Fix panic when role names had a slash in them #112
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'm happy to add some tests for any parts of this that look reasonable but I figured it was better to see if it was even the right approach before spending that time. |
|
Closing in favor of #115 Thanks @raskchanky ! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
This fixes a bug where static roles that have slashes in the name will cause Vault to panic when it starts up.
The reproduction steps in the linked issue are solid, whether you use podman or not, and reliably reproduce the problem. The panic comes from the fact that the role name has a slash in it,
dir1/user1in the linked issue. This causes a problem because when Vault restarts, and initializes this plugin, the plugin populates a rotation queue but it only uses the first part of the role name,dir1/in this case. That causes a nil entry to get retrieved from storage, and hence the panic. The sequence of events looks like this:The problem is that on line 45, from step 6,
roleslooks like this:[]string{"dir1/"}when it should look like[]string{"dir1/user1"}. This is due to the mechanics of how Vault'sList()storage call works.The net effect of having a truncated entry in the
rolesslice is that this line ends up retrieving anilvalue forrolebecauseb.staticRole()returnsnil, nilwhen something isn't found instead of returning an error. The actual panic occurs here.I can't imagine that we're going to change the semantics of how
List()works, as that would break literally everything, so my instinct here was to 1) not allow role names with slashes in them and 2) if the role is nil, add a warning to the log and skip it.But, I'm not on the ecosystem team and I don't know a lot about LDAP 😅 so it's entirely possible this is a terrible solution! @davidadeleon mentioned on Slack that hierarchical static roles are a thing, so maybe given that, this is a bad fix. Maybe it's enough to just skip nil role names and warn, but still let people create static roles with slashes in the name? But then those static roles with slashes in the name will never have automatic credential rotation. So yeah, I'm not sure what the right answer here is. But I figured it was worth putting this PR up anyway and maybe saving someone some investigation time. Feel free to close completely if I'm way off base with this.
Related Issues/Pull Requests
Contributor Checklist