safe local --memory - Unable to generate a new root token: token length / one-time password length mismatch (24/16) #171

Closed
igas opened this issue Oct 23, 2018 · 6 comments · Fixed by #175

@igas

igas commented Oct 23, 2018

Hi!

I get Unable to generate a new root token: token length / one-time password length mismatch (24/16) when I run safe local --memory.

$ vault version
Vault v0.11.3 ('fb601237bfbe4bc16ff679f642248ee8a86e627b')
$ safe version
safe v0.9.7
$ DEBUG=1 safe local --memory
Request:
PUT /v1/sys/init HTTP/1.1
Host: 127.0.0.1:8201

{"secret_shares":1,"secret_threshold":1,"root_token_pgp_key":"","pgp_keys":null}

Response:
HTTP/1.1 200 OK
Content-Length: 181
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 23 Oct 2018 03:38:08 GMT

{"keys":["a33a85586f4b9248678620ff9d24cdd1e32b47d9aea543ac2c0b10eece06255c"],"keys_base64":["ozqFWG9LkkhnhiD/nSTN0eMrR9mupUOsLAsQ7s4GJVw="],"root_token":"I4hAx9hDXodrHN9QUXVjXsjL"}

Request:
PUT /v1/sys/unseal HTTP/1.1
Host: 127.0.0.1:8201

{"reset":true}

Response:
HTTP/1.1 200 OK
Content-Length: 128
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 23 Oct 2018 03:38:08 GMT

{"type":"shamir","initialized":true,"sealed":true,"t":1,"n":1,"progress":0,"nonce":"","version":"0.11.3","recovery_seal":false}

Request:
PUT /v1/sys/unseal HTTP/1.1
Host: 127.0.0.1:8201

{"key":"a33a85586f4b9248678620ff9d24cdd1e32b47d9aea543ac2c0b10eece06255c"}

Response:
HTTP/1.1 200 OK
Content-Length: 221
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 23 Oct 2018 03:38:08 GMT

{"type":"shamir","initialized":true,"sealed":false,"t":1,"n":1,"progress":0,"nonce":"","version":"0.11.3","cluster_name":"vault-cluster-cadbaa49","cluster_id":"05b93169-1110-5118-e366-6d1698bb4068","recovery_seal":false}

Request:
DELETE /v1/sys/generate-root/attempt HTTP/1.1
Host: 127.0.0.1:8201


Response:
HTTP/1.1 204 No Content
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 23 Oct 2018 03:38:08 GMT


Request:
PUT /v1/sys/generate-root/attempt HTTP/1.1
Host: 127.0.0.1:8201

{"otp":"+IFfE3CaB4Xwo9Y+o9mUbQ=="}

Response:
HTTP/1.1 200 OK
Content-Length: 196
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 23 Oct 2018 03:38:08 GMT

{"nonce":"5173a8f3-2faf-1055-2cdd-7a30a7f0c2e7","started":true,"progress":0,"required":1,"complete":false,"encoded_token":"","encoded_root_token":"","pgp_fingerprint":"","otp":"","otp_length":24}

Request:
PUT /v1/sys/generate-root/update HTTP/1.1
Host: 127.0.0.1:8201

{"key":"a33a85586f4b9248678620ff9d24cdd1e32b47d9aea543ac2c0b10eece06255c","nonce":"5173a8f3-2faf-1055-2cdd-7a30a7f0c2e7"}

Response:
HTTP/1.1 200 OK
Content-Length: 258
Cache-Control: no-store
Content-Type: application/json
Date: Tue, 23 Oct 2018 03:38:08 GMT

{"nonce":"5173a8f3-2faf-1055-2cdd-7a30a7f0c2e7","started":true,"progress":1,"required":1,"complete":true,"encoded_token":"GQc1CgF9LCkxcGwRIg4AW1ZAHhMvIHFf","encoded_root_token":"GQc1CgF9LCkxcGwRIg4AW1ZAHhMvIHFf","pgp_fingerprint":"","otp":"","otp_length":0}

!! Unable to generate a new root token: token length / one-time password length mismatch (24/16)
shutting down the Vault...
@thomasmitchell
Contributor

Ha. Yeah. I found this in vaultkv and I fixed it there already. Vault changed the way gen root token works. Now they give you a one-time password, as opposed to the user generating it (as it was previously). Except for... if you generate one and provide it, it will take it, even if it's not the correct length (which they changed).

I'll try to bump vaultkv in a release soon.
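
Added example, not part of the thread and not code from safe or vaultkv: a decoder for the generate-root result that honors the `otp_length` field visible in the trace above, alongside the legacy path that produces the reported `(24/16)` mismatch. The function name `decodeRootToken` is hypothetical, and the decoding rule for a non-zero `otp_length` (XOR the decoded token with the OTP's raw characters) is stated here as an assumption about Vault's behaviour, consistent with the 24-character OTP string and 24-byte token in the trace.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Values copied from the debug trace in the issue (throwaway in-memory Vault).
const issueEncoded = "GQc1CgF9LCkxcGwRIg4AW1ZAHhMvIHFf"
const issueOTP = "+IFfE3CaB4Xwo9Y+o9mUbQ=="

// decodeRootToken recovers the root token from a completed generate-root attempt.
// otpLength is the "otp_length" returned when the attempt started (0 if absent).
func decodeRootToken(encoded, otp string, otpLength int) (string, error) {
	tok, err := base64.RawStdEncoding.DecodeString(strings.TrimRight(encoded, "="))
	if err != nil {
		return "", fmt.Errorf("decode encoded token: %w", err)
	}
	pad := []byte(otp) // assumed newer scheme: the OTP's characters are the pad
	if otpLength == 0 {
		// Legacy scheme: the OTP is base64 of 16 random bytes.
		if pad, err = base64.StdEncoding.DecodeString(otp); err != nil {
			return "", fmt.Errorf("decode OTP: %w", err)
		}
	}
	if len(tok) != len(pad) {
		return "", fmt.Errorf("token length / one-time password length mismatch (%d/%d)", len(tok), len(pad))
	}
	for i := range tok {
		tok[i] ^= pad[i]
	}
	if otpLength != 0 {
		return string(tok), nil // newer tokens are plain strings
	}
	if len(tok) != 16 {
		return "", fmt.Errorf("legacy token is %d bytes, want 16", len(tok))
	}
	// Legacy tokens are UUIDs: format the 16 bytes as 8-4-4-4-12 hex.
	return fmt.Sprintf("%x-%x-%x-%x-%x", tok[0:4], tok[4:6], tok[6:8], tok[8:10], tok[10:16]), nil
}

func main() {
	_, err := decodeRootToken(issueEncoded, issueOTP, 0) // what a legacy client does
	fmt.Println("legacy decode:", err)
	tok, err := decodeRootToken(issueEncoded, issueOTP, 24) // honoring otp_length
	fmt.Println("otp_length=24 decode:", len(tok), "chars, err =", err)
}
```

A client that sends its own OTP should still read `otp_length` from the start response and pick the decode path from that value rather than from the OTP it generated.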

@igas
Author

igas commented Dec 5, 2018

Hi @thomasmmitchell,

Could you please take a look at it again as I think it changed again in vault 1.0.0?

Thank you.

@thomasmitchell
Contributor

Why wouldn't I doubt that.... I'll bump the vaultkv tests tomorrow for 1.0.0 and watch with amazement as everything fails.

thomasmitchell reopened this Dec 5, 2018

@thomasmitchell
Contributor

Fixed this in vaultkv. It'll be in the next release.

@igas
Author

igas commented Dec 5, 2018

Thank you @thomasmmitchell!

@thomasmitchell
Contributor

fixed in v1.0.0
