scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

VAULT-33008: ipv6: always display RFC-5952 §4 conformant addresses (#29228)

Browse Source 
USGv6[0] requires implementing §4.1.1 of the NISTv6-r1 profile[1] for
IPv6-Only capabilities. This section requires that whenever Vault
displays IPv6 addresses (including CLI output, Web UI, logs, etc.) that
_all_ IPv6 addresses must conform to RFC-5952 §4 text representation
recommendations[2].

These recommendations do not prevent us from accepting RFC-4241[3] IPv6
addresses, however, whenever these same addresses are displayed they
must conform to the strict RFC-5952 §4 guidelines.

This PR implements handling of IPv6 address conformance in our
`vault server` routine. We handle conformance normalization for all
server, http_proxy, listener, seal, storage and telemetry
configuration where an input could contain an IPv6 address, whether
configured via an HCL file or via corresponding environment variables.

The approach I've taken is to handle conformance normalization at
parse time to ensure that all log output and subsequent usage
inside of Vaults various subsystems always reference a conformant
address, that way we don't need concern ourselves with conformance
later. This approach ought to be backwards compatible to prior loose
address configuration requirements, with the understanding that
going forward all IPv6 representation will be strict regardless of
what has been configured.

In many cases I've updated our various parser functions to call the
new `configutil.NormalizeAddr()` to apply conformance normalization.
Others required no changes because they rely on standard library URL
string output, which always displays IPv6 URLs in a conformant way.

Not included in this changes is any other vault exec mode other than
server. Client, operator commands, agent mode, proxy mode, etc. will
be included in subsequent changes if necessary.

[0]: https://www.nist.gov/publications/usgv6-profile
[1]: https://www.nist.gov/publications/nist-ipv6-profile
[2]: https://www.rfc-editor.org/rfc/rfc5952.html#section-4
[3]: https://www.rfc-editor.org/rfc/rfc4291

Signed-off-by: Ryan Cragun <me@ryan.ec>
This commit is contained in:
Ryan Cragun
2025-01-27 14:14:28 -07:00
committed by GitHub
parent 9456671f04
commit 012cd5a42a
20 changed files with 1423 additions and 141 deletions
Download Patch File Download Diff File Expand all files Collapse all files

