Open dopheide-esnet opened 1 year ago
FYI - the vault write CLI can be thought of as "curl, but with some nice accommodations for interacting with the general form of Vault APIs" - in particular, it has no knowledge of the specific API it is invoking - it has no idea which parameters are valid or invalid, let alone what data types they expect.
As a result, it's not really possible for the CLI to provide this kind of checking.
It would be nice if the Vault server, though, responded with warning or error messages for the CLI to display, about patterns which should be CIDRs not being, or roles that don't exist.
Fair enough, I think that both makes the problem worse and hopefully easier to fix at the same time. Presumably, the API would let me input a role list of: ['valid_role','valid_role2 valid_role3'] that would break the second two. Is that correct? Obviously it'd be harder to make that mistake programmatically.
@dopheide-esnet Thanks for filing this issue. Would you please confirm which Vault CLI version you used? I cannot reproduce the same issue as reported. Though I do see that the Vault server does not verify some of the inputs.
vault --version Vault v1.13.1+ent (8949fec986c7ccd4508e4689d554c4b8d182fe89), built 2023-03-23T20:09:57Z
Describe the bug
The vault CLI allows the user to input invalid lists for policy/config attributes. There are two different results we've seen from this.

To Reproduce
Steps to reproduce the behavior:
For 1) This works fine:
This next one tells you it was successful, but then you can't read the data back:
However, now the app_role is unreadable:
For 2) A bit more complex because our test case requires having a database setup. Setup is basically this if you have docker:
At the psql prompt:
Now we configure the base database config and test role:
Now we can break it.
This works:
This does not:
In both cases they look the same in the read output, showing as separated by a space:
Expected behavior
The CLI should try to check if you're inputting things without spaces and should also check that the list elements are valid CIDRs in the case of the first issue.
Environment:
Version 1.13.1+ent
Vault v1.13.1+ent (8949fec986c7ccd4508e4689d554c4b8d182fe89), built 2023-03-23T20:09:57Z
Linux Ubuntu (debian bookworm/sid)
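The check the report asks for, as an added example that is neither Vault's code nor anything from this thread: a pre-flight validator for a comma-separated list value that flags an element containing whitespace (the "space instead of comma" mistake from both reproductions) and, for CIDR lists, an element that does not parse as a CIDR. It assumes comma is the list separator and that a space is not; the sample inputs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ListProblem is one element Vault would accept verbatim but that is almost certainly a mistake.
type ListProblem struct {
	Index  int
	Value  string
	Reason string
}

// CheckList splits a raw CLI value on commas (assumption: a space is NOT a separator), then
// flags elements that contain whitespace (a missing comma merged two values into one) or fail
// the per-element validator. For a plain name list (e.g. role names) pass a validator
// that always returns nil.
func CheckList(raw string, validate func(string) error) ([]string, []ListProblem) {
	var elems []string
	var problems []ListProblem
	for i, e := range strings.Split(raw, ",") {
		e = strings.TrimSpace(e)
		elems = append(elems, e)
		if strings.ContainsAny(e, " \t") {
			problems = append(problems, ListProblem{i, e, "contains whitespace; missing comma between elements?"})
			continue
		}
		if err := validate(e); err != nil {
			problems = append(problems, ListProblem{i, e, err.Error()})
		}
	}
	return elems, problems
}

// CheckCIDRList additionally requires each element to parse as a CIDR.
func CheckCIDRList(raw string) ([]string, []ListProblem) {
	return CheckList(raw, func(e string) error { _, _, err := net.ParseCIDR(e); return err })
}

func main() {
	// Constructed inputs: a correct list, a space-instead-of-comma list, and a non-CIDR element.
	for _, raw := range []string{"10.0.0.0/8,192.168.1.0/24", "10.0.0.0/8 192.168.1.0/24", "10.0.0.0/8,192.168.1.0"} {
		_, probs := CheckCIDRList(raw)
		fmt.Printf("%q -> %d problem(s)\n", raw, len(probs))
		for _, p := range probs {
			fmt.Printf("  element %d %q: %s\n", p.Index, p.Value, p.Reason)
		}
	}
}
```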