Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3007.x] Fixing vault client unwrap function to respect server.verify option. #66215

Merged
merged 2 commits into from
Oct 21, 2024
Merged

[3007.x] Fixing vault client unwrap function to respect server.verify option. #66215

merged 2 commits into from
Oct 21, 2024

Conversation

voyvodov
Copy link
Contributor

What does this PR do?

Currently VaultClient.unwrap is doing own request call without respecting verify option. Any other function is reusing self.request or self.raw_request function which are respecting correctly verify opt. This will change unwrap function to also utilize self.post() which is reusing self.request.

What issues does this PR fix or reference?

Fixes: #66213

Previous Behavior

Vault module not working with self-signed certificate on disk or verify: False

New Behavior

Vault modules works as expected.

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Commits signed with GPG?

Yes

@voyvodov voyvodov requested a review from a team as a code owner March 12, 2024 14:18
@voyvodov voyvodov requested review from twangboy and removed request for a team March 12, 2024 14:18
@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title Fixing vault client unwrap function to respect server.verify option. [master] Fixing vault client unwrap function to respect server.verify option. Mar 12, 2024
@twangboy
Copy link
Contributor

Hey @voyvodov, thanks for the submission. Would you mind writing a test case for this?

@lkubb
Copy link
Contributor

lkubb commented Mar 12, 2024

Ah, we fixed this in the saltext, but forgot to port it here. The correct fix would be to just pass the verify option since unwrap requests do not need to be authenticated. salt-extensions/saltext-vault#32

@voyvodov
Copy link
Contributor Author

Ah, we fixed this in the saltext, but forgot to port it here. The correct fix would be to just pass the verify option since unwrap requests do not need to be authenticated. salt-extensions/saltext-vault#32

But why making this different? If we don't need auth, why not just removing the headers? This why, if there is need to change something in the way requests are made, a single place will be touched, not "search-and-replace".

@lkubb
Copy link
Contributor

lkubb commented Mar 12, 2024

On a second thought, you might be right. I don't remember the specifics of why I implemented unwrapping in this way tbh, but it was intentional at the time. Suspected it was about limiting token usage or some chicken-and-egg problem, but that doesn't hold up when reflecting on the code.

This patch (necessarily) duplicates some light calls regarding header rendering (_get_headers), but should be fine otherwise if all tests pass. Maybe it really was just about efficiency. Thanks for taking the time to fix this. :)

@voyvodov
Copy link
Contributor Author

Hey @voyvodov, thanks for the submission. Would you mind writing a test case for this?

Added a small test which verifies that unwrap is respecting verify option correctly

@lkubb
Copy link
Contributor

lkubb commented Mar 13, 2024

This should be targeted at the 3007.x branch though, master will become 3008, which - as it stands - will not contain the vault modules when released.

@voyvodov voyvodov changed the base branch from master to 3007.x March 13, 2024 14:20
@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title [master] Fixing vault client unwrap function to respect server.verify option. [3007.x] Fixing vault client unwrap function to respect server.verify option. Mar 13, 2024
@twangboy
Copy link
Contributor

Looks like you have some pre-commit failures

@voyvodov
Copy link
Contributor Author

Looks like you have some pre-commit failures

Fixed. I'm not sure why it wasn't catched during the last push

@lkubb lkubb mentioned this pull request May 28, 2024
Closed
@dwoz dwoz merged commit d7b4d10 into saltstack:3007.x Oct 21, 2024
502 checks passed
@dmurphy18
Copy link
Contributor

@voyvodov You might want to check and see if you need to implement the same changes to the salt-extension for Vault, which has better support for Vault, see https://github.com/salt-extensions/saltext-vault. Eventually this will be the preferred solution in Salt 3008

@voyvodov
Copy link
Contributor Author

@voyvodov You might want to check and see if you need to implement the same changes to the salt-extension for Vault, which has better support for Vault, see https://github.com/salt-extensions/saltext-vault. Eventually this will be the preferred solution in Salt 3008

It's already there.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lkubb lkubb lkubb left review comments

@twangboy twangboy twangboy approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] New Vault module doesn't respect verify option (3007.0)
5 participants
@voyvodov @twangboy @lkubb @dmurphy18 @dwoz