search

jfrog / vault-plugin-secrets-artifactory

HashiCorp Vault Secrets Plugin for Artifactory
https://jfrog.com
Apache License 2.0
43 stars 21 forks source link

Max_ttl can be exceeded when configured at plugin level #181

Closed loicgreffier closed 7 months ago

loicgreffier commented 7 months ago

Describe the bug When configuring a max_ttl at the plugin level, the value can be overidden and thus exceeded by a specific request.

To Reproduce Steps to reproduce the behavior:

  1. Mount the plugin
vault secrets enable artifactory
  1. Configure the plugin
vault write artifactory/config/admin url=<myUrl> access_token=<myAccessToken>
  1. Configure the user_token
vault write artifactory/config/user_token default_description="Generated by Vault" max_ttl=7200 default_ttl=3600 include_reference_token=true refreshable=true

The max_ttl is 2 hours. The default_ttl is 1 hour.

  1. Check the configuration
vault read artifactory/config/user_token

Key                        Value
---                        -----
access_token_sha256        ***
audience                   n/a
default_description        Generated by Vault
default_ttl                1h
force_revocable            <nil>
include_reference_token    true
max_ttl                    2h
refresh_token_sha256       ***
refreshable                true
scope                      applied-permissions/admin
token_id                   ***
use_expiring_tokens        false
username                   vault
  1. Ask for a token by specifying a max_ttl and a default_ttl that exceed the max_ttl configured on the plugin
vault read artifactory/user_token/<myUser> max_ttl=15000 ttl=15000
  1. Check the lease duration of the delivered token
vault read artifactory/user_token/<myUser> max_ttl=15000 ttl=15000

Key                Value
---                -----
lease_id           artifactory/user_token/<myUser>/***
lease_duration     4h10m

➡️ The lease duration is exceeding the max_ttl configured at the plugin level.

  1. Mount the plugin on another path with a max-lease-ttl and a default-lease-ttl
vault secrets enable -path=artifactory2 -max-lease-ttl=7200 -default-lease-ttl=3600 artifactory
  1. Configure the artifactory2 plugin just like the artifactory plugin, and ask for a token that exceeds the max-lease-ttl
vault read artifactory2/user_token/<myUser> max_ttl=15000 ttl=15000
Key                Value
---                -----
lease_id           artifactory2/user_token/<myUser>/***
lease_duration     2h

The lease duration is limited to 2 hours no matter the max_ttl parameter.

Requirements for and issue

Expected behavior

Reading the documentation: https://github.com/jfrog/vault-plugin-secrets-artifactory?tab=readme-ov-file#user-token-path, I was expecting the max_ttl to be limited to the max_ttl configured at plugin level (2 hours in this scenario), no matter if the user is giving a max_ttl parameter.

When setting the max-lease-ttl at the secret mount level, the max_ttl cannot be exceed as expected.

Is this an expected behaviour? If yes, is setting the max-lease-ttl when mounting the secret engine the proper way to definitely limit the max_ttl?

alexhung commented 7 months ago

@loicgreffier Thanks for the report. I've added this to our plan.

alexhung commented 7 months ago

@loicgreffier When max-lease-ttl is not explicitly set, the plugin uses max lease TTL configured in your Vault server by default. (https://github.com/jfrog/vault-plugin-secrets-artifactory/blob/master/path_user_token_create.go#L116) IIRC that's 768 hours: https://developer.hashicorp.com/vault/docs/configuration#max_lease_ttl

alexhung commented 7 months ago

Is this an expected behaviour? If yes, is setting the max-lease-ttl when mounting the secret engine the proper way to definitely limit the max_ttl?

@loicgreffier Without diving into the code, I'd say yes. Using max-least-ttl arg or change your Vault global configuration are the ways to limit the token's max_ttl.

loicgreffier commented 7 months ago

@alexhung Thanks for the feedback. I guess the issue can be closed as this is the expected behaviour