scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 02:02:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

VAULT-33008: ipv6: always display RFC-5952 §4 conformant addresses (#29228)

Browse Source 
USGv6[0] requires implementing §4.1.1 of the NISTv6-r1 profile[1] for
IPv6-Only capabilities. This section requires that whenever Vault
displays IPv6 addresses (including CLI output, Web UI, logs, etc.) that
_all_ IPv6 addresses must conform to RFC-5952 §4 text representation
recommendations[2].

These recommendations do not prevent us from accepting RFC-4241[3] IPv6
addresses, however, whenever these same addresses are displayed they
must conform to the strict RFC-5952 §4 guidelines.

This PR implements handling of IPv6 address conformance in our
`vault server` routine. We handle conformance normalization for all
server, http_proxy, listener, seal, storage and telemetry
configuration where an input could contain an IPv6 address, whether
configured via an HCL file or via corresponding environment variables.

The approach I've taken is to handle conformance normalization at
parse time to ensure that all log output and subsequent usage
inside of Vaults various subsystems always reference a conformant
address, that way we don't need concern ourselves with conformance
later. This approach ought to be backwards compatible to prior loose
address configuration requirements, with the understanding that
going forward all IPv6 representation will be strict regardless of
what has been configured.

In many cases I've updated our various parser functions to call the
new `configutil.NormalizeAddr()` to apply conformance normalization.
Others required no changes because they rely on standard library URL
string output, which always displays IPv6 URLs in a conformant way.

Not included in this changes is any other vault exec mode other than
server. Client, operator commands, agent mode, proxy mode, etc. will
be included in subsequent changes if necessary.

[0]: https://www.nist.gov/publications/usgv6-profile
[1]: https://www.nist.gov/publications/nist-ipv6-profile
[2]: https://www.rfc-editor.org/rfc/rfc5952.html#section-4
[3]: https://www.rfc-editor.org/rfc/rfc4291

Signed-off-by: Ryan Cragun <me@ryan.ec>
This commit is contained in:
Ryan Cragun
2025-01-27 14:14:28 -07:00
committed by GitHub
parent 9456671f04
commit 012cd5a42a
20 changed files with 1423 additions and 141 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
command/operator_migrate_test.go
View File

@@ -190,23 +190,23 @@ func TestMigration(t *testing.T) {
cmd := new(OperatorMigrateCommand)
cfgName := filepath.Join(t.TempDir(), "migrator")
os.WriteFile(cfgName, []byte(`
storage_source "src_type" {
storage_source "consul" {
path = "src_path"
}
storage_destination "dest_type" {
storage_destination "raft" {
path = "dest_path"
}`), 0o644)
expCfg := &migratorConfig{
StorageSource: &server.Storage{
Type: "src_type",
Type: "consul",
Config: map[string]string{
"path": "src_path",
},
},
StorageDestination: &server.Storage{
Type: "dest_type",
Type: "raft",
Config: map[string]string{
"path": "dest_path",
},
@@ -230,41 +230,41 @@ storage_destination "dest_type" {
// missing source
verifyBad(`
storage_destination "dest_type" {
storage_destination "raft" {
path = "dest_path"
}`)
// missing destination
verifyBad(`
storage_source "src_type" {
storage_source "consul" {
path = "src_path"
}`)
// duplicate source
verifyBad(`
storage_source "src_type" {
storage_source "consul" {
path = "src_path"
}
storage_source "src_type2" {
storage_source "raft" {
path = "src_path"
}
storage_destination "dest_type" {
storage_destination "raft" {
path = "dest_path"
}`)
// duplicate destination
verifyBad(`
storage_source "src_type" {
storage_source "consul" {
path = "src_path"
}
storage_destination "dest_type" {
storage_destination "raft" {
path = "dest_path"
}
storage_destination "dest_type2" {
storage_destination "consul" {
path = "dest_path"
}`)
})

