
Comments (18)

TJM avatar TJM commented on June 16, 2024

Filed a support ticket: 242441 for help on the force_revocable not working as expected. Feel free to shuttle that over to the right folks. :)

from vault-plugin-secrets-artifactory.

alexhung avatar alexhung commented on June 16, 2024

I'm curious why this line doesn't work: https://github.com/jfrog/artifactory-secrets-plugin/blob/master/artifactory.go#L65

I mean it logs the error, and returns it to Vault. Why does Vault think all's well?


TJM avatar TJM commented on June 16, 2024

I think the clue is this:

All revocation operations queued successfully!

"queued" ... so it was added to the revoke queue, Vault got the error (and logged it), but the user was already gone. I guess revoking is not a synchronous operation?


alexhung avatar alexhung commented on June 16, 2024

@TJM Looks like you can force it to be synchronous. See -sync flag. But that doesn't solve the failure in revoking a force_revocable=true token.


TJM avatar TJM commented on June 16, 2024

My findings so far... on Artifactory 7.55.6...

  • Tokens with an expiration time of $THRESHOLD_1 do not seem to appear in the /access/api/v1/tokens output at all (which I find problematic)
  • Tokens with an expiration time of $THRESHOLD_2 do appear, but are not revocable (hence the force_revocable not working)
  • Tokens with an expiration time of $THRESHOLD_3 appear to work as expected

THRESHOLD_1 - 0-3h
THRESHOLD_2 - 3-6h
THRESHOLD_3 - 24h?


alexhung avatar alexhung commented on June 16, 2024

You've bumped into the Artifactory Revocable Expiry Threshold and Persistency Threshold. See this issue in the Terraform Artifactory provider.

The default value for the revocable expiry threshold is 6 hours, and persistency threshold is 3 hours.


alexhung avatar alexhung commented on June 16, 2024

As in the TF provider, I think we need to document extensively in README (and other places?) about these thresholds.


TJM avatar TJM commented on June 16, 2024

It bothers me that there are tokens that can be created and used, but do not appear in the list of tokens. I did just get a useful error message:

{
  "code" : "BAD_REQUEST",
  "message" : "Token not revocable",
  "detail" : "Token not revocable. Token expirationTimeMillis: 1678834566909, issuedAtMillis: 1678820166909, revocableExpiryThresholdMillis: 21600000"
}

... which is 6h... again, by default.. but I also thought that force_revocable was supposed to make that all go away? :)

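To make the threshold arithmetic in the two comments above concrete, here is an added Go example; it is not code from the plugin or from either commenter. It turns the millisecond timestamps from the quoted BAD_REQUEST detail into a token lifetime and places that lifetime in the three buckets TJM observed (not listed / listed but not revocable / revocable). The 6h and 3h defaults are the ones alexhung quotes; the exact inclusive-or-exclusive boundaries and all function and type names are assumptions of this example.

```go
package main

import (
	"fmt"
	"time"
)

// Artifactory defaults as quoted in the thread: a token whose lifetime is
// below the revocable expiry threshold cannot be revoked unless it was
// created with force_revocable, and a token below the persistency threshold
// is not persisted at all (so it never shows up in /access/api/v1/tokens).
const (
	DefaultRevocableExpiryThreshold = 6 * time.Hour
	DefaultPersistencyThreshold     = 3 * time.Hour
)

// TokenClass is how Artifactory treats a token of a given lifetime.
type TokenClass int

const (
	NotPersisted TokenClass = iota // lifetime < persistency threshold
	NotRevocable                   // persistency <= lifetime < revocable threshold
	Revocable                      // lifetime >= revocable threshold
)

func (c TokenClass) String() string {
	switch c {
	case NotPersisted:
		return "not persisted (absent from the token list, not revocable)"
	case NotRevocable:
		return "persisted but not revocable without force_revocable"
	default:
		return "revocable"
	}
}

// Lifetime derives the token lifetime from the two millisecond timestamps
// that Artifactory reports in its "Token not revocable" error detail.
func Lifetime(expirationMillis, issuedAtMillis int64) time.Duration {
	return time.Duration(expirationMillis-issuedAtMillis) * time.Millisecond
}

// Classify places a lifetime in one of the three buckets. The boundary
// handling (strict "<") is an assumption; the thread does not state it.
func Classify(lifetime, persistency, revocable time.Duration) TokenClass {
	switch {
	case lifetime < persistency:
		return NotPersisted
	case lifetime < revocable:
		return NotRevocable
	default:
		return Revocable
	}
}

// RevocableWithoutForce reports whether a lease TTL would be revocable with
// Artifactory's defaults and no force_revocable flag. A secrets plugin could
// run this check when a role is configured and warn up front, instead of
// discovering the BAD_REQUEST only when Vault tries to revoke the lease.
func RevocableWithoutForce(ttl time.Duration) bool {
	return Classify(ttl, DefaultPersistencyThreshold, DefaultRevocableExpiryThreshold) == Revocable
}

func main() {
	// Values copied from the error message quoted in the thread.
	lt := Lifetime(1678834566909, 1678820166909)
	threshold := 21600000 * time.Millisecond
	fmt.Printf("lifetime %s, threshold %s -> %s\n", lt, threshold,
		Classify(lt, DefaultPersistencyThreshold, threshold))

	for _, ttl := range []time.Duration{1 * time.Hour, 4 * time.Hour, 24 * time.Hour} {
		fmt.Printf("ttl %-5s revocable without force_revocable: %v\n", ttl, RevocableWithoutForce(ttl))
	}
}
```

Running it shows the quoted token had a 4h lifetime against a 6h threshold, which is exactly TJM's middle bucket: persisted, so it appears in the list, but not revocable unless force_revocable actually made it into the token.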

alexhung avatar alexhung commented on June 16, 2024

This is me interpreting our own API doc (with the knowledge on how certain phrases are used):

From Artifactory 7.50.3, the "force revocable" flag in the tokens has been removed as a default setting and is now a Boolean parameter called force_revocable in the Create Token REST API. When this parameter is set to true, we will add the force_revocable flag to the token's extension.

Things that jump out at me are:

"force_revocable" flag in the tokens has been removed

This means force_revocable field in the POST body has been removed.

now a Boolean parameter called force_revocable in the Create Token REST API

The word parameter generally refers to URL query parameter. So now I'm curious if this is what we need to do to set it:

POST /access/api/v1/tokens?force_revocable=true

Even though the API doc has no mention of query params.


alexhung avatar alexhung commented on June 16, 2024

And the answer is 'no'. Just tried with setting force_revocable=true as url query param and expires_in=10800. Can't revoke the token.


alexhung avatar alexhung commented on June 16, 2024

Test with this payload:

{
    "grant_type": "client_credentials",
    "username": "admin",
    "scope": "applied-permissions/user applied-permissions/admin",
    "refreshable": false,
    "description": "Test token",
    "audience": "*@*",
    "expires_in": 10800,
    "force_revocable": true
}

And I was able to revoke this token.


TJM avatar TJM commented on June 16, 2024

Hmm, I was wondering about them specifically saying boolean ... our code sets "string" values. I wonder if it is possible to set it as a "-d" (in curl) or if you would have to pass it a json payload? We are also setting "refreshable" to "false" (the string), but I think false is the default, so that is probably not a big deal. We are also setting "expires_in" to the string value of the number of seconds.


alexhung avatar alexhung commented on June 16, 2024

I think we should switch from posting form values to raw text with json. I don't think there's any other way for this to work correctly.


TJM avatar TJM commented on June 16, 2024

I was thinking the same thing, but I was also thinking that I am willing to remove this feature instead ;) ... The "Values" expects strings. We can re-work that or move to submitting json, probably the more correct path


alexhung avatar alexhung commented on June 16, 2024

My vote is move to json.


TJM avatar TJM commented on June 16, 2024

[Screenshot: Screen Shot 2023-03-15 at 9 58 38 AM]


alexhung avatar alexhung commented on June 16, 2024

I posted the same payload but as form values and it doesn't allow me to revoke the token:

curl -L 'http://localhost:8082/access/api/v1/tokens' \
-H 'Authorization: Bearer eyJ2ZXIiOiIy...' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials' \
-d 'username=admin' \
-d 'scope=applied-permissions%2Fuser%20applied-permissions%2Fadmin' \
-d 'refreshable=false' \
-d 'description=Test%20token' \
-d 'audience=*%40*' \
-d 'expires_in=10800' \
-d 'force_revocable=true'

Feels like a bug in the API for form values. Better to use a json payload since that's the more common use case.

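The difference the last few comments turn on (form values carry only strings, a JSON body carries typed booleans and integers) is shown below in an added Go example. It is not the plugin's code and not what was merged; it builds the same payload alexhung tested both ways and constructs the request without sending it. The base URL, the placeholder bearer token and the function and struct names are assumptions of this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strconv"
)

// CreateTokenRequest mirrors the JSON payload that revoked successfully in
// the thread. Note the typed fields: refreshable and force_revocable are
// bool, expires_in is an integer, none of them strings.
type CreateTokenRequest struct {
	GrantType      string `json:"grant_type"`
	Username       string `json:"username"`
	Scope          string `json:"scope"`
	Refreshable    bool   `json:"refreshable"`
	Description    string `json:"description,omitempty"`
	Audience       string `json:"audience,omitempty"`
	ExpiresIn      int64  `json:"expires_in"`
	ForceRevocable bool   `json:"force_revocable"`
}

// FormBody is the x-www-form-urlencoded shape the curl command above sends:
// url.Values can only hold strings, so force_revocable travels as the text
// "true", which is the form that did not yield a revocable token.
func FormBody(r CreateTokenRequest) string {
	v := url.Values{}
	v.Set("grant_type", r.GrantType)
	v.Set("username", r.Username)
	v.Set("scope", r.Scope)
	v.Set("refreshable", strconv.FormatBool(r.Refreshable))
	v.Set("description", r.Description)
	v.Set("audience", r.Audience)
	v.Set("expires_in", strconv.FormatInt(r.ExpiresIn, 10))
	v.Set("force_revocable", strconv.FormatBool(r.ForceRevocable))
	return v.Encode()
}

// JSONBody encodes the same request as JSON with native types.
func JSONBody(r CreateTokenRequest) ([]byte, error) {
	return json.Marshal(r)
}

// NewCreateTokenRequest builds the POST to the Access API with a JSON body.
// baseURL (e.g. "http://localhost:8082") and bearer come from the caller.
func NewCreateTokenRequest(baseURL, bearer string, r CreateTokenRequest) (*http.Request, error) {
	body, err := JSONBody(r)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodPost, baseURL+"/access/api/v1/tokens", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+bearer)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json")
	return req, nil
}

func main() {
	r := CreateTokenRequest{
		GrantType:      "client_credentials",
		Username:       "admin",
		Scope:          "applied-permissions/user applied-permissions/admin",
		Refreshable:    false,
		Description:    "Test token",
		Audience:       "*@*",
		ExpiresIn:      10800,
		ForceRevocable: true,
	}
	fmt.Println("form body:", FormBody(r))
	b, err := JSONBody(r)
	if err != nil {
		panic(err)
	}
	fmt.Println("json body:", string(b))

	// "PLACEHOLDER_TOKEN" stands in for a real admin bearer token.
	req, err := NewCreateTokenRequest("http://localhost:8082", "PLACEHOLDER_TOKEN", r)
	if err != nil {
		panic(err)
	}
	raw, _ := io.ReadAll(req.Body)
	fmt.Println(req.Method, req.URL, req.Header.Get("Content-Type"), string(raw))
}
```

Comparing the two printed bodies makes the point of the thread visible: the form body has `force_revocable=true` as a string token, while the JSON body has `"force_revocable":true` as a boolean, which is what the Create Token doc calls a "Boolean parameter".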

TJM avatar TJM commented on June 16, 2024

Fixed in #52

