Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT-5935 agent: redact renew-self if using auto auth #15380

Merged
merged 1 commit into from
May 12, 2022
Merged

VAULT-5935 agent: redact renew-self if using auto auth #15380

merged 1 commit into from
May 12, 2022

Conversation

swenson
Copy link
Contributor

@swenson swenson commented May 11, 2022

Vault agent redacts the token and accessor for /auth/token/lookup-self (and lookup)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from renew-self
and renew, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.

@swenson swenson requested review from calvn, mickael-hc and a team May 11, 2022 21:26
@swenson swenson force-pushed the VAULT-5935-redact-renew-self branch from 78b4e14 to 43e9ea6 Compare May 11, 2022 21:27
VAULT-5935 agent: redact renew-self if using auto auth
5bce0cb 
Vault agent redacts the token and accessor for `/auth/token/lookup-self` (and `lookup`)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from `renew-self`
and `renew`, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.
@swenson swenson force-pushed the VAULT-5935-redact-renew-self branch from 2f4d051 to 5bce0cb Compare May 11, 2022 21:29
calvn
calvn approved these changes May 12, 2022
View reviewed changes
Copy link
Contributor

@calvn calvn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great!

tomhjp
tomhjp approved these changes May 12, 2022
View reviewed changes
Copy link
Contributor

@tomhjp tomhjp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@swenson
Copy link
Contributor Author

swenson commented May 12, 2022

Thanks!

@swenson swenson merged commit 816036b into main May 12, 2022
@swenson swenson deleted the VAULT-5935-redact-renew-self branch May 12, 2022 16:25
This was referenced May 12, 2022
Merged
Merged
Merged
swenson added a commit that referenced this pull request May 12, 2022
@swenson
VAULT-5935 agent: redact renew-self if using auto auth (#15380)
b1cdf3a 
Vault agent redacts the token and accessor for `/auth/token/lookup-self` (and `lookup`)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from `renew-self`
and `renew`, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.
swenson added a commit that referenced this pull request May 12, 2022
@swenson
VAULT-5935 agent: redact renew-self if using auto auth (#15380)
135345d 
Vault agent redacts the token and accessor for `/auth/token/lookup-self` (and `lookup`)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from `renew-self`
and `renew`, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.
swenson added a commit that referenced this pull request May 12, 2022
@hc-github-team-secure-vault-core @swenson
VAULT-5935 agent: redact renew-self if using auto auth (#15380) (#15397)
91489d5 
Vault agent redacts the token and accessor for `/auth/token/lookup-self` (and `lookup`)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from `renew-self`
and `renew`, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.

Co-authored-by: Christopher Swenson <[email protected]>
swenson added a commit that referenced this pull request May 12, 2022
@hc-github-team-secure-vault-core @swenson
VAULT-5935 agent: redact renew-self if using auto auth (#15380) (#15398)
283bf7c 
Vault agent redacts the token and accessor for `/auth/token/lookup-self` (and `lookup`)
if the token is the auto auth token to prevent it from leaking.

Similarly, we need to redact the token and accessor from `renew-self`
and `renew`, which also leak the token and accessor.

I tested this locally by starting up a Vault agent and querying the
agent endpoints, and ensuring that the accessor and token were set to
the empty string in the response.

Co-authored-by: Christopher Swenson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomhjp tomhjp tomhjp approved these changes

@calvn calvn calvn approved these changes

@mickael-hc mickael-hc Awaiting requested review from mickael-hc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@swenson @calvn @tomhjp