374
command/server/config_test_helpers.go
View File

@@ -4,6 +4,7 @@
package server
import (
"encoding/json"
"fmt"
"reflect"
"sort"
@@ -29,36 +30,53 @@ func boolPointer(x bool) *bool {
return &x
}
// testConfigRaftRetryJoin decodes and normalizes retry_join stanzas.
func testConfigRaftRetryJoin(t *testing.T) {
config, err := LoadConfigFile("./test-fixtures/raft_retry_join.hcl")
if err != nil {
t.Fatal(err)
t.Parallel()
retryJoinExpected := []map[string]string{
{"leader_api_addr": "http://127.0.0.1:8200"},
{"leader_api_addr": "http://[2001:db8::2:1]:8200"},
{"auto_join": "provider=mdns service=consul domain=2001:db8::2:1"},
{"auto_join": "provider=os tag_key=consul tag_value=server username=foo password=bar auth_url=https://[2001:db8::2:1]/auth"},
{"auto_join": "provider=triton account=testaccount url=https://[2001:db8::2:1] key_id=1234 tag_key=consul-role tag_value=server"},
{"auto_join": "provider=packet auth_token=token project=uuid url=https://[2001:db8::2:1] address_type=public_v6"},
{"auto_join": "provider=vsphere category_name=consul-role tag_name=consul-server host=https://[2001:db8::2:1] user=foo password=bar insecure_ssl=false"},
}
retryJoinConfig := `[{"leader_api_addr":"http://127.0.0.1:8200"},{"leader_api_addr":"http://127.0.0.2:8200"},{"leader_api_addr":"http://127.0.0.3:8200"}]`
expected := &Config{
SharedConfig: &configutil.SharedConfig{
Listeners: []*configutil.Listener{
for _, cfg := range []string{
"attr",
"block",
"mixed",
} {
t.Run(cfg, func(t *testing.T) {
t.Parallel()
config, err := LoadConfigFile(fmt.Sprintf("./test-fixtures/raft_retry_join_%s.hcl", cfg))
require.NoError(t, err)
retryJoinJSON, err := json.Marshal(retryJoinExpected)
require.NoError(t, err)
expected := NewConfig()
expected.SharedConfig.Listeners = []*configutil.Listener{
{
Type: "tcp",
Address: "127.0.0.1:8200",
CustomResponseHeaders: DefaultCustomHeaders,
},
},
DisableMlock: true,
},
Storage: &Storage{
Type: "raft",
Config: map[string]string{
"path": "/storage/path/raft",
"node_id": "raft1",
"retry_join": retryJoinConfig,
},
},
}
config.Prune()
if diff := deep.Equal(config, expected); diff != nil {
t.Fatal(diff)
}
expected.SharedConfig.DisableMlock = true
expected.Storage = &Storage{
Type: "raft",
Config: map[string]string{
"path": "/storage/path/raft",
"node_id": "raft1",
"retry_join": string(retryJoinJSON),
},
}
config.Prune()
require.EqualValues(t, expected.SharedConfig, config.SharedConfig)
require.EqualValues(t, expected.Storage, config.Storage)
})
}
}
@@ -143,7 +161,8 @@ func testLoadConfigFile_topLevel(t *testing.T, entropy *configutil.Entropy) {
ServiceRegistration: &ServiceRegistration{
Type: "consul",
Config: map[string]string{
"foo": "bar",
"foo": "bar",
"address": "https://[2001:db8::1]:8500",
},
},
@@ -1124,6 +1143,313 @@ ha_storage "consul" {
}
}
// testParseStorageURLConformance verifies that any storage configuration that
// takes a URL, IP Address, or host:port address conforms to RFC-5942 §4 when
// configured with an IPv6 address. See: https://rfc-editor.org/rfc/rfc5952.html
func testParseStorageURLConformance(t *testing.T) {
t.Parallel()
for name, tc := range map[string]struct {
config string
expected *Storage
shouldFail bool
}{
"aerospike": {
config: `
storage "aerospike" {
hostname = "2001:db8:0:0:0:0:2:1"
port = "3000"
namespace = "test"
set = "vault"
username = "admin"
password = "admin"
}`,
expected: &Storage{
Type: "aerospike",
Config: map[string]string{
"hostname": "2001:db8::2:1",
"port": "3000",
"namespace": "test",
"set": "vault",
"username": "admin",
"password": "admin",
},
},
},
"alicloudoss": {
config: `
storage "alicloudoss" {
access_key = "abcd1234"
secret_key = "defg5678"
endpoint = "2001:db8:0:0:0:0:2:1"
bucket = "my-bucket"
}`,
expected: &Storage{
Type: "alicloudoss",
Config: map[string]string{
"access_key": "abcd1234",
"secret_key": "defg5678",
"endpoint": "2001:db8::2:1",
"bucket": "my-bucket",
},
},
},
"azure": {
config: `
storage "azure" {
accountName = "my-storage-account"
accountKey = "abcd1234"
arm_endpoint = "2001:db8:0:0:0:0:2:1"
container = "container-efgh5678"
environment = "AzurePublicCloud"
}`,
expected: &Storage{
Type: "azure",
Config: map[string]string{
"accountName": "my-storage-account",
"accountKey": "abcd1234",
"arm_endpoint": "2001:db8::2:1",
"container": "container-efgh5678",
"environment": "AzurePublicCloud",
},
},
},
"cassandra": {
config: `
storage "cassandra" {
hosts = "2001:db8:0:0:0:0:2:1"
consistency = "LOCAL_QUORUM"
protocol_version = 3
}`,
expected: &Storage{
Type: "cassandra",
Config: map[string]string{
"hosts": "2001:db8::2:1",
"consistency": "LOCAL_QUORUM",
