`bao login` calls the token helper with `get` and expects that to succeed #312

ruuda · 2024-04-29T15:25:09Z

Describe the bug

When I run bao login, and a token helper is configured, Bao will call the token helper with get. This get might fail, the token helper might not have a token. The reason for running bao login in the first place, is to obtain a token and store it using the token helper. But even if the token helper has no token yet, Bao forces it to exit with exit code 0. If it exits with a nonzero exit code, then bao login fails, and we never get to the store step.

We can of course make the token helper exit with exit code 0, but then if you run e.g. bao kv get, and the token helper has no token, then the token helper no longer has the ability to make the kv get fail. Instead the kv get will fail with a misleading “permission denied” error. Permission is denied, because no X-Vault-Token was included in the request. Bao did not include a token, because the token helper did not return 1 but signalled success either way.

To Reproduce
Steps to reproduce the behavior:

Configure a token helper in ~/.bao by putting e.g. token_helper = "/tmp/token_helper.sh" there.
In that file, put the following and make the file executable:
```
#!/usr/bin/bash
echo "$@" >&2
exit 1
```
Run bao login.
Observe how the script got called with get.
Observe how returning 1 from that get prevented bao login from doing any login.

Expected behavior
I would expect bao login to not call the token helper with get. It should only call the token helper with store.

Once bao login does not call the token helper with get, it becomes possible to return 1 when a get lookup fails (because the token does not exist), and that enables the token helper to print a helpful error message in that case, instead of leaving the user with a misleading permission denied error.

Environment:

OpenBao Server Version (retrieve with bao status): irrelevant, we don’t even get tot he point where bao talks to a server
OpenBao CLI Version (retrieve with bao version): OpenBao v2.0.0-alpha20240329 ('74c2dddb0612b9a3da79384c20638266aa7de407'), built 2024-04-26T10:19:19Z
Server Operating System/Architecture: Linux 6.8.7 / x86-64

OpenBao server configuration file(s): irrelevant

Additional context

This bug report is an adaptation of hashicorp/vault#23194.

The text was updated successfully, but these errors were encountered:

`vault login` used to call the token helper in `get` mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact, `vault login` would erase the token on the client later on. Calling the token helper in `get` mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet. This fixes openbao#312. Signed-off-by: Ruud van Asseldonk <ruud@chorus.one>

`bao login` used to call the token helper in `get` mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact, `bao login` would erase the token on the client later on. Calling the token helper in `get` mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet. This fixes openbao#312. Signed-off-by: Ruud van Asseldonk <ruud@chorus.one>

`bao login` used to call the token helper in `get` mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact, `bao login` would erase the token on the client later on. Calling the token helper in `get` mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet. This fixes #312. Signed-off-by: Ruud van Asseldonk <ruud@chorus.one>

ruuda added the bug Something isn't working label Apr 29, 2024

ruuda mentioned this issue Apr 29, 2024

Avoid invoking token helper on login #313

Merged

naphelps closed this as completed in #313 May 3, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`bao login` calls the token helper with `get` and expects that to succeed #312

`bao login` calls the token helper with `get` and expects that to succeed #312

ruuda commented Apr 29, 2024

bao login calls the token helper with get and expects that to succeed #312

bao login calls the token helper with get and expects that to succeed #312

Comments

ruuda commented Apr 29, 2024

`bao login` calls the token helper with `get` and expects that to succeed #312

`bao login` calls the token helper with `get` and expects that to succeed #312