From 6a6444e607fe78912ba54c5152933df3553017ea Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Fri, 21 Apr 2023 05:48:22 -0400
Subject: [PATCH] backport of commit b0289d4472f41c468c276747979af95046a9ff11 (#20288)
Co-authored-by: miagilepner
---
changelog/20257.txt | 3 +++
command/server/config.go | 7 +++++--
command/server/config_test.go | 28 ++++++++++++++++++++++++++++
command/server_test.go | 11 +++++++++++
4 files changed, 47 insertions(+), 2 deletions(-)
create mode 100644 changelog/20257.txt
diff --git a/changelog/20257.txt b/changelog/20257.txt
new file mode 100644
index 000000000000..c2dba4579126
--- /dev/null
+++ b/changelog/20257.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows
+```
diff --git a/command/server/config.go b/command/server/config.go
index 7338923525b1..d3f4d0755eb5 100644
--- a/command/server/config.go
+++ b/command/server/config.go
@@ -193,7 +193,10 @@ func DevTLSConfig(storageType, certDir string) (*Config, error) {
 if err := os.WriteFile(fmt.Sprintf("%s/%s", certDir, VaultDevKeyFilename), []byte(key), 0o400); err != nil {
 return nil, err
 }
+ return parseDevTLSConfig(storageType, certDir)
+}
+func parseDevTLSConfig(storageType, certDir string) (*Config, error) {
 hclStr := `
 disable_mlock = true
@@ -216,8 +219,8 @@ storage "%s" {
 ui = true
 `
-
- hclStr = fmt.Sprintf(hclStr, certDir, certDir, storageType)
+ certDirEscaped := strings.Replace(certDir, "\\", "\\\\", -1)
+ hclStr = fmt.Sprintf(hclStr, certDirEscaped, certDirEscaped, storageType)
 parsed, err := ParseConfig(hclStr, "")
 if err != nil {
 return nil, err
diff --git a/command/server/config_test.go b/command/server/config_test.go
index 5b3aeb54b21c..ed40f2667640 100644
--- a/command/server/config_test.go
+++ b/command/server/config_test.go
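Review bot: The new unexported helper `parseDevTLSConfig` is introduced without a doc comment, and since the split moves the HCL rendering into a function that is now callable on its own, its contract should be stated where it is declared. I'd add above the `+func parseDevTLSConfig` line: `// parseDevTLSConfig renders the dev-mode TLS listener config for storageType and certDir as HCL and parses it. It writes no files; DevTLSConfig is expected to have created the dev cert and key in certDir first.` The body of parseDevTLSConfig continues past the end of this hunk.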
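Review bot: The escaping on the added `certDirEscaped` line handles only backslashes, so a certDir containing a double quote would still terminate the quoted HCL attribute, and `storageType` is interpolated into `storage "%s"` with no escaping at all. That is presumably harmless when the callers pass a server-generated temp directory and a fixed storage name, but parseDevTLSConfig now accepts any string, so escaping the quote as well keeps the rendered config well-formed: `certDirEscaped := strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(certDir)`. If the single-replacement form is kept, `strings.ReplaceAll(certDir, "\\", "\\\\")` is the idiomatic spelling of `strings.Replace(..., -1)`.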
@@ -5,6 +5,8 @@ import (
 "reflect"
 "strings"
 "testing"
+
+ "github.com/stretchr/testify/require"
 )
 func TestLoadConfigFile(t *testing.T) {
@@ -183,3 +185,29 @@ func TestMerge(t *testing.T) {
 })
 }
 }
+
+// Test_parseDevTLSConfig verifies that both Windows and Unix directories are correctly escaped when creating a dev TLS
+// configuration in HCL
+func Test_parseDevTLSConfig(t *testing.T) {
+ tests := []struct {
+ name string
+ certDirectory string
+ }{
+ {
+ name: "windows path",
+ certDirectory: `C:\Users\ADMINI~1\AppData\Local\Temp\2\vault-tls4169358130`,
+ },
+ {
+ name: "unix path",
+ certDirectory: "/tmp/vault-tls4169358130",
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ cfg, err := parseDevTLSConfig("file", tt.certDirectory)
+ require.NoError(t, err)
+ require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevCertFilename), cfg.Listeners[0].TLSCertFile)
+ require.Equal(t, fmt.Sprintf("%s/%s", tt.certDirectory, VaultDevKeyFilename), cfg.Listeners[0].TLSKeyFile)
+ })
+ }
+}
diff --git a/command/server_test.go b/command/server_test.go
index 4ffdd17a62fc..e114cc105a54 100644
--- a/command/server_test.go
+++ b/command/server_test.go
@@ -21,6 +21,7 @@ import (
 "github.com/hashicorp/vault/sdk/physical"
 physInmem "github.com/hashicorp/vault/sdk/physical/inmem"
 "github.com/mitchellh/cli"
+ "github.com/stretchr/testify/require"
 )
 func init() {
@@ -314,3 +315,13 @@ func TestServer(t *testing.T) {
 })
 }
 }
+
+// TestServer_DevTLS verifies that a vault server starts up correctly with the -dev-tls flag
+func TestServer_DevTLS(t *testing.T) {
+ ui, cmd := testServerCommand(t)
+ args := []string{"-dev-tls", "-dev-listen-address=127.0.0.1:0", "-test-server-config"}
+ retCode := cmd.Run(args)
+ output := ui.ErrorWriter.String() + ui.OutputWriter.String()
+ require.Equal(t, 0, retCode, output)
+ require.Contains(t, output, `tls: "enabled"`)
+}
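Review bot: The two `require.Equal` lines in Test_parseDevTLSConfig index `cfg.Listeners[0]` without checking the slice length first, so a regression that renders no listener would surface as an index-out-of-range panic inside t.Run rather than a readable assertion failure; add `require.Len(t, cfg.Listeners, 1)` directly after the `require.NoError(t, err)` line. The table covers only the backslash case; a directory containing a double quote is not handled by the escaping in config.go, so such a case belongs with that change rather than here. The test also uses `fmt`, which this commit's import hunk does not add, so it is presumably already imported above the visible lines.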
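Review bot: TestServer_DevTLS starts the server with `-dev-tls` but never says where the generated certificate and private key are written, so unless testServerCommand or the command itself removes that directory (not visible here), the key file written by DevTLSConfig is left on disk after the test. Giving it a test-scoped directory makes the cleanup explicit: `args := []string{"-dev-tls", "-dev-tls-cert-dir=" + t.TempDir(), "-dev-listen-address=127.0.0.1:0", "-test-server-config"}`. The `tls: "enabled"` substring is a fairly loose success signal; if the startup output also prints the resolved listener address, asserting on that too would tighten the test.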