22
command/server.go
View File

@@ -514,7 +514,7 @@ func (c *ServerCommand) runRecoveryMode() int {
}
if config.Storage.Type == storageTypeRaft || (config.HAStorage != nil && config.HAStorage.Type == storageTypeRaft) {
if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
config.ClusterAddr = envCA
config.ClusterAddr = configutil.NormalizeAddr(envCA)
}
if len(config.ClusterAddr) == 0 {
@@ -742,9 +742,9 @@ func (c *ServerCommand) runRecoveryMode() int {
func logProxyEnvironmentVariables(logger hclog.Logger) {
proxyCfg := httpproxy.FromEnvironment()
cfgMap := map[string]string{
"http_proxy": proxyCfg.HTTPProxy,
"https_proxy": proxyCfg.HTTPSProxy,
"no_proxy": proxyCfg.NoProxy,
"http_proxy": configutil.NormalizeAddr(proxyCfg.HTTPProxy),
"https_proxy": configutil.NormalizeAddr(proxyCfg.HTTPSProxy),
"no_proxy": configutil.NormalizeAddr(proxyCfg.NoProxy),
}
for k, v := range cfgMap {
u, err := url.Parse(v)
@@ -2243,7 +2243,7 @@ func (c *ServerCommand) detectRedirect(detect physical.RedirectDetect,
}
// Return the URL string
return url.String(), nil
return configutil.NormalizeAddr(url.String()), nil
}
func (c *ServerCommand) Reload(lock *sync.RWMutex, reloadFuncs *map[string][]reloadutil.ReloadFunc, configPath []string, core *vault.Core) error {
@@ -2749,11 +2749,11 @@ func initHaBackend(c *ServerCommand, config *server.Config, coreConfig *vault.Co
func determineRedirectAddr(c *ServerCommand, coreConfig *vault.CoreConfig, config *server.Config) error {
var retErr error
if envRA := os.Getenv("VAULT_API_ADDR"); envRA != "" {
coreConfig.RedirectAddr = envRA
coreConfig.RedirectAddr = configutil.NormalizeAddr(envRA)
} else if envRA := os.Getenv("VAULT_REDIRECT_ADDR"); envRA != "" {
coreConfig.RedirectAddr = envRA
coreConfig.RedirectAddr = configutil.NormalizeAddr(envRA)
} else if envAA := os.Getenv("VAULT_ADVERTISE_ADDR"); envAA != "" {
coreConfig.RedirectAddr = envAA
coreConfig.RedirectAddr = configutil.NormalizeAddr(envAA)
}
// Attempt to detect the redirect address, if possible
@@ -2785,7 +2785,7 @@ func determineRedirectAddr(c *ServerCommand, coreConfig *vault.CoreConfig, confi
if c.flagDevTLS {
protocol = "https"
}
coreConfig.RedirectAddr = fmt.Sprintf("%s://%s", protocol, config.Listeners[0].Address)
coreConfig.RedirectAddr = configutil.NormalizeAddr(fmt.Sprintf("%s://%s", protocol, config.Listeners[0].Address))
}
return retErr
}
@@ -2794,7 +2794,7 @@ func findClusterAddress(c *ServerCommand, coreConfig *vault.CoreConfig, config *
if disableClustering {
coreConfig.ClusterAddr = ""
} else if envCA := os.Getenv("VAULT_CLUSTER_ADDR"); envCA != "" {
coreConfig.ClusterAddr = envCA
coreConfig.ClusterAddr = configutil.NormalizeAddr(envCA)
} else {
var addrToUse string
switch {
@@ -2826,7 +2826,7 @@ func findClusterAddress(c *ServerCommand, coreConfig *vault.CoreConfig, config *
u.Host = net.JoinHostPort(host, strconv.Itoa(nPort+1))
// Will always be TLS-secured
u.Scheme = "https"
coreConfig.ClusterAddr = u.String()
coreConfig.ClusterAddr = configutil.NormalizeAddr(u.String())
}
CLUSTER_SYNTHESIS_COMPLETE:

