Listeners: Redaction only for TCP (#23592)

* redaction should only work for TCP listeners, also fix bug that allowed custom response headers for unix listeners * fix failing test * updates from PR feedback
2025-11-02 11:38:02 +00:00 · 2023-10-11 17:38:05 +01:00
parent 525bf2f894
commit 813c786032
6 changed files with 113 additions and 24 deletions
--- a/command/server.go
+++ b/command/server.go
@@ -886,9 +886,9 @@ func (c *ServerCommand) InitListeners(config *server.Config, disableClustering b
 		}
 		if reloadFunc != nil {
-			relSlice := (*c.reloadFuncs)["listener|"+lnConfig.Type]
+			relSlice := (*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)]
 			relSlice = append(relSlice, reloadFunc)
-			(*c.reloadFuncs)["listener|"+lnConfig.Type] = relSlice
+			(*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)] = relSlice
 		}
 		if !disableClustering && lnConfig.Type == "tcp" {
--- a/command/server/config_test_helpers.go
+++ b/command/server/config_test_helpers.go
@@ -793,7 +793,7 @@ func testConfig_Sanitized(t *testing.T) {
 					"address":          "127.0.0.1:443",
 					"chroot_namespace": "admin/",
 				},
-				"type": "tcp",
+				"type": configutil.TCP,
 			},
 		},
 		"log_format":       "",
@@ -890,6 +890,15 @@ listener "tcp" {
  redact_addresses = true
  redact_cluster_name = true
  redact_version = true
 }
 listener "unix" {
  address = "/var/run/vault.sock"
  socket_mode = "644"
  socket_user = "1000"
  socket_group = "1000"
  redact_addresses = true
  redact_cluster_name = true
  redact_version = true
 }`))
 	config := Config{
@@ -903,16 +912,14 @@ listener "tcp" {
 	config.Listeners = listeners
 	// Track which types of listener were found.
 	for _, l := range config.Listeners {
-		config.found(l.Type, l.Type)
+		config.found(l.Type.String(), l.Type.String())
 	}
-	if len(config.Listeners) == 0 {
+	require.Len(t, config.Listeners, 2)
-		t.Fatalf("expected at least one listener in the config")
+	tcpListener := config.Listeners[0]
-	}
+	require.Equal(t, configutil.TCP, tcpListener.Type)
-	listener := config.Listeners[0]
+	unixListner := config.Listeners[1]
-	if listener.Type != "tcp" {
+	require.Equal(t, configutil.Unix, unixListner.Type)
 		t.Fatalf("expected tcp listener in the config")
 	}
 	expected := &Config{
 		SharedConfig: &configutil.SharedConfig{
@@ -946,6 +953,16 @@ listener "tcp" {
 					RedactClusterName:     true,
 					RedactVersion:         true,
 				},
 				{
 					Type:              "unix",
 					Address:           "/var/run/vault.sock",
 					SocketMode:        "644",
 					SocketUser:        "1000",
 					SocketGroup:       "1000",
 					RedactAddresses:   false,
 					RedactClusterName: false,
 					RedactVersion:     false,
 				},
 			},
 		},
 	}
--- a/command/server/listener.go
+++ b/command/server/listener.go
@@ -22,7 +22,7 @@ import (
 type ListenerFactory func(*configutil.Listener, io.Writer, cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error)
 // BuiltinListeners is the list of built-in listener types.
-var BuiltinListeners = map[string]ListenerFactory{
+var BuiltinListeners = map[configutil.ListenerType]ListenerFactory{
 	"tcp":  tcpListenerFactory,
 	"unix": unixListenerFactory,
 }
--- a/internalshared/configutil/config.go
+++ b/internalshared/configutil/config.go
@@ -141,7 +141,7 @@ func ParseConfig(d string) (*SharedConfig, error) {
 		// Track which types of listener were found.
 		for _, l := range result.Listeners {
-			result.found(l.Type, l.Type)
+			result.found(l.Type.String(), l.Type.String())
 		}
 	}
--- a/internalshared/configutil/listener.go
+++ b/internalshared/configutil/listener.go
@@ -22,6 +22,14 @@ import (
 	"github.com/hashicorp/vault/helper/namespace"
 )
 const (
 	TCP  ListenerType = "tcp"
 	Unix ListenerType = "unix"
 )
 // ListenerType represents the supported types of listener.
