jfrog / vault-plugin-secrets-artifactory

HashiCorp Vault Secrets Plugin for Artifactory
https://jfrog.com
Apache License 2.0

Circle of Trust Instances cannot be Supported with expiring tokens. #174

Closed georgeskill closed 4 months ago

georgeskill commented 4 months ago

**Describe the bug**
I am attempting to use the plugin with a Circle of Trust enabled Artifactory instance. For Circle of Trust to work properly, the tokens cannot be revocable. The tokens work if I set `use_expiring_tokens` to false, but do not if set to true. This is caused by the tokens being revocable. So, I am asking to make `force_revocable` a parameter, so that I can use expiring tokens that cannot be revoked. It's also important to note our Artifactory instance has the setting `revocable-expiry-threshold = -1`.

**To Reproduce**
Steps to reproduce the behavior:

  1. Setup the Vault plugin with the following config:

     ```
     vault write artifactory/config/admin url=<ARTIFACTORY_URL> access_token=<ARTIFACTORY_TOKEN> use_expiring_tokens=true
     vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault"
     ```

```
admin@devvy:~/vault-engine-github-token$ vault read artifactory/user_token/
Key                Value
---                -----
lease_id           artifactory/user_token/ /CgdNHp7zxR9EhEOv20Iorg1r
lease_duration     24h
lease_renewable    true
access_token
description        Generated by Vault
expires_in         86400
reference_token    n/a
refresh_token      n/a
scope              applied-permissions/user
token_id           e556518d-ef9d-4782-87ac-0a67e47d177f
username

admin@devvy:~/vault-engine-github-token$ vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault" use_expiring_tokens=false
Success! Data written to: artifactory/config/user_token
admin@devvy:~/vault-engine-github-token$ vault read artifactory/user_token/
Key                Value
---                -----
lease_id           artifactory/user_token/ /Zz9E3RpgLErArYjt2SjaO5v5
lease_duration     24h
lease_renewable    true
access_token
description        Generated by Vault
expires_in         0
reference_token    n/a
refresh_token      n/a
scope              applied-permissions/user
token_id           a9e4a036-4837-4a1e-9548-7d1e26b559ca
username
```


This inability to have revocable tokens with expiration prevents us from using the plugin with Circle of Trust enabled instances.

**Requirements for an issue**
- [X] A description of the bug
- [X] A fully functioning vault configuration snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). **If this is not supplied, this issue will likely be closed without any effort expended.**
- [X] Your version of artifactory - 7.77.5 Enterprise
- [X] Your version of vault - v1.13.2 Enterprise
- [X] Your version of vault plugin - v1.5.0

**Expected behavior**
The plugin should be able to generate tokens that are not revocable, but do expire.
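Added example (not the plugin's own code, and not from the issue author) showing how the requested `force_revocable` parameter maps onto an Artifactory Access API create-token call: `expires_in` is sent only for expiring tokens, and `force_revocable` only when set explicitly, so `expires_in` together with `force_revocable=false` yields a token that expires but is not revocable. The `TokenRequest` type, `NewFakeArtifactory` stand-in server and all "constructed-" values are assumptions made for this example; the endpoint path and form field names are those of the Access API.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// TokenRequest is a hypothetical type for this example (not the plugin's own).
type TokenRequest struct {
	Username       string
	Scope          string
	Description    string
	TTL            time.Duration // 0: omit expires_in, i.e. a non-expiring token
	ForceRevocable *bool         // nil: omit force_revocable, let Artifactory decide
}

// TokenResponse is the subset of the Access API reply shown by `vault read`.
type TokenResponse struct {
	TokenID     string `json:"token_id"`
	AccessToken string `json:"access_token"`
	ExpiresIn   int64  `json:"expires_in"`
}

// FormValues builds the body for POST /access/api/v1/tokens. expires_in is
// sent only for expiring tokens (the use_expiring_tokens switch); force_revocable
// only when set. expires_in plus force_revocable=false is what the issue asks for.
func (r TokenRequest) FormValues() url.Values {
	v := url.Values{}
	v.Set("username", r.Username)
	v.Set("scope", r.Scope)
	v.Set("description", r.Description)
	if r.TTL > 0 {
		v.Set("expires_in", strconv.FormatInt(int64(r.TTL/time.Second), 10))
	}
	if r.ForceRevocable != nil {
		v.Set("force_revocable", strconv.FormatBool(*r.ForceRevocable))
	}
	return v
}

// CreateToken posts the form with the admin token as bearer and decodes the reply.
func CreateToken(client *http.Client, baseURL, adminToken string, r TokenRequest) (TokenResponse, error) {
	var out TokenResponse
	req, err := http.NewRequest(http.MethodPost, baseURL+"/access/api/v1/tokens",
		strings.NewReader(r.FormValues().Encode()))
	if err != nil {
		return out, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Authorization", "Bearer "+adminToken)
	resp, err := client.Do(req)
	if err != nil {
		return out, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return out, fmt.Errorf("create token: unexpected status %d", resp.StatusCode)
	}
	return out, json.NewDecoder(resp.Body).Decode(&out)
}

// LastForm records the most recent form the fake server received.
var LastForm url.Values

// NewFakeArtifactory is a constructed stand-in for the Access API: it stores the
// form and echoes expires_in back (0 when absent), like the 86400-vs-0 transcript.
func NewFakeArtifactory() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if req.Method != http.MethodPost || req.URL.Path != "/access/api/v1/tokens" {
			http.NotFound(w, req)
			return
		}
		if err := req.ParseForm(); err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		LastForm = req.PostForm
		exp, _ := strconv.ParseInt(req.PostForm.Get("expires_in"), 10, 64) // "" -> 0
		_ = json.NewEncoder(w).Encode(TokenResponse{
			TokenID: "constructed-token-id", AccessToken: "constructed-access-token", ExpiresIn: exp,
		})
	}))
}

func main() {
	srv := NewFakeArtifactory()
	defer srv.Close()
	noRevoke := false
	r := TokenRequest{Username: "vault-user", Scope: "applied-permissions/user",
		Description: "Generated by Vault", TTL: 24 * time.Hour, ForceRevocable: &noRevoke}
	resp, err := CreateToken(srv.Client(), srv.URL, "constructed-admin-token", r)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sent %s -> expires_in=%d\n", r.FormValues().Encode(), resp.ExpiresIn)
}
```

Leaving `ForceRevocable` nil reproduces today's behaviour, where Artifactory applies its own `revocable-expiry-threshold` rule; setting it to `false` alongside a TTL is the combination a Circle of Trust instance needs.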

alexhung commented 4 months ago

@georgeskill Thanks for the suggestion. I've added this to our plan.