jfrog / vault-plugin-secrets-artifactory

HashiCorp Vault Secrets Plugin for Artifactory
https://jfrog.com
Apache License 2.0

TTL is not being respected in V1.3 #159

Closed georgeskill closed 5 months ago

georgeskill commented 5 months ago

Describe the bug

The default TTL for tokens is not being applied to user tokens in V1.3. V1.2 applied the correct default TTL to user tokens, but V1.3 has broken my org's TTL policy.

To Reproduce

When using the V1.3 plugin, I run these commands:

vault secrets enable -path=artifactory artifactory_1.3

vault write artifactory/config/admin url=<artifactory_instanceurl.com> access_token=<token>

vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault"

vault read artifactory/user_token/<username>

This is the output of the previous command:

vault read artifactory/user_token/<username>
Key                Value
---                -----
lease_id           artifactory/user_token/<username>/IpZOc5pGLad1BoX82Pf98DDp
lease_duration     768h
lease_renewable    true
access_token       <access_token>
description        n/a
expires_in         0
reference_token    n/a
refresh_token      n/a
scope              applied-permissions/user
token_id           dfd799c8-ef13-471e-be98-120bfd978fd8
username           <username>

The lease duration is not connected to the default_ttl, whereas when I run the exact same commands with version 1.2 of the plugin, my user token's TTL is correct.

admin@gold-devvy:~/jfrog--vault-plugin-secrets-artifactory$ vault read artifactory/user_token/<username>
Key                Value
---                -----
lease_id           artifactory/user_token/<username>/f32dmCtgdnYE3Cv5O4mE451f
lease_duration     24h
lease_renewable    true
access_token       <access_token>
description        n/a
expires_in         0
reference_token    n/a
refresh_token      n/a
scope              applied-permissions/user
token_id           dfd799c8-ef13-471e-be98-120bfd978fd8
username           <username>

Here is my vault config:

vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.15.5
Build Date      2024-01-26T14:53:40Z
Storage Type    inmem
Cluster Name    vault-cluster-1eb112b5
Cluster ID      bfe3c12a-6052-3e1f-0bb9-eb984bcfcf3a
HA Enabled      false

I am interacting with an Artifactory instance that is running version EnterpriseX 7.77.5.

Expected behavior

The default TTL should be honored for user tokens with V1.3.

alexhung commented 5 months ago

@georgeskill Thanks for the bug report. I've added this to our sprint.

alexhung commented 5 months ago

@georgeskill FYI, if you can run your Vault server with log at DEBUG level, you will see logs showing which TTL is used: https://github.com/jfrog/vault-plugin-secrets-artifactory/blob/09b183deb2445b1540179b94b1feedf3fb6b9245/path_user_token_create.go#L127 and https://github.com/jfrog/vault-plugin-secrets-artifactory/blob/09b183deb2445b1540179b94b1feedf3fb6b9245/path_user_token_create.go#L130 and https://github.com/jfrog/vault-plugin-secrets-artifactory/blob/09b183deb2445b1540179b94b1feedf3fb6b9245/path_user_token_create.go#L139

georgeskill commented 5 months ago

@alexhung Thanks for the prompt response. Here are the logs when running these commands:

2024-03-07T22:16:34.963Z [DEBUG] system: pinning plugin version: plugin type=secret plugin name=artifactory_1.3 plugin version=v1.3.0
2024-03-07T22:16:34.963Z [DEBUG] core: spawning a new plugin process: plugin_name=artifactory_1.3 id=UdsiXFXYdB
2024-03-07T22:16:35.010Z [INFO]  secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: configuring client automatic mTLS
2024-03-07T22:16:35.017Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: starting plugin: path=/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3 args=["/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3"]
2024-03-07T22:16:35.017Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: plugin started: path=/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3 pid=3079259
2024-03-07T22:16:35.017Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: waiting for RPC address: plugin=/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3
2024-03-07T22:16:35.026Z [INFO]  secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: configuring server automatic mTLS: timestamp=2024-03-07T22:16:35.026Z
2024-03-07T22:16:35.039Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: plugin address: address=/tmp/plugin221858565 network=unix timestamp=2024-03-07T22:16:35.039Z
2024-03-07T22:16:35.039Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: using plugin: version=5
2024-03-07T22:16:35.061Z [INFO]  core: successful mount: namespace="" path=artifactory/ type=artifactory_1.3 version=v1.3.0
2024-03-07T22:16:50.751Z [DEBUG] system: pinning plugin version: plugin type=secret plugin name=artifactory plugin version=v1.2.0
2024-03-07T22:16:50.752Z [ERROR] secrets.system.system_b2f79b80: error occurred during enable mount: path=artifactory/ error="path is already in use at artifactory/"
2024-03-07T22:16:56.520Z [DEBUG] system: pinning plugin version: plugin type=secret plugin name=artifactory_1.3 plugin version=v1.3.0
2024-03-07T22:16:56.520Z [ERROR] secrets.system.system_b2f79b80: error occurred during enable mount: path=artifactory/ error="path is already in use at artifactory/"
2024-03-07T22:17:48.493Z [INFO]  secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: fetching user token configuration: path=config/user_token timestamp=2024-03-07T22:17:48.493Z
2024-03-07T22:17:48.494Z [INFO]  secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: saving user token configuration: path=config/user_token timestamp=2024-03-07T22:17:48.494Z
2024-03-07T22:17:56.381Z [INFO]  secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: fetching user token configuration: path=config/user_token/<user_token> timestamp=2024-03-07T22:17:56.381Z
2024-03-07T22:17:56.382Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: initialize maxLeaseTTL to system value: maxLeaseTTL="2.7648e+15" timestamp=2024-03-07T22:17:56.382Z
2024-03-07T22:17:56.382Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: Max lease TTL (sec): maxLeaseTTL="2.7648e+15" timestamp=2024-03-07T22:17:56.382Z
2024-03-07T22:17:56.382Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: TTL (sec): ttl="2.7648e+15" timestamp=2024-03-07T22:17:56.382Z
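The three DEBUG lines above are the point to check: `2.7648e+15` is 768h expressed in nanoseconds (768 * 3600 * 1e9), i.e. Vault's system max lease TTL, which is exactly the `lease_duration` the 1.3 output shows, while the configured `default_ttl=24h` never appears. The following Go program is an added illustration written for this page, not code from the plugin or from either commenter. It models a TTL fallback chain (per-user config, then the shared `config/user_token`, then the system default, capped by the most specific `max_ttl`) and a post-issue check that compares the `lease_duration` Vault reports against the configured default, so a regression of this kind is caught right after the `vault read` rather than when the policy audit fails. The precedence order, the type and function names, and the sample configs are assumptions made for the example.

```go
package main

import (
	"fmt"
	"time"
)

// ttlConfig holds the two TTL fields written to config/user_token in the
// issue above. A zero value means the field was not set.
type ttlConfig struct {
	DefaultTTL time.Duration
	MaxTTL     time.Duration
}

// Vault's default system lease limits. 768h in nanoseconds is 2.7648e+15,
// the value printed in the DEBUG log lines of the issue.
const (
	systemDefaultTTL = 768 * time.Hour
	systemMaxTTL     = 768 * time.Hour
)

// resolveTTL returns the lease TTL to issue and a label saying where it came
// from. Precedence (an assumption for this example, not the plugin's
// documented behaviour): per-user config overrides the shared config, which
// overrides the system default. The result is capped by the most specific
// max_ttl that is set and always by the system max.
func resolveTTL(userCfg, sharedCfg *ttlConfig) (time.Duration, string) {
	ttl, source := systemDefaultTTL, "system default"
	maxTTL := systemMaxTTL

	// Least specific first, so the more specific config wins.
	layers := []struct {
		cfg  *ttlConfig
		name string
	}{
		{sharedCfg, "config/user_token"},
		{userCfg, "config/user_token/<username>"},
	}
	for _, l := range layers {
		if l.cfg == nil {
			continue // path not configured: fall through to the next layer
		}
		if l.cfg.DefaultTTL > 0 {
			ttl, source = l.cfg.DefaultTTL, l.name
		}
		if l.cfg.MaxTTL > 0 {
			maxTTL = l.cfg.MaxTTL
		}
	}
	if maxTTL > systemMaxTTL {
		maxTTL = systemMaxTTL
	}
	if ttl > maxTTL {
		ttl, source = maxTTL, source+" (capped by max_ttl)"
	}
	return ttl, source
}

// checkLease compares the lease_duration Vault reported for a token with the
// TTL the operator expects. A mismatch means the token will outlive (or fall
// short of) the organisation's TTL policy.
func checkLease(reported, expected time.Duration) error {
	if reported != expected {
		return fmt.Errorf("lease_duration %s does not match configured default_ttl %s", reported, expected)
	}
	return nil
}

func main() {
	// Constructed to match the config written in the issue: no per-user
	// config, shared config with default_ttl=24h and max_ttl=48h.
	shared := &ttlConfig{DefaultTTL: 24 * time.Hour, MaxTTL: 48 * time.Hour}

	ttl, src := resolveTTL(nil, shared)
	fmt.Printf("expected lease: %s (from %s)\n", ttl, src)

	// lease_duration values copied from the two vault read outputs above:
	// 768h from the 1.3 plugin, 24h from the 1.2 plugin.
	for _, got := range []time.Duration{768 * time.Hour, 24 * time.Hour} {
		if err := checkLease(got, ttl); err != nil {
			fmt.Println("MISMATCH:", err)
		} else {
			fmt.Println("ok:", got)
		}
	}
}
```

Run it as is and the 768h lease is flagged while the 24h lease passes; in a real deployment the `checkLease` comparison belongs in whatever wrapper or pipeline step performs the `vault read`, with the expected value taken from the same source of truth that wrote `config/user_token`.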