193
command/server/config.go
View File

@@ -11,6 +11,7 @@ import (
"math"
"os"
"path/filepath"
"slices"
"strconv"
"strings"
"time"
@@ -934,33 +935,49 @@ func ParseStorage(result *Config, list *ast.ObjectList, name string) error {
}
m := make(map[string]string)
for key, val := range config {
valStr, ok := val.(string)
for k, v := range config {
vStr, ok := v.(string)
if ok {
m[key] = valStr
var err error
m[k], err = normalizeStorageConfigAddresses(key, k, vStr)
if err != nil {
return err
}
continue
}
valBytes, err := json.Marshal(val)
if err != nil {
return err
var err error
var vBytes []byte
// Raft's retry_join requires special normalization due to its complexity
if key == "raft" && k == "retry_join" {
vBytes, err = normalizeRaftRetryJoin(v)
if err != nil {
return err
}
} else {
vBytes, err = json.Marshal(v)
if err != nil {
return err
}
}
m[key] = string(valBytes)
m[k] = string(vBytes)
}
// Pull out the redirect address since it's common to all backends
var redirectAddr string
if v, ok := m["redirect_addr"]; ok {
redirectAddr = v
redirectAddr = configutil.NormalizeAddr(v)
delete(m, "redirect_addr")
} else if v, ok := m["advertise_addr"]; ok {
redirectAddr = v
redirectAddr = configutil.NormalizeAddr(v)
delete(m, "advertise_addr")
}
// Pull out the cluster address since it's common to all backends
var clusterAddr string
if v, ok := m["cluster_addr"]; ok {
clusterAddr = v
clusterAddr = configutil.NormalizeAddr(v)
delete(m, "cluster_addr")
}
@@ -997,6 +1014,120 @@ func ParseStorage(result *Config, list *ast.ObjectList, name string) error {
return nil
}
// storageAddressKeys maps a storage backend type to its associated
// configuration whose values are URLs, IP addresses, or host:port style
// addresses. All physical storage types must have an entry in this map,
// otherwise our normalization check will fail when parsing the storage entry
// config. Physical storage types which don't contain such keys should include
// an empty array.
var storageAddressKeys = map[string][]string{
"aerospike": {"hostname"},
"alicloudoss": {"endpoint"},
"azure": {"arm_endpoint"},
"cassandra": {"hosts"},
"cockroachdb": {"connection_url"},
"consul": {"address", "service_address"},
"couchdb": {"endpoint"},
"dynamodb": {"endpoint"},
"etcd": {"address", "discovery_srv"},
"file": {},
"filesystem": {},
"foundationdb": {},
"gcs": {},
"inmem": {},
"inmem_ha": {},
"inmem_transactional": {},
"inmem_transactional_ha": {},
"manta": {"url"},
"mssql": {"server"},
"mysql": {"address"},
"oci": {},
"postgresql": {"connection_url"},
"raft": {}, // retry_join is handled separately in normalizeRaftRetryJoin()
"s3": {"endpoint"},
"spanner": {},
"swift": {"auth_url", "storage_url"},
"zookeeper": {"address"},
}
// normalizeStorageConfigAddresses takes a storage name, a configuration key
// and it's associated value and will normalize any URLs, IP addresses, or
// host:port style addresses.
func normalizeStorageConfigAddresses(storage string, key string, value string) (string, error) {
keys, ok := storageAddressKeys[storage]
if !ok {
return "", fmt.Errorf("unknown storage type %s", storage)
}
if slices.Contains(keys, key) {
return configutil.NormalizeAddr(value), nil
}
return value, nil
}
// normalizeRaftRetryJoin takes the hcl decoded value representation of a
// retry_join stanza and normalizes any URLs, IP addresses, or host:port style
// addresses, and returns the value encoded as JSON.
func normalizeRaftRetryJoin(val any) ([]byte, error) {
res := []map[string]any{}
// Depending on whether the retry_join stanzas were configured as an attribute,
// a block, or a mixture of both, we'll get different values from which we
// need to extract our individual retry joins stanzas.
stanzas := []map[string]any{}
if retryJoin, ok := val.([]map[string]any); ok {
// retry_join stanzas are defined as blocks
stanzas = retryJoin
} else {
// retry_join stanzas are defined as attributes or attributes and blocks
retryJoin, ok := val.([]any)
if !ok {
// retry_join stanzas have not been configured correctly
return nil, fmt.Errorf("malformed retry_join stanza: %v", val)
}
for _, stanza := range retryJoin {
stanzaVal, ok := stanza.(map[string]any)
if !ok {
return nil, fmt.Errorf("malformed retry_join stanza: %v", stanza)
}
stanzas = append(stanzas, stanzaVal)
}
}
for _, stanza := range stanzas {
normalizedStanza := map[string]any{}
for k, v := range stanza {
switch k {
case "auto_join":
pairs := strings.Split(v.(string), " ")
for i, pair := range pairs {
pairParts := strings.Split(pair, "=")
if len(pairParts) != 2 {
return nil, fmt.Errorf("malformed auto_join pair %s, expected key=value", pair)
}
// These are auto_join keys that are valid for the provider in go-discover
if slices.Contains([]string{"domain", "auth_url", "url", "host"}, pairParts[0]) {
pairParts[1] = configutil.NormalizeAddr(pairParts[1])
pair = strings.Join(pairParts, "=")
pairs[i] = pair
}
}
normalizedStanza[k] = strings.Join(pairs, " ")
case "leader_api_addr":
normalizedStanza[k] = configutil.NormalizeAddr(v.(string))
default:
normalizedStanza[k] = v
}
}
res = append(res, normalizedStanza)
}
return json.Marshal(res)
}
func parseHAStorage(result *Config, list *ast.ObjectList, name string) error {
if len(list.Items) > 1 {
return fmt.Errorf("only one %q block is permitted", name)
@@ -1016,33 +1147,49 @@ func parseHAStorage(result *Config, list *ast.ObjectList, name string) error {
}
m := make(map[string]string)
for key, val := range config {
valStr, ok := val.(string)
for k, v := range config {
vStr, ok := v.(string)
if ok {
m[key] = valStr
var err error
m[k], err = normalizeStorageConfigAddresses(key, k, vStr)
if err != nil {
return err
}
continue
}
valBytes, err := json.Marshal(val)
if err != nil {
return err
var err error
var vBytes []byte
// Raft's retry_join requires special normalization due to its complexity
if key == "raft" && k == "retry_join" {
vBytes, err = normalizeRaftRetryJoin(v)
if err != nil {
return err
}
} else {
vBytes, err = json.Marshal(v)
if err != nil {
return err
}
}
m[key] = string(valBytes)
m[k] = string(vBytes)
}
// Pull out the redirect address since it's common to all backends
var redirectAddr string
if v, ok := m["redirect_addr"]; ok {
redirectAddr = v
redirectAddr = configutil.NormalizeAddr(v)
delete(m, "redirect_addr")
} else if v, ok := m["advertise_addr"]; ok {
redirectAddr = v
redirectAddr = configutil.NormalizeAddr(v)
delete(m, "advertise_addr")
}
// Pull out the cluster address since it's common to all backends
var clusterAddr string
if v, ok := m["cluster_addr"]; ok {
clusterAddr = v
clusterAddr = configutil.NormalizeAddr(v)
delete(m, "cluster_addr")
}
@@ -1096,6 +1243,12 @@ func parseServiceRegistration(result *Config, list *ast.ObjectList, name string)
return multierror.Prefix(err, fmt.Sprintf("%s.%s:", name, key))
}
if key == "consul" {
if addr, ok := m["address"]; ok {
m["address"] = configutil.NormalizeAddr(addr)
}
}
result.ServiceRegistration = &ServiceRegistration{
Type: strings.ToLower(key),
Config: m,

