scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 02:57:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

backport of commit 80e1912adb (#23425)

Browse Source 
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
This commit is contained in:
hc-github-team-secure-vault-core
2023-09-29 22:52:53 -04:00
committed by GitHub
parent 76c683e038
commit cb73fb69cd
7 changed files with 93 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
builtin/credential/aws/backend_test.go
View File

@@ -1504,7 +1504,7 @@ func buildCallerIdentityLoginData(request *http.Request, roleName string) (map[s
"iam_request_url": base64.StdEncoding.EncodeToString([]byte(request.URL.String())), "iam_request_url": base64.StdEncoding.EncodeToString([]byte(request.URL.String())),
"iam_request_headers": base64.StdEncoding.EncodeToString(headersJson), "iam_request_headers": base64.StdEncoding.EncodeToString(headersJson),
"iam_request_body": base64.StdEncoding.EncodeToString(requestBody), "iam_request_body": base64.StdEncoding.EncodeToString(requestBody),
"request_role": roleName, "role": roleName,
}, nil }, nil
} }

32
builtin/credential/aws/path_login.go
View File

@@ -292,7 +292,7 @@ func (b *backend) pathLoginIamGetRoleNameCallerIdAndEntity(ctx context.Context,
config, err := b.lockedClientConfigEntry(ctx, req.Storage) config, err := b.lockedClientConfigEntry(ctx, req.Storage)
if err != nil { if err != nil {
return "", nil, nil, logical.ErrorResponse("error getting configuration"), nil return "", nil, nil, nil, fmt.Errorf("error getting configuration: %w", err)
} }
endpoint := "https://sts.amazonaws.com" endpoint := "https://sts.amazonaws.com"
@@ -319,23 +319,23 @@ func (b *backend) pathLoginIamGetRoleNameCallerIdAndEntity(ctx context.Context,
if config.MaxRetries >= 0 { if config.MaxRetries >= 0 {
maxRetries = config.MaxRetries maxRetries = config.MaxRetries
} }
}
// Extract and use a regional STS endpoint // Extract and use a regional STS endpoint
// based on the region set in the Authorization header. // based on the region set in the Authorization header.
if config.UseSTSRegionFromClient { if config.UseSTSRegionFromClient {
clientSpecifiedRegion, err := awsRegionFromHeader(headers.Get("Authorization")) clientSpecifiedRegion, err := awsRegionFromHeader(headers.Get("Authorization"))
if err != nil { if err != nil {
return "", nil, nil, logical.ErrorResponse("region missing from Authorization header"), nil return "", nil, nil, logical.ErrorResponse("region missing from Authorization header"), nil
}
url, err := stsRegionalEndpoint(clientSpecifiedRegion)
if err != nil {
return "", nil, nil, logical.ErrorResponse(err.Error()), nil
}
b.Logger().Debug("use_sts_region_from_client set; using region specified from header", "region", clientSpecifiedRegion)
endpoint = url
} }
url, err := stsRegionalEndpoint(clientSpecifiedRegion)
if err != nil {
return "", nil, nil, logical.ErrorResponse(err.Error()), nil
}
b.Logger().Debug("use_sts_region_from_client set; using region specified from header", "region", clientSpecifiedRegion)
endpoint = url
} }
b.Logger().Debug("submitting caller identity request", "endpoint", endpoint) b.Logger().Debug("submitting caller identity request", "endpoint", endpoint)

