Plugin crashes on tokens that lack expiration #178

sspans-sbp opened this issue Apr 14, 2025 · 7 comments

@sspans-sbp
Contributor

When configuring version 0.8.0 of the plugin we see the following crash when configuring the engine with a personal access token that doesn't expire:

2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: panic: runtime error: invalid memory address or nil pointer dereference
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: [signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x101035950]
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: goroutine 82 [running]:
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: github.com/ilijamt/vault-plugin-secrets-gitlab.(*Backend).updateConfigClientInfo(0x140005153b0, {0x10148c9c8, 0x1400068e210}, 0x1400049cf70)
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	github.com/ilijamt/vault-plugin-secrets-gitlab/path_config.go:173 +0x1e0
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: github.com/ilijamt/vault-plugin-secrets-gitlab.(*Backend).pathConfigWrite(0x140005153b0, {0x10148c9c8, 0x1400068e210}, 0x14000152600, 0x14000482a30)
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	github.com/ilijamt/vault-plugin-secrets-gitlab/path_config.go:196 +0xe8
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: github.com/hashicorp/vault/sdk/framework.(*Backend).HandleRequest(0x1400047e100, {0x10148c9c8, 0x1400068e210}, 0x14000152600)
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	github.com/hashicorp/vault/[email protected]/framework/backend.go:319 +0x974
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: github.com/hashicorp/vault/sdk/plugin.(*backendGRPCPluginServer).HandleRequest(0x101a3ff50?, {0x10148c9c8, 0x1400068e210}, 0x1400011c8c0)
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	github.com/hashicorp/vault/[email protected]/plugin/grpc_backend_server.go:144 +0x168
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: github.com/hashicorp/vault/sdk/plugin/pb._Backend_HandleRequest_Handler({0x10141d460, 0x14000254c80}, {0x10148c9c8, 0x1400068e210}, 0x14000149b00, 0x0)
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	github.com/hashicorp/vault/[email protected]/plugin/pb/backend_grpc.pb.go:272 +0x1c0
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: google.golang.org/grpc.(*Server).processUnaryRPC(0x140001ccc00, {0x10148c9c8, 0x1400032df50}, 0x140003808a0, 0x1400032d380, 0x101a50700, 0x0)
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	google.golang.org/[email protected]/server.go:1392 +0xc38
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: google.golang.org/grpc.(*Server).handleStream(0x140001ccc00, {0x10148d3c8, 0x1400047c000}, 0x140003808a0)
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	google.golang.org/[email protected]/server.go:1802 +0x900
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: google.golang.org/grpc.(*Server).serveStreams.func2.1()
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	google.golang.org/[email protected]/server.go:1030 +0x84
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 23
2025-04-14T14:15:15.621+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.vault-plugin-secrets-gitlab_v0.8.0: 	google.golang.org/[email protected]/server.go:1041 +0x138
2025-04-14T14:15:15.622+0200 [ERROR] secrets.gitlab.gitlab_b31cd2d0.gitlab: plugin process exited: path=/Users/sspans/vault/vault-plugin-secrets-gitlab_v0.8.0 pid=95897 error="exit status 2"
2025-04-14T14:15:15.622+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0.gitlab.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2025-04-14T14:15:24.016+0200 [DEBUG] secrets.gitlab.gitlab_b31cd2d0: plugin: reloading plugin backend: plugin=gitlab

Version 0.4.1 provides clearer error output:

2025-04-14T14:24:13.332+0200 [DEBUG] secrets.gitlab.gitlab_3d48c637.gitlab.vault-plugin-secrets-gitlab_v0.4.1: Setting a new client: timestamp="2025-04-14T14:24:13.332+0200"
2025-04-14T14:24:13.438+0200 [DEBUG] secrets.gitlab.gitlab_3d48c637.gitlab.vault-plugin-secrets-gitlab_v0.4.1: Current token info: error=<nil> token="map[access_level: created_at:2025-04-10T18:24:22.263Z expires_at:<nil> gitlab_revokes_token:false name:vault_engine parent_id: path: role_name: scopes:[api] token: token_id:524819 token_type:personal user_id:18998]" timestamp="2025-04-14T14:24:13.437+0200"
2025-04-14T14:24:13.440+0200 [DEBUG] secrets.gitlab.gitlab_3d48c637.gitlab.vault-plugin-secrets-gitlab_v0.4.1: panic: runtime error: invalid memory address or nil pointer dereference
2025-04-14T14:24:13.440+0200 [DEBUG] secrets.gitlab.gitlab_3d48c637.gitlab.vault-plugin-secrets-gitlab_v0.4.1: [signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1027f072c]
@ilijamt
Owner

ilijamt commented Apr 14, 2025

What version of GitLab are you using? AFAIK personal access tokens always have to have an expiry date.

@ilijamt
Owner

ilijamt commented Apr 14, 2025

This happened because it expected the time field for expires to be set, and it wasn't, so the code panicked. Can you check and let me know what version of GitLab you are running? I haven't been able to replicate this on 16 and 17.
Also, what type of token did you use? I know you said a PAT, but there are many ways to create one.

@sspans-sbp
Contributor Author

This is with:

gitlab_is_enterprise    true
gitlab_revision         8809f9af4e0
gitlab_version          17.10.4-ee

Broken:

curl --request POST --header "PRIVATE-TOKEN: MY_ADMIN_TOKEN"  --data "name=vault_engine"  --data "scopes[]=api" "https://my-gitlab-instance/api/v4/users/18998/personal_access_tokens"

Working:

curl --request POST --header "PRIVATE-TOKEN: MY_ADMIN_TOKEN"  --data "name=vault_engine"  --data "scopes[]=api" --data "expires_at=2025-09-15" "https://my-gitlab-instance/api/v4/users/18998/personal_access_tokens"

@ilijamt
Owner

ilijamt commented Apr 16, 2025

Can you show me the output of the broken call, without the PAT token?

curl --request POST --header "PRIVATE-TOKEN: MY_ADMIN_TOKEN"  --data "name=vault_engine"  --data "scopes[]=api" "https://my-gitlab-instance/api/v4/users/2/personal_access_tokens"
{
  "id": 93,
  "name": "vault_engine",
  "revoked": false,
  "created_at": "2025-04-16T06:11:44.467Z",
  "description": null,
  "scopes": [
    "api"
  ],
  "user_id": 2,
  "last_used_at": null,
  "active": true,
  "expires_at": "2026-04-16",
  "token": "glpat-....."
}

and

curl https://my-gitlab-instance/api/v4/personal_access_tokens/self -H "Private-Token: glpat-...."
{
  "id": 93,
  "name": "vault_engine",
  "revoked": false,
  "created_at": "2025-04-16T06:11:44.467Z",
  "description": null,
  "scopes": [
    "api"
  ],
  "user_id": 2,
  "last_used_at": "2025-04-16T06:28:12.977Z",
  "active": true,
  "expires_at": "2026-04-16"
}

Because with this token I get the following, and I don't get a crash:

❯ vault write gitlab/config/default base_url=https://my-gitlab-instance token=glpat-...... auto_rotate_token=false auto_rotate_before=48h type=self-managed
❯ vault read gitlab/config/default
Key                     Value
---                     -----
auto_rotate_before      48h0m0s
auto_rotate_token       false
base_url                https://my-gitlab-instance
gitlab_is_enterprise    true
gitlab_revision         8809f9af4e0
gitlab_version          17.10.4-ee
name                    default
scopes                  api
token_created_at        2025-04-16T06:31:15Z
token_expires_at        2026-04-16T00:00:00Z
token_id                94
token_sha1_hash         6d53f6b1d22075c7445e67f0ee4f3129c6e5e00a
type                    self-managed

@sspans-sbp
Contributor Author

Here's the output:

{
  "id": 536270,
  "name": "vault_engine",
  "revoked": false,
  "created_at": "2025-04-16T14:17:35.316Z",
  "description": null,
  "scopes": [
    "api"
  ],
  "user_id": 18998,
  "last_used_at": null,
  "active": true,
  "expires_at": null,
  "token": "foobar"
}

@ilijamt
Owner

ilijamt commented Apr 16, 2025

Yeah, that's the problem: expires_at cannot be empty since GitLab version 16.x. I've tried creating a new token without defining an expires at, and it still sets it for me.

What do you get on curl https://my-gitlab-instance/api/v4/personal_access_tokens/self -H "Private-Token: glpat-...."? The expires_at is probably empty there as well?

You have most likely found a GitLab bug, because it shouldn't be possible to create a token, especially PAT ones, without expiry now.

Can you check what is the reported GitLab version in the admin area?
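
The failure mode discussed above, as an added example that is not part of the thread, not the plugin's code and not the change in #179: a token response with "expires_at": null decodes to a nil pointer, and checking it before use turns the panic into an ordinary error. The names tokenInfo, parseTokenExpiry and ErrNoExpiry are hypothetical, and rejecting a token without expiry is an assumed policy.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// tokenInfo holds only fields visible in the responses in this thread (hypothetical type).
type tokenInfo struct {
	ID        int       `json:"id"`
	Name      string    `json:"name"`
	CreatedAt time.Time `json:"created_at"`
	ExpiresAt *string   `json:"expires_at"` // JSON null decodes to a nil pointer
}

var ErrNoExpiry = errors.New("token has no expires_at")

// parseTokenExpiry returns the expiry date, or ErrNoExpiry instead of a nil dereference.
func parseTokenExpiry(body []byte) (time.Time, error) {
	var t tokenInfo
	if err := json.Unmarshal(body, &t); err != nil {
		return time.Time{}, fmt.Errorf("decode token: %w", err)
	}
	if t.ExpiresAt == nil || *t.ExpiresAt == "" {
		return time.Time{}, fmt.Errorf("token %d (%s): %w", t.ID, t.Name, ErrNoExpiry)
	}
	exp, err := time.Parse("2006-01-02", *t.ExpiresAt) // date-only, as in the responses
	if err != nil {
		return time.Time{}, fmt.Errorf("parse expires_at: %w", err)
	}
	return exp, nil
}

// Constructed samples, reduced from the two responses posted in this thread.
const withExpiry = `{"id":93,"name":"vault_engine","created_at":"2025-04-16T06:11:44.467Z","expires_at":"2026-04-16"}`
const noExpiry = `{"id":536270,"name":"vault_engine","created_at":"2025-04-16T14:17:35.316Z","expires_at":null}`

func main() {
	for _, body := range []string{withExpiry, noExpiry} {
		exp, err := parseTokenExpiry([]byte(body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("expires:", exp.Format(time.RFC3339))
	}
}
```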

@ilijamt
Owner

ilijamt commented Apr 18, 2025

With no way to test this, can you check and let me know if this works: #179
