TTL is not being respected in V1.3
georgeskill opened this issue · 3 comments
Describe the bug
The default TTL for tokens is not being applied to user tokens in V1.3. V1.2 applied the correct default TTL to user tokens, but V1.3 has broken my org's TTL policy.
To Reproduce
When using the V1.3 plugin, I run these commands:
vault secrets enable -path=artifactory artifactory_1.3
vault write artifactory/config/admin url=<artifactory_instanceurl.com> access_token=<token>
vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault"
vault read artifactory/user_token/<username>
This is the output of the previous command:
vault read artifactory/user_token/<username>
Key Value
--- -----
lease_id artifactory/user_token/<username>/IpZOc5pGLad1BoX82Pf98DDp
lease_duration 768h
lease_renewable true
access_token <access_token>
description n/a
expires_in 0
reference_token n/a
refresh_token n/a
scope applied-permissions/user
token_id dfd799c8-ef13-471e-be98-120bfd978fd8
username <username>
The lease duration is not connected to the default_ttl, whereas when I run the exact same commands with version 1.2 of the plugin, my user token's TTL is correct.
admin@gold-devvy:~/jfrog--vault-plugin-secrets-artifactory$ vault read artifactory/user_token/<username>
Key Value
--- -----
lease_id artifactory/user_token/<username>/f32dmCtgdnYE3Cv5O4mE451f
lease_duration 24h
lease_renewable true
access_token <access_token>
description n/a
expires_in 0
reference_token n/a
refresh_token n/a
scope applied-permissions/user
token_id dfd799c8-ef13-471e-be98-120bfd978fd8
username <username>
Here is my vault config:
vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.15.5
Build Date 2024-01-26T14:53:40Z
Storage Type inmem
Cluster Name vault-cluster-1eb112b5
Cluster ID bfe3c12a-6052-3e1f-0bb9-eb984bcfcf3a
HA Enabled false
I am interacting with an Artifactory instance that is running version EnterpriseX 7.77.5.
Requirements for an issue
- A description of the bug
- A fully functioning vault configuration snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
- Your version of artifactory (you can curl it at $host/artifactory/api/system/version)
- Your version of vault
- Your version of vault plugin
Expected behavior
The default TTL should be honored for user tokens with V1.3
Desktop (please complete the following information):
- OS: Linux
- Browser: Chrome
@georgeskill Thanks for the bug report. I've added this to our sprint.
@georgeskill FYI, if you can run your Vault server with log at DEBUG level, you will see logs showing which TTL is used:
@alexhung Thanks for the prompt response. Here are the logs when running these commands:
2024-03-07T22:16:34.963Z [DEBUG] system: pinning plugin version: plugin type=secret plugin name=artifactory_1.3 plugin version=v1.3.0
2024-03-07T22:16:34.963Z [DEBUG] core: spawning a new plugin process: plugin_name=artifactory_1.3 id=UdsiXFXYdB
2024-03-07T22:16:35.010Z [INFO] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: configuring client automatic mTLS
2024-03-07T22:16:35.017Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: starting plugin: path=/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3 args=["/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3"]
2024-03-07T22:16:35.017Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: plugin started: path=/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3 pid=3079259
2024-03-07T22:16:35.017Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: waiting for RPC address: plugin=/home/admin/vault-engine-github-token/vault/plugins/artifactory_1.3
2024-03-07T22:16:35.026Z [INFO] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: configuring server automatic mTLS: timestamp=2024-03-07T22:16:35.026Z
2024-03-07T22:16:35.039Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: plugin address: address=/tmp/plugin221858565 network=unix timestamp=2024-03-07T22:16:35.039Z
2024-03-07T22:16:35.039Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3: using plugin: version=5
2024-03-07T22:16:35.061Z [INFO] core: successful mount: namespace="" path=artifactory/ type=artifactory_1.3 version=v1.3.0
2024-03-07T22:16:50.751Z [DEBUG] system: pinning plugin version: plugin type=secret plugin name=artifactory plugin version=v1.2.0
2024-03-07T22:16:50.752Z [ERROR] secrets.system.system_b2f79b80: error occurred during enable mount: path=artifactory/ error="path is already in use at artifactory/"
2024-03-07T22:16:56.520Z [DEBUG] system: pinning plugin version: plugin type=secret plugin name=artifactory_1.3 plugin version=v1.3.0
2024-03-07T22:16:56.520Z [ERROR] secrets.system.system_b2f79b80: error occurred during enable mount: path=artifactory/ error="path is already in use at artifactory/"
2024-03-07T22:17:48.493Z [INFO] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: fetching user token configuration: path=config/user_token timestamp=2024-03-07T22:17:48.493Z
2024-03-07T22:17:48.494Z [INFO] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: saving user token configuration: path=config/user_token timestamp=2024-03-07T22:17:48.494Z
2024-03-07T22:17:56.381Z [INFO] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: fetching user token configuration: path=config/user_token/<user_token> timestamp=2024-03-07T22:17:56.381Z
2024-03-07T22:17:56.382Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: initialize maxLeaseTTL to system value: maxLeaseTTL="2.7648e+15" timestamp=2024-03-07T22:17:56.382Z
2024-03-07T22:17:56.382Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: Max lease TTL (sec): maxLeaseTTL="2.7648e+15" timestamp=2024-03-07T22:17:56.382Z
2024-03-07T22:17:56.382Z [DEBUG] secrets.artifactory_1.3.artifactory_1.3_9868e52f.artifactory_1.3.artifactory_1.3: TTL (sec): ttl="2.7648e+15" timestamp=2024-03-07T22:17:56.382Z
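An added example, not the plugin's or the reporter's code, that puts the two halves of the report side by side: ResolveTTL applies the precedence the report expects (config default_ttl, else Vault's system default, capped by max_ttl and the system max lease TTL; Vault's stock value for both system TTLs is 768h, which is the 2.7648e+15 ns in the DEBUG lines above), and LoggedTTL turns the ttl="..." value from those lines back into a time.Duration so it can be compared against the policy. The TTLPolicy type, the function names and the precedence order are assumptions, not the plugin's implementation.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// TTLPolicy: engine default_ttl/max_ttl plus Vault's system default/max lease TTL.
type TTLPolicy struct {
	DefaultTTL, MaxTTL, SysDefaultTTL, SysMaxTTL time.Duration // 0 = unset
}

// ResolveTTL is the precedence the reporter expects: engine default_ttl, else
// the system default, then capped by max_ttl and the system max lease TTL.
func ResolveTTL(p TTLPolicy) time.Duration {
	ttl := p.DefaultTTL
	if ttl == 0 {
		ttl = p.SysDefaultTTL
	}
	for _, limit := range []time.Duration{p.MaxTTL, p.SysMaxTTL} {
		if limit > 0 && ttl > limit {
			ttl = limit
		}
	}
	return ttl
}

// LoggedTTL parses the ttl="..." field of a plugin DEBUG line. The value is a
// time.Duration printed as a float, so it is nanoseconds despite the "(sec)".
func LoggedTTL(line string) (time.Duration, error) {
	_, rest, ok := strings.Cut(line, ` ttl="`)
	if !ok {
		return 0, fmt.Errorf("no ttl field in line: %q", line)
	}
	val, _, _ := strings.Cut(rest, `"`)
	ns, err := strconv.ParseFloat(val, 64)
	if err != nil {
		return 0, err
	}
	return time.Duration(ns), nil
}

func main() {
	p := TTLPolicy{DefaultTTL: 24 * time.Hour, MaxTTL: 48 * time.Hour,
		SysDefaultTTL: 768 * time.Hour, SysMaxTTL: 768 * time.Hour}
	got, _ := LoggedTTL(`[DEBUG] ...: TTL (sec): ttl="2.7648e+15" timestamp=...`)
	fmt.Printf("policy says %v, plugin used %v\n", ResolveTTL(p), got)
}
```

With the report's values this prints 24h for the policy and 768h for the plugin, the same mismatch visible in the two lease_duration outputs above.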