Avoid invoking token helper on login #23209
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`vault login` used to call the token helper in `get` mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact, `vault login` would erase the token on the client later on. Calling the token helper in `get` mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet. This fixes #23194.
|
|
|
HI @ruuda, thank you so much for this PR! In fact, we actually require the client to set the token (and therefore pull the token value using the token helper). The reason is that in case the authentication type is "token" (https://github.com/hashicorp/vault/blob/main/command/login.go#L170), we need the token value to be set. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes #23194.
Problem
vault loginused to call the token helper ingetmode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact,vault loginwould erase the token on the client later on.Calling the token helper in
getmode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet.The call to
Getoriginates here, in the construction of the http client:vault/command/base.go
Line 145 in 6ef2a60
That is being called from here:
vault/command/login.go
Line 215 in 6ef2a60
Solution
Split
Clientinto two parts: aClientWithoutTokenthat does most of whatClientdid previously, except for setting a token. AndClientthat also sets the token. This does change when the token gets set on the client for calls toClient, but as far as I can tell, the remainder of the formerClient, nowClientWithTokenmethod does not rely on the token being set.For all existing code except
login,Clientstill behaves the way it did and nothing changes. Forloginin particular, we can now callClientWithoutToken. This ensures that the token helper does not get called when the http client is initialized. The token helper still gets called to store the token later.Open questions, testing
There is still this snippet that happens after constructing the client:
vault/command/login.go
Lines 221 to 225 in 6ef2a60
I think this is now useless, the client will not have a token anyway so we don’t need to reset it. But it makes me wonder — if
authMethod == "token", does my change break anything?Also, I am not sure what the best way is to test this, if somebody can point me in the right direction, I would appreciate.