-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid invoking token helper on login #313
Conversation
Signed-off-by: Ruud van Asseldonk <ruud@chorus.one>
@ruuda in this case, since it was your own PR that you own the rights to, it is fine. In general, taking PRs from upstream from others isn't accepted. :-) I'll have to take a closer look at this, but did you happen to handle @divyaac's comment? At first glance it looks valid; a token helper could be used in conjunction with |
@@ -216,7 +216,7 @@ func (c *LoginCommand) Run(args []string) int { | |||
} | |||
|
|||
// Create the client | |||
client, err := c.Client() | |||
client, err := c.ClientWithoutToken() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In particular, down below where token
is cleared when the authMethod != "token"
, I'd add an else condition to re-trigger the helper logic on (new) lines 187...197 above in command/base.go
.
Other than that, LGTM!
I don’t think I understand what is going on with
So I see three approaches:
Does any of this make sense, or am I misunderstanding something? |
\o Hello @ruuda,
I might be missing something, but in approach 2, why do you think:
is bad? This roughly aligned with my understanding, I think? A user want to log in ( Aha, so my line numbers are not greedy enough. Let's expand it to something like (the full existing behavior): } else { // authMethod == "token"
token := client.Token() // get from env
if token == "" {
// invoke token helper and err if necessary
}
client.SetToken(token) // set token
} Thoughts? I think you are broadly right though, if you knew ahead of time that you were going to auth with token auth, its a rather useless method in the general case and could probably just drop the call to |
Yes it does make sense to me now! I was confused about the order of things, if you provide a token in the environment or on the command line, but the token helper doesn’t have it yet, then we should not check the token helper, and the login should succeed. I’ll update the PR accordingly. |
I’m testing this further, and the current behavior of If we make I think it is probably best not to change that behavior? I will make the case where the token is provided as a CLI arg store it in the token helper then, but not change how it works without additional args. @cipherboy what do you think? Edit: Ah but that behavior, to make |
Huh, TIL! Then I guess we're good. Thank you @ruuda! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
`bao login` used to call the token helper in `get` mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact, `bao login` would erase the token on the client later on. Calling the token helper in `get` mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet. This fixes openbao#312. Signed-off-by: Ruud van Asseldonk <ruud@chorus.one>
Signed-off-by: Ruud van Asseldonk <ruud@chorus.one>
Resolves #312.
Problem
bao login
used to call the token helper inget
mode, because it constructs an HTTP client, and the client automatically loads the token. For almost everything that is the right thing to do, but for login, that is the thing that is supposed to retrieve the token, and login itself does not require the token. In fact,vault login
would erase the token on the client later on.Calling the token helper in
get
mode is a problem, because if the token helper fails, that blocks the login. But the token helper might fail because it doesn't have a token yet.The call to
Get
originates here, in the construction of the http client:openbao/command/base.go
Line 145 in 6ef2a60
That is being called from here:
openbao/command/login.go
Line 215 in 6ef2a60
Solution
Split
Client
into two parts: aClientWithoutToken
that does most of whatClient
did previously, except for setting a token. AndClient
that also sets the token. This does change when the token gets set on the client for calls toClient
, but as far as I can tell, the remainder of the formerClient
, nowClientWithToken
method does not rely on the token being set.For all existing code except
login
,Client
still behaves the way it did and nothing changes. Forlogin
in particular, we can now callClientWithoutToken
. This ensures that the token helper does not get called when the http client is initialized. The token helper still gets called to store the token later.Open questions, testing
There is still this snippet that happens after constructing the client:
openbao/command/login.go
Lines 221 to 225 in 6ef2a60
I think this is now useless, the client will not have a token anyway so we don’t need to reset it. But it makes me wonder — if
authMethod == "token"
, does my change break anything?Also, I am not sure what the best way is to add tests for this, if somebody can point me in the right direction, I would appreciate.
Note about Source-Available License Policy
I adapted this patch from one I originally submitted to Hashicorp Vault in hashicorp/vault#23209. However, the change was not accepted there and never included into a Hashicorp release, so I think it’s fine to submit it here?
The pull request was closed there with a message that’s unclear to me, but given that it took more than half a year and me posting and asking in multiple places before a person even looked at it, I don’t have high hopes for getting a clarification there. I hope OpenBao is more open to community contributions. If the approach in this pull request is not the right one, I’m happy to change it if somebody can explain what the correct approach would be.
Target Release
No particular target, by default this was pre-filled to 1.14.7.