Add Ability to Disable Replication Status Endpoints in Listener Configuration

.github/scripts/verify_changes.sh

@@ -29,8 +29,9 @@ else
 fi
 
 # git diff with ... shows the differences between base_commit and head_commit starting at the last common commit
-changed_dir=$(git diff $base_commit...$head_commit --name-only | awk -F"/" '{ print $1}' | uniq)
-change_count=$(git diff $base_commit...$head_commit --name-only | awk -F"/" '{ print $1}' | uniq | wc -l)
+# excluding the changelog directory
+changed_dir=$(git diff $base_commit...$head_commit --name-only | awk -F"/" '{ print $1}' | uniq | sed '/changelog/d')
+change_count=$(git diff $base_commit...$head_commit --name-only | awk -F"/" '{ print $1}' | uniq | sed '/changelog/d' | wc -l)
 
 # There are 4 main conditions to check:
 #

.github/workflows/security-scan.yml

@@ -41,7 +41,7 @@ jobs:
         repository: hashicorp/security-scanner
         token: ${{ secrets.HASHIBOT_PRODSEC_GITHUB_TOKEN }}
         path: security-scanner
-        ref: 52d94588851f38a416f11c1e727131b3c8b0dd4d
+        ref: 6c530f211c0a1b1da078a9c80341ebe2dca4200c
 
     - name: Install dependencies
       shell: bash

.github/workflows/test-go.yml

@@ -476,6 +476,7 @@ jobs:
           name: test-results
           path: test-results/go-test
       - run: |
+          rm -rf test-results/go-test/logs
           ls -lhR test-results/go-test
           find test-results/go-test -mindepth 1 -mtime +3 -delete
 

builtin/audit/file/backend.go

@@ -391,27 +391,39 @@ func (b *Backend) open() error {
 }
 
 func (b *Backend) Reload(_ context.Context) error {
-	switch b.path {
-	case stdout, discard:
+	// When there are nodes created in the map, use the eventlogger behavior.
+	if len(b.nodeMap) > 0 {
+		for _, n := range b.nodeMap {
+			if n.Type() == eventlogger.NodeTypeSink {
+				return n.Reopen()
+			}
+		}
+
 		return nil
-	}
+	} else {
+		// old non-eventlogger behavior
+		switch b.path {
+		case stdout, discard:
+			return nil
+		}
 
-	b.fileLock.Lock()
-	defer b.fileLock.Unlock()
+		b.fileLock.Lock()
+		defer b.fileLock.Unlock()
 
-	if b.f == nil {
-		return b.open()
-	}
+		if b.f == nil {
+			return b.open()
+		}
 
-	err := b.f.Close()
-	// Set to nil here so that even if we error out, on the next access open()
-	// will be tried
-	b.f = nil
-	if err != nil {
-		return err
-	}
+		err := b.f.Close()
+		// Set to nil here so that even if we error out, on the next access open()
+		// will be tried
+		b.f = nil
+		if err != nil {
+			return err
+		}
 
-	return b.open()
+		return b.open()
+	}
 }
 
 func (b *Backend) Invalidate(_ context.Context) {

builtin/logical/aws/path_static_roles.go

@@ -212,6 +212,20 @@ func (b *backend) pathStaticRolesWrite(ctx context.Context, req *logical.Request
 		if err != nil {
 			return nil, fmt.Errorf("failed to add item into the rotation queue for role %q: %w", config.Name, err)
 		}
+	} else {
+		// creds already exist, so all we need to do is update the rotation
+		// what here stays the same and what changes? Can we change the name?
+		i, err := b.credRotationQueue.PopByKey(config.Name)
+		if err != nil {
+			return nil, fmt.Errorf("expected an item with name %q, but got an error: %w", config.Name, err)
+		}
+		i.Value = config
+		// update the next rotation to occur at now + the new rotation period
+		i.Priority = time.Now().Add(config.RotationPeriod).Unix()
+		err = b.credRotationQueue.Push(i)
+		if err != nil {
+			return nil, fmt.Errorf("failed to add updated item into the rotation queue for role %q: %w", config.Name, err)
+		}
 	}
 
 	return &logical.Response{

builtin/logical/aws/path_static_roles_test.go

@@ -124,12 +124,21 @@ func TestStaticRolesWrite(t *testing.T) {
 	bgCTX := context.Background()
 
