault status): 1.13.0-dev1 (originally found on 1.8.3)
  • Vault CLI Version (retrieve with vault version): Vault v1.13.0-dev1 ('159b60a181bae2d54c666ad09ca607988e4bf5c5'), built 2022-12-23T17:14:41Z
  • Server Operating System/Architecture: Linux, Ubuntu 22.04, x86-64

Vault server configuration file(s):

None, clean install

Additional context

None so far
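As an added example (not Vault's code and not from the reporter), the mapping the report asks for, written in Go: an upstream 401 or 403 from the GitHub API becomes a matching 4xx for the login caller, while network failures, GitHub 5xx and unexpected errors stay a 500. UpstreamError is a constructed stand-in for the client library's error type (go-github's ErrorResponse carries a status the same way), and the returned messages are generic so the upstream request URL and body are not echoed back to an unauthenticated client.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// UpstreamError is a constructed stand-in for the error a client library
// returns on a non-2xx answer (go-github's ErrorResponse carries the same).
type UpstreamError struct {
	StatusCode int
	Message    string
}

func (e *UpstreamError) Error() string {
	return fmt.Sprintf("upstream responded %d: %s", e.StatusCode, e.Message)
}

// ClassifyUpstreamError picks the status and message the login endpoint should
// send for a failed GitHub API call. errors.As sees through fmt.Errorf("%w")
// wrapping. Only 401/403 mean the caller presented a bad token, so only those
// become a 4xx; network errors, GitHub 5xx and anything unexpected stay a 500,
// keeping an outage distinguishable from a flood of bad logins. The message is
// generic: the raw error (upstream URL and body) belongs in server logs only.
func ClassifyUpstreamError(err error) (status int, msg string) {
	var ue *UpstreamError
	if !errors.As(err, &ue) {
		return http.StatusInternalServerError, "error contacting identity provider"
	}
	switch ue.StatusCode {
	case http.StatusUnauthorized:
		return http.StatusUnauthorized, "invalid or expired GitHub token"
	case http.StatusForbidden:
		return http.StatusForbidden, "GitHub token is not permitted to read the user"
	default:
		return http.StatusInternalServerError, "identity provider request failed"
	}
}

func main() {
	// Constructed errors mirroring the report's two cases, one wrapped as a caller would.
	missing := fmt.Errorf("GET https://api.github.com/user: %w",
		&UpstreamError{StatusCode: 401, Message: "Requires authentication"})
	wrong := &UpstreamError{StatusCode: 401, Message: "Bad credentials"}
	for _, err := range []error{missing, wrong, errors.New("dial tcp: connection refused")} {
		code, msg := ClassifyUpstreamError(err)
		fmt.Printf("%d %s  (logged: %v)\n", code, msg, err)
	}
}
```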


aitumik commented Jan 8, 2023

@mladlow @tijmendj @hsimon-hashicorp Can I work on this one?

tijmendj (Author) commented:

@aitumik Fine by me, I think that if you create a PR someone from Hashicorp will be asked to review.

mhdiiilham commented:

Hi @aitumik, are you already working on this one, or can I work on it?


aitumik commented Feb 11, 2023

@mhdiiilham No, I am not currently working on it; you can work on it.


Glyphack commented Mar 6, 2023

Hi, I wanted to check if this is still relevant to pick up but this seems resolved.

curl -v --request POST --data "{\"token\": \"$GITHUB_TOKEN\"}" localhost:8200/v1/auth/github/login
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:8200...
* Connected to localhost (127.0.0.1) port 8200 (#0)
> POST /v1/auth/github/login HTTP/1.1
> Host: localhost:8200
> User-Agent: curl/7.86.0
> Accept: */*
> Content-Length: 13
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Length: 33
<
{"errors":["permission denied"]}
* Connection #0 to host localhost left intact
curl -v --request POST --data "{\"token\": \"111\"}" localhost:8200/v1/auth/github/login
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:8200...
* Connected to localhost (127.0.0.1) port 8200 (#0)
> POST /v1/auth/github/login HTTP/1.1
> Host: localhost:8200
> User-Agent: curl/7.86.0
> Accept: */*
> Content-Length: 16
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< Cache-Control: no-store
< Content-Type: application/json
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< Content-Length: 33
<
{"errors":["permission denied"]}


tijmendj commented Mar 7, 2023

@Glyphack I just tried my steps on the latest build of Vault and I still get the same results as in my initial report. What steps did you take? I get a similar permission denied message if I don't vault auth enable github. Is the organization you entered a valid GitHub organization?
