Segfault on oidc login #6921

Closed
MrBlaise opened this issue Jun 19, 2019 · 7 comments · Fixed by hashicorp/vault-plugin-auth-jwt#55

MrBlaise commented Jun 19, 2019

Describe the bug
When I try to run vault login -method=oidc it gives me the following message:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x1ced39b]

goroutine 1 [running]:
github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt.fetchAuthURL(0xc00023d650, 0x0, 0x0, 0xc000563919, 0x5, 0x3749781, 0x4, 0x385f1f8, 0xc000697a78, 0x1061f9e, ...)
	/gopath/src/github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go:118 +0x30b
github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt.(*CLIHandler).Auth(0x594bfb8, 0xc00023d650, 0xc000657e90, 0x0, 0x0, 0x0)
	/gopath/src/github.com/hashicorp/vault/vendor/github.com/hashicorp/vault-plugin-auth-jwt/cli.go:50 +0x29a
github.com/hashicorp/vault/command.(*LoginCommand).Run(0xc0000d5cc0, 0xc0000a4050, 0x0, 0x0, 0xc00061d0e0)
	/gopath/src/github.com/hashicorp/vault/command/login.go:219 +0x3e3
github.com/hashicorp/vault/vendor/github.com/mitchellh/cli.(*CLI).Run(0xc00025b540, 0xc00025b540, 0xc00061d120, 0xc00061d020)
	/gopath/src/github.com/hashicorp/vault/vendor/github.com/mitchellh/cli/cli.go:255 +0x207
github.com/hashicorp/vault/command.RunCustom(0xc0000a4040, 0x2, 0x2, 0xc0000d5a40, 0x0)
	/gopath/src/github.com/hashicorp/vault/command/main.go:177 +0x5e4
github.com/hashicorp/vault/command.Run(0xc0000a4040, 0x2, 0x2, 0xc000094058)
	/gopath/src/github.com/hashicorp/vault/command/main.go:87 +0x48
main.main()
	/gopath/src/github.com/hashicorp/vault/main.go:10 +0x62

It used to work before. The things I changed: upgraded to 1.1.3 (both server and client), removed custom self-signed cert from the server (and the env variable VAULT_CAPATH) from my local client.

After some tries it starts to work somewhat, it logs me in but fails to print out the credentials I've got. Example:

Complete the login via your OIDC provider. Launching browser to:

    https://redacted/authorize?client_id=redacted&redirect_uri=http%3A%2F%2Flocalhost%3A8250%2Foidc%2Fcallback&response_type=code&scope=openid&state=redacted


Error extracting token: empty response from auth helper

To Reproduce
Steps to reproduce the behavior:

  1. Run vault login -method=oidc
  2. See error

Expected behavior
Should not segfault, log me in, print out the policies etc. I have access to.

Environment:

  • Vault Server Version (retrieve with vault status): 1.1.3
  • Vault CLI Version (retrieve with vault version): 1.1.3
  • Server Operating System/Architecture: MacOS

UPDATE:
In my particular case I have introduced Istio when I upgraded Vault and it caused some RPC calls to fail and that caused the SIGSEGV in the CLI.

@MrBlaise

Tried to downgrade the CLI to 1.1.2 and I've got the same error. Maybe the server version causes this?

kalafut self-assigned this Jun 19, 2019

kalafut commented Jun 19, 2019

While it shouldn't crash and we'll get that fixed, where it is crashing is pretty much the end of the process anyway, and the CLI doesn't have a valid authorization from the Vault server. What do the server logs say when you attempt the login?


MrBlaise commented Jun 19, 2019

I figured it out. I am running Vault on Kubernetes and I also have Istio installed and it caused the issue. The log was the following:

2019-06-19T14:27:35.099Z [ERROR] core: error during forwarded RPC request: error="rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: Error while dialing EOF""
2019-06-19T14:27:35.099Z [ERROR] core: forward request error: error="error during forwarding RPC request"

I am not sure why this was at the moment. Disabling Istio solves it.

UPDATE: I tried re-enabling Istio without mutual TLS but I still have the problem. Seems like I have to somehow tell Istio to ignore these RPC calls probably.


kalafut commented Jun 19, 2019

Glad you're making progress. I have no experience with Istio, but the Vault newsgroup might. In any case, we'll get this panic fixed. At least then you would have been shown a message with next steps: Unable to authorize role %q. Check Vault logs for more information.

Since the CLI is external to the Vault server, it really has no more details in cases like these.
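
The failure mode discussed in this thread, as an added example that is not code from Vault or vault-plugin-auth-jwt: a client helper gets back no error and no usable reply, and must return an error rather than dereference the reply. The `response` and `caller` types, the function names and the `auth_url` key are assumptions made for illustration; the error text is the message quoted in the comment above.

```go
package main

import "fmt"

// response is a hypothetical stand-in for an API reply; it is not Vault's type.
type response struct{ Data map[string]interface{} }

// caller models a request that may return (nil, nil) when the server reply is empty.
type caller func(role string) (*response, error)

// emptyReply is a constructed failure case: no error, but no reply either.
var emptyReply caller = func(string) (*response, error) { return nil, nil }

// authURLUnchecked treats a nil error as proof that the reply is usable.
func authURLUnchecked(call caller, role string) (string, error) {
	resp, err := call(role)
	if err != nil {
		return "", err
	}
	return resp.Data["auth_url"].(string), nil // panics on nil resp or non-string value
}

// authURLChecked validates each step and returns an error instead of panicking.
// The final message is the one quoted by the maintainer in this thread.
func authURLChecked(call caller, role string) (string, error) {
	resp, err := call(role)
	if err != nil {
		return "", fmt.Errorf("requesting auth URL: %w", err)
	}
	if resp != nil {
		// The comma-ok form yields ok=false for a missing key or a wrong type.
		if url, ok := resp.Data["auth_url"].(string); ok && url != "" {
			return url, nil
		}
	}
	return "", fmt.Errorf("Unable to authorize role %q. Check Vault logs for more information.", role)
}

// panics reports whether f panicked, so both variants can be compared safely.
func panics(f func()) (p bool) {
	defer func() { p = recover() != nil }()
	f()
	return false
}

func main() {
	fmt.Println("unchecked panics:", panics(func() { authURLUnchecked(emptyReply, "demo") }))
	_, err := authURLChecked(emptyReply, "demo")
	fmt.Println("checked error:", err)
}
```
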


kalafut commented Jun 19, 2019

That said, it is interesting that this started appearing when you changed up your Vault version/config. I'll let the team know as I would be curious to know if other aspects of Vault might show similar symptoms.

@MrBlaise

@kalafut It is most definitely Istio. I forgot that I have introduced it as well when I upgraded Vault. So it is not an issue on Vault's side (well, the SIGSEGV was ugly, but that's all).


kalafut commented Jun 19, 2019

@MrBlaise Thanks for that context.