8
command/server/config_test.go
View File

@@ -65,6 +65,14 @@ func TestParseStorage(t *testing.T) {
testParseStorageTemplate(t)
}
// TestParseStorageURLConformance tests that all config attrs whose values can be
// URLs, IP addresses, or host:port addresses, when configured with an IPv6
// address, the normalized to be conformant with RFC-5942 §4
// See: https://rfc-editor.org/rfc/rfc5952.html
func TestParseStorageURLConformance(t *testing.T) {
testParseStorageURLConformance(t)
}
// TestConfigWithAdministrativeNamespace tests that .hcl and .json configurations are correctly parsed when the administrative_namespace_path is present.
func TestConfigWithAdministrativeNamespace(t *testing.T) {
testConfigWithAdministrativeNamespaceHcl(t)

374
command/server/config_test_helpers.go
View File

@@ -4,6 +4,7 @@
package server
import (
"encoding/json"
"fmt"
"reflect"
"sort"
@@ -29,36 +30,53 @@ func boolPointer(x bool) *bool {
return &x
}
// testConfigRaftRetryJoin decodes and normalizes retry_join stanzas.
func testConfigRaftRetryJoin(t *testing.T) {
config, err := LoadConfigFile("./test-fixtures/raft_retry_join.hcl")
if err != nil {
t.Fatal(err)
t.Parallel()
retryJoinExpected := []map[string]string{
{"leader_api_addr": "http://127.0.0.1:8200"},
{"leader_api_addr": "http://[2001:db8::2:1]:8200"},
{"auto_join": "provider=mdns service=consul domain=2001:db8::2:1"},
{"auto_join": "provider=os tag_key=consul tag_value=server username=foo password=bar auth_url=https://[2001:db8::2:1]/auth"},
{"auto_join": "provider=triton account=testaccount url=https://[2001:db8::2:1] key_id=1234 tag_key=consul-role tag_value=server"},
{"auto_join": "provider=packet auth_token=token project=uuid url=https://[2001:db8::2:1] address_type=public_v6"},
{"auto_join": "provider=vsphere category_name=consul-role tag_name=consul-server host=https://[2001:db8::2:1] user=foo password=bar insecure_ssl=false"},
}
retryJoinConfig := `[{"leader_api_addr":"http://127.0.0.1:8200"},{"leader_api_addr":"http://127.0.0.2:8200"},{"leader_api_addr":"http://127.0.0.3:8200"}]`
expected := &Config{
SharedConfig: &configutil.SharedConfig{
Listeners: []*configutil.Listener{
for _, cfg := range []string{
"attr",
"block",
"mixed",
} {
t.Run(cfg, func(t *testing.T) {
t.Parallel()
config, err := LoadConfigFile(fmt.Sprintf("./test-fixtures/raft_retry_join_%s.hcl", cfg))
require.NoError(t, err)
retryJoinJSON, err := json.Marshal(retryJoinExpected)
require.NoError(t, err)
expected := NewConfig()
expected.SharedConfig.Listeners = []*configutil.Listener{
{
Type: "tcp",
Address: "127.0.0.1:8200",
CustomResponseHeaders: DefaultCustomHeaders,
},
},
DisableMlock: true,
},
Storage: &Storage{
Type: "raft",
Config: map[string]string{
"path": "/storage/path/raft",
"node_id": "raft1",
"retry_join": retryJoinConfig,
},
},
}
config.Prune()
if diff := deep.Equal(config, expected); diff != nil {
t.Fatal(diff)
}
expected.SharedConfig.DisableMlock = true
expected.Storage = &Storage{
Type: "raft",
Config: map[string]string{
"path": "/storage/path/raft",
"node_id": "raft1",
"retry_join": string(retryJoinJSON),
},
}
config.Prune()
require.EqualValues(t, expected.SharedConfig, config.SharedConfig)
require.EqualValues(t, expected.Storage, config.Storage)
})
}
}
@@ -143,7 +161,8 @@ func testLoadConfigFile_topLevel(t *testing.T, entropy *configutil.Entropy) {
