Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UI: Fix token renewal breaking policy checks #29416

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

UI: Fix token renewal breaking policy checks #29416

wants to merge 1 commit into from
+11 −6

Conversation

hellobontempo
Copy link
Contributor

Description

The UI makes a lot of inferences based on the shape of the auth response we receive. The UI relies on the namespace_path from the auth response to set the user's root namespace which is then used to calculate capabilities.

vault/ui/app/adapters/capabilities.js

Lines 16 to 30 in dcdbacd

/*
users don't always have access to the capabilities-self endpoint in the current namespace,
this can happen when logging in to a namespace and then navigating to a child namespace.
adding "relativeNamespace" to the path and/or "this.namespaceService.userRootNamespace"
to the request header ensures we are querying capabilities-self in the user's root namespace,
which is where they are most likely to have their policy/permissions.
*/
_formatPath(path) {
const { relativeNamespace } = this.namespaceService;
if (!relativeNamespace) {
return path;
}
// ensure original path doesn't have leading slash
return `${relativeNamespace}/${sanitizeStart(path)}`;
}

renew-self does not return namespace_path, so this PR manually adds it in the renew() method, if it exists. The auth code is challenging to parse and is prone to regressions. I double checked that this change does not affect the bug the previous PR was solving that introduced these code changes: https://github.com/hashicorp/vault/pull/24168/files

TODO only if you're a HashiCorp employee

  • Backport Labels: If this fix needs to be backported, use the appropriate backport/ label that matches the desired release branch. Note that in the CE repo, the latest release branch will look like backport/x.x.x, but older release branches will be backport/ent/x.x.x+ent.
    • LTS: If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

@hellobontempo hellobontempo added backport/1.18.x backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent labels Jan 24, 2025
@hellobontempo hellobontempo added this to the 1.18.4 milestone Jan 24, 2025
@hellobontempo hellobontempo requested a review from a team as a code owner January 24, 2025 21:29
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Jan 24, 2025
@github-actions GitHub Actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions GitHub Actions
Copy link

CI Results:
All Go tests succeeded! ✅

Monkeychip
Monkeychip reviewed Jan 24, 2025
View reviewed changes
ui/app/services/auth.js
const namespacePath = this.namespaceService.path;
const response = resp.data || resp.auth;
// renew-self does not return namespace_path, so manually add it if it exists
if (!response?.namespace_path && namespacePath) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

really solid logic writing here!

Monkeychip
Monkeychip reviewed Jan 24, 2025
View reviewed changes
Copy link
Contributor

@Monkeychip Monkeychip left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The logic here seems solid (and easy to read, thank you). Ping when you're ready for final review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Monkeychip Monkeychip Monkeychip left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent backport/1.18.x hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.18.4
Development

Successfully merging this pull request may close these issues.
2 participants
@hellobontempo @Monkeychip