Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make sys/wrapping/lookup unauthenticated. #3084

Merged
merged 1 commit into from
Jul 31, 2017
Merged

Make sys/wrapping/lookup unauthenticated. #3084

merged 1 commit into from
Jul 31, 2017

Conversation

jefferai
Copy link
Member

We still perform validation on the token, so if the call makes it
through to this endpoint it's got a valid token (either explicitly
specified in data or as the request token). But this allows
introspection for sanity/safety checking without revoking the token in
the process.

@jefferai
Make sys/wrapping/lookup unauthenticated.
305648b 
We still perform validation on the token, so if the call makes it
through to this endpoint it's got a valid token (either explicitly
specified in data or as the request token). But this allows
introspection for sanity/safety checking without revoking the token in
the process.
@jefferai jefferai added this to the 0.8.0 milestone Jul 31, 2017
@jefferai jefferai requested review from calvn and briankassouf July 31, 2017 20:11
briankassouf
briankassouf reviewed Jul 31, 2017
View reviewed changes
vault/policy_store.go
// wrapping can always succeed. Note that sys/wrapping/lookup isn't
// contained here because using it would revoke the token anyways, so there
// isn't much point.
// wrapping can always succeed.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add sys/wrapping/lookup to this policy now?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't need it! Because it's unauthenticated.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doh!

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wrapping validation function tests the validity of the token itself, but we then bypass the policy checks because it's an unauth endpoint. That's how we get around the use count decrementing.

We could make it an auth endpoint and add that policy but then we need to hard code exclusions from use count decrementing. Which doesn't seem great either.

briankassouf
briankassouf approved these changes Jul 31, 2017
View reviewed changes
Copy link
Contributor

@briankassouf briankassouf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@jefferai jefferai merged commit d313e40 into master Jul 31, 2017
@jefferai jefferai deleted the wrapping-unauth-lookup branch July 31, 2017 20:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briankassouf briankassouf briankassouf approved these changes

@calvn calvn calvn approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.8.0
Development

Successfully merging this pull request may close these issues.
3 participants
@jefferai @calvn @briankassouf