
Hashicorp Vault Token Renewal Initialization Failure #4508

Closed
drcgjung opened this issue Sep 27, 2024 · 2 comments · Fixed by #4512
Labels
triage all new issues awaiting classification

Comments


drcgjung commented Sep 27, 2024

Bug Report

Describe the Bug

Starting TX EDC 0.8.0-RC3 in a local environment (based on EDC 0.10.0-20240918-SNAPSHOT, hence main) outputs a HashiCorp Vault warning in both the control-plane and data-plane images when using a static EDC_VAULT_HASHICORP_TOKEN from the environment.

Expected Behavior

No warning; token refresh should work.

Observed Behavior

WARNING 2024-09-27T14:06:12.663937303 [Hashicorp Vault] Initial token look up failed with reason: Failed to look up token with reason: Unexpected character ('<' (code 60)): expected a valid value (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 1]

Since the initial token lookup failed, the guess is that the refresh does not work either.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Run a local vault with a preconfigured token
  2. Configure a tractus-x image (also tested with TX EDC 0.7.4 --> EDC 0.7.2 - same problem) against the vault using that token in EDC_VAULT_HASHICORP_TOKEN
  3. Start the image and look at the log

Context Information

  • EDC main/0.10.0-20240918-SNAPSHOT inside of TX EDC 0.8.0-RC3
  • hashicorp/vault:>1.17.3 as the vault implementation (the docker "vault" release is stuck at <=1.13.3 as of 7 months ago - see https://hub.docker.com/_/vault)
  • OS: macOS, OrbStack with linux/amd64 Rosetta emulation

Detailed Description

The culprit seems to lie in the HashiCorpVaultClient#isTokenRenewable method, especially when compared to the renewToken implementation.

The TOKEN_LOOK_UP_SELF_PATH is encoded as "v1%2Fauth%2Ftoken%2Flookup-self" and appended to the vault url.
A call is then made to (local cluster sample) "http://vault:8201/v1%2Fauth%2Ftoken%2Flookup-self". The default hashicorp/vault:latest image answers with "200 OK" from a redirection to "http://vault:8201/ui", and the content is HTML, not the expected JSON response (which produces the parsing error/warning seen above).

Possible Implementation

Instead of

        var uri = settings.url()
                .newBuilder()
                .addPathSegment(TOKEN_LOOK_UP_SELF_PATH)
                .build();

it rather should be

        var uri = settings.url()
                .newBuilder()
                .addPathSegments(TOKEN_LOOK_UP_SELF_PATH)
                .build();

so that TOKEN_LOOK_UP_SELF_PATH is split first and only the individual segments are encoded, rather than encoding TOKEN_LOOK_UP_SELF_PATH as a whole.
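
To make the path-encoding difference concrete, here is an added Python example (not EDC's code; it uses only the standard library and mimics the single-segment vs split-segment behaviour of OkHttp's addPathSegment/addPathSegments described above). It also shows the check a client can make before handing a Vault response to the JSON parser, so an HTML body is reported as such rather than as a cryptic parse error; the sample bodies are constructed.

```python
import json
from urllib.parse import quote, urlsplit, urlunsplit

TOKEN_LOOK_UP_SELF_PATH = "v1/auth/token/lookup-self"


def build_url(base_url: str, path: str, split_segments: bool) -> str:
    """Append `path` to `base_url`.

    split_segments=False mimics OkHttp's addPathSegment(): the whole string is
    treated as one segment, so its slashes are percent-encoded as %2F (the buggy call).
    split_segments=True mimics addPathSegments(): the string is split on '/' and
    each segment is encoded on its own (the proposed fix).
    """
    if split_segments:
        encoded = "/".join(quote(seg, safe="") for seg in path.split("/"))
    else:
        encoded = quote(path, safe="")  # safe="" means '/' becomes %2F
    parts = urlsplit(base_url)
    joined = parts.path.rstrip("/") + "/" + encoded
    return urlunsplit((parts.scheme, parts.netloc, joined, parts.query, parts.fragment))


def parse_vault_json(status: int, content_type: str, body: str) -> dict:
    """Parse a Vault API response, refusing bodies that are not JSON.

    A 200 with an HTML body (Vault's UI page reached via redirect) is exactly the
    situation behind the warning in this issue; failing early with a clear message
    beats a generic "Unexpected character ('<')" from the JSON parser.
    """
    if status != 200:
        raise ValueError(f"vault returned HTTP {status}")
    if "application/json" not in content_type.lower() or body.lstrip().startswith("<"):
        raise ValueError(
            f"expected JSON from Vault, got {content_type!r}; "
            "check that the request path is not percent-encoded as a single segment"
        )
    return json.loads(body)


if __name__ == "__main__":
    base = "http://vault:8201"
    print("addPathSegment  ->", build_url(base, TOKEN_LOOK_UP_SELF_PATH, split_segments=False))
    print("addPathSegments ->", build_url(base, TOKEN_LOOK_UP_SELF_PATH, split_segments=True))
    # Constructed HTML body standing in for the Vault UI page.
    try:
        parse_vault_json(200, "text/html; charset=utf-8", "<!DOCTYPE html><html></html>")
    except ValueError as exc:
        print("rejected:", exc)
```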

@github-actions github-actions bot added the triage all new issues awaiting classification label Sep 27, 2024

ndr-brt commented Sep 30, 2024

Hi, thanks for reporting. Would you be able to provide a PR to fix this?

@drcgjung (Contributor, Author)

> Hi, thanks for reporting. Would you be able to provide a PR to fix this?

Sure, will do.

drcgjung added a commit to drcgjung/DataSpaceConnector that referenced this issue Sep 30, 2024
…, not a single segment which encodes the path slashes.
ndr-brt pushed a commit that referenced this issue Oct 9, 2024
* #4508 interpret token self-lookup path as several segments, not a single segment which encodes the path slashes.

* feature: introduce/clone integration test to run against HashiCorp's BSL-licensed product.

* fix: stay with static container/test initialization not to risk multiple vault instances. Courtesy of @paullatzelsperger.

* chore: update DEPs