hashicorp / vault

A tool for secrets management, encryption as a service, and privileged access management
https://www.vaultproject.io/

misleading error "ldap operation failed: failed to bind as user" when password contains trailing newline #20439

Open classabbyamp opened 1 year ago

classabbyamp commented 1 year ago

Describe the bug

When passing a password from stdin, it may contain an extra trailing newline. This causes the error "ldap operation failed: failed to bind as user", which is very misleading. However, the real issue is that it accepted the newline as part of the password.

To Reproduce

Note: while echo/printf are used here for ease of reproduction, this applies to anything that could pipe the password to stdin, like a password manager.

Steps to reproduce the behavior:

$ echo mypassword | vault login -method=ldap username=myuser password=-
Error authenticating: Error making API request.

URL: PUT https://vault.s.voidlinux.org/v1/auth/ldap/login/abby
Code: 400. Errors:

* ldap operation failed: failed to bind as user

This is made clear by using -output-curl-string:

$ echo mypassword | vault login -output-curl-string -method=ldap username=myuser password=-
curl -X PUT -H "X-Vault-Request: true" -d '{"password":"mypassword\n"}' $VAULT_ADDR/v1/auth/ldap/login/myuser

Expected behavior

Login from stdin works as intended:

$ printf mypassword | vault login -output-curl-string -method=ldap username=myuser password=-
curl -X PUT -H "X-Vault-Request: true" -d '{"password":"mypassword"}' $VAULT_ADDR/v1/auth/ldap/login/myuser
$ printf mypassword | vault login -method=ldap username=myuser password=- 
Success! You are now authenticated.

Environment:

Vault server configuration file(s):

I am just a user, I did not set up this vault server.

miagilepner commented 1 year ago

Thank you for submitting this request! Please note that you can also use echo -n in order to echo without a newline.

For others who are interested in this, please stick a 👍 on this issue. We’re currently developing an internal process to review and prioritize requests.

classabbyamp commented 1 year ago

As I mentioned in the original report, echo was just for demonstration purposes, I'm not actually passing my password in plaintext with echo...

maxb commented 1 year ago

This issue would be a delicate balance between not introducing unexpected data transformations in places that could break things for people, and making the CLI useful for ad-hoc use.

Unfortunately there probably is no single choice of behaviour that will make everyone happy here. It's possible that leaving things as is might be the least worst compromise.
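The two behaviours discussed in this thread, reproduced as a small added Go example that is not Vault's own code: reading a secret from stdin as the `password=-` path does, building the same JSON body that `-output-curl-string` printed in the report, and the narrow normalisation maxb's comment hints at (strip exactly one trailing line terminator, nothing else). The function names `ReadSecretFromStdin`, `LoginBody` and `HasTrailingNewline` are hypothetical, and the piped input is constructed inline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// ReadSecretFromStdin reads all of r (stdin in the CLI case) and removes
// exactly one trailing line terminator, "\n" or "\r\n", which is what `echo`,
// a pipe or an interactive Enter appends. Anything else is kept as typed:
// a secret is opaque data, so broader trimming would silently change it.
func ReadSecretFromStdin(r io.Reader) (string, error) {
	raw, err := io.ReadAll(r)
	if err != nil {
		return "", err
	}
	s := string(raw)
	switch {
	case strings.HasSuffix(s, "\r\n"):
		s = s[:len(s)-2]
	case strings.HasSuffix(s, "\n"):
		s = s[:len(s)-1]
	}
	return s, nil
}

// LoginBody builds the JSON body sent to auth/ldap/login/<user>. A newline that
// survived into the password shows up as the escape sequence \n in the string,
// which is exactly what -output-curl-string revealed in the report.
func LoginBody(password string) (string, error) {
	b, err := json.Marshal(map[string]string{"password": password})
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// HasTrailingNewline is the client-side check that would let a CLI warn
// before the request is sent, instead of surfacing a bind failure from LDAP.
func HasTrailingNewline(s string) bool {
	return strings.HasSuffix(s, "\n")
}

func main() {
	piped := "mypassword\n" // constructed stand-in for `echo mypassword |`
	rawBody, _ := LoginBody(piped)
	fmt.Println("verbatim:", rawBody, "trailing newline:", HasTrailingNewline(piped))
	secret, _ := ReadSecretFromStdin(strings.NewReader(piped))
	trimmedBody, _ := LoginBody(secret)
	fmt.Println("normalised:", trimmedBody)
}
```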