-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
UI: fix token expiry banner for batch tokens #27479
Conversation
ui/app/services/auth.js
Outdated
// this is the problem -- the auth/userpass/login/ endpoint returns a diff response than self-lookup. it doesn't include anything about expiration for batch tokens | ||
|
||
console.log('authenticate resp: ', resp); | ||
|
||
return this.authSuccess(options, resp.auth || resp.data); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i believe this is the root of the problem. depending on what login method the user is using (token, userpass, LDAP etc), we hit a different API endpoint, and those apis have a different response shape. note the difference between the various responses:
- a GET
/auth/token/lookup-self
(using a batch token created viavault token create -type=batch -policy=test -ttl=20m
) responds withtype: "batch"
andexpiry_time
properties. API docs confirm this. - a POST to
/auth/userpass/login
(using a username and password with a batch token) responds with a property calledtoken_type: "batch"
andlease_duration
but doesn't include an explicitexpiry_time
. API docs confirm this, too
endpoint | response | |
---|---|---|
/auth/token/lookup-self | ||
/auth/userpass/login |
the frontend code on line 308 above suggests to me that we expect the backend responses to be the same regardless of whether the batch token was created via an auth method or via vault token create -type=batch -policy=test
.
CI Results: |
if (resp.renewable) { | ||
Object.assign(data, this.calculateExpiration(resp)); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the this.calculateExpiration
function is already set up to handle batch tokens returned by /auth/[backend]/login
methods since those APIs return a lease_duration
, which is accounted for on line 220 above.
as a result, i didn't see a reason why we wouldn't couldn't call calculateExpiration
regardless of whether or not resp.renewable
or not.
so you'll notice i modified this.calculateExpiration
to handle the case where resp.type === 'batch'
(which happens when logging in via a token directly). this way calculateExpiration
is used universally, regardless of the authentication method (token/userpass/ldap, batch token, service token etc).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks like a great approach! I think we just need to do some manual testing for various login expiry flows (unfortunately those are difficult to test automatically)
602a557
to
26f3a3f
Compare
Build Results: |
26f3a3f
to
8acb2b2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Elegant solution and beautiful test coverage! ✨ thank you!
e5dceb6
to
6dd294e
Compare
…g banner is shown
Co-authored-by: Chelsea Shaw <[email protected]>
c8e408a
to
0033b44
Compare
Description
Ensures the "token expired" banner displays in the UI when logged in via a batch token, regardless of whether that token was generated via an auth method or via
vault token create
directly.Previously the banner would not display for users logged in with a batch token that was generated by an auth method.
Screenshot
Batch tokens show token expiry banner
Service tokens show token expiring soon banner
Service tokens show token expiry banner
TODO only if you're a HashiCorp employee
getting backported to N-2, use the new style
backport/ent/x.x.x+ent
labelsinstead of the old style
backport/x.x.x
labels.the normal
backport/x.x.x
label (there should be only 1).of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.