"protocol_version": "3",
},
},
},
"cockroachdb": {
config: `
storage "cockroachdb" {
connection_url = "postgres://user123:secret123!@2001:db8:0:0:0:0:2:1:5432/vault"
table = "vault_kv_store"
}`,
expected: &Storage{
Type: "cockroachdb",
Config: map[string]string{
"connection_url": "postgres://user123:secret123%21@[2001:db8::2:1]:5432/vault",
"table": "vault_kv_store",
},
},
},
"consul": {
config: `
storage "consul" {
address = "2001:db8:0:0:0:0:2:1:8500"
path = "vault/"
}`,
expected: &Storage{
Type: "consul",
Config: map[string]string{
"address": "2001:db8::2:1:8500",
"path": "vault/",
},
},
},
"couchdb": {
config: `
storage "couchdb" {
endpoint = "https://[2001:db8:0:0:0:0:2:1]:5984/my-database"
username = "admin"
password = "admin"
}`,
expected: &Storage{
Type: "couchdb",
Config: map[string]string{
"endpoint": "https://[2001:db8::2:1]:5984/my-database",
"username": "admin",
"password": "admin",
},
},
},
"dynamodb": {
config: `
storage "dynamodb" {
endpoint = "https://[2001:db8:0:0:0:0:2:1]:5984/my-aws-endpoint"
ha_enabled = "true"
region = "us-west-2"
table = "vault-data"
}`,
expected: &Storage{
Type: "dynamodb",
Config: map[string]string{
"endpoint": "https://[2001:db8::2:1]:5984/my-aws-endpoint",
"ha_enabled": "true",
"region": "us-west-2",
"table": "vault-data",
},
},
},
"etcd": {
config: `
storage "etcd" {
address = "https://[2001:db8:0:0:0:0:2:1]:2379"
discovery_srv = "https://[2001:db8:0:0:1:0:0:1]"
etcd_api = "v3"
}`,
expected: &Storage{
Type: "etcd",
Config: map[string]string{
"address": "https://[2001:db8::2:1]:2379",
"discovery_srv": "https://[2001:db8::1:0:0:1]",
"etcd_api": "v3",
},
},
},
"manta": {
config: `
storage "manta" {
directory = "manta-directory"
user = "myuser"
key_id = "40:9d:d3:f9:0b:86:62:48:f4:2e:a5:8e:43:00:2a:9b"
url = "https://[2001:db8:0:0:0:0:2:1]"
}`,
expected: &Storage{
Type: "manta",
Config: map[string]string{
"directory": "manta-directory",
"user": "myuser",
"key_id": "40:9d:d3:f9:0b:86:62:48:f4:2e:a5:8e:43:00:2a:9b",
"url": "https://[2001:db8::2:1]",
},
},
},
"mssql": {
config: `
storage "mssql" {
server = "2001:db8:0:0:0:0:2:1"
port = 1433
username = "user1234"
password = "secret123!"
database = "vault"
table = "vault"
appname = "vault"
schema = "dbo"
connectionTimeout = 30
logLevel = 0
}`,
expected: &Storage{
Type: "mssql",
Config: map[string]string{
"server": "2001:db8::2:1",
"port": "1433",
"username": "user1234",
"password": "secret123!",
"database": "vault",
"table": "vault",
"appname": "vault",
"schema": "dbo",
"connectionTimeout": "30",
"logLevel": "0",
},
},
},
"mysql": {
config: `
storage "mysql" {
address = "2001:db8:0:0:0:0:2:1:3306"
username = "user1234"
password = "secret123!"
database = "vault"
}`,
expected: &Storage{
Type: "mysql",
Config: map[string]string{
"address": "2001:db8::2:1:3306",
"username": "user1234",
"password": "secret123!",
"database": "vault",
},
},
},
"postgresql": {
config: `
storage "postgresql" {
connection_url = "postgres://user123:secret123!@2001:db8:0:0:0:0:2:1:5432/vault"
table = "vault_kv_store"
}`,
expected: &Storage{
Type: "postgresql",
Config: map[string]string{
"connection_url": "postgres://user123:secret123%21@[2001:db8::2:1]:5432/vault",
"table": "vault_kv_store",
},
},
},
"s3": {
config: `
storage "s3" {
endpoint = "https://[2001:db8:0:0:0:0:2:1]:5984/my-aws-endpoint"
access_key = "abcd1234"
secret_key = "defg5678"
bucket = "my-bucket"
}`,
expected: &Storage{
Type: "s3",
Config: map[string]string{
"endpoint": "https://[2001:db8::2:1]:5984/my-aws-endpoint",
"access_key": "abcd1234",
"secret_key": "defg5678",
"bucket": "my-bucket",
},
},
},
"swift": {
config: `
storage "swift" {
auth_url = "https://[2001:db8:0:0:0:0:2:1]/auth"
storage_url = "https://[2001:db8:0:0:0:0:2:1]/storage"
username = "admin"
password = "secret123!"
container = "my-storage-container"
}`,
expected: &Storage{
Type: "swift",
Config: map[string]string{
"auth_url": "https://[2001:db8::2:1]/auth",
"storage_url": "https://[2001:db8::2:1]/storage",
"username": "admin",
"password": "secret123!",
"container": "my-storage-container",
},
},
},
"zookeeper": {
config: `
storage "zookeeper" {
address = "2001:db8:0:0:0:0:2:1:2181"
path = "vault/"
}`,
expected: &Storage{
Type: "zookeeper",
Config: map[string]string{
"address": "2001:db8::2:1:2181",
"path": "vault/",
},
},
},
} {
t.Run(name, func(t *testing.T) {
t.Parallel()
config, err := ParseConfig(tc.config, "")
require.NoError(t, err)
require.EqualValues(t, tc.expected, config.Storage)
})
}
}
func testParseSeals(t *testing.T) {
config, err := LoadConfigFile("./test-fixtures/config_seals.hcl")
if err != nil {