
Allow users to non-interactively pass in the password to tls_key_file #7074

Merged

Contributor

@tyrannosaurus-becks tyrannosaurus-becks commented Jul 5, 2019

Fixes #3844

When users attempt to non-interactively provide a password for their tls_key_file using a syntax like this:

echo $PASSWORD | vault server -config=/path/to/config-with-password-protected-tls-key.hcl

They receive a panic like this:

Enter passphrase for /home/tbex/Documents/vault_configs/key-with-pass/private.key: panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x5a6f90]

goroutine 72 [running]:
bufio.(*Reader).fill(0xc000525f58)
	/usr/local/go/src/bufio/bufio.go:100 +0xe0
bufio.(*Reader).ReadSlice(0xc000746f58, 0x7f8c2a568a0a, 0x1245401, 0x101000000000010, 0x0, 0x1000, 0xc000740000)
	/usr/local/go/src/bufio/bufio.go:356 +0x3d
bufio.(*Reader).ReadBytes(0xc000746f58, 0x100a, 0x1000, 0xc000740000, 0x0, 0x0, 0x0)
	/usr/local/go/src/bufio/bufio.go:434 +0x70
bufio.(*Reader).ReadString(...)
	/usr/local/go/src/bufio/bufio.go:474
github.com/mitchellh/cli.(*BasicUi).ask.func1(0xc0006e1d01, 0xc0005804e0, 0xc0006e1ce0, 0xc0006e1d40)
	/home/tbex/go/pkg/mod/github.com/mitchellh/[email protected]/ui.go:83 +0xd6
created by github.com/mitchellh/cli.(*BasicUi).ask
	/home/tbex/go/pkg/mod/github.com/mitchellh/[email protected]/ui.go:76 +0x243

This was happening because the reader used at line 76 was nil. Adding a reader that takes user input to our UI resolves the panic. (The UI here is actually the CLI, by the way.)

This results in the expected behavior:

$ echo $PASSWORD | vault server -config=/home/tbex/Documents/vault_configs/key-with-pass/private-key-tls-cert-test.hcl
Enter passphrase for /home/tbex/Documents/vault_configs/key-with-pass/private.key: ==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "enabled")
               Log Level: debug
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v1.2.0-beta1
             Version Sha: 4cdbe34c02fbde25d5603dfa2dba6bb66a8b309f+CHANGES

==> Vault server started! Log data will stream in below:
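The failure mode above is a prompt whose UI has no input reader, so the first read dereferences nil. The following is an added example, not code from this PR, from Vault, or from mitchellh/cli: it reproduces the same shape with a stand-alone ConsoleUI type (the ConsoleUI, Ask, LoadPEMKey and NewEncryptedTestKey names are my own, not the project's), reads the passphrase for a legacy passphrase-protected PEM key from whatever io.Reader stands in for stdin, and turns the nil-reader case into an error instead of a SIGSEGV. The key material is a throwaway P-256 key generated in-process, so nothing touches disk.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

// ConsoleUI mirrors the shape of the CLI UI in the trace: prompts go to
// Writer, answers come from Reader. A nil Reader is the pre-fix condition.
type ConsoleUI struct {
	Reader io.Reader
	Writer io.Writer
}

// Ask prints the prompt and returns one line from Reader with the trailing
// newline removed (echo "$PASSWORD" | ... appends one; printf '%s' does not).
// A nil Reader yields an error rather than a nil-pointer panic.
func (u *ConsoleUI) Ask(prompt string) (string, error) {
	if u.Reader == nil {
		return "", errors.New("no input reader configured; cannot prompt for input")
	}
	w := u.Writer
	if w == nil {
		w = io.Discard
	}
	fmt.Fprint(w, prompt)
	line, err := bufio.NewReader(u.Reader).ReadString('\n')
	if err != nil && !(errors.Is(err, io.EOF) && line != "") {
		return "", fmt.Errorf("reading input: %w", err)
	}
	return strings.TrimRight(line, "\r\n"), nil
}

// LoadPEMKey parses an EC private key in PEM form. If the block carries the
// legacy "Proc-Type: 4,ENCRYPTED" headers, the passphrase is obtained via ui.
func LoadPEMKey(pemBytes []byte, path string, ui *ConsoleUI) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("%s: no PEM block found", path)
	}
	der := block.Bytes
	if x509.IsEncryptedPEMBlock(block) {
		pass, err := ui.Ask(fmt.Sprintf("Enter passphrase for %s: ", path))
		if err != nil {
			return nil, err
		}
		// Wrong passphrase surfaces as x509.IncorrectPasswordError (or a
		// parse failure below), never as a panic.
		der, err = x509.DecryptPEMBlock(block, []byte(pass))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", path, err)
		}
	}
	return x509.ParseECPrivateKey(der)
}

// NewEncryptedTestKey builds constructed sample input: a fresh P-256 key
// wrapped in a passphrase-protected PEM block. x509.EncryptPEMBlock is the
// deprecated legacy format, which is the format such key files are in.
func NewEncryptedTestKey(passphrase string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "EC PRIVATE KEY", der, []byte(passphrase), x509.PEMCipherAES256)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(block), key, nil
}

func main() {
	pemBytes, _, err := NewEncryptedTestKey("correct horse")
	if err != nil {
		panic(err)
	}
	// Non-interactive: the passphrase arrives on a pipe, as with
	// `echo $PASSWORD | vault server ...`. Constructed stand-in for stdin.
	piped := &ConsoleUI{Reader: bytes.NewBufferString("correct horse\n"), Writer: os.Stdout}
	if _, err := LoadPEMKey(pemBytes, "/path/to/private.key", piped); err != nil {
		fmt.Println("\nerror:", err)
	} else {
		fmt.Println("\nkey loaded")
	}
	// The pre-fix shape: a UI with no reader. An error now, not a SIGSEGV.
	_, err = LoadPEMKey(pemBytes, "/path/to/private.key", &ConsoleUI{Writer: os.Stdout})
	fmt.Println("nil reader:", err)
}
```

When this runs as a service, something must still supply that one line on stdin (a pipe from a secret store, or the unit's StandardInput= directive on systemd); an empty stdin is reported as a read error rather than an empty passphrase being silently tried.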

@tyrannosaurus-becks tyrannosaurus-becks merged commit 3cc7f4a into master Jul 5, 2019
@tyrannosaurus-becks tyrannosaurus-becks deleted the 3844-allow-private-key-password-noninteractively branch July 5, 2019 20:36
@jefferai jefferai added this to the 1.2 milestone Aug 21, 2019
Successfully merging this pull request may close these issues.

Run vault as a service with password protected private key