scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-11-01 19:17:58 +00:00
Code Issues Packages Projects Releases Wiki Activity

VAULT-33758: IPv6 address conformance for proxy and agent (#29517)

Browse Source 
This is a follow-up to our initial work[0] to address RFC-5952 §4 conformance for IPv6 addresses in Vault. The initial pass focused on the vault server configuration and start-up routines. This follow-up focuses on Agent and Proxy, with a few minor improvements for server.

The approach generally mirrors the server implementation but also adds support for normalization with CLI configuration overrides.

One aspect we do not normalize currently is Agent/Proxy client creation to the Vault server with credentials taken from environment variables, as it would require larger changes to the `api` module. In practice this ought to be fine for the majority of cases.

[0]: https://github.com/hashicorp/vault/pull/29228
This commit is contained in:
Ryan Cragun
2025-02-27 15:57:46 -07:00
committed by GitHub
parent 69646127df
commit 58a49e6ce0
32 changed files with 1474 additions and 315 deletions
Download Patch File Download Diff File Expand all files Collapse all files

174
command/agent/config/config_test.go
View File

@@ -14,6 +14,7 @@ import (
"github.com/hashicorp/vault/command/agentproxyshared"
"github.com/hashicorp/vault/internalshared/configutil"
"github.com/hashicorp/vault/sdk/helper/pointerutil"
"github.com/stretchr/testify/require"
"golang.org/x/exp/slices"
)
@@ -230,6 +231,9 @@ func TestLoadConfigDir_AgentCache(t *testing.T) {
t.Fatal(err)
}
config2, err := LoadConfigFile("./test-fixtures/config-dir-cache/config-cache2.hcl")
if err != nil {
t.Fatal(err)
}
mergedConfig := config.Merge(config2)
@@ -441,77 +445,117 @@ func TestLoadConfigFile_AgentCache_NoListeners(t *testing.T) {
}
}
func TestLoadConfigFile(t *testing.T) {
if err := os.Setenv("TEST_AAD_ENV", "aad"); err != nil {
t.Fatal(err)
}
defer func() {
if err := os.Unsetenv("TEST_AAD_ENV"); err != nil {
t.Fatal(err)
}
}()
// Test_LoadConfigFile_AutoAuth_AddrConformance verifies basic config file
// loading in addition to RFC-5942 §4 normalization of auto-auth methods.
// See: https://rfc-editor.org/rfc/rfc5952.html
func Test_LoadConfigFile_AutoAuth_AddrConformance(t *testing.T) {
t.Setenv("TEST_AAD_ENV", "aad")
config, err := LoadConfigFile("./test-fixtures/config.hcl")
if err != nil {
t.Fatalf("err: %s", err)
}
expected := &Config{
SharedConfig: &configutil.SharedConfig{
PidFile: "./pidfile",
LogFile: "/var/log/vault/vault-agent.log",
},
AutoAuth: &AutoAuth{
Method: &Method{
Type: "aws",
MountPath: "auth/aws",
Namespace: "my-namespace/",
Config: map[string]interface{}{
"role": "foobar",
},
MaxBackoff: 0,
},
Sinks: []*Sink{
{
Type: "file",
DHType: "curve25519",
DHPath: "/tmp/file-foo-dhpath",
AAD: "foobar",
Config: map[string]interface{}{
"path": "/tmp/file-foo",
},
},
{
Type: "file",
WrapTTL: 5 * time.Minute,
DHType: "curve25519",
DHPath: "/tmp/file-foo-dhpath2",
AAD: "aad",
DeriveKey: true,
Config: map[string]interface{}{
"path": "/tmp/file-bar",
},
},
for name, method := range map[string]*Method{
"aws": {
Type: "aws",
MountPath: "auth/aws",
Namespace: "aws-namespace/",
Config: map[string]any{
"role": "foobar",
},
},
TemplateConfig: &TemplateConfig{
MaxConnectionsPerHost: DefaultTemplateConfigMaxConnsPerHost,
"azure": {
Type: "azure",
MountPath: "auth/azure",
Namespace: "azure-namespace/",
Config: map[string]any{
"authenticate_from_environment": true,
"role": "dev-role",
"resource": "https://[2001:0:0:1::1]",
},
},
}
"gcp": {
Type: "gcp",
MountPath: "auth/gcp",
Namespace: "gcp-namespace/",
Config: map[string]any{
"role": "dev-role",
"service_account": "https://[2001:db8:ac3:fe4::1]",
},
},
} {
t.Run(name, func(t *testing.T) {
config, err := LoadConfigFile("./test-fixtures/config-auto-auth-" + name + ".hcl")
require.NoError(t, err)
config.Prune()
if diff := deep.Equal(config, expected); diff != nil {
t.Fatal(diff)
}
expected := &Config{
SharedConfig: &configutil.SharedConfig{
PidFile: "./pidfile",
Listeners: []*configutil.Listener{
{
Type: "unix",
Address: "/path/to/socket",
TLSDisable: true,
AgentAPI: &configutil.AgentAPI{
EnableQuit: true,
},
},
{
Type: "tcp",
Address: "2001:db8::1:8200", // Normalized
TLSDisable: true,
},
{
Type: "tcp",
Address: "[2001:0:0:1::1]:3000", // Normalized
Role: "metrics_only",
TLSDisable: true,
},
{
Type: "tcp",
Role: "default",
Address: "2001:db8:0:1:1:1:1:1:8400", // Normalized
TLSKeyFile: "/path/to/cakey.pem",
TLSCertFile: "/path/to/cacert.pem",
},
},
LogFile: "/var/log/vault/vault-agent.log",
},
Vault: &Vault{
Address: "https://[2001:db8::1]:8200", // Address is normalized
Retry: &Retry{
NumRetries: 12, // Default number of retries when a vault stanza is set
},
},
AutoAuth: &AutoAuth{
Method: method, // Method properties are normalized correctly
Sinks: []*Sink{
{
Type: "file",
DHType: "curve25519",
DHPath: "/tmp/file-foo-dhpath",
AAD: "foobar",
Config: map[string]interface{}{
"path": "/tmp/file-foo",
},
},
{
Type: "file",
WrapTTL: 5 * time.Minute,
DHType: "curve25519",
DHPath: "/tmp/file-foo-dhpath2",
AAD: "aad",
DeriveKey: true,
Config: map[string]interface{}{
"path": "/tmp/file-bar",
},
},
},
},
TemplateConfig: &TemplateConfig{
MaxConnectionsPerHost: DefaultTemplateConfigMaxConnsPerHost,
},
}
config, err = LoadConfigFile("./test-fixtures/config-embedded-type.hcl")
if err != nil {
t.Fatalf("err: %s", err)
}
config.Prune()
if diff := deep.Equal(config, expected); diff != nil {
t.Fatal(diff)
config.Prune()
require.EqualValues(t, expected, config)
})
}
}