Max_ttl can be exceeded when configured at plugin level
loicgreffier opened this issue · 4 comments
Describe the bug
When configuring a max_ttl at the plugin level, the value can be overridden and thus exceeded by a specific request.
To Reproduce
Steps to reproduce the behavior:
- Mount the plugin
vault secrets enable artifactory
- Configure the plugin
vault write artifactory/config/admin url=<myUrl> access_token=<myAccessToken>
- Configure the user_token
vault write artifactory/config/user_token default_description="Generated by Vault" max_ttl=7200 default_ttl=3600 include_reference_token=true refreshable=true
The max_ttl is 2 hours. The default_ttl is 1 hour.
- Check the configuration
vault read artifactory/config/user_token
Key Value
--- -----
access_token_sha256 ***
audience n/a
default_description Generated by Vault
default_ttl 1h
force_revocable <nil>
include_reference_token true
max_ttl 2h
refresh_token_sha256 ***
refreshable true
scope applied-permissions/admin
token_id ***
use_expiring_tokens false
username vault
- Ask for a token by specifying a max_ttl and a default_ttl that exceed the max_ttl configured on the plugin
vault read artifactory/user_token/<myUser> max_ttl=15000 ttl=15000
- Check the lease duration of the delivered token
vault read artifactory/user_token/<myUser> max_ttl=15000 ttl=15000
Key Value
--- -----
lease_id artifactory/user_token/<myUser>/***
lease_duration 4h10m
➡️ The lease duration is exceeding the max_ttl configured at the plugin level.
- Mount the plugin on another path with a max-lease-ttl and a default-lease-ttl
vault secrets enable -path=artifactory2 -max-lease-ttl=7200 -default-lease-ttl=3600 artifactory
- Configure the artifactory2 plugin just like the artifactory plugin, and ask for a token that exceeds the max-lease-ttl
vault read artifactory2/user_token/<myUser> max_ttl=15000 ttl=15000
Key Value
--- -----
lease_id artifactory2/user_token/<myUser>/***
lease_duration 2h
The lease duration is limited to 2 hours no matter the max_ttl parameter.
Requirements for an issue
- Artifactory 7.71.18
- Vault 1.16.2
- Vault Plugin 1.6.0
Expected behavior
Reading the documentation: https://github.com/jfrog/vault-plugin-secrets-artifactory?tab=readme-ov-file#user-token-path, I was expecting the max_ttl to be limited to the max_ttl configured at plugin level (2 hours in this scenario), no matter if the user is giving a max_ttl parameter.
When setting the max-lease-ttl at the secret mount level, the max_ttl cannot be exceeded, as expected.
Is this an expected behaviour? If yes, is setting the max-lease-ttl when mounting the secret engine the proper way to definitely limit the max_ttl?
@loicgreffier Thanks for the report. I've added this to our plan.
@loicgreffier When max-lease-ttl is not explicitly set, the plugin uses the max lease TTL configured in your Vault server by default. (https://github.com/jfrog/vault-plugin-secrets-artifactory/blob/master/path_user_token_create.go#L116) IIRC that's 768 hours: https://developer.hashicorp.com/vault/docs/configuration#max_lease_ttl
Is this an expected behaviour? If yes, is setting the max-lease-ttl when mounting the secret engine the proper way to definitely limit the max_ttl?
@loicgreffier Without diving into the code, I'd say yes. Using the max-lease-ttl arg or changing your Vault global configuration are the ways to limit the token's max_ttl.
@alexhung Thanks for the feedback. I guess the issue can be closed as this is the expected behaviour
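The maintainer's answer above makes the mount's lease ceiling, not the plugin's config/user_token max_ttl, the value that actually bounds a token. The following is an added audit helper (not the plugin's code) that reads the mount's tune data and shows what lease a ttl=15000 request gets under each of the two mounts from the issue; it assumes `sys/mounts/<path>/tune` reports TTLs as integer seconds with 0 meaning "inherit the server default", and the 768h default comes from the thread. The samples are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Added audit helper, not the plugin's code. Input is the JSON from
// `vault read -format=json sys/mounts/<path>/tune`; assumed to report TTLs
// as integer seconds, with 0 meaning "inherit the server default".
const AssumedSystemMaxLeaseTTL = 768 * time.Hour // server default per the thread
type tuneResponse struct {
	Data struct {
		MaxLeaseTTL int64 `json:"max_lease_ttl"`
	} `json:"data"`
}

// EffectiveMaxLeaseTTL returns the ceiling Vault itself enforces on leases from the mount.
func EffectiveMaxLeaseTTL(tuneJSON []byte) (time.Duration, error) {
	var r tuneResponse
	if err := json.Unmarshal(tuneJSON, &r); err != nil {
		return 0, err
	}
	if r.Data.MaxLeaseTTL <= 0 {
		return AssumedSystemMaxLeaseTTL, nil
	}
	return time.Duration(r.Data.MaxLeaseTTL) * time.Second, nil
}

// ClampedLease is the lease a request receives when only the mount ceiling applies.
func ClampedLease(requested, mountMax time.Duration) time.Duration {
	if requested > mountMax {
		return mountMax
	}
	return requested
}

// Constructed samples mirroring the two mounts in the issue: no explicit
// ceiling on the first, -max-lease-ttl=7200 on the second.
var (
	TuneArtifactory  = []byte(`{"data":{"max_lease_ttl":0}}`)
	TuneArtifactory2 = []byte(`{"data":{"max_lease_ttl":7200}}`)
)

func main() {
	eff, _ := EffectiveMaxLeaseTTL(TuneArtifactory)
	fmt.Println(eff, ClampedLease(15000*time.Second, eff)) // 768h0m0s 4h10m0s
}
```

Running the same check against a mount whose tune data reports a 7200s ceiling yields the 2h lease seen on the artifactory2 mount; a mount that still reports 0 is the one worth tuning with -max-lease-ttl.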