Backport of Respect increment value in grace period calculations (api/LifetimeWatcher) into release/1.9.x #14938

hc-github-team-secure-vault-core

Backport

This PR is auto-generated from #14836 to be assessed for backporting due to the inclusion of the label backport/1.9.x.

WARNING automatic cherry-pick of commits failed. Commits will require human attention.

The below text is copied from the body of the original PR.


Fixes: #14638

Background

api.LifetimeWatcher is a tool that helps to monitor and periodically renew expiring token or credential leases. It determines a grace period based on a given lease duration and attempts to renew the lease within the grace period. The callers of LifetimeWatcher can optionally specify an Increment value in seconds, which is sent to the Vault server and is meant to override the token's TTL value, if respected by the server.

The issue

This means that for long-lived leases, a client cannot submit its own increment value that is less than the lease's grace period without triggering an immediate return (without sleeping).

Change

This PR will make sure that the grace period is calculated based on the minimum of the remaining lease duration & interval (if specified).

How was this tested

I added a short_increment_duration test to renewer_test.go.

Additionally, I was able to successfully reproduce the issue in hello-vault-go. Before the fix, setting an increment value lower than the token's actual TTL resulted in an early renewal and the following error every time renew was called:

URL: PUT http://vault-server:8200/v1/sys/wrapping/unwrap
Code: 400. Errors:

* wrapping token is not valid or does not exist. If the AppRoleAuth struct was initialized with the WithWrappingToken LoginOption, then the secret ID's filepath should be a path to a response-wrapping token

When I built against this branch, the error disappeared and the renew period was updated to the increment value minus grace period as expected.
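As an added illustration, not the project's code and not the backported change itself, the following Go model shows the grace-period arithmetic the PR body describes: grace is assumed to be a flat tenth of the duration it is derived from (the real watcher's random jitter is left out), and all function names and the sample lease/increment values are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// grace models the watcher's grace period as a flat tenth of the duration
// it is derived from (assumption for this illustration; the real watcher
// also adds random jitter, which is omitted here).
func grace(d time.Duration) time.Duration {
	if d <= 0 {
		return 0
	}
	return d / 10
}

// renewPeriod is the window the watcher schedules against: the remaining
// lease, capped by the caller's increment when one is given and shorter.
func renewPeriod(remaining, increment time.Duration) time.Duration {
	if increment > 0 && increment < remaining {
		return increment
	}
	return remaining
}

// sleepBeforeFix derives grace from the full remaining lease. For a long
// lease and a short increment the result goes negative, so the watcher
// returns immediately instead of sleeping (the behaviour from #14638).
func sleepBeforeFix(remaining, increment time.Duration) time.Duration {
	return renewPeriod(remaining, increment) - grace(remaining)
}

// sleepAfterFix derives grace from min(remaining, increment), so the sleep
// becomes the increment minus a grace period sized to that increment.
func sleepAfterFix(remaining, increment time.Duration) time.Duration {
	p := renewPeriod(remaining, increment)
	return p - grace(p)
}

func main() {
	remaining := 768 * time.Hour  // constructed: a long-lived lease (32 days)
	increment := 60 * time.Second // constructed: caller asks to renew every minute
	fmt.Println("before fix:", sleepBeforeFix(remaining, increment)) // negative
	fmt.Println("after fix: ", sleepAfterFix(remaining, increment))  // 54s
}
```

With no increment given, both variants derive grace from the remaining lease and produce the same sleep, which is the case the fix leaves untouched.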

@hc-github-team-secure-vault-core hc-github-team-secure-vault-core force-pushed the backport/averche/lifetime-watcher-increment/fully-magical-tick branch from f7f73bb to ff0b8a4 Compare April 6, 2022 17:05
@averche averche merged commit cd8cad9 into release/1.9.x Apr 15, 2022
@averche averche deleted the backport/averche/lifetime-watcher-increment/fully-magical-tick branch April 15, 2022 20:20