ServiceRegistration: &ServiceRegistration{
Type: "consul",
Config: map[string]string{
"foo": "bar",
"foo": "bar",
"address": "https://[2001:db8::1]:8500",
},
},
@@ -1124,6 +1143,313 @@ ha_storage "consul" {
}
}
// testParseStorageURLConformance verifies that any storage configuration that
// takes a URL, IP Address, or host:port address conforms to RFC-5942 §4 when
// configured with an IPv6 address. See: https://rfc-editor.org/rfc/rfc5952.html
func testParseStorageURLConformance(t *testing.T) {
t.Parallel()
for name, tc := range map[string]struct {
config string
expected *Storage
shouldFail bool
}{
"aerospike": {
config: `
storage "aerospike" {
hostname = "2001:db8:0:0:0:0:2:1"
port = "3000"
namespace = "test"
set = "vault"
username = "admin"
password = "admin"
}`,
expected: &Storage{
Type: "aerospike",
Config: map[string]string{
"hostname": "2001:db8::2:1",
"port": "3000",
"namespace": "test",
"set": "vault",
"username": "admin",
"password": "admin",
},
},
},
"alicloudoss": {
config: `
storage "alicloudoss" {
access_key = "abcd1234"
secret_key = "defg5678"
endpoint = "2001:db8:0:0:0:0:2:1"
bucket = "my-bucket"
}`,
expected: &Storage{
Type: "alicloudoss",
Config: map[string]string{
"access_key": "abcd1234",
"secret_key": "defg5678",
"endpoint": "2001:db8::2:1",
"bucket": "my-bucket",
},
},
},
"azure": {
config: `
storage "azure" {
accountName = "my-storage-account"
accountKey = "abcd1234"
arm_endpoint = "2001:db8:0:0:0:0:2:1"
container = "container-efgh5678"
environment = "AzurePublicCloud"
}`,
expected: &Storage{
Type: "azure",
Config: map[string]string{
"accountName": "my-storage-account",
"accountKey": "abcd1234",
"arm_endpoint": "2001:db8::2:1",
"container": "container-efgh5678",
"environment": "AzurePublicCloud",
},
},
},
"cassandra": {
config: `
storage "cassandra" {
hosts = "2001:db8:0:0:0:0:2:1"
consistency = "LOCAL_QUORUM"
protocol_version = 3
}`,
expected: &Storage{
Type: "cassandra",
Config: map[string]string{
"hosts": "2001:db8::2:1",
"consistency": "LOCAL_QUORUM",
"protocol_version": "3",
},
},
},
"cockroachdb": {
config: `
storage "cockroachdb" {
connection_url = "postgres://user123:secret123!@2001:db8:0:0:0:0:2:1:5432/vault"
table = "vault_kv_store"
}`,
expected: &Storage{
Type: "cockroachdb",
Config: map[string]string{
"connection_url": "postgres://user123:secret123%21@[2001:db8::2:1]:5432/vault",
"table": "vault_kv_store",
},
},
},
"consul": {
config: `
storage "consul" {
address = "2001:db8:0:0:0:0:2:1:8500"
path = "vault/"
}`,
expected: &Storage{
Type: "consul",
Config: map[string]string{
"address": "2001:db8::2:1:8500",
"path": "vault/",
},
},
},
"couchdb": {
config: `
storage "couchdb" {
endpoint = "https://[2001:db8:0:0:0:0:2:1]:5984/my-database"
username = "admin"
password = "admin"
}`,
expected: &Storage{
Type: "couchdb",
Config: map[string]string{
"endpoint": "https://[2001:db8::2:1]:5984/my-database",
"username": "admin",
"password": "admin",
},
},
},
"dynamodb": {
config: `
storage "dynamodb" {
endpoint = "https://[2001:db8:0:0:0:0:2:1]:5984/my-aws-endpoint"
ha_enabled = "true"
region = "us-west-2"
table = "vault-data"
}`,
expected: &Storage{
Type: "dynamodb",
Config: map[string]string{
"endpoint": "https://[2001:db8::2:1]:5984/my-aws-endpoint",
"ha_enabled": "true",
"region": "us-west-2",
"table": "vault-data",