50
builtin/credential/aws/path_login_test.go
View File

@@ -308,6 +308,56 @@ func TestBackend_validateVaultPostRequestValues(t *testing.T) {
} }
} }
// TestBackend_pathLogin_NoClientConfig covers logging in via IAM auth when the
// client config does not exist. This is a regression test to cover potential
// panics when referencing the potentially-nil config in the login handler. For
// details see https://github.com/hashicorp/vault/issues/23361.
func TestBackend_pathLogin_NoClientConfig(t *testing.T) {
storage := new(logical.InmemStorage)
config := logical.TestBackendConfig()
config.StorageView = storage
b, err := Backend(config)
if err != nil {
t.Fatal(err)
}
err = b.Setup(context.Background(), config)
if err != nil {
t.Fatal(err)
}
// Intentionally left out the client configuration
roleEntry := &awsRoleEntry{
RoleID: "foo",
Version: currentRoleStorageVersion,
AuthType: iamAuthType,
}
err = b.setRole(context.Background(), storage, testValidRoleName, roleEntry)
if err != nil {
t.Fatal(err)
}
loginData, err := defaultLoginData()
if err != nil {
t.Fatal(err)
}
loginRequest := &logical.Request{
Operation: logical.UpdateOperation,
Path: "login",
Storage: storage,
Data: loginData,
Connection: &logical.Connection{},
}
resp, err := b.HandleRequest(context.Background(), loginRequest)
if err != nil {
t.Fatalf("expected nil error, got: %v", err)
}
if !resp.IsError() {
t.Fatalf("expected error response, got: %+v", resp)
}
}
// TestBackend_pathLogin_IAMHeaders tests login with iam_request_headers, // TestBackend_pathLogin_IAMHeaders tests login with iam_request_headers,
// supporting both base64 encoded string and JSON headers // supporting both base64 encoded string and JSON headers
func TestBackend_pathLogin_IAMHeaders(t *testing.T) { func TestBackend_pathLogin_IAMHeaders(t *testing.T) {

3
changelog/23366.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
auth/aws: Fixes a panic that can occur in IAM-based login when a [client config](https://developer.hashicorp.com/vault/api-docs/auth/aws#configure-client) does not exist.
```

5
website/content/docs/release-notes/1.15.0.mdx
View File

@@ -16,6 +16,7 @@ description: |-
Version | Issue Version | Issue
------- | ----- ------- | -----
1.15.0+ | [Vault no longer reports rollback metrics by mountpoint](/vault/docs/upgrading/upgrade-to-1.15.x#rollback-metrics) 1.15.0+ | [Vault no longer reports rollback metrics by mountpoint](/vault/docs/upgrading/upgrade-to-1.15.x#rollback-metrics)
1.15.0 | [Panic in AWS auth method during IAM-based login](/vault/docs/upgrading/upgrade-to-1.15.x#panic-in-aws-auth-method-during-iam-based-login)
## Vault companion updates ## Vault companion updates
@@ -59,7 +60,7 @@ Follow the learn more links for more information, or browse the list of
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<td rowSpan={2} style={{verticalAlign: 'middle'}}> <td rowSpan={2} style={{verticalAlign: 'middle'}}>
Vault Agent Vault Agent
@@ -76,7 +77,7 @@ Follow the learn more links for more information, or browse the list of
<tr> <tr>
<td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td> <td style={{verticalAlign: 'middle', textAlign: 'center'}}>GA</td>
<td style={{verticalAlign: 'middle'}}> <td style={{verticalAlign: 'middle'}}>
Fetch secrets directly into your application as environment variables. Fetch secrets directly into your application as environment variables.
<br /><br /> <br /><br />
Learn more: <a href="/vault/docs/agent-and-proxy/agent/process-supervisor">Process Supervisor Mode</a> Learn more: <a href="/vault/docs/agent-and-proxy/agent/process-supervisor">Process Supervisor Mode</a>
</td> </td>

2
website/content/docs/upgrading/upgrade-to-1.15.x.mdx
View File

@@ -50,3 +50,5 @@ option.
@include 'known-issues/transit-managed-keys-panics.mdx' @include 'known-issues/transit-managed-keys-panics.mdx'
@include 'known-issues/transit-managed-keys-sign-fails.mdx' @include 'known-issues/transit-managed-keys-sign-fails.mdx'
@include 'known-issues/aws-auth-panics.mdx'

18
website/content/partials/known-issues/aws-auth-panics.mdx Normal file
View File

@@ -0,0 +1,18 @@
### Panic in AWS auth method during IAM-based login
#### Affected versions
- 1.15.0
#### Issue
A panic can occur in the AWS auth method during [IAM-based](/vault/docs/auth/aws#iam-auth-method)
login when a [client config](/vault/api-docs/auth/aws#configure-client) does not exist.
#### Workaround
The panic can be avoided by writing an empty [client config](/vault/api-docs/auth/aws#configure-client):
```shell-session
vault write -f auth/aws/config/client
```