From fe65481f9b3f25bf32acb1e81040bd2722c10715 Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Fri, 13 May 2022 15:36:22 -0400
Subject: [PATCH 1/7] VAULT-5885: Fix erroneous success message in case of two-phase MFA, and provide MFA information in table format

---
 command/format.go | 11 +++++++++++
 command/login.go | 25 ++++++++++++++++---------
 2 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/command/format.go b/command/format.go
index 314090136085..e5253d5337b9 100644
--- a/command/format.go
+++ b/command/format.go
@@ -401,6 +401,17 @@ func (t TableFormatter) OutputSecret(ui cli.Ui, secret *api.Secret) error {
 		for k, v := range secret.Auth.Metadata {
 			out = append(out, fmt.Sprintf("token_meta_%s %s %v", k, hopeDelim, v))
 		}
+
+		if secret.Auth.MFARequirement != nil {
+			out = append(out, fmt.Sprintf("mfa_request_id %s %s", hopeDelim, secret.Auth.MFARequirement.MFARequestID))
+
+			for k, constraintSet := range secret.Auth.MFARequirement.MFAConstraints {
+				for _, constraint := range constraintSet.Any {
+					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_id %s %s", k, constraint.Type, hopeDelim, constraint.ID))
+					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_uses_passcode %s %t", k, constraint.Type, hopeDelim, constraint.UsesPasscode))
+				}
+			}
+		}
 	}
 
 	if secret.WrapInfo != nil {
diff --git a/command/login.go b/command/login.go
index 4a56075e43ee..fc2a0f7e6a59 100644
--- a/command/login.go
+++ b/command/login.go
@@ -240,6 +240,10 @@ func (c *LoginCommand) Run(args []string) int {
 		c.UI.Warn(wrapAtLength("A login request was issued that is subject to "+
 			"MFA validation. Please make sure to validate the login by sending another "+
 			"request to sys/mfa/validate endpoint.") + "\n")
+
+		// We return early to prevent success message from being printed
+		c.checkForAndWarnAboutLoginToken()
+		return OutputSecret(c.UI, secret)
 	}
 
 	// Unset any previous token wrapping functionality. If the original request
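Review bot: The `mfa_constraint_*` rows are emitted in whatever order `range secret.Auth.MFARequirement.MFAConstraints` yields; since `k` is printed with `%s` this looks like a string-keyed map, and Go map iteration order is randomized, so the table output will differ from run to run for the same response. Collect the keys, sort them, and range over the sorted slice before the inner loop (this needs `sort` in format.go's import block if it is not already there); if the map's values are pointers, a nil `constraintSet` would also panic at `constraintSet.Any`, so a guard there is worth confirming against the `api` type. `OutputSecret` starts and ends outside this hunk.

```go
			keys := make([]string, 0, len(secret.Auth.MFARequirement.MFAConstraints))
			for k := range secret.Auth.MFARequirement.MFAConstraints {
				keys = append(keys, k)
			}
			sort.Strings(keys) // deterministic row order; map iteration is randomized
			for _, k := range keys {
				constraintSet := secret.Auth.MFARequirement.MFAConstraints[k]
				// … unchanged: inner loop over constraintSet.Any …
			}
```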
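Review bot: The new early `return OutputSecret(c.UI, secret)` routes the MFA-pending response through the ordinary output path without consulting `c.flagTokenOnly` (visible later in Run), so `vault login -token-only ...` against a two-phase-MFA auth method will print a whole secret rather than a token and, presumably, exit with OutputSecret's success status — the machine-readable equivalent of the misleading message this commit removes for humans. Consider giving callers a distinct outcome here, e.g. `if c.flagTokenOnly { c.UI.Error("login requires MFA validation; no token has been issued yet"); return 2 }` before the early return, or document that the exit status on this path does not mean a token was stored. Skipping the token helper is correct since there is no token to store yet, but the comment `// We return early to prevent success message from being printed` should say that too, e.g. `// No token has been issued yet: skip the token helper and the success message, and show the MFA requirement instead`. Run starts and ends outside this hunk.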
@@ -302,15 +306,7 @@ func (c *LoginCommand) Run(args []string) int {
 			return 2
 		}
 
-		// Warn if the VAULT_TOKEN environment variable is set, as that will take
-		// precedence. We output as a warning, so piping should still work since it
-		// will be on a different stream.
-		if os.Getenv("VAULT_TOKEN") != "" {
-			c.UI.Warn(wrapAtLength("WARNING! The VAULT_TOKEN environment variable "+
-				"is set! This takes precedence over the value set by this command. To "+
-				"use the value set by this command, unset the VAULT_TOKEN environment "+
-				"variable or set it to the token displayed below.") + "\n")
-		}
+		c.checkForAndWarnAboutLoginToken()
 	} else if !c.flagTokenOnly {
 		// If token-only the user knows it won't be stored, so don't warn
 		c.UI.Warn(wrapAtLength(
@@ -372,3 +368,14 @@ func (c *LoginCommand) extractToken(client *api.Client, secret *api.Secret, unwr
 		return nil, false, fmt.Errorf("no auth or wrapping info in response")
 	}
 }
+
+// Warn if the VAULT_TOKEN environment variable is set, as that will take
+// precedence. We output as a warning, so piping should still work since it
+// will be on a different stream.
+func (c *LoginCommand) checkForAndWarnAboutLoginToken() {
+	if os.Getenv("VAULT_TOKEN") != "" {
+		c.UI.Warn(wrapAtLength("WARNING! The VAULT_TOKEN environment variable "+
+			"is set! The value of this variable will take precedence; if this is unwanted "+
+			"please unset VAULT_TOKEN or update its value accordingly.") + "\n")
+	}
+}

From 17df0c31e72706ef75311df2b92f1c44e695931e Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Fri, 13 May 2022 15:43:01 -0400
Subject: [PATCH 2/7] VAULT-5885 Add changelog

---
 changelog/15428.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/15428.txt

diff --git a/changelog/15428.txt b/changelog/15428.txt
new file mode 100644
index 000000000000..25ab06502072
--- /dev/null
+++ b/changelog/15428.txt
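Review bot: `checkForAndWarnAboutLoginToken` only inspects `os.Getenv("VAULT_TOKEN")` — it never looks at the token the login just produced — so the name promises more than the body does, and the doc comment does not start with the function name as Go doc convention expects. A name such as `warnIfVaultTokenEnvSet` with a comment like `// warnIfVaultTokenEnvSet prints a warning when VAULT_TOKEN is set in the environment, because the CLI uses that variable in preference to any token this command stores or prints; it is a warning so stdout stays pipeable.` would make the contract obvious at both call sites. Since the helper is now also called on the MFA-pending path, the message's "will take precedence" applies to the follow-up validation request as well; if that is intended, saying so in the comment would save the next reader a trip through Run.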
@@ -0,0 +1,3 @@
+```release-note:bug
+login/mfa: Fixed erroneous success message in case of two-phase MFA, and fixed MFA information missing from table format.
+```
\ No newline at end of file

From 0259b56c8ebeff51c535cfe5eb54b344f3254318 Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Mon, 16 May 2022 09:15:47 -0400
Subject: [PATCH 3/7] VAULT-5885 Update changelog as per PR comments

---
 changelog/15428.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog/15428.txt b/changelog/15428.txt
index 25ab06502072..153e8f8888bb 100644
--- a/changelog/15428.txt
+++ b/changelog/15428.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-login/mfa: Fixed erroneous success message in case of two-phase MFA, and fixed MFA information missing from table format.
+login/mfa: Fixed erroneous success message when using vault login in case of two-phase MFA, and fixed MFA information missing from table format when using vault login.
 ```
\ No newline at end of file

From 50316cbd13eac10401a457febb07e1ecdf7dfc26 Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Mon, 16 May 2022 09:39:23 -0400
Subject: [PATCH 4/7] VAULT-5885 Update changelog category to just 'auth'

---
 changelog/15428.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog/15428.txt b/changelog/15428.txt
index 153e8f8888bb..13491bd1c810 100644
--- a/changelog/15428.txt
+++ b/changelog/15428.txt
@@ -1,3 +1,3 @@
 ```release-note:bug
-login/mfa: Fixed erroneous success message when using vault login in case of two-phase MFA, and fixed MFA information missing from table format when using vault login.
+auth: Fixed erroneous success message when using vault login in case of two-phase MFA, and fixed MFA information missing from table format when using vault login.
 ```
\ No newline at end of file

From 91e49822227a11e1c6d7492fc6ee2b3356a04142 Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Mon, 16 May 2022 13:15:59 -0400
Subject: [PATCH 5/7] VAULT-5885 Hide useless token info in two-phase MFA case

---
 command/format.go | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/command/format.go b/command/format.go
index e5253d5337b9..fd065db1724f 100644
--- a/command/format.go
+++ b/command/format.go
@@ -385,23 +385,6 @@ func (t TableFormatter) OutputSecret(ui cli.Ui, secret *api.Secret) error {
 	}
 
 	if secret.Auth != nil {
-		out = append(out, fmt.Sprintf("token %s %s", hopeDelim, secret.Auth.ClientToken))
-		out = append(out, fmt.Sprintf("token_accessor %s %s", hopeDelim, secret.Auth.Accessor))
-		// If the lease duration is 0, it's likely a root token, so output the
-		// duration as "infinity" to clear things up.
-		if secret.Auth.LeaseDuration == 0 {
-			out = append(out, fmt.Sprintf("token_duration %s %s", hopeDelim, "∞"))
-		} else {
-			out = append(out, fmt.Sprintf("token_duration %s %v", hopeDelim, humanDurationInt(secret.Auth.LeaseDuration)))
-		}
-		out = append(out, fmt.Sprintf("token_renewable %s %t", hopeDelim, secret.Auth.Renewable))
-		out = append(out, fmt.Sprintf("token_policies %s %q", hopeDelim, secret.Auth.TokenPolicies))
-		out = append(out, fmt.Sprintf("identity_policies %s %q", hopeDelim, secret.Auth.IdentityPolicies))
-		out = append(out, fmt.Sprintf("policies %s %q", hopeDelim, secret.Auth.Policies))
-		for k, v := range secret.Auth.Metadata {
-			out = append(out, fmt.Sprintf("token_meta_%s %s %v", k, hopeDelim, v))
-		}
-
 		if secret.Auth.MFARequirement != nil {
 			out = append(out, fmt.Sprintf("mfa_request_id %s %s", hopeDelim, secret.Auth.MFARequirement.MFARequestID))
 
@@ -411,6 +394,23 @@ func (t TableFormatter) OutputSecret(ui cli.Ui, secret *api.Secret) error {
 					out = append(out, fmt.Sprintf("mfa_constraint_%s_%s_uses_passcode %s %t", k, constraint.Type, hopeDelim, constraint.UsesPasscode))
 				}
 			}
+		} else { // Token information only makes sense if no further MFA requirement (i.e. if we actually have a token)
+			out = append(out, fmt.Sprintf("token %s %s", hopeDelim, secret.Auth.ClientToken))
+			out = append(out, fmt.Sprintf("token_accessor %s %s", hopeDelim, secret.Auth.Accessor))
+			// If the lease duration is 0, it's likely a root token, so output the
+			// duration as "infinity" to clear things up.
+			if secret.Auth.LeaseDuration == 0 {
+				out = append(out, fmt.Sprintf("token_duration %s %s", hopeDelim, "∞"))
+			} else {
+				out = append(out, fmt.Sprintf("token_duration %s %v", hopeDelim, humanDurationInt(secret.Auth.LeaseDuration)))
+			}
+			out = append(out, fmt.Sprintf("token_renewable %s %t", hopeDelim, secret.Auth.Renewable))
+			out = append(out, fmt.Sprintf("token_policies %s %q", hopeDelim, secret.Auth.TokenPolicies))
+			out = append(out, fmt.Sprintf("identity_policies %s %q", hopeDelim, secret.Auth.IdentityPolicies))
+			out = append(out, fmt.Sprintf("policies %s %q", hopeDelim, secret.Auth.Policies))
+			for k, v := range secret.Auth.Metadata {
+				out = append(out, fmt.Sprintf("token_meta_%s %s %v", k, hopeDelim, v))
+			}
 		}
 	}
 

From 3b9d81ad51f6f07bc56009d7561f15374cf962b4 Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Mon, 16 May 2022 14:52:07 -0400
Subject: [PATCH 6/7] VAULT-5885 Update changelog to reflect token info now no longer present

---
 changelog/15428.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/changelog/15428.txt b/changelog/15428.txt
index 13491bd1c810..6b2eee54838e 100644
--- a/changelog/15428.txt
+++ b/changelog/15428.txt
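Review bot: The reason for hiding the token fields is tucked onto `} else { // Token information only makes sense if no further MFA requirement (i.e. if we actually have a token)`, a trailing remark far wider than the surrounding code and easy to miss when scanning the branch structure; put it on its own line above, e.g. `// A response that still carries an MFA requirement has no usable token yet, so the token fields are printed only when no further MFA step is pending.` followed by a bare `} else {`. The `// If the lease duration is 0, it's likely a root token` comment is moved rather than new, so nothing to change there. Note this hunk only changes `TableFormatter`; if the JSON/YAML formatters still serialise the empty `token`/`token_accessor` fields on the MFA-pending response, `-format=json` users see the inconsistency this commit fixes for the table, which is worth checking separately. `OutputSecret` starts and ends outside this hunk.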
@@ -1,3 +1,3 @@
 ```release-note:bug
-auth: Fixed erroneous success message when using vault login in case of two-phase MFA, and fixed MFA information missing from table format when using vault login.
+auth: Fixed erroneous success message and token info when using vault login in case of two-phase MFA, and fixed MFA information missing from table format when using vault login.
 ```
\ No newline at end of file

From 45ce67fd15a50f17f01d1aaa7434f0643ef911ee Mon Sep 17 00:00:00 2001
From: Violet Hynes
Date: Tue, 17 May 2022 13:01:43 -0400
Subject: [PATCH 7/7] VAULT-5885 split up changelog into three blocks

---
 changelog/15428.txt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/changelog/15428.txt b/changelog/15428.txt
index 6b2eee54838e..2c4a4a5f0960 100644
--- a/changelog/15428.txt
+++ b/changelog/15428.txt
@@ -1,3 +1,9 @@
 ```release-note:bug
-auth: Fixed erroneous success message and token info when using vault login in case of two-phase MFA, and fixed MFA information missing from table format when using vault login.
+auth: Fixed erroneous success message when using vault login in case of two-phase MFA
+```
+```release-note:bug
+auth: Fixed erroneous token information being displayed when using vault login in case of two-phase MFA
+```
+```release-note:bug
+auth: Fixed two-phase MFA information missing from table format when using vault login
 ```
\ No newline at end of file