Azure-sdk-for-java: [BUG]KeyVaultPropertySource Class/getPropertyNames method will load all secrets (including disable secrets) in the key vault

Created on 13 Aug 2020  ·  10Comments  ·  Source: Azure/azure-sdk-for-java

Describe the bug
Currently the key vault enable the soft-delete feature by default. If create/deleted the certificate will cause the Jave app crashed because it load the disabled the secret.
The KeyVaultPropertySource Class loads all secrets in the KeyVault. It should not load disabled secrets in getPropertyNames method
By the way, the workaround is purged the certificate. But it still may better improve it at SDK part because there is not request to load the soft-deleted secret

Exception or Stack Trace
Add the exception log and stack trace if available

To Reproduce
Steps to reproduce the behavior:
A. Created KeyVault Certificates (not secret) and deleted the Certificates after that the java application crashed.
C. the certificates automatically creates Secret Identifier when creating new certificates
D. And after deleting the certificate the Azure system DISABLE the secret identifier
E. In that case java application try to read the DISABLED secret in run time
i. And then java app crashed.
The library is com.microsoft.azure:azure-keyvault:1.2.2
Code Snippet
Add the code snippet that causes the issue.

@Value("${cluster-app-sb-connection-string}")
String connectionString;
@Value("${cluster-app.sb.topic-name}")
String topicName;
Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Setup (please complete the following information):

  • OS: [e.g. iOS]
  • IDE : [e.g. IntelliJ]
  • Version of the Library used

Additional context
Add any other context about the problem here.

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

  • [x] Bug Description Added
  • [ ] Repro Steps Added
  • [ ] Setup information Added
Client azure-spring azure-spring-keyvault customer-reported question
Source
picture TonySh127-ms

Most helpful comment

The issue is caused by how the Spring Boot starter for Key Vault Secrets works. we didn't filter disabled secrets. now I create a PR to fix the problem

picture zhoufenqin on 25 Aug 2020
👍2 👀1

All 10 comments

@TonySh127-ms are you using the key vault starter or the sdk directly?

saragluna picture saragluna on 14 Aug 2020

Discussed with @TonySh127-ms offline and the customer used the spring-boot-starter for keyvault. Need confirmation from the SDK side that whether the new SDK solves this kind of issue.

saragluna picture saragluna on 17 Aug 2020

@AlexGhiondea @vcolin7 can you please follow up?

joshfree picture joshfree on 17 Aug 2020
👍2

thanks @joshfree and @saragluna. Waiting update from @AlexGhiondea and @vcolin7 . Please let me know if it cannot fix in a short term. I can explain it to client side. Many thanks your time again!

TonySh127-ms picture TonySh127-ms on 18 Aug 2020

Hi @TonySh127-ms,

I spent some time looking into this issue and found the following: the behavior the customer sees is caused by how the Spring Boot starter for Key Vault Secrets works. Basically, whenever a Spring application using this starter runs, it will obtain the names of all the existing secrets in a given vault by calling the /secrets endpoint, which loads all enabled and disabled secrets (not the deleted ones), the application will then retrieve details of specific secrets if required. It is not an issue with the Key Vault service or SDK but just a consequence of how the Spring Boot starter is coded.

A short-term solution is not to use the Spring Boot starter but the Key Vault SDK itself directly. This way the customer will have more control about which secrets are loaded and when during an applications lifecycle.

Additionally, I could not reproduce a case where my application crashed from loading too many secrets just by creating and deleting a certificate in a vault. In order to do something like this I would need more information from the customer: what dependencies they use in their project including versions and sample code where this can be reproduced.

vcolin7 picture vcolin7 on 19 Aug 2020

@vcolin7 do we have an option could pass to the SDK that load only enabled secrets? Seems like we shouldn't load the disabled secrets in our Spring integration.

saragluna picture saragluna on 20 Aug 2020

@saragluna Unfortunately, there is no parameter we can pass the service for it to give us enabled secrets only :/

vcolin7 picture vcolin7 on 20 Aug 2020

The issue is caused by how the Spring Boot starter for Key Vault Secrets works. we didn't filter disabled secrets. now I create a PR to fix the problem

zhoufenqin picture zhoufenqin on 25 Aug 2020
👍2 👀1

@TonySh127-ms
We build a dev package, you can try it.
Follow this page to download the dev package

zhoufenqin picture zhoufenqin on 28 Aug 2020
😄1

Hi Team, the issue has been confirmed fixed. We can close this thread now. Many thanks everyone great effort and time!!!

TonySh127-ms picture TonySh127-ms on 8 Sep 2020
🎉1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

alzimmermsft picture alzimmermsft  ·  3Comments
marciopd picture marciopd  ·  3Comments
ronny-sphera picture ronny-sphera  ·  3Comments
valmol picture valmol  ·  4Comments
jordanjennings picture jordanjennings  ·  5Comments