use provided namespace for wrapping lookup cubbyhole request #15583

Merged
merged 2 commits into from
May 26, 2022

@ccapurso ccapurso commented May 24, 2022

Wrapping and unwrapping work in namespaces, but a lookup operation always throws an error.

Example of proper functioning within root namespace:

❯ vault write -format=json sys/wrapping/wrap foo=bar | jq .wrap_info.token
"hvs.CAESIIKmFRNNJnGtpY204WMmkfoaLndJkBd0ZG4ZVtaan81lGh4KHGh2cy41cGxKYURDeGRwWlpaaTNYTWNSdmRuWFg"

❯ vault write sys/wrapping/lookup token=hvs.CAESIIKmFRNNJnGtpY204WMmkfoaLndJkBd0ZG4ZVtaan81lGh4KHGh2cy41cGxKYURDeGRwWlpaaTNYTWNSdmRuWFg
Key              Value
---              -----
creation_path    sys/wrapping/wrap
creation_time    2022-05-24T17:00:57.64062-04:00
creation_ttl     5m

❯ vault write -format=json sys/wrapping/unwrap token=hvs.CAESIIKmFRNNJnGtpY204WMmkfoaLndJkBd0ZG4ZVtaan81lGh4KHGh2cy41cGxKYURDeGRwWlpaaTNYTWNSdmRuWFg
{
  "foo": "bar"
}

Example of error within a child namespace ns1:

❯ vault namespace create ns1

❯ VAULT_NAMESPACE=ns1 vault write -format=json sys/wrapping/wrap foo=bar | jq .wrap_info.token
"hvs.CAESILNnfxufSwP8Nhoiv3fwE5govVuMae8BT_dlSQlOjykgGiQKImh2cy5ZelFEN0RFTndXZFpGRWlxdHR3d0hIUjIudzEzeXI"

❯ VAULT_NAMESPACE=ns1 vault write sys/wrapping/lookup token=hvs.CAESILNnfxufSwP8Nhoiv3fwE5govVuMae8BT_dlSQlOjykgGiQKImh2cy5ZelFEN0RFTndXZFpGRWlxdHR3d0hIUjIudzEzeXI

Error writing data to sys/wrapping/lookup: Error making API request.

URL: PUT https://127.0.0.1:8200/v1/sys/wrapping/lookup
Code: 400. Errors:

* no information found; wrapping token may be from a previous Vault version

❯ VAULT_NAMESPACE=ns1 vault write -format=json sys/wrapping/unwrap token=hvs.CAESILNnfxufSwP8Nhoiv3fwE5govVuMae8BT_dlSQlOjykgGiQKImh2cy5ZelFEN0RFTndXZFpGRWlxdHR3d0hIUjIudzEzeXI | jq .data
{
  "foo": "bar"
}

The underlying logical.ReadOperation request to cubbyhole/wrapinfo for API calls to sys/wrapping/lookup is not provided the requested namespace. This PR fixes that by providing that logical.ReadOperation request with a context with the requested namespace through use of namespace.ContextWithNamespace.

An enterprise test validating this fix will be provided in a separate PR.

@ccapurso ccapurso marked this pull request as ready for review May 24, 2022 21:15
@ccapurso ccapurso requested review from a team May 24, 2022 21:15
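
The failure mode described in the PR description above, as an added sketch that is not part of the original thread and is not Vault's code: an internal read that drops the caller's namespace falls back to the root namespace and finds nothing, while attaching the namespace to the context fixes the lookup without exposing the token to other namespaces. The types and functions here (`cubbyhole`, `withNamespace`, `lookupBuggy`, `lookupFixed`) and the sample token are hypothetical stand-ins.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for this sketch; these are not Vault's types.
type nsKey struct{}

// withNamespace plays the role the PR gives namespace.ContextWithNamespace.
func withNamespace(ctx context.Context, ns string) context.Context {
	return context.WithValue(ctx, nsKey{}, ns)
}

// nsFromContext returns the namespace in ctx, or "" (root) when none is set.
func nsFromContext(ctx context.Context) string {
	if ns, ok := ctx.Value(nsKey{}).(string); ok {
		return ns
	}
	return ""
}

// cubbyhole maps namespace path -> wrapping token -> creation path.
type cubbyhole map[string]map[string]string

var errNoInfo = errors.New("no information found")

// read resolves storage from the namespace carried in ctx only.
func (c cubbyhole) read(ctx context.Context, token string) (string, error) {
	if info, ok := c[nsFromContext(ctx)][token]; ok {
		return info, nil
	}
	return "", errNoInfo
}

// lookupBuggy issues the internal read without the requested namespace.
func lookupBuggy(c cubbyhole, reqNS, token string) (string, error) {
	return c.read(context.Background(), token)
}

// lookupFixed attaches the requested namespace before the internal read.
func lookupFixed(c cubbyhole, reqNS, token string) (string, error) {
	return c.read(withNamespace(context.Background(), reqNS), token)
}

func main() {
	c := cubbyhole{"ns1/": {"tok-constructed": "sys/wrapping/wrap"}} // constructed data
	_, err := lookupBuggy(c, "ns1/", "tok-constructed")
	info, _ := lookupFixed(c, "ns1/", "tok-constructed")
	fmt.Println(err, info)
}
```
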
@hghaf099 hghaf099 left a comment

LGTM

@ccapurso ccapurso merged commit 0213921 into main May 26, 2022
@ccapurso ccapurso deleted the vault-3976-wrapping-lookup-ns-fix branch May 26, 2022 19:17
Gabrielopesantos pushed a commit to Gabrielopesantos/vault that referenced this pull request Jun 6, 2022
…rp#15583)

* use provided namespace for wrapping lookup cubbyhole request

* add changelog entry