VAULT-33758: IPv6 address conformance for proxy and agent (#29517)

This is a follow-up to our initial work[0] to address RFC-5952 §4 conformance for IPv6 addresses in Vault. The initial pass focused on the vault server configuration and start-up routines. This follow-up focuses on Agent and Proxy, with a few minor improvements for server. The approach generally mirrors the server implementation but also adds support for normalization with CLI configuration overrides. One aspect we do not normalize currently is Agent/Proxy client creation to the Vault server with credentials taken from environment variables, as it would require larger changes to the `api` module. In practice this ought to be fine for the majority of cases. [0]: https://github.com/hashicorp/vault/pull/29228
2025-10-31 10:37:56 +00:00 · 2025-02-27 15:57:46 -07:00
parent 69646127df
commit 58a49e6ce0
32 changed files with 1474 additions and 315 deletions
--- a/command/agent_test.go
+++ b/command/agent_test.go
@@ -3569,6 +3569,113 @@ template {
 	}
 }

+// TestAgent_Config_AddrConformance verifies that the vault address is correctly
+// normalized to conform to RFC-5942 §4 when configured by a config file,
+// environment variables, or CLI flags.
+// See: https://rfc-editor.org/rfc/rfc5952.html
+func TestAgent_Config_AddrConformance(t *testing.T) {
+	for name, test := range map[string]struct {
+		args     []string
+		envVars  map[string]string
+		cfg      string
+		expected *agentConfig.Config
+	}{
+		"ipv4 config": {
+			cfg: `
+vault {
+  address = "https://127.0.0.1:8200"
+}`,
+			expected: &agentConfig.Config{
+				Vault: &agentConfig.Vault{
+					Address: "https://127.0.0.1:8200",
+				},
+			},
+		},
+		"ipv6 config": {
+			cfg: `
+vault {
+  address = "https://[2001:0db8::0001]:8200"
+}`,
+			expected: &agentConfig.Config{
+				Vault: &agentConfig.Vault{
+					// Use the normalized version in the config
+					Address: "https://[2001:db8::1]:8200",
+				},
+			},
+		},
+		"ipv6 cli arg overrides": {
+			args: []string{"-address=https://[2001:0:0:1:0:0:0:1]:8200"},
+			cfg: `
+vault {
+  address = "https://[2001:0db8::0001]:8200"
+}`,
+			expected: &agentConfig.Config{
+				Vault: &agentConfig.Vault{
+					// Use a normalized version of the args address
+					Address: "https://[2001:0:0:1::1]:8200",
+				},
+			},
+		},
+		"ipv6 env var overrides": {
+			envVars: map[string]string{
+				"VAULT_ADDR": "https://[2001:DB8:AC3:FE4::1]:8200",
+			},
+			cfg: `
+vault {
+  address = "https://[2001:0db8::0001]:8200"
+}`,
+			expected: &agentConfig.Config{
+				Vault: &agentConfig.Vault{
+					// Use a normalized version of the env var address
+					Address: "https://[2001:db8:ac3:fe4::1]:8200",
+				},
+			},
+		},
+		"ipv6 all uses cli overrides": {
+			args: []string{"-address=https://[2001:0:0:1:0:0:0:1]:8200"},
+			envVars: map[string]string{
+				"VAULT_ADDR": "https://[2001:DB8:AC3:FE4::1]:8200",
+			},
+			cfg: `
+vault {
+  address = "https://[2001:0db8::0001]:8200"
+}`,
+			expected: &agentConfig.Config{
+				Vault: &agentConfig.Vault{
+					// Use a normalized version of the args address
+					Address: "https://[2001:0:0:1::1]:8200",
+				},
+			},
+		},
+	} {
+		t.Run(name, func(t *testing.T) {
+			// In CI our tests are run with VAULT_ADDR=, which will break our tests
+			// because it'll default to an unset address. Ensure that's cleared out
+			// of the environment.
+			t.Cleanup(func() {
+				os.Setenv(api.EnvVaultAddress, os.Getenv(api.EnvVaultAddress))
+			})
+			os.Unsetenv(api.EnvVaultAddress)
+			for k, v := range test.envVars {
+				t.Setenv(k, v)
+			}
+
+			configFile := populateTempFile(t, "agent-"+strings.ReplaceAll(name, " ", "-"), test.cfg)
+			cfg, err := agentConfig.LoadConfigFile(configFile.Name())
+			require.NoError(t, err)
+			require.NotEmptyf(t, cfg.Vault.Address, "agent config is missing address: %+v", cfg.Vault)
+
+			cmd := &AgentCommand{BaseCommand: &BaseCommand{}}
+			f := cmd.Flags()
+			args := append([]string{}, test.args...)
+			require.NoError(t, f.Parse(args))
+
+			cmd.applyConfigOverrides(f, cfg)
+			require.Equalf(t, test.expected.Vault.Address, cfg.Vault.Address, "agent config is missing address: config: %+v, flags: %+v", cfg.Vault, f)
+		})
+	}
+}
+
 // Get a randomly assigned port and then free it again before returning it.
 // There is still a race when trying to use it, but should work better
 // than a static port.