backport of commit 3b5ca69b62a3c59468754278f579610c0902fa05 (#20839)

Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
2023-05-30 12:41:07 -04:00 · 2023-05-30 12:41:07 -04:00 · c16d572ab8
parent 1fe6475c72
commit c16d572ab8
5 changed files with 3 additions and 101 deletions
--- a/changelog/20834.txt
+++ b/changelog/20834.txt
@ -0,0 +1,3 @@
+```release-note:change
+core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS.
+```
--- a/command/commands.go
+++ b/command/commands.go
@ -97,10 +97,6 @@ const (
 	// system being developed over multiple release cycles.
 	EnvVaultExperiments = "VAULT_EXPERIMENTS"

-	// DisableSSCTokens is an env var used to disable index bearing
-	// token functionality
-	DisableSSCTokens = "VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS"
-
 	// flagNameAddress is the flag used in the base command to read in the
 	// address of the Vault server.
 	flagNameAddress = "address"
--- a/command/server.go
+++ b/command/server.go
@ -1131,15 +1131,6 @@ func (c *ServerCommand) Run(args []string) int {
 	if envLicense := os.Getenv(EnvVaultLicense); envLicense != "" {
 		config.License = envLicense
 	}
-	if disableSSC := os.Getenv(DisableSSCTokens); disableSSC != "" {
-		var err error
-		config.DisableSSCTokens, err = strconv.ParseBool(disableSSC)
-		if err != nil {
-			c.UI.Warn(wrapAtLength("WARNING! failed to parse " +
-				"VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS env var: " +
-				"setting to default value false"))
-		}
-	}

 	if err := server.ExperimentsFromEnvAndCLI(config, EnvVaultExperiments, c.flagExperiments); err != nil {
 		c.UI.Error(err.Error())
--- a/http/sys_seal_test.go
+++ b/http/sys_seal_test.go
@ -67,80 +67,6 @@ func TestSysSealStatus(t *testing.T) {
 	}
 }

-func TestSysSealStatus_Warnings(t *testing.T) {
-	core := vault.TestCore(t)
-	vault.TestCoreInit(t, core)
-	ln, addr := TestServer(t, core)
-	defer ln.Close()
-
-	// Manually configure DisableSSCTokens to be true
-	core.GetCoreConfigInternal().DisableSSCTokens = true
-
-	resp, err := http.Get(addr + "/v1/sys/seal-status")
-	if err != nil {
-		t.Fatalf("err: %s", err)
-	}
-
-	var actual map[string]interface{}
-	expected := map[string]interface{}{
-		"sealed":        true,
-		"t":             json.Number("3"),
-		"n":             json.Number("3"),
-		"progress":      json.Number("0"),
-		"nonce":         "",
-		"type":          "shamir",
-		"recovery_seal": false,
-		"initialized":   true,
-		"migration":     false,
-		"build_date":    version.BuildDate,
-	}
-	testResponseStatus(t, resp, 200)
-	testResponseBody(t, resp, &actual)
-	if actual["version"] == nil {
-		t.Fatalf("expected version information")
-	}
-	expected["version"] = actual["version"]
-	if actual["cluster_name"] == nil {
-		delete(expected, "cluster_name")
-	} else {
-		expected["cluster_name"] = actual["cluster_name"]
-	}
-	if actual["cluster_id"] == nil {
-		delete(expected, "cluster_id")
-	} else {
-		expected["cluster_id"] = actual["cluster_id"]
-	}
-	actualWarnings := actual["warnings"]
-	if actualWarnings == nil {
-		t.Fatalf("expected warnings about SSCToken disabling")
-	}
-
-	actualWarningsArray, ok := actualWarnings.([]interface{})
-	if !ok {
-		t.Fatalf("expected warnings about SSCToken disabling were not in the right format")
-	}
-	if len(actualWarningsArray) != 1 {
-		t.Fatalf("too many warnings were given")
-	}
-	actualWarning, ok := actualWarningsArray[0].(string)
-	if !ok {
-		t.Fatalf("expected warning about SSCToken disabling was not in the right format")
-	}
-
-	expectedWarning := "Server Side Consistent Tokens are disabled, due to the " +
-		"VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS environment variable being set. " +
-		"It is not recommended to run Vault for an extended period of time with this configuration."
-	if actualWarning != expectedWarning {
-		t.Fatalf("actual warning was not as expected. Expected %s, but got %s", expectedWarning, actualWarning)
-	}
-
-	expected["warnings"] = actual["warnings"]
-
-	if diff := deep.Equal(actual, expected); diff != nil {
-		t.Fatal(diff)
-	}
-}
-
 func TestSysSealStatus_uninit(t *testing.T) {
 	core := vault.TestCore(t)
 	ln, addr := TestServer(t, core)
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@ -4708,19 +4708,6 @@ type SealStatusResponse struct {
 	Warnings          []string `json:"warnings,omitempty"`
 }

-// getStatusWarnings exposes potentially dangerous overrides in the status response
-// currently, this only warns about VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS,
-// but should be extended to report more warnings where appropriate
-func (core *Core) getStatusWarnings() []string {
-	var warnings []string
-	if core.GetCoreConfigInternal() != nil && core.GetCoreConfigInternal().DisableSSCTokens {
-		warnings = append(warnings, "Server Side Consistent Tokens are disabled, due to the "+
-			"VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS environment variable being set. "+
-			"It is not recommended to run Vault for an extended period of time with this configuration.")
-	}
-	return warnings
-}
-
 func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error) {
 	sealed := core.Sealed()

@ -4791,7 +4778,6 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error
 		ClusterID:    clusterID,
 		RecoverySeal: core.SealAccess().RecoveryKeySupported(),
 		StorageType:  core.StorageType(),
-		Warnings:     core.getStatusWarnings(),
 	}

 	if resourceIDonHCP != "" {