mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-06 14:47:01 +02:00
012cd5a42a
USGv6[0] requires implementing §4.1.1 of the NISTv6-r1 profile[1] for IPv6-Only capabilities. This section requires that whenever Vault displays IPv6 addresses (including CLI output, Web UI, logs, etc.) that _all_ IPv6 addresses must conform to RFC-5952 §4 text representation recommendations[2]. These recommendations do not prevent us from accepting RFC-4241[3] IPv6 addresses, however, whenever these same addresses are displayed they must conform to the strict RFC-5952 §4 guidelines. This PR implements handling of IPv6 address conformance in our `vault server` routine. We handle conformance normalization for all server, http_proxy, listener, seal, storage and telemetry configuration where an input could contain an IPv6 address, whether configured via an HCL file or via corresponding environment variables. The approach I've taken is to handle conformance normalization at parse time to ensure that all log output and subsequent usage inside of Vaults various subsystems always reference a conformant address, that way we don't need concern ourselves with conformance later. This approach ought to be backwards compatible to prior loose address configuration requirements, with the understanding that going forward all IPv6 representation will be strict regardless of what has been configured. In many cases I've updated our various parser functions to call the new `configutil.NormalizeAddr()` to apply conformance normalization. Others required no changes because they rely on standard library URL string output, which always displays IPv6 URLs in a conformant way. Not included in this changes is any other vault exec mode other than server. Client, operator commands, agent mode, proxy mode, etc. will be included in subsequent changes if necessary. [0]: https://www.nist.gov/publications/usgv6-profile [1]: https://www.nist.gov/publications/nist-ipv6-profile [2]: https://www.rfc-editor.org/rfc/rfc5952.html#section-4 [3]: https://www.rfc-editor.org/rfc/rfc4291 Signed-off-by: Ryan Cragun <me@ryan.ec> |
||
|---|---|---|
| .. | ||
| test-fixtures | ||
| config_custom_response_headers_test.go | ||
| config_oss_test.go | ||
| config_oss.go | ||
| config_telemetry_test.go | ||
| config_test_helpers_stubs_oss.go | ||
| config_test_helpers.go | ||
| config_test.go | ||
| config_util_test.go | ||
| config_util.go | ||
| config.go | ||
| hcp_link_config_test.go | ||
| listener_tcp_test.go | ||
| listener_tcp.go | ||
| listener_test.go | ||
| listener_unix_test.go | ||
| listener_unix.go | ||
| listener.go | ||
| server_seal_transit_acc_test.go | ||
| server_stubs_oss.go | ||
| tls_util_test.go | ||
| tls_util.go | ||