VAULT-33008: ipv6: always display RFC-5952 §4 conformant addresses #29228
Conversation
github-actions
bot
added
the
hashicorp-contributed-pr
|
CI Results: |
|
Build Results: |
ryancragun
force-pushed
the
ryan/vault-33009
branch
2 times, most recently
from
f499d57 to
477e93b
Compare
| // If the addr is a URL, IP Address, or host:port address that includes an IPv6 | ||
| // address, the normalized copy will be conformant with RFC-5942 §4 | ||
| // See: https://rfc-editor.org/rfc/rfc5952.html | ||
| func NormalizeAddr(u string) string { |
There was a problem hiding this comment.
I know you're not looking for nits here, but I couldn't help myself! 😆
Everything about this (description, commit message, etc.) mentions ipv6, but the methods and file names do not reflect that. Would it make sense to make these more ipv6-oriented? IMO that'd make it clearer that this is specifically for ipv6 normalization? I realize this detail is also documented in godocs, but it feels right to make the "interface" more self-documenting...
There was a problem hiding this comment.
I agree that the name makes more sense to be more specific about what kinds of addresses it's normalizing. What about
NormalizeAddressIfIPV6 or similar?
There was a problem hiding this comment.
Maybe I'm missing something but it looks like this function is designed to take any type of address and if it happens to contain an IPv6 address, then that gets normalized to be RFC-5942 compliant, so from that perspective, I agree with how it's currently named. Otherwise, if we name everything it might be normalizing, the name becomes enormous and unwieldy. If we just call out IPv6 and nothing else, then that's slightly misleading, since it's handling other types of addresses too. I like it the way it is 👌
There was a problem hiding this comment.
My thought is that it doesn't touch non-IPv6 addresses, so I would prefer that called out, and why I thought maybe NormalizeAddressIfIPV6 would fit better. I wouldn't love NormalizeIPV6Address for the reasons you called out, Josh, it doesn't touch non-IPv6 addresses.
All that being said, this is far from a hill I want to die on, and it's totally not too bad/confusing the way it is now :)
There was a problem hiding this comment.
My thought is that it doesn't touch non-IPv6 addresses
It does though. There's a branch in one of the if statements that deals with IPv4 addresses. @ryancragun can correct me if I'm wrong, but my read through of this function suggests that its intent is you can pass any type of address to it, whether it's IPv4, IPv6, host:port pair, whatever, and it will always do the right thing.
There was a problem hiding this comment.
@VioletHynes was correct in that the branch that touches IPv4 can just return the input, which I've done, so we don't actually change anything in ipv4 land.
Regarding the function name, my thinking was that we can safely pass any sort of address to it and receive a normalized version it, regardless of the address type or format. At the moment it only really normalizes addresses that are IPv6 but the name leaves it open to changing in the future if necessary.
Obviously my preference is implicit in the naming choice I made but I definitely don't care. Whatever group consensus is is fine with me.
There was a problem hiding this comment.
This looks great! I've got a few comments that I'd consider non-blocking (other than the make fmt) since the tests assure me that this thing works as we expect. However, I think there are probably some clarity improvements we should make before we merge this.
I really appreciate all of the attention to detail on the tests here.
| // can be URLs, IP addresses, or host:port addresses, when configured with an | ||
| // an IPv6 address, the normalized to be conformant with RFC-5942 §4 | ||
| // See: https://rfc-editor.org/rfc/rfc5952.html | ||
| func TestMergeKMSEnvConfigAddrConformance(t *testing.T) { |
There was a problem hiding this comment.
I really appreciate all of the tests added for this functionality. Thank you!
| // If the addr is a URL, IP Address, or host:port address that includes an IPv6 | ||
| // address, the normalized copy will be conformant with RFC-5942 §4 | ||
| // See: https://rfc-editor.org/rfc/rfc5952.html | ||
| func NormalizeAddr(u string) string { |
There was a problem hiding this comment.
I agree that the name makes more sense to be more specific about what kinds of addresses it's normalizing. What about
NormalizeAddressIfIPV6 or similar?
| // If the addr is a URL, IP Address, or host:port address that includes an IPv6 | ||
| // address, the normalized copy will be conformant with RFC-5942 §4 | ||
| // See: https://rfc-editor.org/rfc/rfc5952.html | ||
| func NormalizeAddr(u string) string { |
There was a problem hiding this comment.
I'd like if we chose different variable name than u here. Maybe addressToNormalize?
There was a problem hiding this comment.
I decided to go with address here as it was certainly better than u (a relic of the genesis of the func when it only took URLs) but less typey than addressToNormalize.
| @@ -934,33 +936,49 @@ func ParseStorage(result *Config, list *ast.ObjectList, name string) error { | |||
| } | |||
|
|
|||
| m := make(map[string]string) | |||
| for key, val := range config { | |||
| valStr, ok := val.(string) | |||
| for k, v := range config { | |||
There was a problem hiding this comment.
