
Error code 500 when looking up bad token #16102

Closed
qlaut opened this issue Jun 22, 2022 · 4 comments · Fixed by #16112
Labels: bug (Used to indicate a potential bug), core/token

Comments


qlaut commented Jun 22, 2022

Describe the bug
When using the lookup endpoint to check a bad service token following the new format introduced in vault 1.10, vault returns an error code 500 due to the server side consistent token check failing. Starting from a valid service token, two different errors happen.
When adding a character to or removing one from the token:
server side consistent token check failed: error occurred when unmarshalling ssc token: proto: cannot parse invalid wire-format data
When replacing characters (thus making the token bad but keeping it the same length):
server side consistent token check failed: token mac for token_version:1 hmac:"\x1e\xbf\x95\xfbuP/\xc8lf*U_\x06\xd4\xcd0\xdc-c\x07\x00\x16\xc4;=\xdbC;\xb6\xf3M" token:"\n\x1chvs.77tWHeLVpiBwPGUByWfGXgXL" is incorrect: err %!w(<nil>)

Removing two characters produces the expected error code 403 with the bad token message.

To Reproduce
Steps to reproduce the behavior:

  1. Start the vault dev server: vault server -dev
  2. Create a new service token with the default policy: vault token create -policy="default"
  3. Use the lookup command with the new service token and its altered versions: vault token lookup <token>

Expected behavior
Always getting error code 403 and the message bad token.

Environment:

  • Vault Server Version (retrieve with vault status): 1.10.4 (found also for 1.10.3, 1.11.0 and the main branch)
  • Vault CLI Version (retrieve with vault version): 1.10.4 (found also for 1.10.3, 1.11.0 and the main branch)
  • Server Operating System/Architecture: Ubuntu 20.04

Vault server configuration file(s):
Using the default configuration of the dev server.
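The check the reporter is hitting (decode the SSC token, verify its MAC, reject on failure), as an added Go example rather than Vault's own code: it stands in a constructed "hvs." + base64(inner || HMAC) layout and a constructed key for Vault's protobuf-encoded token and real SSC key, and shows the error handling the report asks for, where every parse or MAC failure becomes one client-facing bad-token error (a 403) instead of an internal error (a 500). The names mintToken, lookupToken, ErrBadToken and sscKey are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ErrBadToken is the only error lookupToken returns for tampered input; the
// HTTP layer maps this sentinel to 403, so decoder internals never become 500s.
var ErrBadToken = errors.New("bad token")

// Constructed demo key; Vault keeps the real SSC key in barrier storage.
var sscKey = []byte("constructed-demo-key-not-vaults")

// mintToken builds a toy SSC-style token: "hvs." + base64(inner || HMAC(inner)).
// Vault's real token is protobuf-encoded; only the inner-plus-MAC shape is kept.
func mintToken(inner string) string {
	mac := hmac.New(sha256.New, sscKey)
	mac.Write([]byte(inner))
	return "hvs." + base64.RawURLEncoding.EncodeToString(append([]byte(inner), mac.Sum(nil)...))
}

// lookupToken collapses every malformed input (bad prefix, undecodable base64,
// truncated payload, MAC mismatch) into ErrBadToken instead of propagating it.
func lookupToken(tok string) (string, error) {
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(tok, "hvs."))
	if !strings.HasPrefix(tok, "hvs.") || err != nil || len(raw) <= sha256.Size {
		return "", ErrBadToken // the "cannot parse invalid wire-format data" class
	}
	inner, got := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, sscKey)
	mac.Write(inner)
	if !hmac.Equal(got, mac.Sum(nil)) {
		return "", ErrBadToken // the "token mac ... is incorrect" class
	}
	return string(inner), nil
}

func main() {
	good := mintToken("s.constructedInner")
	for _, t := range []string{good + "x", good[:len(good)-1]} { // appended / truncated
		_, err := lookupToken(t)
		fmt.Println(errors.Is(err, ErrBadToken)) // true for both: a 403, not a 500
	}
}
```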

@raskchanky (Contributor)

Hi @qlaut

I'm having trouble reproducing this using Vault built from the main branch.


All of my errors are the 403 one would expect. I'll try with 1.10.x as well.

@raskchanky (Contributor)

I'm also unable to repro using the latest commit from the release/1.10.x release branch. I will attempt to repro using 1.10.3 specifically, as mentioned in your initial bug report.

@raskchanky (Contributor)

I'm able to repro now. I see the error with my earlier attempts.

@boldandbusted

Howdy. I am getting bit by this on Vault 1.10.3. I searched the Changelog, and only 1.11.X (and the unreleased 1.12.0) apparently have the fix applied. Is there a way I can follow these specific PR merges and release for the 1.10.X series? Thanks.
