jfrog/vault-plugin-secrets-artifactory

Circle of Trust Instances cannot be Supported with expiring tokens.

georgeskill opened this issue · 1 comment

Describe the bug
I am attempting to use the plugin with a Circle of Trust enabled Artifactory instance. For Circle of Trust to work properly, the tokens cannot be revocable. The tokens work if I set use_expiring_tokens to false, but do not if set to true. This is caused by the tokens being revocable. So, I am asking to make force_revocable a parameter, so that I can use expiring tokens that cannot be revoked. It's also important to note that our Artifactory instance has the setting revocable-expiry-threshold = -1.

To Reproduce
Steps to reproduce the behavior:

  1. Setup the Vault plugin with the following config:
vault write artifactory/config/admin url=<ARTIFACTORY_URL> access_token=<ARTIFACTORY_TOKEN> use_expiring_tokens=true

vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault"

admin@devvy:~/vault-engine-github-token$ vault read artifactory/user_token/<ARTIFACTORY_USERNAME>
Key                Value
---                -----
lease_id           artifactory/user_token/<ARTIFACTORY_USERNAME>/CgdNHp7zxR9EhEOv20Iorg1r
lease_duration     24h
lease_renewable    true
access_token       
description        Generated by Vault
expires_in         86400
reference_token    n/a
refresh_token      n/a
scope              applied-permissions/user
token_id           e556518d-ef9d-4782-87ac-0a67e47d177f
username           <ARTIFACTORY_USERNAME>

admin@devvy:~/vault-engine-github-token$ vault write artifactory/config/user_token scope="applied-permissions/user" default_ttl=24h max_ttl=48h default_description="Generated by Vault" use_expiring_tokens=false
Success! Data written to: artifactory/config/user_token
admin@devvy:~/vault-engine-github-token$ vault read artifactory/user_token/<ARTIFACTORY_USERNAME>
Key                Value
---                -----
lease_id           artifactory/user_token/<ARTIFACTORY_USERNAME>/Zz9E3RpgLErArYjt2SjaO5v5
lease_duration     24h
lease_renewable    true
access_token       
description        Generated by Vault
expires_in         0
reference_token    n/a
refresh_token      n/a
scope              applied-permissions/user
token_id           a9e4a036-4837-4a1e-9548-7d1e26b559ca
username           <ARTIFACTORY_USERNAME>

This inability to have revocable tokens with expiration prevents us from using the plugin with Circle of Trust enabled instances.

Requirements for an issue

  • A description of the bug
  • A fully functioning vault configuration snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
  • Your version of artifactory - 7.77.5 Enterprise
  • Your version of vault - v1.13.2 Enterprise
  • Your version of vault plugin - v1.5.0

Expected behavior
The plugin should be able to generate tokens that are not revocable, but do expire.
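The workaround in the reproduction above (use_expiring_tokens=false) yields tokens with expires_in 0, i.e. no lifetime bound. The following added audit check is not part of the plugin or of this issue; it takes the JSON shape of `vault read -format=json artifactory/user_token/<user>` (constructed samples below, with constructed unsigned JWTs standing in for the Artifactory access token) and flags leases whose token carries no expiry, or whose JWT `exp` claim disagrees with Vault's expires_in. It assumes the access token is a JWT with a standard `exp` claim when it expires.

```python
import base64
import json

NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _fake_jwt(claims):
    # Constructed, unsigned header.payload. token for the offline demo only.
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(claims)}."


# Constructed samples mirroring the two vault reads in the reproduction steps.
SAMPLE_LEASES = [
    {"lease_id": "artifactory/user_token/alice/CONSTRUCTED1",
     "data": {"expires_in": 86400,
              "access_token": _fake_jwt({"sub": "alice", "exp": NOW + 86400})}},
    {"lease_id": "artifactory/user_token/bob/CONSTRUCTED2",
     "data": {"expires_in": 0,           # use_expiring_tokens=false: no exp claim
              "access_token": _fake_jwt({"sub": "bob"})}},
]


def jwt_claims(token):
    """Decode the JWT payload (second segment) without verifying the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_lease(lease, now=NOW, tolerance=60):
    data = lease["data"]
    exp = jwt_claims(data["access_token"]).get("exp")
    finding = {"lease_id": lease["lease_id"], "expires_in": data["expires_in"], "jwt_exp": exp}
    if exp is None or data["expires_in"] == 0:
        finding["status"] = "NON_EXPIRING"      # unbounded lifetime: needs manual revocation
    elif exp <= now:
        finding["status"] = "EXPIRED"
    elif abs((exp - now) - data["expires_in"]) > tolerance:
        finding["status"] = "MISMATCH"          # Vault lease and token lifetime disagree
    else:
        finding["status"] = "EXPIRING"
        finding["seconds_left"] = exp - now
    return finding


def audit(leases, now=NOW):
    return [audit_lease(lease, now) for lease in leases]
```

Run it against `vault list` plus `vault read -format=json` output to spot leases that were issued while use_expiring_tokens was off.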

@georgeskill Thanks for the suggestion. I've added this to our plan.