 	cases := []struct {
-		name          string
-		opts          []awsutil.MockIAMOption
+		name string
+		// objects to return from mock IAM.
+		// You'll need a GetUserOutput (to validate the existence of the user being written,
+		// the keys the user has already been assigned,
+		// and the new key vault requests.
+		opts []awsutil.MockIAMOption // objects to return from the mock IAM
+		// the name, username if updating, and rotation_period of the user. This is the inbound request the cod would get.
 		data          map[string]interface{}
 		expectedError bool
 		findUser      bool
-		isUpdate      bool
+		// if data is sent the name "johnny", then we'll match an existing user with rotation period 24 hours.
+		isUpdate    bool
+		newPriority int64 // update time of new item in queue, skip if isUpdate false. There is a wiggle room of 5 seconds
+		// so the deltas between the old and the new update time should be larger than that to ensure the difference
+		// can be detected.
 	}{
 		{
 			name: "happy path",
@@ -168,7 +177,7 @@ func TestStaticRolesWrite(t *testing.T) {
 			expectedError: true,
 		},
 		{
-			name: "update existing user",
+			name: "update existing user, decreased rotation duration",
 			opts: []awsutil.MockIAMOption{
 				awsutil.WithGetUserOutput(&iam.GetUserOutput{User: &iam.User{UserName: aws.String("john-doe"), UserId: aws.String("unique-id")}}),
 				awsutil.WithListAccessKeysOutput(&iam.ListAccessKeysOutput{
@@ -187,8 +196,33 @@ func TestStaticRolesWrite(t *testing.T) {
 				"name":            "johnny",
 				"rotation_period": "19m",
 			},
-			findUser: true,
-			isUpdate: true,
+			findUser:    true,
+			isUpdate:    true,
+			newPriority: time.Now().Add(19 * time.Minute).Unix(),
+		},
+		{
+			name: "update existing user, increased rotation duration",
+			opts: []awsutil.MockIAMOption{
+				awsutil.WithGetUserOutput(&iam.GetUserOutput{User: &iam.User{UserName: aws.String("john-doe"), UserId: aws.String("unique-id")}}),
+				awsutil.WithListAccessKeysOutput(&iam.ListAccessKeysOutput{
+					AccessKeyMetadata: []*iam.AccessKeyMetadata{},
+					IsTruncated:       aws.Bool(false),
+				}),
+				awsutil.WithCreateAccessKeyOutput(&iam.CreateAccessKeyOutput{
+					AccessKey: &iam.AccessKey{
+						AccessKeyId:     aws.String("abcdefghijklmnopqrstuvwxyz"),
+						SecretAccessKey: aws.String("zyxwvutsrqponmlkjihgfedcba"),
+						UserName:        aws.String("john-doe"),
+					},
+				}),
+			},
+			data: map[string]interface{}{
+				"name":            "johnny",
+				"rotation_period": "40h",
+			},
+			findUser:    true,
+			isUpdate:    true,
+			newPriority: time.Now().Add(40 * time.Hour).Unix(),
 		},
 	}
 
@@ -269,6 +303,11 @@ func TestStaticRolesWrite(t *testing.T) {
 				expectedData = staticRole
 			}
 
+			var actualItem *queue.Item
+			if c.isUpdate {
+				actualItem, _ = b.credRotationQueue.PopByKey(expectedData.Name)
+			}
+
 			if u, ok := fieldData.GetOk("username"); ok {
 				expectedData.Username = u.(string)
 			}
@@ -289,6 +328,20 @@ func TestStaticRolesWrite(t *testing.T) {
 			if en, an := expectedData.Name, actualData.Name; en != an {
 				t.Fatalf("mismatched role name, expected %q, but got %q", en, an)
 			}
+
+			// one-off to avoid importing/casting
+			abs := func(x int64) int64 {
+				if x < 0 {
+					return -x
+				}
+				return x
+			}
+
+			if c.isUpdate {
+				if ep, ap := c.newPriority, actualItem.Priority; abs(ep-ap) > 5 { // 5 second wiggle room for how long the test takes
+					t.Fatalf("mismatched updated priority, expected %d but got %d", ep, ap)
+				}
+			}
 		})
 	}
 }

changelog/23528.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/aws: update credential rotation deadline when static role rotation period is updated
+```

changelog/23547.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+config/listener: allow per-listener configuration setting to disable replication status endpoints.
+```

changelog/23565.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+ui: Fix regression that broke the oktaNumberChallenge on the ui.
+```

changelog/23598.txt

@@ -0,0 +1,3 @@
+```release-note:bug
+audit: Fix bug reopening 'file' audit devices on SIGHUP.
+```

command/server.go

@@ -886,9 +886,9 @@ func (c *ServerCommand) InitListeners(config *server.Config, disableClustering b
 		}
 
 		if reloadFunc != nil {
-			relSlice := (*c.reloadFuncs)["listener|"+lnConfig.Type]
+			relSlice := (*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)]
 			relSlice = append(relSlice, reloadFunc)
-			(*c.reloadFuncs)["listener|"+lnConfig.Type] = relSlice
+			(*c.reloadFuncs)[fmt.Sprintf("listener|%s", lnConfig.Type)] = relSlice
 		}
 
 		if !disableClustering && lnConfig.Type == "tcp" {

command/server/config_test_helpers.go

@@ -793,7 +793,7 @@ func testConfig_Sanitized(t *testing.T) {
 					"address":          "127.0.0.1:443",
 					"chroot_namespace": "admin/",
 				},
-				"type": "tcp",
+				"type": configutil.TCP,
 			},
 		},
 		"log_format":       "",
@@ -890,6 +890,15 @@ listener "tcp" {
   redact_addresses = true
   redact_cluster_name = true
   redact_version = true
+}
+listener "unix" {
+  address = "/var/run/vault.sock"
+  socket_mode = "644"
+  socket_user = "1000"
+  socket_group = "1000"
+  redact_addresses = true
+  redact_cluster_name = true
+  redact_version = true
 }`))
 
 	config := Config{
@@ -903,16 +912,14 @@ listener "tcp" {
 	config.Listeners = listeners
 	// Track which types of listener were found.
 	for _, l := range config.Listeners {
-		config.found(l.Type, l.Type)
+		config.found(l.Type.String(), l.Type.String())
 	}
 
