Avoid invoking token helper on login #23209
Closed
This fixes #23194.
Problem
vault login used to call the token helper in get mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact, vault login would erase the token on the client later on.
Calling the token helper in get mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet.
The call to Get originates here, in the construction of the http client:
vault/command/base.go
Line 145 in 6ef2a60
That is being called from here:
vault/command/login.go
Line 215 in 6ef2a60
Solution
Split Client into two parts: a ClientWithoutToken that does most of what Client did previously, except for setting a token. And Client that also sets the token. This does change when the token gets set on the client for calls to Client, but as far as I can tell, the remainder of the former Client, now ClientWithToken method does not rely on the token being set.
For all existing code except login, Client still behaves the way it did and nothing changes. For login in particular, we can now call ClientWithoutToken. This ensures that the token helper does not get called when the http client is initialized. The token helper still gets called to store the token later.
Open questions, testing
There is still this snippet that happens after constructing the client:
vault/command/login.go
Lines 221 to 225 in 6ef2a60
I think this is now useless, the client will not have a token anyway so we don’t need to reset it. But it makes me wonder — if authMethod == "token", does my change break anything?
Also, I am not sure what the best way is to test this, if somebody can point me in the right direction, I would appreciate it.
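The failure mode and the split described above, reduced to a runnable Go sketch that also shows one way to exercise it with a token helper that fails in get mode. This is an added example, not code from the pull request or from Vault: TokenHelper, failingHelper, APIClient, BaseCommand and Login are hypothetical stand-ins, and the authentication step is stubbed with a constructed token.

```go
package main

import "fmt"

// TokenHelper is a simplified stand-in for a token helper (assumed shape).
type TokenHelper interface {
	Get() (string, error)
	Store(token string) error
}

// failingHelper models a helper whose get mode errors until a token is stored.
type failingHelper struct{ token string }

func (h *failingHelper) Store(t string) error { h.token = t; return nil }
func (h *failingHelper) Get() (string, error) {
	if h.token == "" {
		return "", fmt.Errorf("token helper: nothing stored yet")
	}
	return h.token, nil
}

// APIClient and BaseCommand are hypothetical reductions of the real types.
type APIClient struct{ token string }
type BaseCommand struct{ helper TokenHelper }

// ClientWithoutToken builds the client without touching the token helper.
func (c *BaseCommand) ClientWithoutToken() (*APIClient, error) { return &APIClient{}, nil }
// Client builds the client, then loads the token from the helper (get mode).
func (c *BaseCommand) Client() (*APIClient, error) {
	cl, err := c.ClientWithoutToken()
	if err != nil {
		return nil, err
	}
	if cl.token, err = c.helper.Get(); err != nil {
		return nil, fmt.Errorf("token helper get failed: %w", err)
	}
	return cl, nil
}

// Login builds a client via build, then stores a constructed token (auth is stubbed).
func Login(build func() (*APIClient, error), h TokenHelper) error {
	if _, err := build(); err != nil {
		return err // login blocked before any authentication happens
	}
	return h.Store("constructed-example-token")
}

func main() {
	cmd := &BaseCommand{helper: &failingHelper{}}
	fmt.Println(Login(cmd.Client, cmd.helper), Login(cmd.ClientWithoutToken, cmd.helper))
}
```

With an empty helper, the login built on Client returns the helper's error, while the login built on ClientWithoutToken succeeds and later calls to Client pick up the stored token.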