Comments (18)
Filed a support ticket: 242441 for help on the force_revocable not working as expected. Feel free to shuttle that over to the right folks. :)
from vault-plugin-secrets-artifactory.
I'm curious why this line doesn't work: https://github.com/jfrog/artifactory-secrets-plugin/blob/master/artifactory.go#L65
I mean it logs the error and returns it to Vault. Why does Vault think all's well?
I think the clue is this:
All revocation operations queued successfully!
"queued" ... so it was added to the revoke queue, Vault got the error (and logged it), but the user was already gone. I guess revoking is not a synchronous operation?
@TJM Looks like you can force it to be synchronous. See -sync flag. But that doesn't solve the failure in revoking a force_revocable=true token.
My findings so far... on Artifactory 7.55.6...
- Tokens with an expiration time of $THRESHOLD_1 do not seem to appear in the /access/api/v1/tokens output at all (which I find problematic)
- Tokens with an expiration time of $THRESHOLD_2 do appear, but are not revocable (hence the force_revocable not working)
- Tokens with an expiration time of $THRESHOLD_3 appear to work as expected
THRESHOLD_1 - 0-3h
THRESHOLD_2 - 3-6h
THRESHOLD_3 - 24h?
You bump into the Artifactory Revocable Expiry Threshold and Persistency Threshold. See this issue in the Terraform Artifactory provider.
The default value for the revocable expiry threshold is 6 hours, and persistency threshold is 3 hours.
As in the TF provider, I think we need to document extensively in README (and other places?) about these thresholds.
It bothers me that there are tokens that can be created and used, but do not appear in the list of tokens. I did just get a useful error message:
{
"code" : "BAD_REQUEST",
"message" : "Token not revocable",
"detail" : "Token not revocable. Token expirationTimeMillis: 1678834566909, issuedAtMillis: 1678820166909, revocableExpiryThresholdMillis: 21600000"
}
... which is 6h... again, by default.. but I also thought that force_revocable was supposed to make that all go away? :)
This is me interpreting our own API doc (with the knowledge of how certain phrases are used):
From Artifactory 7.50.3, the "force revocable" flag in the tokens has been removed as a default setting and is now a Boolean parameter called force_revocable in the Create Token REST API. When this parameter is set to true, we will add the force_revocable flag to the token's extension.
Things that jump out at me are:
"force_revocable" flag in the tokens has been removed
This means the force_revocable field in the POST body has been removed.
now a Boolean parameter called force_revocable in the Create Token REST API
The word parameter generally refers to a URL query parameter. So now I'm curious if this is what we need to do to set it:
POST /access/api/v1/tokens?force_revocable=true
even though the API doc has no mention of query params.
And the answer is 'no'. Just tried with setting force_revocable=true as url query param and expires_in=10800. Can't revoke the token.
Test with this payload:
{
"grant_type": "client_credentials",
"username": "admin",
"scope": "applied-permissions/user applied-permissions/admin",
"refreshable": false,
"description": "Test token",
"audience": "*@*",
"expires_in": 10800,
"force_revocable": true
}
And I was able to revoke this token.
Hmm, I was wondering about them specifically saying boolean ... our code sets "string" values. I wonder if it is possible to set it as a "-d" (in curl) or if you would have to pass it a json payload? We are also setting "refreshable" to "false" (the string), but I think false is the default, so that is probably not a big deal. We are also setting "expires_in" to the string value of the number of seconds.
I think we should switch from posting form values to raw text with json. I don't think there's any other way for this to work correctly.
I was thinking the same thing, but I was also thinking that I am willing to remove this feature instead ;) ... The "Values" expects strings. We can re-work that or move to submitting json, probably the more correct path
My vote is move to json.
I posted the same payload but as form values and it doesn't allow me to revoke the token:
curl -L 'http://localhost:8082/access/api/v1/tokens' \
-H 'Authorization: Bearer eyJ2ZXIiOiIy...' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials' \
-d 'username=admin' \
-d 'scope=applied-permissions%2Fuser%20applied-permissions%2Fadmin' \
-d 'refreshable=false' \
-d 'description=Test%20token' \
-d 'audience=*%40*' \
-d 'expires_in=10800' \
-d 'force_revocable=true'
Feels like a bug in the API for form values. Better to use a json payload since that's the more common use case.
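As an added illustration, not code from the plugin or from anyone in this thread, here is the shape the fix takes in Go: the Create Token body marshalled as JSON with a real boolean force_revocable and integer expires_in (form values can only carry strings, which the curl experiment above shows the API does not honour), plus a parser for the "Token not revocable" error quoted earlier that turns its millisecond fields into the token lifetime and the server's revocable-expiry threshold so a revoke failure can be logged with its cause. The names createTokenRequest, encodeCreateToken and explainRevokeError are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// createTokenRequest is the JSON body for POST /access/api/v1/tokens. Booleans and
// integers are real JSON types here; url.Values would have sent them as strings.
type createTokenRequest struct {
	GrantType      string `json:"grant_type"`
	Username       string `json:"username,omitempty"`
	Scope          string `json:"scope,omitempty"`
	Refreshable    bool   `json:"refreshable"`
	ExpiresIn      int    `json:"expires_in,omitempty"`
	ForceRevocable bool   `json:"force_revocable,omitempty"`
}

// encodeCreateToken renders the body to send with Content-Type: application/json.
func encodeCreateToken(r createTokenRequest) (string, error) {
	b, err := json.Marshal(r)
	return string(b), err
}

// accessError is the error document Artifactory returns when a revoke is refused.
type accessError struct {
	Code    string `json:"code"`
	Message string `json:"message"`
	Detail  string `json:"detail"`
}

var millisRe = regexp.MustCompile(`(\w+Millis): (\d+)`)
// explainRevokeError parses a "Token not revocable" response and returns the token
// lifetime beside the server's revocable-expiry threshold, so the refusal can be logged.
func explainRevokeError(body []byte) (lifetime, threshold time.Duration, err error) {
	var e accessError
	if uerr := json.Unmarshal(body, &e); uerr != nil || e.Message != "Token not revocable" {
		return 0, 0, fmt.Errorf("not a revocable-threshold error: %s %s (%v)", e.Code, e.Message, uerr)
	}
	ms := map[string]int64{}
	for _, m := range millisRe.FindAllStringSubmatch(e.Detail, -1) {
		ms[m[1]], _ = strconv.ParseInt(m[2], 10, 64)
	}
	lifetime = time.Duration(ms["expirationTimeMillis"]-ms["issuedAtMillis"]) * time.Millisecond
	threshold = time.Duration(ms["revocableExpiryThresholdMillis"]) * time.Millisecond
	return lifetime, threshold, nil
}
```

For the error body quoted earlier in the thread the parser reports a 4h lifetime against a 6h threshold, which matches the default revocable expiry threshold mentioned above.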
Fixed in #52