Make the error and http code clearer when supplying wrong unseal key #17836

Merged
merged 8 commits into from
Nov 29, 2022


nsimons
Contributor

@nsimons nsimons commented Nov 7, 2022

The error message inspection is the same as used elsewhere in the code (vault/barrier_aes_gcm.go).
ErrInvalidKey is already handled as a http 400 response in http/sys_seal.go, so we can simply use it in vault/seal.go to get http 400.

Regarding the error message, omitting the "message authentication failed" part, as it is printed to the end user.

Fixes #17792

@hashicorp-cla

hashicorp-cla commented Nov 7, 2022

CLA assistant check
All committers have signed the CLA.

@hghaf099
Contributor

@nsimons Thanks for submitting this PR. Copying my response from the linked issue:
I just checked the response error code going back to Vault 1.8, and we have always returned a 500 error code if the unseal key is a properly b64-encoded key but is invalid. On the other hand, providing an improper key, like unseal-key=1, to the unseal API will return the following:

Error unsealing: Error making API request.

URL: PUT http://localhost:8200/v1/sys/unseal
Code: 400. Errors:

* 'key' must be a valid hex or base64 string

Note that changing this now would be considered backwards incompatible. I am going to close this ticket for now. Please reopen this issue or open a new one for further discussions.

@hghaf099 hghaf099 closed this Nov 16, 2022
@hghaf099 hghaf099 reopened this Nov 18, 2022
@hghaf099
Contributor

@nsimons Thanks for contributing to Vault. We discussed the issue internally, and we would like to get the issue fixed. Would you please add a test (preferably a table test) to iterate through various cases to make sure the unseal behaviour is consistent? It would be good to see the same error code for all cases.

The new case is triggered when key length is within valid range
[16, 32], but it has uneven bytes, causing crypto/aes to return
invalid key size.
@nsimons
Contributor Author

nsimons commented Nov 23, 2022

Thanks for the guidance! Table test added, with some unseal cases. Is this more or less what you were after?

The test uses a single key shard threshold so that we get the errors out. With a higher threshold the invalid keys are quite often "blindly" accepted (HTTP 200) and the unseal mechanism waits for the next key shard. But I guess this is by design.

Found one other return branch where it would make sense to have HTTP 400. The case is where the key length is within the correct range, but the underlying AES cipher requires the length to be even. Two of the test cases test for uneven byte length.
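The two caller-caused failures discussed in this thread (a well-formed but wrong key, and a key whose length falls in [16, 32] but is rejected by crypto/aes) mapped to one sentinel error and HTTP 400, as an added Go sketch that is not part of the PR and not Vault's code. `openBlob`, `statusFor` and the nonce-prefixed blob layout are assumptions; only the `ErrInvalidKey` name and the error-string check come from the PR description.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// ErrInvalidKey marks failures caused by the submitted key (name from the PR text).
var ErrInvalidKey = errors.New("invalid key")

// openBlob (hypothetical) decrypts nonce||ciphertext and classifies failures.
func openBlob(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { // aes.KeySizeError, e.g. 17 bytes: in [16, 32] but not 16/24/32
		return nil, fmt.Errorf("%w: %v", ErrInvalidKey, err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil || len(blob) < gcm.NonceSize() {
		// Server-side fault, not the caller's key; errors.Join drops a nil err.
		return nil, errors.Join(errors.New("cannot open stored blob"), err)
	}
	n := gcm.NonceSize()
	data, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil && strings.Contains(err.Error(), "message authentication failed") {
		return nil, ErrInvalidKey // wrong key; cipher detail is not echoed back
	}
	return data, err
}

// statusFor (hypothetical) maps the classified error to the HTTP status code.
func statusFor(err error) int {
	if errors.Is(err, ErrInvalidKey) {
		return http.StatusBadRequest
	} else if err != nil {
		return http.StatusInternalServerError
	}
	return http.StatusOK
}

func main() {
	blob := make([]byte, 28) // constructed sample: zero nonce + bogus 16-byte tag
	_, wrong := openBlob(make([]byte, 32), blob)
	_, odd := openBlob(make([]byte, 17), blob)
	fmt.Println(statusFor(wrong), wrong, statusFor(odd), odd)
}
```

Anything that is not traced back to the submitted key, such as a truncated stored blob, still surfaces as 500, so a client-side mistake and a server-side fault stay distinguishable in logs and alerts.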

@hghaf099
Contributor

Thanks for working on this issue.
A couple of additional tests would be good to be added. One is testing at least another seal type. Second, testing unseal having multipart keys. I was able to trigger a couple of 500 error codes which were returned from here and here. The latter was found while configuring GCP seal, and unsealing with valid unseal keys from another cluster.

@nsimons
Contributor Author

nsimons commented Nov 28, 2022

Thanks! I added test cases for multi key-shards and AutoUnseal seal config. The two code locations that you found are hit by those test cases.

Contributor

@raskchanky raskchanky left a comment

Looks good! Thanks for the contribution @nsimons

@raskchanky raskchanky merged commit 4891122 into hashicorp:main Nov 29, 2022
Successfully merging this pull request may close these issues.

unseal with wrong key returns HTTP 500 instead of 400 (again?)