Fix unexpected behavior when multiple file sinks used with agent #5610

Merged
merged 1 commit into from
Nov 1, 2018

@dbellinghoven (Contributor) commented Oct 25, 2018

As I was trying out the auto_auth feature of the agent, I noticed there was some strange behavior with the file sinks. Specifically, I used the agent with the following configuration file:

pid_file = "./pidfile"

auto_auth {
    method "aws" {
        mount_path = "auth/aws"
        config = {
            role = "dev-role-iam"
            type = "iam"
        }
    }

    sink "file" {
        wrap_ttl = "5m"
        aad      = "foobar"
        dh_type  = "curve25519"
        dh_path  = "/tmp/test/file-foo-dhpath"
        config   = {
            path = "/tmp/test/file-foo"
        }
    }

    sink "file" {
        config = {
            path = "/tmp/test/file-bar"
        }
    }
}

One would expect that this would create two file sinks: one file named file-foo that is encrypted, and another named file-bar with just a token in plain text. file-bar was indeed just a plain text token, as expected. However, file-foo looked like this:

{
    "token": "e5b0c789-e93d-b403-3c4c-8427743637db",
    "accessor": "4ee05d7e-30ec-111b-0365-543337ebf075",
    "ttl": 300,
    "creation_time": "2018-10-25T13:26:24.795673261-04:00",
    "creation_path": "sys/wrapping/wrap",
    "wrapped_accessor": ""
}

In other words, it was TTL-wrapped, but not encrypted. However, when I reversed the order of the file sinks in the configuration file so that it looked as shown below, things were equally weird.

pid_file = "./pidfile"

auto_auth {
    method "aws" {
        mount_path = "auth/aws"
        config = {
            role = "dev-role-iam"
            type = "iam"
        }
    }

    sink "file" {
        config = {
            path = "/tmp/test/file-bar"
        }
    }

    sink "file" {
        wrap_ttl = "5m"
        aad      = "foobar"
        dh_type  = "curve25519"
        dh_path  = "/tmp/test/file-foo-dhpath"
        config   = {
            path = "/tmp/test/file-foo"
        }
    }
}

After restarting the agent with this config file, file-foo now looks like this:

{
    "curve25519_public_key": "Q7coLblOzb9gzo6qxgvC9/0m31b390MjcnZZw2rVEVs=",
    "nonce": "GK8I526qdmIapLfK",
    "encrypted_payload": "DrXN1E/2DMrAF1aGIrejqcwTAQxFRwX6ZzyOU5UYVNmgEGu4cCfgt7JGIkPeuS3sq5W1o1YHzAR65Ty/fv4GKA4XsrGVpoFJcKrWHDMyYJMhbRwR0e/0uujkp8ZLMHvswA8cnJIYpJwX273hUsPnffSiTcTshFJx/T+vFK24vIWIx/UO8iXiUe9zMDytkj8XxPdtIYAvLBnL06iST4mz6m8MEEUTzCM/fA4Ddlp5e53b3okmAkykxd1hov7GjZPL0UgeHR5BEY81rTNFx94hi7VTepbrqHYXQCK2tmT7XxuFSLARfJb3rFBn6Wcx"
}

while file-bar looks like this:

{
    "curve25519_public_key": "Q7coLblOzb9gzo6qxgvC9/0m31b390MjcnZZw2rVEVs=",
    "nonce": "a13jXzxRNkkPMJGY",
    "encrypted_payload": "KZU1DnbXR5eA5WAqITbeebTa1hTNqrxnX+YeWk6mWi/ZSZ+YAV4RgwzQpMXAlEwWnSUIqw=="
}

It appeared to me that the nature of this issue lay in this block, so I fixed it to reference only the first argument to the sinkFunc rather than the s. With this change, it seems that the agent writes to sinks as expected - file-bar will be a plain-text client token, while file-foo will be an encrypted token, regardless of the order in which they appear in the config file.

…ltiple file sinks are specified in the agent HCL file, there is unexpected behavior
@chrishoffman chrishoffman added this to the 1.0 milestone Oct 25, 2018
@dbellinghoven (Contributor Author)

Any updates on this? Was anybody able to reproduce this issue?

@briankassouf (Member) left a comment

Looks good, thanks for the fix!

@briankassouf briankassouf merged commit f99afb9 into hashicorp:master Nov 1, 2018
briankassouf pushed a commit that referenced this pull request Nov 9, 2018
…ltiple file sinks are specified in the agent HCL file, there is unexpected behavior (#5610)
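
The behaviour reported above, as an added example that is not part of the original thread and is not Vault's code: a deferred per-sink closure that takes the encryption decision from an outer variable `s` instead of its own argument. All names (`SinkConfig`, `render`, `writeAll`) are hypothetical, the split between wrapping (from the argument) and encryption (from `s`) is an assumption chosen to match the files shown in the description, and `s` is declared outside the loop so the result is the same on every Go version.

```go
package main

import "fmt"

// SinkConfig is a hypothetical stand-in for one sink's settings.
type SinkConfig struct {
	Path    string
	WrapTTL int    // seconds; 0 means no response wrapping
	DHType  string // "" means no encryption
}

// render describes what would be written, in place of real wrapping and encryption.
func render(wrapFrom, encFrom *SinkConfig) string {
	out := "token"
	if wrapFrom.WrapTTL != 0 {
		out = "wrapped(" + out + ")"
	}
	if encFrom.DHType != "" {
		out = "encrypted(" + out + ")"
	}
	return out
}

// writeAll queues one write per sink and runs the queue after the loop.
// fixed=false reads the outer s for encryption; fixed=true uses only currSink.
func writeAll(sinks []*SinkConfig, fixed bool) map[string]string {
	var s *SinkConfig // shared by every closure created in the loop
	var queue []func()
	result := map[string]string{}
	for i := range sinks {
		s = sinks[i]
		sinkFunc := func(currSink *SinkConfig) func() {
			return func() {
				enc := s // bug: when this runs, s is the last sink in the config
				if fixed {
					enc = currSink
				}
				result[currSink.Path] = render(currSink, enc)
			}
		}
		queue = append(queue, sinkFunc(s))
	}
	for _, write := range queue {
		write()
	}
	return result
}

func main() {
	foo := &SinkConfig{Path: "file-foo", WrapTTL: 300, DHType: "curve25519"}
	bar := &SinkConfig{Path: "file-bar"} // constructed sample sinks
	fmt.Println(writeAll([]*SinkConfig{foo, bar}, false), writeAll([]*SinkConfig{foo, bar}, true))
}
```

A test that builds the sinks in both orders and asserts on each sink's output catches this class of bug; checking a single ordering can pass by accident.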