Merge branch 'release/1.9.x' into backport/vault3991CodeScanningAlert…

…s/trivially-glad-guppy
hashicorp · Jan 20, 2022 · 153b850 · 153b850
2 parents acb7d9c + ffa1f54
commit 153b850
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 23 deletions.
diff --git a/builtin/credential/ldap/backend_test.go b/builtin/credential/ldap/backend_test.go
@@ -597,6 +597,26 @@ func TestBackend_basic_authbind_userfilter(t *testing.T) {
 
 }
 
+func TestBackend_basic_authbind_metadata_name(t *testing.T) {
+
+	b := factory(t)
+	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
+	defer cleanup()
+
+	cfg.UserAttr = "cn"
+	cfg.UPNDomain = "planetexpress.com"
+
+	addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
+
+	logicaltest.Test(t, logicaltest.TestCase{
+		CredentialBackend: b,
+		Steps: []logicaltest.TestStep{
+			testAccStepConfigUrlWithAuthBind(t, cfg),
+			testAccStepLoginAliasMetadataName(t, "professor", "professor"),
+		},
+	})
+}
+
 func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry, testUserDN string, testUserUPN string) {
 	// Setup connection
 	client := &ldaputil.Client{
@@ -644,23 +664,6 @@ func addUPNAttributeToLDAPSchemaAndUser(t *testing.T, cfg *ldaputil.ConfigEntry,
 
 }
 
-func TestBackend_basic_authbind_upndomain(t *testing.T) {
-	b := factory(t)
-	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
-	defer cleanup()
-	cfg.UPNDomain = "planetexpress.com"
-
-	addUPNAttributeToLDAPSchemaAndUser(t, cfg, "cn=Hubert J. Farnsworth,ou=people,dc=planetexpress,dc=com", "professor@planetexpress.com")
-
-	logicaltest.Test(t, logicaltest.TestCase{
-		CredentialBackend: b,
-		Steps: []logicaltest.TestStep{
-			testAccStepConfigUrlWithAuthBind(t, cfg),
-			testAccStepLoginNoAttachedPolicies(t, "professor", "professor"),
-		},
-	})
-}
-
 func TestBackend_basic_discover(t *testing.T) {
 	b := factory(t)
 	cleanup, cfg := ldap.PrepareTestContainer(t, "latest")
@@ -990,6 +993,19 @@ func testAccStepLoginNoAttachedPolicies(t *testing.T, user string, pass string)
 	}
 }
 
+func testAccStepLoginAliasMetadataName(t *testing.T, user string, pass string) logicaltest.TestStep {
+	return logicaltest.TestStep{
+		Operation: logical.UpdateOperation,
+		Path:      "login/" + user,
+		Data: map[string]interface{}{
+			"password": pass,
+		},
+		Unauthenticated: true,
+
+		Check: logicaltest.TestCheckAuthEntityAliasMetadataName("name", user),
+	}
+}
+
 func testAccStepLoginFailure(t *testing.T, user string, pass string) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,

diff --git a/builtin/credential/ldap/path_login.go b/builtin/credential/ldap/path_login.go
@@ -97,6 +97,9 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 		DisplayName: username,
 		Alias: &logical.Alias{
 			Name: effectiveUsername,
+			Metadata: map[string]string{
+				"name": username,
+			},
 		},
 	}
 

diff --git a/changelog/13669.txt b/changelog/13669.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: Add username to alias metadata
+```
diff --git a/changelog/13678.txt b/changelog/13678.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core: add support for go-sockaddr templates in the top-level cluster_addr field
+```
diff --git a/command/server.go b/command/server.go
@@ -724,7 +724,6 @@ func (c *ServerCommand) runRecoveryMode() int {
 			c.logger.Info("goroutine trace", "stack", string(buf[:n]))
 		}
 	}
-
 }
 
 func logProxyEnvironmentVariables(logger hclog.Logger) {
@@ -2407,6 +2406,11 @@ CLUSTER_SYNTHESIS_COMPLETE:
 	}
 
 	if coreConfig.ClusterAddr != "" {
+		rendered, err := configutil.ParseSingleIPTemplate(coreConfig.ClusterAddr)
+		if err != nil {
+			return fmt.Errorf("Error parsing cluster address %s: %v", coreConfig.ClusterAddr, err)
+		}
+		coreConfig.ClusterAddr = rendered
 		// Force https as we'll always be TLS-secured
 		u, err := url.ParseRequestURI(coreConfig.ClusterAddr)
 		if err != nil {

diff --git a/helper/testhelpers/logical/testing.go b/helper/testhelpers/logical/testing.go
@@ -457,13 +457,37 @@ func TestCheckAuthEntityId(entity_id *string) TestCheckFunc {
 			return fmt.Errorf("no auth in response")
 		}
 
-        if *entity_id == "" {
-            // If we don't know what the entity_id should be, just save it
-            *entity_id = resp.Auth.EntityID
-        } else if resp.Auth.EntityID != *entity_id {
+		if *entity_id == "" {
+			// If we don't know what the entity_id should be, just save it
+			*entity_id = resp.Auth.EntityID
+		} else if resp.Auth.EntityID != *entity_id {
 			return fmt.Errorf("entity_id %s does not match the expected value of %s", resp.Auth.EntityID, *entity_id)
-        }
+		}
+
+		return nil
+	}
+}
 
+// TestCheckAuthEntityAliasMetadataName is a helper to check that a request generated an
+// auth token with the expected alias metadata.
+func TestCheckAuthEntityAliasMetadataName(key string, value string) TestCheckFunc {
+	return func(resp *logical.Response) error {
+		if resp == nil || resp.Auth == nil {
+			return fmt.Errorf("no auth in response")
+		}
+
+		if key == "" || value == "" {
+			return fmt.Errorf("alias metadata key and value required")
+		}
+
+		name, ok := resp.Auth.Alias.Metadata[key]
+		if !ok {
+			return fmt.Errorf("metadata key %s does not exist, it should", key)
+		}
+
+		if name != value {
+			return fmt.Errorf("expected map value %s, got %s", value, name)
+		}
 		return nil
 	}
 }

diff --git a/vault/core.go b/vault/core.go
@@ -1368,6 +1368,9 @@ func (c *Core) getUnsealKey(ctx context.Context, seal Seal) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
+	if config == nil {
+		return nil, fmt.Errorf("failed to obtain seal/recovery configuration")
+	}
 
 	// Check if we don't have enough keys to unlock, proceed through the rest of
 	// the call only if we have met the threshold