Revert "Remove Server Side Consistent Tokens (SSCTs)"

This reverts commit 1f2635c. As discussed on #openbao-general, this breaks existing migrations: anyone with SSCT tokens present in token store would lose all existing tokens and need to re-auth everything. This is moderately more disruptive for root tokens in particular, as `operator generate-root` would need to be taken (and sometimes these root tokens are stored but not used, as they don't necessarily expire). This reasonably breaks the "drop-in migration" guarantees of a Raft storage backend, and thus will be reverted for the time being. Other than the protobuf regeneration (which makes sense as it is an auto-generated file anyways), this was a clean revert. Resolves: #297 Signed-off-by: Alexander Scheel <[email protected]>
openbao · Jun 12, 2024 · 15c4855 · 15c4855
1 parent 5ac7393
commit 15c4855
Show file tree

Hide file tree

Showing 30 changed files with 1,164 additions and 417 deletions.
diff --git a/command/login_test.go b/command/login_test.go
@@ -20,6 +20,11 @@ import (
  "github.com/openbao/openbao/vault"
 )
 
+// minTokenLengthExternal is the minimum size of SSC
+// tokens we are currently handing out to end users, without any
+// namespace information
+const minTokenLengthExternal = 91
+
 func testLoginCommand(tb testing.TB) (*cli.MockUi, *LoginCommand) {
  tb.Helper()
 
@@ -86,7 +91,7 @@ func TestCustomPath(t *testing.T) {
  t.Fatal(err)
  }
 
- if l, exp := len(storedToken), vault.TokenLength+2; l < exp {
+ if l, exp := len(storedToken), minTokenLengthExternal+vault.TokenPrefixLength; l < exp {
  t.Errorf("expected token to be %d characters, was %d: %q", exp, l, storedToken)
  }
 }
@@ -214,7 +219,7 @@ func TestTokenOnly(t *testing.T) {
 
  // Verify only the token was printed
  token := ui.OutputWriter.String()
- if l, exp := len(token), vault.TokenLength+2; l != exp {
+ if l, exp := len(token), minTokenLengthExternal+vault.TokenPrefixLength; l != exp {
  t.Errorf("expected token to be %d characters, was %d: %q", exp, l, token)
  }
 

diff --git a/command/server.go b/command/server.go
@@ -2657,6 +2657,7 @@ func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.
  SecureRandomReader: secureRandomReader,
  EnableResponseHeaderHostname: config.EnableResponseHeaderHostname,
  EnableResponseHeaderRaftNodeID: config.EnableResponseHeaderRaftNodeID,
+ DisableSSCTokens: config.DisableSSCTokens,
  AdministrativeNamespacePath: config.AdministrativeNamespacePath,
  }
 

diff --git a/command/server/config.go b/command/server/config.go
@@ -107,6 +107,8 @@ type Config struct {
 
  EnableResponseHeaderRaftNodeID bool `hcl:"-"`
  EnableResponseHeaderRaftNodeIDRaw interface{} `hcl:"enable_response_header_raft_node_id"`
+
+ DisableSSCTokens bool `hcl:"-"`
 }
 
 const (

diff --git a/helper/namespace/namespace.go b/helper/namespace/namespace.go
@@ -107,13 +107,19 @@ func SplitIDFromString(input string) (string, string) {
  slashIdx := strings.LastIndex(input, "/")
 
  switch {
- case strings.HasPrefix(input, consts.BatchTokenPrefix):
- prefix = consts.BatchTokenPrefix
+ case strings.HasPrefix(input, consts.LegacyBatchTokenPrefix):
+ prefix = consts.LegacyBatchTokenPrefix
  input = input[2:]
 
+ case strings.HasPrefix(input, consts.LegacyServiceTokenPrefix):
+ prefix = consts.LegacyServiceTokenPrefix
+ input = input[2:]
+ case strings.HasPrefix(input, consts.BatchTokenPrefix):
+ prefix = consts.BatchTokenPrefix
+ input = input[4:]
  case strings.HasPrefix(input, consts.ServiceTokenPrefix):
  prefix = consts.ServiceTokenPrefix
- input = input[2:]
+ input = input[4:]
 
  case slashIdx > 0:
  // Leases will never have a b./s. to start

diff --git a/http/sys_generate_root.go b/http/sys_generate_root.go
@@ -67,8 +67,12 @@ func handleSysGenerateRootAttemptGet(core *vault.Core, w http.ResponseWriter, r
  respondError(w, http.StatusInternalServerError, err)
  return
  }
-
- otpLength := vault.TokenLength + vault.TokenPrefixLength
+ var otpLength int
+ if core.DisableSSCTokens() {
+ otpLength = vault.TokenLength + vault.OldTokenPrefixLength
+ } else {
+ otpLength = vault.TokenLength + vault.TokenPrefixLength
+ }
 
  // Format the status
  status := &GenerateRootStatusResponse{
@@ -103,7 +107,11 @@ func handleSysGenerateRootAttemptPut(core *vault.Core, w http.ResponseWriter, r
  case len(req.PGPKey) > 0, len(req.OTP) > 0:
  default:
  genned = true
- req.OTP, err = base62.Random(vault.TokenLength + vault.TokenPrefixLength)
+ if core.DisableSSCTokens() {
+ req.OTP, err = base62.Random(vault.TokenLength + vault.OldTokenPrefixLength)
+ } else {
+ req.OTP, err = base62.Random(vault.TokenLength + vault.TokenPrefixLength)
+ }
  if err != nil {
  respondError(w, http.StatusInternalServerError, err)
  return

diff --git a/sdk/helper/consts/token_consts.go b/sdk/helper/consts/token_consts.go
@@ -4,7 +4,10 @@
 package consts
 
 const (
- ServiceTokenPrefix = "s."
- BatchTokenPrefix = "b."
- RecoveryTokenPrefix = "r."
+ ServiceTokenPrefix = "hvs."
+ BatchTokenPrefix = "hvb."
+ RecoveryTokenPrefix = "hvr."
+ LegacyServiceTokenPrefix = "s."
+ LegacyBatchTokenPrefix = "b."
+ LegacyRecoveryTokenPrefix = "r."
 )
diff --git a/sdk/logical/request.go b/sdk/logical/request.go
@@ -203,6 +203,10 @@ type Request struct {
  // client token.
  ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""`
 
+ // InboundSSCToken is the token that arrives on an inbound request, supplied
+ // by the vault user.
+ InboundSSCToken string
+
  // When a request has been forwarded, contains information of the host the request was forwarded 'from'
  ForwardedFrom string `json:"forwarded_from,omitempty"`
 }

diff --git a/sdk/logical/token.go b/sdk/logical/token.go
@@ -96,6 +96,10 @@ type TokenEntry struct {
  // ID of this entry, generally a random UUID
  ID string `json:"id" mapstructure:"id" structs:"id" sentinel:""`
 
+ // ExternalID is the ID of a newly created service
+ // token that will be returned to a user
+ ExternalID string `json:"-"`
+
  // Accessor for this token, a random UUID
  Accessor string `json:"accessor" mapstructure:"accessor" structs:"accessor" sentinel:""`