Circle of Trust Instances cannot be Supported with expiring tokens.
georgeskill opened this issue · 1 comments
Describe the bug
I am attempting to use the plugin with a Circle of Trust enabled Artifactory instance. For Circle of Trust to work properly, the tokens cannot be revocable. The tokens work if I set use_expiring_tokens to false, but do not if set to true. This is caused by the tokens being revocable. So, I am asking to make force_revocable a parameter, so that I can use expiring tokens that cannot be revoked. It's also important to note our Artifactory instance has the setting revocable-expiry-threshold = -1.
To Reproduce
Steps to reproduce the behavior:
- Set up the Vault plugin with the following config:
vault write artifactory/config/admin url=<ARTIFACTORY_URL> access_token="ARTIFACTORY_TOKEN" use_expiring_tokens=true
vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault"
admin@devvy:~/vault-engine-github-token$ vault read artifactory/user_token/<ARTIFACTORY_USERNAME>
Key Value
--- -----
lease_id artifactory/user_token/<ARTIFACTORY_USERNAME>/CgdNHp7zxR9EhEOv20Iorg1r
lease_duration 24h
lease_renewable true
access_token
description Generated by Vault
expires_in 86400
reference_token n/a
refresh_token n/a
scope applied-permissions/user
token_id e556518d-ef9d-4782-87ac-0a67e47d177f
username <ARTIFACTORY_USERNAME>
admin@devvy:~/vault-engine-github-token$ vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault" use_expiring_tokens=false
Success! Data written to: artifactory/config/user_token
admin@devvy:~/vault-engine-github-token$ vault read artifactory/user_token/<ARTIFACTORY_USERNAME>
Key Value
--- -----
lease_id artifactory/user_token/<ARTIFACTORY_USERNAME>/Zz9E3RpgLErArYjt2SjaO5v5
lease_duration 24h
lease_renewable true
access_token
description Generated by Vault
expires_in 0
reference_token n/a
refresh_token n/a
scope applied-permissions/user
token_id a9e4a036-4837-4a1e-9548-7d1e26b559ca
username <ARTIFACTORY_USERNAME>
This inability to have revocable tokens with expiration prevents us from using the plugin with Circle of Trust enabled instances.
Requirements for an issue
- A description of the bug
- A fully functioning vault configuration snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
- Your version of artifactory - 7.77.5 Enterprise
- Your version of vault - v1.13.2 Enterprise
- Your version of vault plugin - v1.5.0
Expected behavior
The plugin should be able to generate tokens that are not revocable, but do expire.
@georgeskill Thanks for the suggestion. I've added this to our plan.