Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[VAULT-1986] Cap AWS Token TTL based on Default Lease TTL #12026

Merged
merged 6 commits into from
Jul 15, 2021

Conversation

vinay-gopalan
Copy link
Contributor

This PR fixes a bug in capping the Token TTL for AWS based on the Default Lease TTL. Before, the Token TTL was not being capped by the default lease even though a warning displayed in the console stating that it will be capped.

This PR also includes a test for the bug fix, including some typo fixes in error messages.

@vinay-gopalan vinay-gopalan requested a review from a team July 8, 2021 22:00
@hashicorp-cla
Copy link

hashicorp-cla commented Jul 8, 2021

CLA assistant check
All committers have signed the CLA.

@vercel vercel bot temporarily deployed to Preview – vault July 8, 2021 22:41 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook July 8, 2021 22:41 Inactive
Copy link
Contributor

@tomhjp tomhjp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking good 👍 couple of questions but they could definitely be my misunderstanding

@@ -892,9 +892,11 @@ func (b *backend) pathRoleCreateUpdate(ctx context.Context, req *logical.Request
defaultLeaseTTL := b.System().DefaultLeaseTTL()
systemMaxTTL := b.System().MaxLeaseTTL()
if roleEntry.TokenTTL > defaultLeaseTTL {
roleEntry.TokenTTL = defaultLeaseTTL
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How come we clamp TTL to at most the default? I would only expect clamping to be needed for max. Is .DefaultLeaseTTL() just a poorly named function?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function is correctly named, but this is existing behavior within the plugin that was never actually implemented. We can either remove it and only cap on max, or implement the original intent. Thoughts?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In that case, personally I would err towards removing the warning rather than adding capping - it's the more correct and safer change.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Tom's recommendation

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jasonodonnell what do you mean by never implemented? The value from b.System().DefaultLeaseTTL() is determined by this method:

func (d dynamicSystemView) DefaultLeaseTTL() time.Duration {
def, _ := d.fetchTTLs()
return def
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sync'ed up with Vinay on this and it turns out that TTL calculation caps the max TTL but doesn't care about the ttl (or token_ttl) value as long as that's under the max. I'm fine with removing this. At some point we were capping the default but then removed it when we changed things to use tokenutil.

resp.AddWarning(fmt.Sprintf("Given ttl of %d seconds greater than current mount/system default of %d seconds; ttl will be capped at login time", roleEntry.TokenTTL/time.Second, defaultLeaseTTL/time.Second))
}
if roleEntry.TokenMaxTTL > systemMaxTTL {
roleEntry.TokenMaxTTL = systemMaxTTL
resp.AddWarning(fmt.Sprintf("Given max ttl of %d seconds greater than current mount/system default of %d seconds; max ttl will be capped at login time", roleEntry.TokenMaxTTL/time.Second, systemMaxTTL/time.Second))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

max ttl will be capped at login time

Is this now slightly inaccurate? I believe if you read the config back for the role, it will probably have stored the system max TTL instead of the specified max TTL right? So it's actually already been capped.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, we should remove the about "at login". We're now setting this on the role.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe if you read the config back for the role, it will probably have stored the system max TTL instead of the specified max TTL right?

I don't think that this is the case because we're not actually modifying/overriding roleEntry.TokenMaxTTL so the cap is actually determined at login time. The outdated diff looks like we were at one point but then we reverted back (which I think is the right call).

t.Fatalf("resp: %#v, err: %v", resp, err)
}

roleReq.Operation = logical.ReadOperation
Copy link
Contributor

@tomhjp tomhjp Jul 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: It does make the tests more verbose, but I think as a general rule it's nice to treat structs as immutable in tests so that the definition of your requests is always fully defined near the call site, and you reduce the risk of surprising bugs from dependencies between parts of the test.

Copy link
Contributor

@jasonodonnell jasonodonnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I do echo @tomhjp's question about whether or not we should have the capping code and raised this internally.

@vercel vercel bot temporarily deployed to Preview – vault July 12, 2021 17:29 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook July 12, 2021 17:29 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook July 13, 2021 18:41 Inactive
@vercel vercel bot temporarily deployed to Preview – vault July 13, 2021 18:41 Inactive
@vinay-gopalan
Copy link
Contributor Author

@jasonodonnell Here are the new updates after our Sync.

@@ -0,0 +1,3 @@
```release-note:bug
auth/aws: Fix a bug where the Token TTL for AWS is not capped by Default Lease TTL.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this still true?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Forgot about that, fixed now :)

@jasonodonnell jasonodonnell self-requested a review July 13, 2021 18:57
@vercel vercel bot temporarily deployed to Preview – vault July 13, 2021 19:06 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook July 13, 2021 19:06 Inactive
@vercel vercel bot temporarily deployed to Preview – vault July 14, 2021 22:16 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook July 14, 2021 22:16 Inactive
@vinay-gopalan vinay-gopalan merged commit e14d203 into main Jul 15, 2021
@vinay-gopalan vinay-gopalan deleted the fix-cap-token-ttl branch July 15, 2021 17:05
@calvn calvn modified the milestones: 1.8, 1.8.1 Jul 15, 2021
vinay-gopalan added a commit that referenced this pull request Aug 4, 2021
* fix: cap token TTL at login time based on default lease TTL

* add changelog file

* patch: update warning messages to not include 'at login'

* patch: remove default lease capping and test

* update changelog

* patch: revert warning message
calvn pushed a commit that referenced this pull request Aug 4, 2021
…12252)

* fix: cap token TTL at login time based on default lease TTL

* add changelog file

* patch: update warning messages to not include 'at login'

* patch: remove default lease capping and test

* update changelog

* patch: revert warning message
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants