Unable to access secrets from Hashicorp Vault Cubbyhole | Spring Boot


I am trying to access secrets from the Cubbyhole engine by dynamically creating a token that has a use limit, policy and TTL.

After incorporating the changes in the answers, the exception has changed to:

org.springframework.vault.authentication.VaultLoginException: Cannot login using Cubbyhole: []

followed by:

Caused by: org.springframework.web.client.HttpClientErrorException$NotFound: 404 Not Found: "{"errors":[]}<EOL>"

Here is the secret in my vault:

Following is the code. I am running vault in development mode with the command ./vault.exe server --dev --dev-root-token-id="mytoken". Any sort of help is gratefully appreciated.

Configuration:

@Configuration
public class VaultConfig extends AbstractVaultConfiguration {

    public static VaultEndpoint vaultEndpoint;
    private static RestOperations restOperations;
    public static VaultTemplate vaultTemplate;

    @EventListener(ApplicationReadyEvent.class)
    public void init() {
        VaultConfig.restOperations = restOperations();
        VaultConfig.vaultEndpoint = vaultEndpoint();
        VaultConfig.vaultTemplate = vaultTemplate();
    }

    @Override
    public VaultEndpoint vaultEndpoint() {
        VaultEndpoint vaultEndpoint = VaultEndpoint.create("localhost", 8200);
        vaultEndpoint.setScheme("http");
        return vaultEndpoint;
    }

    @Override
    public ClientAuthentication clientAuthentication() {
        return new TokenAuthentication("mytoken");
    }

    public static CubbyholeAuthentication getCubbyholeAuthentication(String token) {
        CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions.builder()
                .initialToken(VaultToken.of(token))
                .path("cubbyhole/token")
                .build();
        return new CubbyholeAuthentication(options, VaultConfig.restOperations);
    }
}

Service implementation:

@Service
public class CubbyHoleService {

    @EventListener(ApplicationReadyEvent.class)
    public void init() {
        String cubbyholeToken = getCubbyholeToken().getToken().getToken();
        String uuid = UUID.randomUUID().toString();
        cubbyHoleWrite(uuid, cubbyholeToken);
        cubbyHoleRead(uuid, cubbyholeToken);
    }

    public void cubbyHoleWrite(String uuid, String token) {
        VaultTemplate vaultTemplate = getVaultTemplate(token);
        VaultKeyValueOperations vaultKeyValueOperations = vaultTemplate
                .opsForKeyValue("cubbyhole", VaultKeyValueOperationsSupport.KeyValueBackend.KV_1);
        vaultKeyValueOperations.put(uuid, new Secrets("john_cubby", "wick_value"));
        System.out.println("CubbyHole Data Saved");
    }

    public void cubbyHoleRead(String uuid, String token) {
        VaultTemplate vaultTemplate = getVaultTemplate(token);
        VaultKeyValueOperations vaultKeyValueOperations = vaultTemplate
                .opsForKeyValue("cubbyhole", VaultKeyValueOperationsSupport.KeyValueBackend.KV_1);
        VaultResponseSupport<Secrets> responseSupport = vaultKeyValueOperations.get(uuid, Secrets.class);
        if (responseSupport == null) {
            System.out.println("CubbyHole Data not found");
            return;
        }
        System.out.println("CubbyHole Data found");
        Secrets secrets = responseSupport.getData();
        System.out.println(secrets.toString());
    }

    private VaultTemplate getVaultTemplate(String token) {
        return new VaultTemplate(VaultConfig.vaultEndpoint, VaultConfig.getCubbyholeAuthentication(token));
    }

    private VaultTokenResponse getCubbyholeToken(){
        List<String> policies = Arrays.asList("default", "cubbyhole-policy", "cubbyhole-policy-token");
        VaultTokenRequest tokenRequest = VaultTokenRequest.builder()
                .ttl(120, TimeUnit.MINUTES).numUses(100).policies(policies).renewable(true)
                .build();
        return VaultConfig.vaultTemplate.opsForToken().create(tokenRequest);
    }
}

Secrets POJO:

@Data
@AllArgsConstructor
@NoArgsConstructor
public class Secrets {
    private String key;
    private String value;
}

Policies created:

cubbyhole-policy.hcl:

    path "cubbyhole/data/*" {
        capabilities = ["read", "create", "update", "delete", "list"]
    }

cubbyhole-policy-token.hcl:

    path "cubbyhole/token/*" {
        capabilities = ["read", "create", "update", "delete", "list"]
    }

While debugging, I have found the issue to be in the method lookupToken() in CubbyholeAuthentication.java. It seems it is not able to log in.


For convenience I have provided the code on GitHub: https://github.com/SpringVaultPrac/
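Spring Vault's CubbyholeAuthentication has two modes, and the stored-token mode used in the question (path "cubbyhole/token") can only succeed if something has already written a token into that cubbyhole using the initial token itself, because a cubbyhole is private to the token that writes to it; reading an empty cubbyhole returns the 404 with an empty "errors" list seen above. The script below is an added example, not code from the question or from Spring Vault. It performs both exchanges (stored token and response-wrapped token) directly against Vault's HTTP API, which is what the Spring client calls underneath, so each step (token creation, the cubbyhole write, the read or the unwrap) can be verified independently of the Spring wiring. It assumes a dev server like the one in the question at VAULT_ADDR and an issuing token in VAULT_TOKEN; the policy names mirror the question, the sample responses at the bottom are constructed, and the "exactly one entry" rule in token_from_cubbyhole is the contract this example enforces for a cubbyhole/token read. Two Vault facts it relies on: every request made with a token counts against that token's num_uses (so the delivery token gets two uses, one for the issuer's write and one for the application's read), and Vault's default policy already grants every token full access to its own cubbyhole/*, so the delivery token needs no extra policy.

```python
"""Added example (not the question's code): the stored-token and wrapped-token
cubbyhole exchanges, done directly against Vault's HTTP API.  Assumes a dev server
like the one in the question at VAULT_ADDR (default http://localhost:8200) and an
issuing token in VAULT_TOKEN; the sample responses at the bottom are constructed."""
import json
import os
import urllib.error
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://localhost:8200")


class VaultError(Exception):
    """Raised for non-2xx responses or responses that do not match the expected shape."""


def vault_request(method, path, token, body=None, wrap_ttl=None):
    """One call to /v1/<path>; returns the parsed JSON body, or None for 204 No Content."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    if wrap_ttl is not None:
        req.add_header("X-Vault-Wrap-TTL", wrap_ttl)  # ask Vault to response-wrap this call
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as e:
        raise VaultError(f"{method} {path}: HTTP {e.code} {e.read().decode(errors='replace')}") from e
    return json.loads(raw) if raw else None


def token_create_body(policies, ttl, num_uses, renewable=True):
    """Body for POST auth/token/create: the same fields VaultTokenRequest sets."""
    return {"policies": list(policies), "ttl": ttl, "num_uses": num_uses, "renewable": renewable}


def token_from_cubbyhole(read_response):
    """Stored-token mode: a GET cubbyhole/token response must carry exactly one entry,
    and that entry's value is the token to log in with.  An empty cubbyhole never gets
    here: Vault answers it with 404 {"errors":[]}, which vault_request turns into VaultError."""
    entries = (read_response or {}).get("data") or {}
    if len(entries) != 1:
        raise VaultError(f"cubbyhole/token should hold exactly one entry, found {len(entries)}")
    return next(iter(entries.values()))


def token_from_unwrap(unwrap_response):
    """Wrapped-token mode: sys/wrapping/unwrap returns the original token-create response."""
    try:
        return unwrap_response["auth"]["client_token"]
    except (KeyError, TypeError) as e:
        raise VaultError("unwrap response carries no auth.client_token") from e


def issue_stored_token(issuer_token, policies, ttl="120m", num_uses=100):
    """Issuer side of stored-token mode.  A cubbyhole belongs to the token that writes it,
    so the real token is written with the *delivery* token, whose cubbyhole the app will
    read.  The delivery token gets two uses: this write and the app's read."""
    real = vault_request("POST", "auth/token/create", issuer_token,
                         token_create_body(policies, ttl, num_uses))["auth"]["client_token"]
    delivery = vault_request("POST", "auth/token/create", issuer_token,
                             token_create_body(["default"], "5m", 2, renewable=False))["auth"]["client_token"]
    vault_request("POST", "cubbyhole/token", delivery, {"token": real})
    return delivery


def login_stored(delivery_token):
    """App side of stored-token mode: the read CubbyholeAuthentication performs."""
    return token_from_cubbyhole(vault_request("GET", "cubbyhole/token", delivery_token))


def issue_wrapped_token(issuer_token, policies, ttl="120m", num_uses=100, wrap_ttl="60s"):
    """Issuer side of wrapped-token mode: Vault keeps the create response in a single-use
    wrapping token's cubbyhole and hands back only that wrapping token."""
    resp = vault_request("POST", "auth/token/create", issuer_token,
                         token_create_body(policies, ttl, num_uses), wrap_ttl=wrap_ttl)
    return resp["wrap_info"]["token"]


def login_wrapped(wrapping_token):
    """App side of wrapped-token mode (CubbyholeAuthenticationOptions.builder().wrapped())."""
    return token_from_unwrap(vault_request("POST", "sys/wrapping/unwrap", wrapping_token, {}))


# Constructed sample responses in the shapes Vault returns, for offline checks of the parsers.
SAMPLE_CUBBYHOLE_READ = {"data": {"token": "hvs.example-real-token"}}
SAMPLE_UNWRAP = {"auth": {"client_token": "hvs.example-real-token",
                          "policies": ["default", "cubbyhole-policy"]}}

if __name__ == "__main__":
    issuer = os.environ["VAULT_TOKEN"]  # "mytoken" for the dev server in the question
    policies = ["default", "cubbyhole-policy"]
    delivery = issue_stored_token(issuer, policies)
    print("stored-token mode logged in, token prefix:", login_stored(delivery)[:8])
    wrapping = issue_wrapped_token(issuer, policies)
    print("wrapped-token mode logged in, token prefix:", login_wrapped(wrapping)[:8])
```

Running it against the dev server shows the difference between the two modes: in stored-token mode the issuer has to spend one use of the delivery token to populate cubbyhole/token before handing it over, whereas in wrapped mode Vault does the cubbyhole write itself and the application only ever sees a wrapping token that dies on first unwrap. A policy on cubbyhole paths is not what decides success here; the token's own cubbyhole has to contain the entry.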


There are 0 answers