-	if len(config.Listeners) == 0 {
-		t.Fatalf("expected at least one listener in the config")
-	}
-	listener := config.Listeners[0]
-	if listener.Type != "tcp" {
-		t.Fatalf("expected tcp listener in the config")
-	}
+	require.Len(t, config.Listeners, 2)
+	tcpListener := config.Listeners[0]
+	require.Equal(t, configutil.TCP, tcpListener.Type)
+	unixListner := config.Listeners[1]
+	require.Equal(t, configutil.Unix, unixListner.Type)
 
 	expected := &Config{
 		SharedConfig: &configutil.SharedConfig{
@@ -946,6 +953,16 @@ listener "tcp" {
 					RedactClusterName:     true,
 					RedactVersion:         true,
 				},
+				{
+					Type:              "unix",
+					Address:           "/var/run/vault.sock",
+					SocketMode:        "644",
+					SocketUser:        "1000",
+					SocketGroup:       "1000",
+					RedactAddresses:   false,
+					RedactClusterName: false,
+					RedactVersion:     false,
+				},
 			},
 		},
 	}

command/server/listener.go

@@ -22,7 +22,7 @@ import (
 type ListenerFactory func(*configutil.Listener, io.Writer, cli.Ui) (net.Listener, map[string]string, reloadutil.ReloadFunc, error)
 
 // BuiltinListeners is the list of built-in listener types.
-var BuiltinListeners = map[string]ListenerFactory{
+var BuiltinListeners = map[configutil.ListenerType]ListenerFactory{
 	"tcp":  tcpListenerFactory,
 	"unix": unixListenerFactory,
 }

http/handler.go

@@ -237,20 +237,27 @@ func handler(props *vault.HandlerProperties) http.Handler {
 		additionalRoutes(mux, core)
 	}
 
-	// Wrap the handler in another handler to trigger all help paths.
-	helpWrappedHandler := wrapHelpHandler(mux, core)
-	corsWrappedHandler := wrapCORSHandler(helpWrappedHandler, core)
-	quotaWrappedHandler := rateLimitQuotaWrapping(corsWrappedHandler, core)
-	genericWrappedHandler := genericWrapping(core, quotaWrappedHandler, props)
-
-	// Wrap the handler with PrintablePathCheckHandler to check for non-printable
-	// characters in the request path.
-	printablePathCheckHandler := genericWrappedHandler
+	// Build up a chain of wrapping handlers.
+	wrappedHandler := wrapHelpHandler(mux, core)
+	wrappedHandler = wrapCORSHandler(wrappedHandler, core)
+	wrappedHandler = rateLimitQuotaWrapping(wrappedHandler, core)
+	wrappedHandler = genericWrapping(core, wrappedHandler, props)
+
+	// Add an extra wrapping handler if the DisablePrintableCheck listener
+	// setting isn't true that checks for non-printable characters in the
+	// request path.
 	if !props.DisablePrintableCheck {
-		printablePathCheckHandler = cleanhttp.PrintablePathCheckHandler(genericWrappedHandler, nil)
+		wrappedHandler = cleanhttp.PrintablePathCheckHandler(wrappedHandler, nil)
 	}
 
-	return printablePathCheckHandler
+	// Add an extra wrapping handler if the DisableReplicationStatusEndpoints
+	// setting is true that will create a new request with a context that has
+	// a value indicating that the replication status endpoints are disabled.
+	if props.ListenerConfig != nil && props.ListenerConfig.DisableReplicationStatusEndpoints {
+		wrappedHandler = disableReplicationStatusEndpointWrapping(wrappedHandler)
+	}
+
+	return wrappedHandler
 }
 
 type copyResponseWriter struct {

http/util.go

@@ -133,6 +133,14 @@ func rateLimitQuotaWrapping(handler http.Handler, core *vault.Core) http.Handler
 	})
 }
 
+func disableReplicationStatusEndpointWrapping(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		request := r.WithContext(context.WithValue(r.Context(), "disable_replication_status_endpoints", true))
+
+		h.ServeHTTP(w, request)
+	})
+}
+
 func parseRemoteIPAddress(r *http.Request) string {
 	ip, _, err := net.SplitHostPort(r.RemoteAddr)
 	if err != nil {

internalshared/configutil/config.go

@@ -141,7 +141,7 @@ func ParseConfig(d string) (*SharedConfig, error) {
 
 		// Track which types of listener were found.
 		for _, l := range result.Listeners {
-			result.found(l.Type, l.Type)
+			result.found(l.Type.String(), l.Type.String())
 		}
 	}