hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

vault write pki/roles/<rolename> key=value modifies unrelated keys not mentioned on commandline #15689

Closed pieter-lautus closed 2 years ago

pieter-lautus commented 2 years ago

Describe the bug

When setting individual keys on a PKI role, for example to toggle allow_wildcard_certificates from true to false, several unrelated keys are modified (reset to their defaults?) at the same time.

In other words, when editing a PKI role, one has to be careful to specify all keys and values lest you lose important settings

To Reproduce

  1. vault write pki/roles/example allow_bare_domains=true allowed_domains=foo.example.com client_flag=false server_flag=true max_ttl=7d key_bits=4096 allow_wildcard_certificates=true
  2. vault read pki/roles/example > before
  3. vault write pki/roles/example allow_wildcard_certificates=false
  4. vault read pki/roles/example > after
  5. diff -u before after
    --- before      2022-05-31 13:28:28.394905148 +0200
    +++ after       2022-05-31 13:29:30.712659664 +0200
    @@ -1,21 +1,21 @@
    Key                                   Value
    ---                                   -----
    allow_any_name                        false
    -allow_bare_domains                    true
    +allow_bare_domains                    false
    allow_glob_domains                    false
    allow_ip_sans                         true
    allow_localhost                       true
    allow_subdomains                      false
    allow_token_displayname               false
    -allow_wildcard_certificates           true
    -allowed_domains                       [foo.example.com]
    +allow_wildcard_certificates           false
    +allowed_domains                       []
    allowed_domains_template              false
    allowed_other_sans                    []
    allowed_serial_numbers                []
    allowed_uri_sans                      []
    allowed_uri_sans_template             false
    basic_constraints_valid_for_non_ca    false
    -client_flag                           false
    +client_flag                           true
    code_signing_flag                     false
    country                               []
    email_protection_flag                 false
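Review bot: the first hunk shows more than the intended allow_wildcard_certificates flip: allowed_domains goes from [foo.example.com] to [] and allow_bare_domains from true to false, so the role can no longer issue for the domain it was scoped to, while client_flag goes from false to true, re-enabling client authentication that the operator had deliberately turned off. Any automation that toggles one field with `vault write` has to re-send the full allowed_domains and flag set, or read the role back and fail if anything other than the intended key differs.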
    @@ -23,11 +23,11 @@
    ext_key_usage                         []
    ext_key_usage_oids                    []
    generate_lease                        false
    -key_bits                              4096
    +key_bits                              2048
    key_type                              rsa
    key_usage                             [DigitalSignature KeyAgreement KeyEncipherment]
    locality                              []
    -max_ttl                               168h
    +max_ttl                               0s
    no_store                              false
    not_after                             n/a
    not_before_duration                   30s
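Review bot: the second hunk is the more dangerous regression: key_bits drops from 4096 to 2048 and max_ttl from 168h to 0s, so the role-level lifetime cap is gone and issuance is bounded only by the mount and system maximums. Both are silent downgrades of settings an operator would consider hardened, which is why the saved `before` output should be diffed against the post-write state as a gate in any role-management script, not just during bug reproduction.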

Expected behavior

I expect the write in step 3 to only modify a single key. Instead, several values are modified. In the process one can accidentally lose security-sensitive settings one took great pains to set.

Environment:

cipherboy commented 2 years ago

This is now better documented; CREATE/UPDATE endpoints always overwrite the role completely with all specified arguments and the defaults of any missing arguments.

There's new PATCH functionality in 1.11 that'll allow you to update specific fields, but note that the vault CLI doesn't support PATCH operations to non-KV endpoints. Hopefully a future CLI version will support that functionality :-)
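Both halves of the thread, the reset-to-defaults behaviour of `vault write` and the JSON-merge-patch PATCH endpoint that Vault 1.11 added, can be handled from a small script. The following is an added example, not code from the Vault project: it talks to the HTTP API with the standard library, assumes VAULT_ADDR and VAULT_TOKEN in the environment and a role at pki/roles/example, and re-sends the full role (read-modify-write) or issues a PATCH with the `application/merge-patch+json` content type Vault requires. The `unexpected_changes` check is the programmatic form of the reporter's `diff -u before after`; the sample dictionaries are constructed from the values in the report so the helpers can be exercised offline.

```python
"""Update one field of a Vault PKI role without losing the others.

Added example, not HashiCorp's code. Assumes $VAULT_ADDR and $VAULT_TOKEN,
a PKI mount at "pki" and a role named "example" (all assumptions).
"""
import json
import os
import sys
import urllib.request

# Constructed sample data, taken from the values shown in the bug report
# (durations come back from the API as integer seconds, e.g. 7d == 604800).
SAMPLE_BEFORE = {
    "allow_bare_domains": True, "allowed_domains": ["foo.example.com"],
    "client_flag": False, "server_flag": True, "max_ttl": 604800,
    "key_bits": 4096, "allow_wildcard_certificates": True,
}
# What the naive `vault write pki/roles/example allow_wildcard_certificates=false`
# left behind, per the reporter's diff.
SAMPLE_AFTER_NAIVE = {
    "allow_bare_domains": False, "allowed_domains": [],
    "client_flag": True, "server_flag": True, "max_ttl": 0,
    "key_bits": 2048, "allow_wildcard_certificates": False,
}


def vault_request(method, path, body=None):
    """Minimal Vault HTTP API call; returns the decoded JSON body (or {})."""
    addr = os.environ["VAULT_ADDR"].rstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", os.environ["VAULT_TOKEN"])
    if method == "PATCH":
        # Vault's PATCH endpoints (1.11+) implement RFC 7396 JSON merge patch
        # and reject requests without this exact Content-Type.
        req.add_header("Content-Type", "application/merge-patch+json")
    elif data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def read_role(mount, name):
    return vault_request("GET", f"{mount}/roles/{name}")["data"]


def merge_role_update(current, changes):
    """Full parameter set for a CREATE/UPDATE write that alters only `changes`.

    Every other field is re-sent with its current value, so the endpoint's
    'missing argument = default' behaviour has nothing to reset.
    """
    merged = dict(current)
    merged.update(changes)
    return merged


def unexpected_changes(before, after, intended):
    """Keys whose value changed even though they were not in `intended`.

    Returns {key: (old, new)}; an empty dict means the write was surgical.
    """
    return {
        k: (before.get(k), after.get(k))
        for k in set(before) | set(after)
        if k not in intended and before.get(k) != after.get(k)
    }


def update_role_field(mount, name, changes, use_patch=False):
    """Apply `changes` to the role, then verify nothing else moved."""
    before = read_role(mount, name)
    path = f"{mount}/roles/{name}"
    if use_patch:
        vault_request("PATCH", path, changes)                    # Vault >= 1.11
    else:
        vault_request("POST", path, merge_role_update(before, changes))
    after = read_role(mount, name)
    drift = unexpected_changes(before, after, changes)
    if drift:
        raise RuntimeError(f"{path} drifted beyond the requested change: {drift}")
    return after


if __name__ == "__main__":
    change = {"allow_wildcard_certificates": False}
    if "VAULT_ADDR" in os.environ:
        mode = sys.argv[1] if len(sys.argv) > 1 else "write"
        print(json.dumps(update_role_field("pki", "example", change,
                                           use_patch=(mode == "patch")), indent=2))
    else:
        # Offline demonstration on the constructed sample data.
        print("naive write drift:",
              unexpected_changes(SAMPLE_BEFORE, SAMPLE_AFTER_NAIVE, change))
        print("read-modify-write drift:",
              unexpected_changes(SAMPLE_BEFORE,
                                 merge_role_update(SAMPLE_BEFORE, change), change))
```

Run it as `python3 role_update.py` for the read-modify-write path or `python3 role_update.py patch` to use PATCH; without VAULT_ADDR it only prints the drift computed from the sample data. The read-modify-write path is still racy against a concurrent writer of the same role, which is the reason to prefer PATCH once your server and client both support it; the post-write drift check catches either failure mode.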