 type ListenerType string
 type ListenerTelemetry struct {
 	UnusedKeys                      UnusedKeyMap `hcl:",unusedKeyPositions"`
 	UnauthenticatedMetricsAccess    bool         `hcl:"-"`
@@ -45,7 +53,7 @@ type Listener struct {
 	UnusedKeys UnusedKeyMap `hcl:",unusedKeyPositions"`
 	RawConfig  map[string]interface{}
-	Type       string
+	Type       ListenerType
 	Purpose    []string    `hcl:"-"`
 	PurposeRaw interface{} `hcl:"purpose"`
 	Role       string      `hcl:"role"`
@@ -254,6 +262,16 @@ func parseListener(item *ast.ObjectItem) (*Listener, error) {
 	return l, nil
 }
 // Normalize returns the lower case string version of a listener type.
 func (t ListenerType) Normalize() ListenerType {
 	return ListenerType(strings.ToLower(string(t)))
 }
 // String returns the string version of a listener type.
 func (t ListenerType) String() string {
 	return string(t.Normalize())
 }
 // parseChrootNamespace attempts to parse the raw listener chroot namespace settings.
 // The state of the listener will be modified, raw data will be cleared upon
 // successful parsing.
@@ -286,20 +304,21 @@ func (l *Listener) parseType(fallback string) error {
 	}
 	// Use type if available, otherwise fall back.
-	result := l.Type
+	rawType := l.Type
-	if result == "" {
+	if rawType == "" {
-		result = fallback
+		rawType = ListenerType(fallback)
 	}
-	result = strings.ToLower(result)
+
 	parsedType := rawType.Normalize()
 	// Sanity check the values
-	switch result {
+	switch parsedType {
-	case "tcp", "unix":
+	case TCP, Unix:
 	default:
-		return fmt.Errorf("unsupported listener type %q", result)
+		return fmt.Errorf("unsupported listener type %q", parsedType)
 	}
-	l.Type = result
+	l.Type = parsedType
 	return nil
 }
@@ -396,6 +415,13 @@ func (l *Listener) parseTLSSettings() error {
 // The state of the listener will be modified, raw data will be cleared upon
 // successful parsing.
 func (l *Listener) parseHTTPHeaderSettings() error {
 	// Custom response headers are only supported by TCP listeners.
 	// Clear raw data and return early if it was something else.
 	if l.Type != TCP {
 		l.CustomResponseHeadersRaw = nil
 		return nil
 	}
 	// if CustomResponseHeadersRaw is nil, we still need to set the default headers
 	customHeadersMap, err := ParseCustomResponseHeaders(l.CustomResponseHeadersRaw)
 	if err != nil {
@@ -604,6 +630,16 @@ func (l *Listener) parseCORSSettings() error {
 // The state of the listener will be modified, raw data will be cleared upon
 // successful parsing.
 func (l *Listener) parseRedactionSettings() error {
 	// Redaction is only supported on TCP listeners.
 	// Clear raw data and return early if it was something else.
 	if l.Type != TCP {
 		l.RedactAddressesRaw = nil
 		l.RedactClusterNameRaw = nil
 		l.RedactVersionRaw = nil
 		return nil
 	}
 	var err error
 	if l.RedactAddressesRaw != nil {
--- a/internalshared/configutil/listener_test.go
+++ b/internalshared/configutil/listener_test.go
@@ -159,7 +159,7 @@ func TestListener_parseType(t *testing.T) {
 		tc := tc
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			l := &Listener{Type: tc.inputType}
+			l := &Listener{Type: ListenerType(tc.inputType)}
 			err := l.parseType(tc.inputFallback)
 			switch {
 			case tc.isErrorExpected:
@@ -167,7 +167,7 @@ func TestListener_parseType(t *testing.T) {
 				require.ErrorContains(t, err, tc.errorMessage)
 			default:
 				require.NoError(t, err)
-				require.Equal(t, tc.expectedValue, l.Type)
+				require.Equal(t, tc.expectedValue, l.Type.String())
 			}
 		})
 	}
@@ -861,16 +861,19 @@ func TestListener_parseCORSSettings(t *testing.T) {
 // assign the relevant value on the SharedConfig struct.