Wow, nice job removing the variable shadowing here. That was subtle.
| if err := os.Setenv(envName, envVal); err != nil { | ||
| t.Errorf("error setting environment vars for test: %s", err) | ||
| } | ||
| t.Setenv(envName, envVal) |
There was a problem hiding this comment.
So much better, thank you 🙌
| // If the addr is a URL, IP Address, or host:port address that includes an IPv6 | ||
| // address, the normalized copy will be conformant with RFC-5942 §4 | ||
| // See: https://rfc-editor.org/rfc/rfc5952.html | ||
| func NormalizeAddr(u string) string { |
There was a problem hiding this comment.
Maybe I'm missing something but it looks like this function is designed to take any type of address and if it happens to contain an IPv6 address, then that gets normalized to be RFC-5942 compliant, so from that perspective, I agree with how it's currently named. Otherwise, if we name everything it might be normalizing, the name becomes enormous and unwieldy. If we just call out IPv6 and nothing else, then that's slightly misleading, since it's handling other types of addresses too. I like it the way it is 👌
| require.Equal(t, tc.expected, NormalizeAddr(tc.addr)) | ||
| }) | ||
| } | ||
| } |
There was a problem hiding this comment.
I appreciate how comprehensive this is, thank you 🙌
USGv6[0] requires implementing §4.1.1 of the NISTv6-r1 profile[1] for IPv6-Only capabilities. This section requires that whenever Vault displays IPv6 addresses (including CLI output, Web UI, logs, etc.) that _all_ IPv6 addresses must conform to RFC-5952 §4 text representation recommendations[2]. These recommendations do not prevent us from accepting RFC-4241 IPv6 addresses, however, whenever these same addresses are displayed they must conform to the strict RFC-5952 §4 guidelines. This PR implements handling of IPv6 address conformance in our `vault server` routine. We handling conformance normalization in all server, http_proxy, listener, seal, storage and telemetry configuration where an input could contain an IPv6 address, whether configued via an HCL file or via corresponding environment variables. The approach I've taken is to handle conformance normalization at parse time to ensure that all output log output and subsequent usage inside of Vaults various subsystems always reference a conformant address, that way we don't need concern ourselves with conformance later. This approach ought to be backwards compatible to prior loose address configuration requirements, with the understanding that goinging forward all IPv6 representation will be strict regardless of what has been configured. In many cases I've updated our various parser functions to call the new `configutil.NormalizeAddr()` to apply conformance normalization. Others required no changes because they rely on standard library URL string output, which always displays IPv6 URLs in a conformant way. Not included in this changes is any other vault exec mode other than server. Client, operator commands, agent mode, proxy mode, etc. will be included in subsequent changes if necessary. [0]: https://www.nist.gov/publications/usgv6-profile [1]: https://www.nist.gov/publications/nist-ipv6-profile [2]: https://www.rfc-editor.org/rfc/rfc5952.html#section-4 [3]: https://www.rfc-editor.org/rfc/rfc4291 Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Always use the type when verifying storage and seals. We'll also update an older test that didn't use real storage types during migration to use real storage types. Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
Signed-off-by: Ryan Cragun <[email protected]>
ryancragun
force-pushed
the
ryan/vault-33009
branch
from
377db0c to
3a127c6
Compare
Signed-off-by: Ryan Cragun <[email protected]>
Description
USGv60 requires implementing §4.1.1 of the NISTv6-r1 profile1 for
IPv6-Only capabilities. This section requires that whenever Vault
displays IPv6 addresses (including CLI output, Web UI, logs, etc.) that
all IPv6 addresses must conform to RFC-5952 §4 text representation
recommendations2.
These recommendations do not prevent us from accepting RFC-42413 IPv6
addresses, however, whenever these same addresses are displayed they
must conform to the strict RFC-5952 §4 guidelines.
This PR implements handling of IPv6 address conformance in our
vault serverroutine. We handle conformance normalization for allserver, http_proxy, listener, seal, storage and telemetry
configuration where an input could contain an IPv6 address, whether
configured via an HCL file or via corresponding environment variables.
The approach I've taken is to handle conformance normalization at
parse time to ensure that all log output and subsequent usage
inside of Vaults various subsystems always reference a conformant
address, that way we don't need concern ourselves with conformance
later. This approach ought to be backwards compatible to prior loose
address configuration requirements, with the understanding that
going forward all IPv6 representation will be strict regardless of
what has been configured.
In many cases I've updated our various parser functions to call the
new
configutil.NormalizeAddr()to apply conformance normalization.Others required no changes because they rely on standard library URL
string output, which always displays IPv6 URLs in a conformant way.
Not included in this changes is any other vault exec mode other than
server. Client, operator commands, agent mode, proxy mode, etc. will
be included in subsequent changes if necessary.
Signed-off-by: Ryan Cragun [email protected]
TODO only if you're a HashiCorp employee
backport/label that matches the desired release branch. Note that in the CE repo, the latest release branch will look likebackport/x.x.x, but older release branches will bebackport/ent/x.x.x+ent.of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.