},
},
},
"etcd": {
config: `
storage "etcd" {
address = "https://[2001:db8:0:0:0:0:2:1]:2379"
discovery_srv = "https://[2001:db8:0:0:1:0:0:1]"
etcd_api = "v3"
}`,
expected: &Storage{
Type: "etcd",
Config: map[string]string{
"address": "https://[2001:db8::2:1]:2379",
"discovery_srv": "https://[2001:db8::1:0:0:1]",
"etcd_api": "v3",
},
},
},
"manta": {
config: `
storage "manta" {
directory = "manta-directory"
user = "myuser"
key_id = "40:9d:d3:f9:0b:86:62:48:f4:2e:a5:8e:43:00:2a:9b"
url = "https://[2001:db8:0:0:0:0:2:1]"
}`,
expected: &Storage{
Type: "manta",
Config: map[string]string{
"directory": "manta-directory",
"user": "myuser",
"key_id": "40:9d:d3:f9:0b:86:62:48:f4:2e:a5:8e:43:00:2a:9b",
"url": "https://[2001:db8::2:1]",
},
},
},
"mssql": {
config: `
storage "mssql" {
server = "2001:db8:0:0:0:0:2:1"
port = 1433
username = "user1234"
password = "secret123!"
database = "vault"
table = "vault"
appname = "vault"
schema = "dbo"
connectionTimeout = 30
logLevel = 0
}`,
expected: &Storage{
Type: "mssql",
Config: map[string]string{
"server": "2001:db8::2:1",
"port": "1433",
"username": "user1234",
"password": "secret123!",
"database": "vault",
"table": "vault",
"appname": "vault",
"schema": "dbo",
"connectionTimeout": "30",
"logLevel": "0",
},
},
},
"mysql": {
config: `
storage "mysql" {
address = "2001:db8:0:0:0:0:2:1:3306"
username = "user1234"
password = "secret123!"
database = "vault"
}`,
expected: &Storage{
Type: "mysql",
Config: map[string]string{
"address": "2001:db8::2:1:3306",
"username": "user1234",
"password": "secret123!",
"database": "vault",
},
},
},
"postgresql": {
config: `
storage "postgresql" {
connection_url = "postgres://user123:secret123!@2001:db8:0:0:0:0:2:1:5432/vault"
table = "vault_kv_store"
}`,
expected: &Storage{
Type: "postgresql",
Config: map[string]string{
"connection_url": "postgres://user123:secret123%21@[2001:db8::2:1]:5432/vault",
"table": "vault_kv_store",
},
},
},
"s3": {
config: `
storage "s3" {
endpoint = "https://[2001:db8:0:0:0:0:2:1]:5984/my-aws-endpoint"
access_key = "abcd1234"
secret_key = "defg5678"
bucket = "my-bucket"
}`,
expected: &Storage{
Type: "s3",
Config: map[string]string{
"endpoint": "https://[2001:db8::2:1]:5984/my-aws-endpoint",
"access_key": "abcd1234",
"secret_key": "defg5678",
"bucket": "my-bucket",
},
},
},
"swift": {
config: `
storage "swift" {
auth_url = "https://[2001:db8:0:0:0:0:2:1]/auth"
storage_url = "https://[2001:db8:0:0:0:0:2:1]/storage"
username = "admin"
password = "secret123!"
container = "my-storage-container"
}`,
expected: &Storage{
Type: "swift",
Config: map[string]string{
"auth_url": "https://[2001:db8::2:1]/auth",
"storage_url": "https://[2001:db8::2:1]/storage",
"username": "admin",
"password": "secret123!",
"container": "my-storage-container",
},
},
},
"zookeeper": {
config: `
storage "zookeeper" {
address = "2001:db8:0:0:0:0:2:1:2181"
path = "vault/"
}`,
expected: &Storage{
Type: "zookeeper",
Config: map[string]string{
"address": "2001:db8::2:1:2181",
"path": "vault/",
},
},
},
} {
t.Run(name, func(t *testing.T) {
t.Parallel()
config, err := ParseConfig(tc.config, "")
require.NoError(t, err)
require.EqualValues(t, tc.expected, config.Storage)
})
}
}
func testParseSeals(t *testing.T) {
config, err := LoadConfigFile("./test-fixtures/config_seals.hcl")
if err != nil {

