#5216 ipa vault-add creates user vault with non-existent user
Closed: Invalid. Opened 8 years ago by spoore.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1253458

Description of problem:
[root@master ~]# ipa vault-add vname --user=user_dne
-------------------
Added vault "vname"
-------------------
  Vault name: vname
  Type: standard
  Owner users: admin

[root@master ~]# ipa vault-show vname --user=user_dne
  Vault name: vname
  Type: standard
  Owner users: admin

Version-Release number of selected component (if applicable):
ipa-server-4.2.0-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  ipa-server-install
2.  ipa-kra-install
3.  kinit admin
4.  ipa vault-add vname --user=user_dne


Actual results:
adds vault

Expected results:
should not add vault if user doesn't exist

Additional info:

It seems that the vault secrets / the vault itself are not influenced by a new potential user with the same name.

[root@freeipa-box ~]# ipa vault-show bah --user=bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-add bah --user=bah
-----------------
Added vault "bah"
-----------------
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
[root@freeipa-box ~]# ipa vault-show bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-show bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
[root@freeipa-box ~]# ipa vault-archive bah --data=$(echo "some secret" | base64) --user=bah
------------------------------
Archived data into vault "bah"
------------------------------
[root@freeipa-box ~]# ipa vault-retrieve bah --user=bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
[root@freeipa-box ~]# ipa user-add --first=bah --last=test --password bah
Password: 
Enter Password again to verify: 
----------------
Added user "bah"
----------------
  User login: bah
  First name: bah
  Last name: test
  Full name: bah test
  Display name: bah test
  Initials: bt
  Home directory: /home/bah
  GECOS: bah test
  Login shell: /bin/sh
  Kerberos principal: bah@ABC.EXAMPLE.COM
  Email address: bah@abc.example.com
  UID: 1025000044
  GID: 1025000044
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True



bah@freeipa-box$ whoami
bah
bah@freeipa-box$ ipa vault-find
----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------
bah@freeipa-box$ ipa vault-find --user=bah
----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------
bah@freeipa-box$ ipa vault-show bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-show bah --user=bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-retrieve bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
ipa: ERROR: bah: vault not found



[root@freeipa-box ~]# ipa vault-add-member bah --users=bah
ipa: ERROR: bah: vault not found
[root@freeipa-box ~]# ipa vault-add-member bah --users=bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
  Member users: bah
-------------------------
Number of members added 1
-------------------------



bah@freeipa-box$ ipa vault-retrieve bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK



[root@freeipa-box ~]# ipa vault-remove-member bah --users=bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin
  Vault user: bah
---------------------------
Number of members removed 1
---------------------------



bah@freeipa-box$ ipa vault-retrieve bah
ipa: ERROR: bah: vault not found
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
ipa: ERROR: bah: vault not found



[root@freeipa-box ~]# ipa vault-add-owner bah --users=bah --user=bah
  Vault name: bah
  Type: standard
  Owner users: admin, bah
  Vault user: bah
------------------------
Number of owners added 1
------------------------
[root@freeipa-box ~]# ipa vault-remove-owner bah --users=admin --user=bah
  Vault name: bah
  Type: standard
  Owner users: bah
  Vault user: bah
--------------------------
Number of owners removed 1
--------------------------



bah@freeipa-box$ ipa vault-retrieve bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
-------------------------------
Retrieved data from vault "bah"
-------------------------------
  Data: c29tZSBzZWNyZXQK



[root@freeipa-box ~]# ipa user-del bah
------------------
Deleted user "bah"
------------------
[root@freeipa-box ~]# ipa user-show bah
ipa: ERROR: bah: user not found
[root@freeipa-box ~]# ipa vault-find --user=bah
---------------
1 vault matched
---------------
  Vault name: bah
  Type: standard
  Vault user: bah
----------------------------
Number of entries returned 1
----------------------------
[root@freeipa-box ~]# ipa user-add --first=bah --last=test --password bah
Password: 
Enter Password again to verify: 
----------------
Added user "bah"
----------------
  User login: bah
  First name: bah
  Last name: test
  Full name: bah test
  Display name: bah test
  Initials: bt
  Home directory: /home/bah
  GECOS: bah test
  Login shell: /bin/sh
  Kerberos principal: bah@ABC.EXAMPLE.COM
  Email address: bah@abc.example.com
  UID: 1025000045
  GID: 1025000045
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True



bah@freeipa-box$ ipa vault-find --user=bah
----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------
bah@freeipa-box$ ipa vault-retrieve bah --user=bah
ipa: ERROR: bah: vault not found

This was discussed offline and it was decided that creating a vault for a non-existent user/service is a valid use-case.
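Since FreeIPA accepts vaults for users that do not (yet) exist, the compensating control is to audit for them. The following helper is an added example, not part of this ticket or of FreeIPA: it parses the ipa CLI's "Key: value" output format shown above, so it can be run on captured output of `ipa vault-find --user=NAME` (one listing per user container, concatenated) and `ipa user-find`, and reports vault users with no matching user login. The sample output below is constructed to mirror the ticket's format.

```python
"""Audit helper: flag user vaults whose 'Vault user' has no matching IPA user.

Works on the text output of the ipa CLI (the '  Key: value' entry format shown
in the ticket) rather than calling ipalib, so it runs on captured output.
"""
import re

# Entry lines are indented by two spaces: "  Vault user: bah"
ENTRY_RE = re.compile(r"^\s{2}([A-Za-z ]+): (.*)$")


def parse_ipa_entries(text):
    """Split 'ipa *-find' / '*-show' output into a list of dict entries.
    Banner lines (dashes, 'N vaults matched', 'Number of entries ...') carry
    no leading indentation and are skipped; a blank line ends an entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ENTRY_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def orphaned_vault_users(vault_find_output, user_find_output):
    """Return sorted 'Vault user' names that do not appear as a 'User login'."""
    logins = {e["User login"] for e in parse_ipa_entries(user_find_output)
              if "User login" in e}
    vault_users = {e["Vault user"] for e in parse_ipa_entries(vault_find_output)
                   if "Vault user" in e}
    return sorted(vault_users - logins)


# Constructed sample output: two user vaults, only 'alice' is a real user.
VAULT_FIND_OUTPUT = """---------------
2 vaults matched
---------------
  Vault name: bah
  Type: standard
  Vault user: bah

  Vault name: deploy
  Type: standard
  Vault user: alice
----------------------------
Number of entries returned 2
----------------------------
"""
USER_FIND_OUTPUT = """  User login: admin
  Last name: Administrator

  User login: alice
  First name: Alice
  Last name: Example
"""

if __name__ == "__main__":
    print("orphaned vault users:", orphaned_vault_users(VAULT_FIND_OUTPUT, USER_FIND_OUTPUT))
```

A non-empty result means a vault container holds secrets for an identity that does not exist, which is worth reviewing before a user of that name is created.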

Metadata Update from @spoore:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago