API changes in vault 0.10.0 cause test to fail.

Bug #1788375 reported by Moisés Guimarães de Medeiros
Affects | Status | Importance | Assigned to | Milestone
castellan | Fix Committed | Undecided | Moisés Guimarães de Medeiros |
python-castellan (Ubuntu) | Fix Released | Medium | James Page |

Bug Description

Since Vault 0.10.0 the K/V engine is versioned by default and returns the following warning:

Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation.

The warning can be seen at:

$ curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{"value": "bar"}' \
    http://127.0.0.1:8200/v1/secret/foo

### Formatted JSON Data returned by curl
{
  "request_id":"48b76803-c396-8f71-0d98-b5949478de2c",
  "lease_id":"",
  "renewable":false,
  "lease_duration":0,
  "data":null,
  "wrap_info":null,
  "warnings":[
    "Invalid path for a versioned K/V secrets engine. See the API docs for the appropriate API endpoints to use. If using the Vault CLI, use 'vault kv put' for this operation."
  ],
  "auth":null
}

---

The VaultKeyManager._store_key_value method doesn't care for the "warnings" value and just returns the key_id, but the data was actually not stored.

The required fixes are in the URL (add 'data/' after secret/) and the request data is now {"data":{...}} instead of just {...}.

$ curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{"data":{"value": "bar"}}' \
    http://127.0.0.1:8200/v1/secret/data/foo

### Formatted JSON Data returned by curl
{
  "request_id":"087e314a-c2aa-7261-f004-99f07783e14f",
  "lease_id":"",
  "renewable":false,
  "lease_duration":0,
  "data":{
    "created_time":"2018-08-22T09:58:47.245643874Z",
    "deletion_time":"",
    "destroyed":false,
    "version":1
  },
  "wrap_info":null,
  "warnings":null,
  "auth":null
}

The equivalent fixes are also required in VaultKeyManager.get().

Tags: vault
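
The failure mode in the description above (a write that returns a "warnings" list and no data, yet is treated as stored) can be caught by validating the response before returning a key id. The following is an added example, not castellan's code: the function names, the `post` transport hook, the `mount` parameter and the fake server are assumptions constructed from the two responses shown in the report.

```python
import json

class VaultWriteError(Exception):
    """Vault accepted the request but did not store the secret."""

def kv2_write_request(base_url, mount, key, secret):
    """URL and JSON body for a write to a versioned (v2) K/V engine."""
    url = "{}/v1/{}/data/{}".format(base_url.rstrip("/"), mount.strip("/"), key.lstrip("/"))
    return url, {"data": secret}

def check_write_response(body):
    """Return the stored version; raise if Vault warned or sent no metadata."""
    resp = json.loads(body)
    if resp.get("warnings"):
        raise VaultWriteError("; ".join(resp["warnings"]))
    data = resp.get("data")
    if not data or "version" not in data:
        raise VaultWriteError("response carries no version metadata")
    return data["version"]

def store_secret(post, base_url, mount, key, secret, token):
    """post(url, headers, payload) -> response text; hypothetical transport hook."""
    url, payload = kv2_write_request(base_url, mount, key, secret)
    return check_write_response(post(url, {"X-Vault-Token": token}, payload))

# Constructed stand-in for a Vault >= 0.10.0 server, modelled on the two
# responses in the report; it is not a real Vault client or server.
WARNING = ("Invalid path for a versioned K/V secrets engine. See the API docs "
           "for the appropriate API endpoints to use. If using the Vault CLI, "
           "use 'vault kv put' for this operation.")

def fake_vault_post(url, headers, payload):
    if "/v1/secret/data/" in url and "data" in payload:
        return json.dumps({"data": {"version": 1, "destroyed": False}, "warnings": None})
    return json.dumps({"data": None, "warnings": [WARNING]})

def old_style_write_is_rejected():
    """The pre-0.10.0 path and body must surface as an error, not a key id."""
    body = fake_vault_post("http://127.0.0.1:8200/v1/secret/foo", {}, {"value": "bar"})
    try:
        check_write_response(body)
    except VaultWriteError:
        return True
    return False

if __name__ == "__main__":
    print(store_secret(fake_vault_post, "http://127.0.0.1:8200", "secret", "foo",
                       {"value": "bar"}, "constructed-token"))
    print(old_style_write_is_rejected())
```
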
Moisés Guimarães de Medeiros (moguimar) wrote :

VaultKeyManager.delete() and VaultKeyManager.list() also need fixing.

Changed in castellan:
status: New → Confirmed
Changed in castellan:
assignee: nobody → Moisés Guimarães de Medeiros (moguimar)
Changed in castellan:
status: Confirmed → Fix Committed
James Page (james-page)
Changed in python-castellan (Ubuntu):
status: New → Triaged
assignee: nobody → James Page (james-page)
importance: Undecided → Medium
James Page (james-page)
Changed in python-castellan (Ubuntu):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-castellan - 0.19.0-0ubuntu2

---------------
python-castellan (0.19.0-0ubuntu2) cosmic; urgency=medium

  * d/p/0001-Fix-Vault-K-V-API-compatibility.patchi,
        0002-Add-method-to-wrap-HashiCorp-Vault-HTTP-API-calls.patch:
    Resolve issues with compatibility with Vault 0.10.0 where the KV engine
    is versioned by default (LP: #1788375).
  * d/p/0003-vault-add-AppRole-support.patch: Add support for Vault
    AppRole authentication (LP: #1796851).
  * d/p/0004-vault-support-configuration-of-KV-mountpoint.patch: Add support
    for configuration of the KV mountpoint to use in Vault (LP: #1797148).

 -- James Page <email address hidden> Thu, 11 Oct 2018 12:21:17 +0100

Changed in python-castellan (Ubuntu):
status: In Progress → Fix Released