51
command/server/test-fixtures/config2.hcl
View File

@@ -6,60 +6,61 @@ disable_mlock = true
ui = true
api_addr = "top_level_api_addr"
api_addr = "top_level_api_addr"
cluster_addr = "top_level_cluster_addr"
listener "tcp" {
address = "127.0.0.1:443"
address = "127.0.0.1:443"
}
storage "consul" {
foo = "bar"
redirect_addr = "foo"
foo = "bar"
redirect_addr = "foo"
}
ha_storage "consul" {
bar = "baz"
redirect_addr = "snafu"
disable_clustering = "true"
bar = "baz"
redirect_addr = "snafu"
disable_clustering = "true"
}
service_registration "consul" {
foo = "bar"
foo = "bar"
address = "https://[2001:0db8::0001]:8500"
}
telemetry {
statsd_address = "bar"
usage_gauge_period = "5m"
maximum_gauge_cardinality = 125
statsite_address = "foo"
dogstatsd_addr = "127.0.0.1:7254"
dogstatsd_tags = ["tag_1:val_1", "tag_2:val_2"]
prometheus_retention_time = "30s"
statsd_address = "bar"
usage_gauge_period = "5m"
maximum_gauge_cardinality = 125
statsite_address = "foo"
dogstatsd_addr = "127.0.0.1:7254"
dogstatsd_tags = ["tag_1:val_1", "tag_2:val_2"]
prometheus_retention_time = "30s"
}
entropy "seal" {
mode = "augmentation"
mode = "augmentation"
}
sentinel {
additional_enabled_modules = []
additional_enabled_modules = []
}
kms "commastringpurpose" {
purpose = "foo,bar"
purpose = "foo,bar"
}
kms "slicepurpose" {
purpose = ["zip", "zap"]
purpose = ["zip", "zap"]
}
seal "nopurpose" {
}
seal "stringpurpose" {
purpose = "foo"
purpose = "foo"
}
max_lease_ttl = "10h"
default_lease_ttl = "10h"
cluster_name = "testcluster"
pid_file = "./pidfile"
max_lease_ttl = "10h"
default_lease_ttl = "10h"
cluster_name = "testcluster"
pid_file = "./pidfile"
raw_storage_endpoint = true
disable_sealwrap = true
disable_sealwrap = true

