BetterCloud / vault-java-driver

Zero-dependency Java client for HashiCorp's Vault
https://bettercloud.github.io/vault-java-driver/

Unauthenticated token unwrapping failure #180

Open SmedbergM opened 5 years ago

SmedbergM commented 5 years ago

There appears to be a broken assumption in the unauthenticated token unwrapping flow.

MWR (in Scala):

import com.bettercloud.vault.{Vault, VaultConfig}

val vaultAddress = "http://localhost:8200"
val wrappingToken = "s.whatever" // obtain from wrapping endpoint or agent
val config = new VaultConfig()
  .address(vaultAddress)
  .token(wrappingToken) // the client authenticates with the wrapping token itself
  .openTimeout(5)
  .readTimeout(60)
  .build()
val vault = new Vault(config)

// Throws VaultException when the response body has "auth": null
val authResponse = vault.auth().unwrap()
val unwrappedToken = authResponse.getAuthClientToken

This follows exactly the client flow listed in the Javadoc to AuthResponse.unwrap().

Expected result: unwrappedToken is a string, which can be used to authenticate further Vault instances.

Actual result:

Exception in thread "main" com.bettercloud.vault.VaultException: java.lang.UnsupportedOperationException: Not an object: null
    at com.bettercloud.vault.api.Auth.unwrap(Auth.java:1406)
    at com.bettercloud.vault.api.Auth.unwrap(Auth.java:1327)
        ...
Caused by: java.lang.UnsupportedOperationException: Not an object: null
    at com.bettercloud.vault.json.JsonValue.asObject(JsonValue.java:145)
    at com.bettercloud.vault.response.AuthResponse.<init>(AuthResponse.java:40)
    at com.bettercloud.vault.api.Auth.unwrap(Auth.java:1390)

due to trying to extract an auth property out of the following REST response body:

{"request_id":"6bb0cd01-70e8-b6a8-ffeb-83f2a3462397","lease_id":"","renewable":false,"lease_duration":0,"data":{"token":"s.[redacted]"},"wrap_info":null,"warnings":null,"auth":null}

SmedbergM commented 5 years ago

This is against a running Vault 1.0.3 instance.
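
An added example, not part of the original issue or the driver's own code: a null-safe extraction of the token from an unwrap response body, written against the driver's bundled `com.bettercloud.vault.json` classes. The class name, the `extractToken` helper and the sample bodies are constructed for illustration, and the driver jar is assumed to be on the classpath; it handles both the body quoted in the issue (`auth` is null, token under `data.token`) and the `auth.client_token` shape the stack trace shows `AuthResponse` expecting.

```java
import com.bettercloud.vault.json.Json;
import com.bettercloud.vault.json.JsonObject;
import com.bettercloud.vault.json.JsonValue;

public class UnwrapBodyExample {

    // Hypothetical helper: returns the token carried by an unwrap response
    // body, whichever of the two shapes the body has.
    static String extractToken(String body) {
        JsonObject root = Json.parse(body).asObject();

        // Shape 1: a wrapped auth response. The token is in auth.client_token.
        String token = stringField(root.get("auth"), "client_token");
        if (token == null) {
            // Shape 2: the body from this issue. "auth" is JSON null and the
            // token is in data.token, so asObject() on "auth" would throw.
            token = stringField(root.get("data"), "token");
        }
        if (token == null || token.isEmpty()) {
            // Fail closed, and keep the body out of the message: it holds secrets.
            throw new IllegalStateException(
                "unwrap response has neither auth.client_token nor data.token");
        }
        return token;
    }

    // Reads parent.<name> as a string; returns null when parent is absent,
    // JSON null, not an object, or the field is missing or not a string.
    private static String stringField(JsonValue parent, String name) {
        if (parent == null || !parent.isObject()) {
            return null;
        }
        JsonValue field = parent.asObject().get(name);
        return (field != null && field.isString()) ? field.asString() : null;
    }

    public static void main(String[] args) {
        // Constructed sample bodies; the tokens are placeholders.
        String issueShape = "{\"lease_id\":\"\",\"renewable\":false,"
            + "\"data\":{\"token\":\"s.constructed-data\"},"
            + "\"wrap_info\":null,\"warnings\":null,\"auth\":null}";
        String authShape = "{\"data\":null,"
            + "\"auth\":{\"client_token\":\"s.constructed-auth\"}}";

        // Print only whether extraction matched, never the token itself.
        System.out.println("s.constructed-data".equals(extractToken(issueShape)));
        System.out.println("s.constructed-auth".equals(extractToken(authShape)));
    }
}
```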