BetterCloud / vault-java-driver

Zero-dependency Java client for HashiCorp's Vault
https://bettercloud.github.io/vault-java-driver/

Unable to renew token #208

Open david-streamlio opened 4 years ago

david-streamlio commented 4 years ago

I am trying to create a token that can be renewed, using the following code, where the vault is configured to use the root token:

TokenRequest tokenRequest = new TokenRequest().ttl("1m").renewable(true).explicitMaxTtl("8h");
auth = getVault().auth().createToken(tokenRequest);

I have a test case that validates that the token is valid, then sleeps long enough for the token to expire. I also validated that attempting to use it after 1 minute results in a 403 response code. Then I call the following method, which ALSO fails with a 403 code:

if (vaultAuth != null && vaultAuth.isAuthRenewable()) {
    vaultAuth = vault.auth().renewSelf();
} else {
    TokenRequest tokenRequest = new TokenRequest().ttl("1h").renewable(true);
    vaultAuth = vault.auth().createToken(tokenRequest);
}

Can someone please point me to the proper way of renewing a token inside of Vault with your API? Thanks.

P.S. Also, can someone explain the difference between the isAuthRenewable() and getRenewable() methods of the AuthResponse object? FWIW, I noticed that the value returned by getRenewable() is always false regardless of value passed in with the TokenRequest object.

darkedges commented 3 years ago

Reading the code I don't think it is possible for autorenew tokens to work. https://github.com/BetterCloud/vault-java-driver/blob/master/src/main/java/com/bettercloud/vault/api/pki/Pki.java#L117 goes to https://github.com/BetterCloud/vault-java-driver/blob/master/src/main/java/com/bettercloud/vault/VaultConfig.java#L356-L357

I cannot see anything in PKI (for example) to get a new token if it has expired.

I think this is a limitation with the HCVault code, as ideally it should return a 401 unauthorized when a token has expired.

For example,

String token = this.vault.auth()
    .loginByAppRole("82f979a8-7222-947b-dd9a-376e03ed06ba", "e9c52fab-35a3-2783-6e86-4dcfd7addb412")
    .getAuthClientToken();

returns

Vault responded with HTTP status code: 400
Response body: {"errors":["invalid secret id"]}

and an expired token returns

Vault responded with HTTP status code: 403 {"errors":["permission denied"]}

To renew an existing valid token you can do

final AuthResponse createResponse = this.vault.auth().renewSelf();

david-streamlio commented 3 years ago
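
Renewing before the TTL runs out, as darkedges describes, with an added example that is not code from the issue or from the driver. It uses the driver classes and methods named in the thread (TokenRequest, createToken, renewSelf, isAuthRenewable) plus AuthResponse.getAuthLeaseDuration() and VaultException.getHttpStatusCode(); the VAULT_ADDR/VAULT_TOKEN variables and the TTL values are placeholders.

```java
import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.bettercloud.vault.api.Auth;
import com.bettercloud.vault.response.AuthResponse;

// Added example, not code from the issue or the driver. Assumes VAULT_ADDR / VAULT_TOKEN
// env vars and a parent token allowed to create child tokens; TTLs are illustrative.
public class TokenKeepAlive {

    /** Wait two thirds of the lease so renewal always happens before expiry. */
    static long renewDelaySeconds(long leaseDurationSeconds) {
        return Math.max(1, (leaseDurationSeconds * 2) / 3);
    }

    /** renew-self while the token is still valid; returns the new lease, or null when the
     *  token has already expired (or hit explicit_max_ttl) and can only be replaced. */
    static AuthResponse renewOnce(Vault childClient, AuthResponse current) throws VaultException {
        if (!current.isAuthRenewable()) {
            return null;
        }
        try {
            return childClient.auth().renewSelf();
        } catch (VaultException e) {
            if (e.getHttpStatusCode() == 403) {
                return null; // too late: log in again for a fresh token instead
            }
            throw e;
        }
    }

    public static void main(String[] args) throws VaultException, InterruptedException {
        String addr = System.getenv("VAULT_ADDR");
        Vault parent = new Vault(new VaultConfig().address(addr).token(System.getenv("VAULT_TOKEN")).build());
        // short-lived, renewable child whose total lifetime is capped by explicitMaxTtl
        AuthResponse lease = parent.auth().createToken(
                new Auth.TokenRequest().ttl("1m").renewable(true).explicitMaxTtl("8h"));
        // renew-self acts on the token the client authenticates with, so build a client around the child token
        Vault childClient = new Vault(new VaultConfig().address(addr).token(lease.getAuthClientToken()).build());
        while (lease != null) {
            Thread.sleep(renewDelaySeconds(lease.getAuthLeaseDuration()) * 1000);
            lease = renewOnce(childClient, lease);
        }
        System.out.println("token no longer renewable; re-authenticate to obtain a new one");
    }
}
```

Once the token has expired or reached its explicit max TTL, renew-self returns the 403 seen in the thread and the only option is a new login, so the loop exits rather than retrying.
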

Thanks!