22
command/server/test-fixtures/raft_retry_join.hcl
View File

@@ -1,22 +0,0 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
storage "raft" {
path = "/storage/path/raft"
node_id = "raft1"
retry_join = [
{
"leader_api_addr" = "http://127.0.0.1:8200"
},
{
"leader_api_addr" = "http://127.0.0.2:8200"
},
{
"leader_api_addr" = "http://127.0.0.3:8200"
}
]
}
listener "tcp" {
address = "127.0.0.1:8200"
}
disable_mlock = true

32
command/server/test-fixtures/raft_retry_join_attr.hcl Normal file
View File

@@ -0,0 +1,32 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
storage "raft" {
path = "/storage/path/raft"
node_id = "raft1"
retry_join = [
{ "leader_api_addr" = "http://127.0.0.1:8200" },
{ "leader_api_addr" = "http://[2001:db8:0:0:0:0:2:1]:8200" }
]
retry_join = [
{ "auto_join" = "provider=mdns service=consul domain=2001:db8:0:0:0:0:2:1" }
]
retry_join = [
{ "auto_join" = "provider=os tag_key=consul tag_value=server username=foo password=bar auth_url=https://[2001:db8:0:0:0:0:2:1]/auth" }
]
retry_join = [
{ "auto_join" = "provider=triton account=testaccount url=https://[2001:db8:0:0:0:0:2:1] key_id=1234 tag_key=consul-role tag_value=server" }
]
retry_join = [
{ "auto_join" = "provider=packet auth_token=token project=uuid url=https://[2001:db8:0:0:0:0:2:1] address_type=public_v6" }
]
retry_join = [
{ "auto_join" = "provider=vsphere category_name=consul-role tag_name=consul-server host=https://[2001:db8:0:0:0:0:2:1] user=foo password=bar insecure_ssl=false" }
]
}
listener "tcp" {
address = "127.0.0.1:8200"
}
disable_mlock = true

35
command/server/test-fixtures/raft_retry_join_block.hcl Normal file
View File

@@ -0,0 +1,35 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
storage "raft" {
path = "/storage/path/raft"
node_id = "raft1"
retry_join {
"leader_api_addr" = "http://127.0.0.1:8200"
}
retry_join {
"leader_api_addr" = "http://[2001:db8:0:0:0:0:2:1]:8200"
}
retry_join {
"auto_join" = "provider=mdns service=consul domain=2001:db8:0:0:0:0:2:1"
}
retry_join {
"auto_join" = "provider=os tag_key=consul tag_value=server username=foo password=bar auth_url=https://[2001:db8:0:0:0:0:2:1]/auth"
}
retry_join {
"auto_join" = "provider=triton account=testaccount url=https://[2001:db8:0:0:0:0:2:1] key_id=1234 tag_key=consul-role tag_value=server"
}
retry_join {
"auto_join" = "provider=packet auth_token=token project=uuid url=https://[2001:db8:0:0:0:0:2:1] address_type=public_v6"
}
retry_join {
"auto_join" = "provider=vsphere category_name=consul-role tag_name=consul-server host=https://[2001:db8:0:0:0:0:2:1] user=foo password=bar insecure_ssl=false"
}
}
listener "tcp" {
address = "127.0.0.1:8200"
}
disable_mlock = true

32
command/server/test-fixtures/raft_retry_join_mixed.hcl Normal file
View File

@@ -0,0 +1,32 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
storage "raft" {
path = "/storage/path/raft"
node_id = "raft1"
retry_join = [
{ "leader_api_addr" = "http://127.0.0.1:8200" },
{ "leader_api_addr" = "http://[2001:db8:0:0:0:0:2:1]:8200" }
]
retry_join {
"auto_join" = "provider=mdns service=consul domain=2001:db8:0:0:0:0:2:1"
}
retry_join = [
{ "auto_join" = "provider=os tag_key=consul tag_value=server username=foo password=bar auth_url=https://[2001:db8:0:0:0:0:2:1]/auth" }
]
retry_join {
"auto_join" = "provider=triton account=testaccount url=https://[2001:db8:0:0:0:0:2:1] key_id=1234 tag_key=consul-role tag_value=server"
}
retry_join = [
{ "auto_join" = "provider=packet auth_token=token project=uuid url=https://[2001:db8:0:0:0:0:2:1] address_type=public_v6" }
]
retry_join {
"auto_join" = "provider=vsphere category_name=consul-role tag_name=consul-server host=https://[2001:db8:0:0:0:0:2:1] user=foo password=bar insecure_ssl=false"
}
}
listener "tcp" {
address = "127.0.0.1:8200"
}
disable_mlock = true