aws-ec2: Avoid audit logging of custom nonces (#3381)

Vishal Nayak 2017-10-27 11:23:15 -04:00 committed by GitHub
parent 6157a89f1b
commit 30aab2aa2f
3 changed files with 22 additions and 5 deletions


@ -1125,6 +1125,11 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
t.Fatalf("instance ID not present in the response object")
}
_, ok := resp.Auth.Metadata["nonce"]
if ok {
t.Fatalf("client nonce should not have been returned")
}
loginInput["nonce"] = "changed-vault-client-nonce"
// try to login again with changed nonce
resp, err = b.HandleRequest(loginRequest)
@ -1159,7 +1164,9 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
t.Fatalf("failed to delete whitelist identity")
}
// Allow a fresh login.
// Allow a fresh login without supplying the nonce
delete(loginInput, "nonce")
resp, err = b.HandleRequest(loginRequest)
if err != nil {
t.Fatal(err)
@ -1167,6 +1174,11 @@ func TestBackendAcc_LoginWithInstanceIdentityDocAndWhitelistIdentity(t *testing.
if resp == nil || resp.Auth == nil || resp.IsError() {
t.Fatalf("login attempt failed")
}
_, ok = resp.Auth.Metadata["nonce"]
if !ok {
t.Fatalf("expected nonce to be returned")
}
}
func TestBackend_pathStsConfig(t *testing.T) {
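Review bot: The fresh-login assertion in the third hunk only checks that the `nonce` key is present in `resp.Auth.Metadata`; an empty value would pass, so the test would not catch the backend emitting the key without a generated nonce. Binding the value in the check, `if nonce, ok := resp.Auth.Metadata["nonce"]; !ok || nonce == "" { t.Fatalf("expected a non-empty generated nonce to be returned") }`, pins the behavior the commit title describes. The absence check in the first hunk is fine as written, since a lookup on a nil Metadata map is safe in Go. The enclosing test function starts before the first hunk.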


@ -643,7 +643,7 @@ func (b *backend) pathLoginUpdateEc2(
return logical.ErrorResponse(err.Error()), nil
}
// Don't let subsequent login attempts to bypass in initial
// Don't let subsequent login attempts to bypass the initial
// intent of disabling reauthentication, despite the properties
// of role getting updated. For example: Role has the value set
// to 'false', a role-tag login sets the value to 'true', then
@ -693,7 +693,6 @@ func (b *backend) pathLoginUpdateEc2(
if roleTagResp != nil {
// Role tag is enabled on the role.
//
// Overwrite the policies with the ones returned from processing the role tag
// If there are no policies on the role tag, policies on the role are inherited.
@ -777,8 +776,9 @@ func (b *backend) pathLoginUpdateEc2(
},
}
// Return the nonce only if reauthentication is allowed
if !disallowReauthentication {
// Return the nonce only if reauthentication is allowed and if the nonce
// was not supplied by the user.
if !disallowReauthentication && !clientNonceSupplied {
// Echo the client nonce back. If nonce param was not supplied
// to the endpoint at all (setting it to empty string does not
// qualify here), callers should extract out the nonce from
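Review bot: The new condition `if !disallowReauthentication && !clientNonceSupplied {` depends on how `clientNonceSupplied` is computed, which is set outside this hunk, while the comment that follows it still says an empty-string nonce does not count as "not supplied"; if `clientNonceSupplied` is true for an empty string, the response withholds a nonce the caller never chose and leaves it with nothing to reauthenticate with. It would help to confirm that definition and state it in the new comment, e.g. `// clientNonceSupplied is true only when the request carried a non-empty nonce`, adjusted to whatever the actual definition is. The supplied nonce still reaches the backend as a request parameter, so the commit's goal holds only as far as request parameters are hashed in the audit entry, which is outside this hunk. The 643 and 693 hunks are comment-only; pathLoginUpdateEc2 starts and ends outside the hunk.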


@ -384,6 +384,11 @@ instance, it is not a bad idea to firewall access to the signed PKCS#7 metadata
to ensure that it is accessible only to the matching user(s) that require
access.
The client nonce which is generated by the backend and which gets returned
along with the authentication response, will be audit logged in plaintext. If
this is undesired, clients can supply a custom nonce to the login endpoint
which will not be returned and hence will not be audit logged.
## Advanced Options and Caveats
### Dynamic Management of Policies Via Role Tags