drcgjung commented 6 days ago

Bug Report

Describe the Bug

Starting TX EDC 0.8.0-RC3 in a local environment (based on EDC 0.10.0-20240918-SNAPSHOT, hence main) outputs a hashicorp vault warning both in control-plane and data-plane images when using a static EDC_VAULT_HASHICORP_TOKEN from the environment

Expected Behavior

No Warning, token refresh should work.

Observed Behavior

WARNING 2024-09-27T14:06:12.663937303 [Hashicorp Vault] Initial token look up failed with reason: Failed to look up token with reason: Unexpected character ('<' (code 60)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 1]

Since the initial token lookup failed, the guess is that also the refresh does not work.

Steps to Reproduce

Steps to reproduce the behavior:

Run a local vault with a preconfigured token
configure a tractus-x image (also tested with TX EDC 0.7.4 --> EDC 0.7.2 - same problem) against the vault using that token in EDC_VAULT_HASHICORP_TOKEN
start the image and log at the log

Context Information

EDC main/0.10.0-20240918-SNAPSHOT inside of TX EDC 0.8.0-RC3
hashicorp/vault:>1.17.3 as the vault implementation (docker releae "vault" stuck with <=1.13.3 7 months ago - see https://hub.docker.com/_/vault)
OS: MacOS, Orbstack with linux/amd64 rosetta emulation

Detailed Description

The culprit seems to lie in the HashiCorpVaultClient#isTokenRenewable method

https://github.com/eclipse-edc/Connector/blob/067ded3635b33a81c645cfe061dec5bbf73e00c0/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/client/HashicorpVaultClient.java#L124

especially when compared to the renewToken implementation

https://github.com/eclipse-edc/Connector/blob/067ded3635b33a81c645cfe061dec5bbf73e00c0/extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/client/HashicorpVaultClient.java#L161

The TOKEN_LOOK_UP_SELF_PATH is encoded as "v1%2Fauth%2Ftoken%2Flookup-self" and appended to the vault url. A call is then made to (local cluster sample) "http://vault:8201/v1%2Fauth%2Ftoken%2Flookup-self". The default hashicorp/vault:latest image answers with "200 OK" from a redirection to "http://vault:8201/ui" and the content will be html, not the expected json response (which shows the seen parsing error/warning).

Possible Implementation

Instead of

        var uri = settings.url()
                .newBuilder()
                .addPathSegment(TOKEN_LOOK_UP_SELF_PATH)
                .build();

it rather should be

        var uri = settings.url()
                .newBuilder()
                .addPathSegments(TOKEN_LOOK_UP_SELF_PATH)
                .build();

to split the TOKEN_LOOK_UP_SELF_PATH before encoding only the remaining individual segments and not encoding the TOKEN_LOOK_UP_SELF_PATH as a whole.

ndr-brt commented 3 days ago

hi, thanks for reporting, would you be able to provide a PR to fix this?

drcgjung commented 3 days ago