joshcorr / SecretManagement.Hashicorp.Vault.KV

A PowerShell SecretManagement extension for Hashicorp Vault Key Value Engine
MIT License
30 stars, 10 forks

[BUG] Unregister-SecretVault asks for URL + authentication #27

Open sebastian-jansson opened 2 years ago

sebastian-jansson commented 2 years ago

Describe the bug

When running Unregister-SecretVault, "SecretManagement.Hashicorp.Vault.KV" is prompting for vault parameters just as when "Register-SecretVault" is run. This is not needed when unregistering and seems like a bug.

To Reproduce

Steps to reproduce the behavior:

  1. Register new SecretVault.
  2. Add URL + auth method
  3. Run "Unregister-SecretVault" on the newly registered SecretVault.
  4. The shell should now prompt for the URL to vault + the auth method in the same way as when you run "Register-SecretVault".

Expected behavior

When running "Unregister-SecretVault", the defined vault should just get unregistered without the need to be prompted for data used during the actual registration step.

Screenshots

[screenshot of the prompt, not preserved in this copy]

Additional context

The SecretVault is still unregistered as intended after leaving the prompted values empty, as seen in the screenshot.

joshcorr commented 2 years ago

To clarify on your registration steps. Are you running it like this?

  Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name secret

or like this?

  Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV -Name secret -VaultParameters @{ VaultServer = 'https://vault.example.com:8200'; KVVersion = 'v1'; VaultAuthType = 'approle'}

Register-SecretVault only registers the vault with your local client, but does not ensure the vault exists on the remote Hashicorp Vault instance. The validation of the remote vault is usually done upon the first execution of Test-SecretVault, Get-Secret, or Set-Secret, etc.

The design of the Unregister-SecretVault cmdlet in this extension is that it both removes the SecretVault from the client as well as providing the opportunity to clean up the vault on the remote server. In order to do this the Test-SecretVault function needs to run to ensure it can connect to vault. (The Test-SecretVault function runs at the start of every function to ensure Vault is up and all necessary parameters are present).

I believe this is what is prompting you for credentials if the vault was not registered with additional parameters, or if your vault was registered in one PowerShell session and then used/removed from a different PowerShell session. The vaultToken is stored in memory and not written to disk (unless you provide VaultToken as a VaultParameter, which needs to be input as a secure string).

You may validate parameters used for registration by looking at the following file:

  cat $env:LOCALAPPDATA\PowerShell\secretmanagement\secretvaultregistry\vaultinfo
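The registration flow the maintainer describes, as an added example (not code from the issue or from the extension itself): register the vault with every parameter up front, check what was actually persisted to the local registry file, then confirm Test-SecretVault succeeds before unregistering so that no prompt appears. The server URL and auth type are placeholders; the registry path is the one quoted above.

```powershell
# Added example, not part of the issue or the SecretManagement.Hashicorp.Vault.KV project.
# Registers the KV vault with all parameters so Test-SecretVault (which runs at the start of
# every extension function, including Unregister-SecretVault) can connect without prompting.
Import-Module Microsoft.PowerShell.SecretManagement

$vaultName = 'secret'
$params = @{
    VaultServer   = 'https://vault.example.com:8200'   # placeholder URL
    KVVersion     = 'v1'
    VaultAuthType = 'approle'                          # placeholder auth type
}

# Optional: persist a token. Per the maintainer, VaultToken must be a SecureString; note that
# anything placed in VaultParameters is written to the on-disk registry, unlike the in-memory
# token obtained at login, so only do this where $env:LOCALAPPDATA is adequately protected.
# $params['VaultToken'] = Read-Host -Prompt 'Vault token' -AsSecureString

Register-SecretVault -ModuleName SecretManagement.Hashicorp.Vault.KV `
                     -Name $vaultName -VaultParameters $params

# Check 1: what the client persisted to disk (path from the maintainer's comment).
$registry = Join-Path $env:LOCALAPPDATA 'PowerShell\secretmanagement\secretvaultregistry\vaultinfo'
if (Test-Path -Path $registry) {
    Write-Host "--- $registry ---"
    Get-Content -Path $registry -Raw
}

# Check 2: the same parameters as SecretManagement reports them.
(Get-SecretVault -Name $vaultName).VaultParameters

# Unregister-SecretVault runs Test-SecretVault first; if this returns $true with the stored
# parameters, the unregister step below will not prompt for URL or auth method.
if (Test-SecretVault -Name $vaultName) {
    Unregister-SecretVault -Name $vaultName
} else {
    Write-Warning 'Test-SecretVault failed; Unregister-SecretVault would prompt for parameters.'
}
```

If the vault was registered in another session without VaultParameters, Check 1 shows an empty parameter set, which is exactly the case in which the prompt appears.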