
is_authenticated() returns false after correct auth_app_id() call. #29

Closed
csawyerYumaed opened this issue Dec 8, 2015 · 5 comments

Comments

@csawyerYumaed

setup:

```shell
$ vault auth-enable app-id
$ vault write auth/app-id/map/app-id/0d1ab824-d56d-4fed-991d-5056dccf3ce1 value=root display_name=root
$ vault write auth/app-id/map/user-id/66064160138498 value=0d1ab824-d56d-4fed-991d-5056dccf3ce1
```

code:

```python
>>> import uuid
>>> import hvac
>>> client = hvac.Client("http://127.0.0.1:8200")
>>> appID = "0d1ab824-d56d-4fed-991d-5056dccf3ce1"  # the app-id mapped above
>>> print client.auth_app_id(appID, uuid.getnode())  # user-id is the MAC-derived node id
{u'lease_id': u'', u'lease_duration': 0, u'data': None, u'auth': {u'client_token': u'c2faafc8-fdaa-f92d-423a-6bc57debcb8a', u'lease_duration': 2592000, u'renewable': False, u'policies': [u'root'], u'metadata': {u'userid': u'sha1:e3676dc08fd42cbb74cbcd7d77ff87b5f0225efb', u'app-id':u'sha1:8b9dcb03444de65755802dd6e65dc134f6c35bff'}}, u'renewable': False}
>>> print client.token  # the client stored the token returned above
u'c2faafc8-fdaa-f92d-423a-6bc57debcb8a'
>>> print client.is_authenticated()
False
```

Makes me sad. Read/write work, even if is_authenticated() lies to you. You can go forth and write, read, etc. (per policy).

@ianunruh
Member

ianunruh commented Dec 8, 2015

Well, that method simply calls GET /auth/token/lookup-self. So either this is a bug in Vault or we need a better way to check if the token is valid.

@csawyerYumaed
Author

Right, I have no idea. I'm very, very new to Vault, so still learning (today is day 2).

@hobbeswalsh
Contributor

I encountered the same issue, and realized that the lookup-self policy is not enabled by default on new tokens. So there are a few possible "solutions" here:

  1. Ensure that all policies (even ones for AppID authentication) have explicit read access to auth/token/lookup-self
  2. Don't rely on is_authenticated() to tell you the truth; just try to read secrets.
  3. Open an issue with the Vault team and ask if this is an intentional feature or an accidental bug.
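The behaviour ianunruh describes (is_authenticated() is just a GET on auth/token/lookup-self) and the two workarounds hobbeswalsh lists can be seen together in the following added example. It is not hvac's or Vault's code: the Vault server is replaced by a tiny in-memory simulation with constructed tokens and policies, and the policy matching is a simplification of Vault's path ACLs. What it shows is that a token can be perfectly valid for the paths its policy covers while lookup-self is denied, so a check that only asks lookup-self reports False; a check that also probes a path the policy is expected to allow distinguishes "valid but not allowed to look itself up" from "not a valid token".

```python
"""Simulated Vault token check (added example, not hvac's or Vault's own code).

Tokens, policies and paths below are constructed for illustration only.
"""


class Forbidden(Exception):
    """Stands in for the HTTP 403 Vault returns on denied or unknown tokens."""


# Constructed token table: token -> policies attached to it.
TOKENS = {
    "tok-root": ["root"],
    "tok-app": ["app-only"],                  # valid, but no lookup-self capability
    "tok-app-fixed": ["app-only", "self-lookup"],  # workaround 1 applied
}

# Constructed policies. Rules map a path (or a trailing-* prefix) to capabilities.
POLICIES = {
    "root": {"*": {"read", "write"}},
    "app-only": {"secret/myapp/*": {"read"}},
    # Workaround 1 from the thread: explicit read access to lookup-self.
    "self-lookup": {"auth/token/lookup-self": {"read"}},
}

# HCL a reader could adapt for workaround 1 (current 'capabilities' syntax assumed).
LOOKUP_SELF_POLICY_HCL = '''
path "auth/token/lookup-self" {
  capabilities = ["read"]
}
'''


def path_allowed(policies, path, capability):
    """Simplified Vault ACL: any attached policy granting the capability wins."""
    for name in policies:
        for rule, caps in POLICIES.get(name, {}).items():
            exact = rule == path
            prefix = rule.endswith("*") and path.startswith(rule[:-1])
            if (exact or prefix) and capability in caps:
                return True
    return False


def vault_read(token, path):
    """Simulated GET. Like Vault, an unknown token and a valid token without
    access to the path both come back as a bare 'permission denied'."""
    policies = TOKENS.get(token)
    if policies is None or not path_allowed(policies, path, "read"):
        raise Forbidden("permission denied")
    if path == "auth/token/lookup-self":
        return {"data": {"id": token, "policies": policies}}
    return {"data": {"value": "constructed-secret-at-" + path}}


def is_authenticated(token):
    """Mirrors what the thread says hvac does: True iff lookup-self succeeds."""
    try:
        vault_read(token, "auth/token/lookup-self")
        return True
    except Forbidden:
        return False


def token_is_usable(token, probe_path):
    """Workaround 2 from the thread: if lookup-self is denied, fall back to
    reading a path the token's policy is expected to permit. A failure on
    both means the token is either invalid or useless for this client."""
    if is_authenticated(token):
        return True
    try:
        vault_read(token, probe_path)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    for tok in ("tok-root", "tok-app", "tok-app-fixed", "tok-bogus"):
        print(tok, "is_authenticated:", is_authenticated(tok),
              "usable for secret/myapp/db:", token_is_usable(tok, "secret/myapp/db"))
```

Running the block prints the four cases side by side: the root token passes both checks, `tok-app` fails is_authenticated() yet can read its own secrets, `tok-app-fixed` passes once the lookup-self policy is attached, and a bogus token fails everything. The probe path should be one the application legitimately reads anyway, so the fallback check does not require widening any policy.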

@csawyerYumaed
Author

Seems vault knows about it, and fixed it (on Nov. 6th):

hashicorp/vault#732

@ianunruh
Member

I think the suggestions by hobbeswalsh are currently the best solutions to this problem. If anyone has other suggestions for how we can fix this in HVAC, I would appreciate it :)
