joshcorr / SecretManagement.Hashicorp.Vault.KV

A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine
MIT License

Secrets with nested jsons can be truncated #17

Closed velkovb closed 3 years ago

velkovb commented 3 years ago

When trying to upload secrets with multiple level jsons, I get the following warning: WARNING: Resulting JSON is truncated as serialization has exceeded the set depth of 2.

I believe it might be related to using the ConvertTo-Json cmdlet in the API call.

https://github.com/joshcorr/SecretManagement.Hashicorp.Vault.KV/blob/bbed87f552822956ebb1b28ced10648cee6a8030/SecretManagement.Hashicorp.Vault.KV/SecretManagement.Hashicorp.Vault.KV.Extension/SecretManagement.Hashicorp.Vault.KV.Extension.psm1#L284

joshcorr commented 3 years ago

Thanks for submitting an issue!

Yes, I believe you are correct. I am not setting the -Depth parameter, which might cause this issue.

Could you provide a pseudo example of what you are trying to execute and what the structure of the secret looks like, so I can reproduce? Is the JSON a nested key? Or is it a path that is 3+ layers deep?

Also, what version of Hashicorp Vault is this on? And what version of the module?

velkovb commented 3 years ago

Here is an example of the secret value in json

{
  "CustomerConfig": [
    {
      "clientId": "test",
      "clientSecret": "test",
      "geniusCustomerId": "0",
      "identityServerUri": "https://test.com"
    },
    {
      "clientId": "test2",
      "clientSecret": "test2",
      "geniusCustomerId": "6699",
      "identityServerUri": "https://test.com"
    }
  ]
}

The path is product/customer/settings-gss in a vault named secret.

From what I was able to debug, it is displaying the warning when calling Set-Secret, but I could not get more info. Tried cloning the module and editing it but I can't seem to make it use the local module.

Testing it on Vault 1.2.3 but soon should be able to test on 1.8.0 as well.

Microsoft.PowerShell.SecretManagement 1.1.0

SecretManagement.Hashicorp.Vault.KV 1.1.0

Microsoft.PowerShell.SecretStore 1.0.3

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.1.4
PSEdition                      Core
GitCommitId                    7.1.4
OS                             Microsoft Windows 10.0.19043
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

P.S. Tested on Vault 1.8.0 and got the same result.

velkovb commented 3 years ago

I figured out that Unregister-SecretVault is not cleaning up my configuration properly and I need to restart my PowerShell process to properly pull new config. Simply adding -Depth 10 in the New-VaultAPIBody ConvertTo-Json call seems to solve the issue for me.

joshcorr commented 3 years ago

Thanks for the info and for testing. That is odd behavior on Unregister-SecretVault. That might be an issue with the SecretManagement module.

I haven't tested with JSON as a value of a key, so will work on a fix this evening, or if you want to put a PR together that would be great.

velkovb commented 3 years ago

I admit the way Vault is used here to store stuff is weird but that is what I got. I will try to make a PR, just need to check the contributions guide :)

joshcorr commented 3 years ago

Your contribution is now on the gallery in the next preview branch 1.1.1 🎉

Let me know if this works for you. Found some other bugs I need to fix before releasing this.

I was unable to re-create your issue with the older version of the code, and Hashicorp Vault 1.7.3. This is what I had for my secret:

[image: fix]

and in PowerShell:

PS C:\> $s = (Get-Secret -Name product/customer/settings-gss -Vault secret -Verbose)
VERBOSE: Invoking command Get-Secret on module SecretManagement.Hashicorp.Vault.KV.Extension
VERBOSE: Secret product/customer/settings-gss was successfully retrieved from vault secret.
PS C:\> $s

----                           -----
CustomerConfig                 {@{clientId=test; clientSecret=test; geniusCustomerId=0; identityServerUri=https://te...

PS C:\> $s.values

clientId clientSecret geniusCustomerId identityServerUri
test     test         0                https://test.com
test2    test2        6699             https://test.com

velkovb commented 3 years ago

The issue is when setting the value with Set-Secret. No problem when getting it.

joshcorr commented 3 years ago

Ahh okay, that makes more sense. I was having issues with that scenario when calling the function directly.

$ht2 =@{CustomerConfig=@{clientId='test';clientSecret='test';geniusCustomerId=0;identityServerUri='https://test.com'},@{clientId='test2';clientSecret='test2';geniusCustomerId=6699;identityServerUri='https://test.com'}}
Set-Secret -Name product/customer/settings-gss -AdditionalParameters $ap -VaultName secret -Secret $ht2

Might revisit this in the future to see if there is a dynamic way to increase that depth for more nested hash tables. Okay to close this issue?

velkovb commented 3 years ago

Yes, I think we can close it.
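
The truncation discussed in this thread, reproduced as an added example (not code from the module or from either commenter): it shows why the posted secret loses its `clientSecret` fields at the default depth, and one way to derive `-Depth` from the data and verify the result before it is sent. The `data` wrapper is an assumed KV v2 style request body, and `Get-NestingDepth` and `Test-SecretSurvived` are hypothetical helper names.

```powershell
# Constructed sample: the secret structure posted in this issue.
$secret = @{
    CustomerConfig = @(
        @{ clientId = 'test';  clientSecret = 'test';  geniusCustomerId = '0';    identityServerUri = 'https://test.com' }
        @{ clientId = 'test2'; clientSecret = 'test2'; geniusCustomerId = '6699'; identityServerUri = 'https://test.com' }
    )
}
# Assumption: a KV v2 style request body that wraps the secret under "data".
$body = @{ data = $secret }

# Hypothetical helper: count nested container levels (hashtables and arrays only).
function Get-NestingDepth {
    param($Value)
    if ($null -eq $Value -or $Value -is [string]) { return 0 }
    if ($Value -is [System.Collections.IDictionary]) { $items = $Value.Values }
    elseif ($Value -is [System.Collections.IEnumerable]) { $items = $Value }
    else { return 0 }
    $max = 0
    foreach ($item in $items) {
        $max = [Math]::Max($max, (Get-NestingDepth -Value $item))
    }
    return 1 + $max
}

# Hypothetical check: parse the JSON back and confirm the first entry still has its fields.
function Test-SecretSurvived {
    param([string]$Json)
    $first = ($Json | ConvertFrom-Json).data.CustomerConfig[0]
    return ($first -isnot [string]) -and ($first.clientSecret -eq 'test')
}

# Default depth of 2: the array elements are one level too deep and become type-name strings.
$truncated = $body | ConvertTo-Json -WarningAction SilentlyContinue
# Depth taken from the data itself; ConvertTo-Json accepts at most 100.
$depth = [Math]::Min(100, (Get-NestingDepth -Value $body))
$full = $body | ConvertTo-Json -Depth $depth

"Default depth keeps clientSecret: $(Test-SecretSurvived -Json $truncated)"
"-Depth $depth keeps clientSecret: $(Test-SecretSurvived -Json $full)"
```

The round-trip check does not rely on the truncation warning being shown, so it also catches the case where the warning is suppressed or never surfaces to the caller.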