fishi0x01 / vsh

vsh - HashiCorp Vault interactive shell and cli tool
MIT License

Bug: Cannot execute write operations with valid JSON #62

Closed tommartensen closed 3 years ago

tommartensen commented 3 years ago

Thanks for the awesome tool, it is helping a lot in secret management!

We observed the following bug:

  1. secret/ is a kv key/value secret storage in API version 1.
  2. We create a secret: vault kv put secret/test data=1.
  3. When using VSH to copy or move the secret, we experience a Go panic:
$ vsh -c "cp secret/test secret/test2"
panic: interface conversion: interface {} is string, not map[string]interface {}

goroutine 1 [running]:
github.com/fishi0x01/vsh/client.transformToKV1Secret(...)
    /home/fishi0x01/Workspaces/fishi0x01/vsh/client/util.go:88
github.com/fishi0x01/vsh/client.(*Client).lowLevelWrite(0xc0003fe180, 0xc000130c21, 0xc, 0xc0000a0900, 0x2, 0x0)
    /home/fishi0x01/Workspaces/fishi0x01/vsh/client/write.go:16 +0x3a7
github.com/fishi0x01/vsh/client.(*Client).Write(0xc0003fe180, 0xc000130c20, 0xd, 0xc0000a0900, 0x0, 0x0)
    /home/fishi0x01/Workspaces/fishi0x01/vsh/client/client.go:113 +0x165
github.com/fishi0x01/vsh/cli.(*CopyCommand).copySecret(0xc0003fe200, 0xc000130c10, 0xc, 0xc000130c20, 0xd, 0xd, 0x2)
    /home/fishi0x01/Workspaces/fishi0x01/vsh/cli/cp.go:79 +0xa0
github.com/fishi0x01/vsh/cli.(*CopyCommand).Run(0xc0003fe200, 0x1)
    /home/fishi0x01/Workspaces/fishi0x01/vsh/cli/cp.go:60 +0x140
main.executor(0x7ffeefbff857, 0x1b)
    /home/fishi0x01/Workspaces/fishi0x01/vsh/main.go:77 +0x178
main.main()
    /home/fishi0x01/Workspaces/fishi0x01/vsh/main.go:177 +0x4a2

Other secrets, e.g. as given in the integration tests value=1, work without issues.

System information:

Happy to provide further information as needed :)

fishi0x01 commented 3 years ago

Hi Tom :smile: :wave:

Thx for submission. Looks interesting, because the copy case for KV1 is tested in this suite

From the stacktrace it seems that for some reason secret/test is perceived as a KV2 secret. vsh then tries to convert it to KV1, which fails, because it already is KV1. I will try to reproduce that issue in a test. What's your permission policy on secret/ and secret/test?
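An added example, not part of the thread and not vsh's own code: the panic text in the trace is what Go emits when an unchecked type assertion to `map[string]interface{}` meets a string. The function names and payloads below are hypothetical and constructed; the sketch contrasts that assertion with the comma-ok form for a KV1 secret that has a field named `data`.

```go
package main

import (
	"errors"
	"fmt"
)

// errNotWrapped: "data" exists but is not the nested map a KV2 read returns.
var errNotWrapped = errors.New(`"data" is not a nested map`)

// unwrapUnchecked (hypothetical) assumes "data" is always a KV2 wrapper.
func unwrapUnchecked(secret map[string]interface{}) map[string]interface{} {
	return secret["data"].(map[string]interface{}) // panics if "data" is a string
}

// unwrapChecked (hypothetical) uses the comma-ok form and returns an error
// instead of crashing when a KV1 secret merely has a field named "data".
func unwrapChecked(secret map[string]interface{}) (map[string]interface{}, error) {
	inner, ok := secret["data"].(map[string]interface{})
	if !ok {
		return nil, errNotWrapped
	}
	return inner, nil
}

// panicMessage runs f and returns the recovered panic text, or "" if none.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return msg
}

func main() {
	// Constructed payloads. kv1 is the shape of `vault kv put secret/test data=1`
	// on a version 1 mount; kv2 is the shape of a version 2 read.
	kv1 := map[string]interface{}{"data": "1"}
	kv2 := map[string]interface{}{"data": map[string]interface{}{"value": "1"}}

	fmt.Println("unchecked, kv1:", panicMessage(func() { unwrapUnchecked(kv1) }))
	_, err := unwrapChecked(kv1)
	fmt.Println("checked, kv1:  ", err)
	inner, err := unwrapChecked(kv2)
	fmt.Println("checked, kv2:  ", inner, err)
}
```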

fishi0x01 commented 3 years ago

Was able to reproduce the behavior in a test. (#63)

tommartensen commented 3 years ago

Great! The reproduced error looks familiar. Thanks a lot for the help and we look forward to a fix! 🥇 Should you need further information, we are more than happy to assist.

fishi0x01 commented 3 years ago

@tommartensen Latest master should work with data key. Please let me know if you still witness any issues.

tommartensen commented 3 years ago

@fishi0x01 Thanks a lot for the fast fix! I can confirm that latest master works with our system.