VAULT-15668: fix windows issues with -dev-tls flag (#20257)

* fix -dev-tls flag on windows * changelog * fix only hcl config * fix import * fmt
2025-10-31 02:28:09 +00:00 · 2023-04-21 10:54:38 +02:00
parent 7f2deb1420
commit b0289d4472
4 changed files with 47 additions and 2 deletions
--- a/changelog/20257.txt
+++ b/changelog/20257.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows 
+```
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -196,7 +196,10 @@ func DevTLSConfig(storageType, certDir string) (*Config, error) {
 	if err := os.WriteFile(fmt.Sprintf("%s/%s", certDir, VaultDevKeyFilename), []byte(key), 0o400); err != nil {
 		return nil, err
 	}
+	return parseDevTLSConfig(storageType, certDir)
+}

+func parseDevTLSConfig(storageType, certDir string) (*Config, error) {
 	hclStr := `
 disable_mlock = true

@@ -219,8 +222,8 @@ storage "%s" {

 ui = true
 `
-
-	hclStr = fmt.Sprintf(hclStr, certDir, certDir, storageType)
+	certDirEscaped := strings.Replace(certDir, "\\", "\\\\", -1)
+	hclStr = fmt.Sprintf(hclStr, certDirEscaped, certDirEscaped, storageType)
 	parsed, err := ParseConfig(hclStr, "")
 	if err != nil {
 		return nil, err
--- a/command/server/config_test.go
+++ b/command/server/config_test.go
@@ -8,6 +8,8 @@ import (
 	"reflect"
 	"strings"
 	"testing"
+
+	"github.com/stretchr/testify/require"
 )

 func TestLoadConfigFile(t *testing.T) {
@@ -186,3 +188,29 @@ func TestMerge(t *testing.T) {
 		})
 	}
 }
+
+// Test_parseDevTLSConfig verifies that both Windows and Unix directories are correctly escaped when creating a dev TLS
+// configuration in HCL
+func Test_parseDevTLSConfig(t *testing.T) {
+	tests := []struct {
+		name          string
+		certDirectory string
+	}{
+		{
+			name:          "windows path",
+			certDirectory: `C:\Users\ADMINI~1\AppData\Local\Temp\2\vault-tls4169358130`,
+		},
+		{
+			name:          "unix path",
+			certDirectory: "/tmp/vault-tls4169358130",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg, err := parseDevTLSConfig("file", tt.certDirectory)
+			require.NoError(t, err)
+			require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevCertFilename), cfg.Listeners[0].TLSCertFile)
+			require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevKeyFilename), cfg.Listeners[0].TLSKeyFile)
+		})
+	}
+}
--- a/command/server_test.go
+++ b/command/server_test.go
@@ -24,6 +24,7 @@ import (
 	"github.com/hashicorp/vault/sdk/physical"
 	physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
 	"github.com/mitchellh/cli"
+	"github.com/stretchr/testify/require"
 )

 func init() {
@@ -317,3 +318,13 @@ func TestServer(t *testing.T) {
 		})
 	}
 }
+
+// TestServer_DevTLS verifies that a vault server starts up correctly with the -dev-tls flag
+func TestServer_DevTLS(t *testing.T) {
+	ui, cmd := testServerCommand(t)
+	args := []string{"-dev-tls", "-dev-listen-address=127.0.0.1:0", "-test-server-config"}
+	retCode := cmd.Run(args)
+	output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+	require.Equal(t, 0, retCode, output)
+	require.Contains(t, output, `tls: "enabled"`)
+}