 func TestListener_parseHTTPHeaderSettings(t *testing.T) {
 	tests := map[string]struct {
 		listenerType                     ListenerType
 		rawCustomResponseHeaders         []map[string]any
 		expectedNumCustomResponseHeaders int
 		isErrorExpected                  bool
 		errorMessage                     string
 	}{
 		"nil": {
 			listenerType:                     TCP,
 			isErrorExpected:                  false,
 			expectedNumCustomResponseHeaders: 1, // default: Strict-Transport-Security
 		},
 		"custom-headers-bad": {
 			listenerType: TCP,
 			rawCustomResponseHeaders: []map[string]any{
 				{"juan": false},
 			},
@@ -878,6 +881,7 @@ func TestListener_parseHTTPHeaderSettings(t *testing.T) {
 			errorMessage:    "failed to parse custom_response_headers",
 		},
 		"custom-headers-good": {
 			listenerType: TCP,
 			rawCustomResponseHeaders: []map[string]any{
 				{
 					"2xx": []map[string]any{
@@ -888,6 +892,18 @@ func TestListener_parseHTTPHeaderSettings(t *testing.T) {
 			expectedNumCustomResponseHeaders: 2,
 			isErrorExpected:                  false,
 		},
 		"unix-no-headers": {
 			listenerType: Unix,
 			rawCustomResponseHeaders: []map[string]any{
 				{
 					"2xx": []map[string]any{
 						{"X-Custom-Header": []any{"Custom Header Value 1", "Custom Header Value 2"}},
 					},
 				},
 			},
 			expectedNumCustomResponseHeaders: 0,
 			isErrorExpected:                  false,
 		},
 	}
 	for name, tc := range tests {
@@ -898,6 +914,7 @@ func TestListener_parseHTTPHeaderSettings(t *testing.T) {
 			// Configure listener with raw values
 			l := &Listener{
 				Type:                     tc.listenerType,
 				CustomResponseHeadersRaw: tc.rawCustomResponseHeaders,
 			}
@@ -978,6 +995,7 @@ func TestListener_parseChrootNamespaceSettings(t *testing.T) {
 // assign the relevant value on the SharedConfig struct.
 func TestListener_parseRedactionSettings(t *testing.T) {
 	tests := map[string]struct {
 		listenerType              ListenerType
 		rawRedactAddresses        any
 		expectedRedactAddresses   bool
 		rawRedactClusterName      any
@@ -988,41 +1006,58 @@ func TestListener_parseRedactionSettings(t *testing.T) {
 		errorMessage              string
 	}{
 		"missing": {
 			listenerType:              TCP,
 			isErrorExpected:           false,
 			expectedRedactAddresses:   false,
 			expectedRedactClusterName: false,
 			expectedRedactVersion:     false,
 		},
 		"redact-addresses-bad": {
 			listenerType:       TCP,
 			rawRedactAddresses: "juan",
 			isErrorExpected:    true,
 			errorMessage:       "invalid value for redact_addresses",
 		},
 		"redact-addresses-good": {
 			listenerType:            TCP,
 			rawRedactAddresses:      "true",
 			expectedRedactAddresses: true,
 			isErrorExpected:         false,
 		},
 		"redact-cluster-name-bad": {
 			listenerType:         TCP,
 			rawRedactClusterName: "juan",
 			isErrorExpected:      true,
 			errorMessage:         "invalid value for redact_cluster_name",
 		},
 		"redact-cluster-name-good": {
 			listenerType:              TCP,
 			rawRedactClusterName:      "true",
 			expectedRedactClusterName: true,
 			isErrorExpected:           false,
 		},
 		"redact-version-bad": {
 			listenerType:     TCP,
 			rawRedactVersion: "juan",
 			isErrorExpected:  true,
 			errorMessage:     "invalid value for redact_version",
 		},
 		"redact-version-good": {
 			listenerType:          TCP,
 			rawRedactVersion:      "true",
 			expectedRedactVersion: true,
 			isErrorExpected:       false,
 		},
 		"redact-unix-na": {
 			listenerType:              Unix,
 			rawRedactAddresses:        "true",
 			expectedRedactAddresses:   false,
 			rawRedactClusterName:      "true",
 			expectedRedactClusterName: false,
 			rawRedactVersion:          "true",
 			expectedRedactVersion:     false,
 			isErrorExpected:           false,
 		},
 	}
 	for name, tc := range tests {
@@ -1033,6 +1068,7 @@ func TestListener_parseRedactionSettings(t *testing.T) {
 			// Configure listener with raw values
 			l := &Listener{
 				Type:                 tc.listenerType,
 				RedactAddressesRaw:   tc.rawRedactAddresses,
 				RedactClusterNameRaw: tc.rawRedactClusterName,
 				RedactVersionRaw:     tc.rawRedactVersion,