From 12e7c77ecc9d006bdff6b13a1b36cb5e07079a62 Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Wed, 12 Jun 2024 16:30:19 +0100
Subject: [PATCH] TCP Listener: fix bug in parsing TCP listener settings for `proxy_protocol_behavior` (#27459)
* update code and test to support the documented config setting 'deny_unauthorized' rather than 'deny_authorized' which was incorrect
* changelog
---
 changelog/27459.txt | 4 ++++
 internalshared/configutil/listener.go | 4 ++--
 internalshared/configutil/listener_test.go | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 changelog/27459.txt
diff --git a/changelog/27459.txt b/changelog/27459.txt
new file mode 100644
index 0000000000..d46570f5a4
--- /dev/null
+++ b/changelog/27459.txt
@@ -0,0 +1,4 @@
+```release-note:bug
+config: Vault TCP listener config now correctly supports the documented proxy_protocol_behavior
+setting of 'deny_unauthorized'
+```
diff --git a/internalshared/configutil/listener.go b/internalshared/configutil/listener.go
index 0504702028..1e959b5c86 100644
--- a/internalshared/configutil/listener.go
+++ b/internalshared/configutil/listener.go
@@ -562,9 +562,9 @@ func (l *Listener) parseProxySettings() error {
 // Validation/sanity check on allowed settings for behavior.
 switch l.ProxyProtocolBehavior {
- case "allow_authorized", "deny_authorized", "use_always", "":
+ case "allow_authorized", "deny_unauthorized", "use_always", "":
 // Ignore these cases, they're all valid values.
- // In the case of 'allow_authorized' and 'deny_authorized', we don't need
+ // In the case of 'allow_authorized' and 'deny_unauthorized', we don't need
 // to check how many addresses we have in ProxyProtocolAuthorizedAddrs
 // as parseutil.ParseAddrs returns "one or more addresses" (or an error)
 // so we'd have returned earlier.
diff --git a/internalshared/configutil/listener_test.go b/internalshared/configutil/listener_test.go
index bfd922faa8..51d0c094ed 100644
--- a/internalshared/configutil/listener_test.go
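Review bot: Dropping "deny_authorized" from the `case` list in parseProxySettings is an undocumented compatibility break. It was the only spelling this switch accepted for the deny behavior, so any config that carried it to get past validation no longer matches the valid-values branch. What the switch does with unmatched values is outside the hunk, but presumably the listener config now fails to parse. It is also not visible here whether the code that enforces the behavior ever matched the misspelled string, so such listeners may not have been rejecting unauthorized PROXY-protocol sources and are worth auditing before upgrade. I would record the break next to the case, e.g. `// "deny_authorized" was accepted here before #27459 by mistake and is no longer a valid value.`, and consider named constants shared between this switch and the enforcing code so the two cannot drift apart again.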
+++ b/internalshared/configutil/listener_test.go
@@ -529,7 +529,7 @@ func TestListener_parseProxySettings(t *testing.T) {
 "behavior-deny": {
 rawProxyProtocolAuthorizedAddrs: "10.0.0.1,10.0.2.1",
 expectedNumAddrs: 2,
- proxyBehavior: "deny_authorized",
+ proxyBehavior: "deny_unauthorized",
 isErrorExpected: false,
 },
 }
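Review bot: The table has no case that pins the old spelling as invalid, so a later edit could put "deny_authorized" back into the parser's accepted list without any test failing. The "behavior-deny" entry now covers only the positive path for `deny_unauthorized`. I would add a sibling entry with `proxyBehavior: "deny_authorized",` and `isErrorExpected: true,`, assuming the switch's handling of unknown values (outside this diff) returns an error. TestListener_parseProxySettings and its table begin and continue outside the hunk, so the remaining fields of that entry should follow the existing error cases.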