From c16d572ab83f74addce597de1bf60e39ab0f808e Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Tue, 30 May 2023 12:41:07 -0400 Subject: [PATCH] backport of commit 3b5ca69b62a3c59468754278f579610c0902fa05 (#20839) Co-authored-by: Nick Cabatoff --- changelog/20834.txt | 3 ++ command/commands.go | 4 --- command/server.go | 9 ----- http/sys_seal_test.go | 74 ----------------------------------------- vault/logical_system.go | 14 -------- 5 files changed, 3 insertions(+), 101 deletions(-) create mode 100644 changelog/20834.txt diff --git a/changelog/20834.txt b/changelog/20834.txt new file mode 100644 index 000000000..f17f1d326 --- /dev/null +++ b/changelog/20834.txt @@ -0,0 +1,3 @@ +```release-note:change +core: Remove feature toggle for SSCTs, i.e. the env var VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS. +``` \ No newline at end of file diff --git a/command/commands.go b/command/commands.go index ba264a293..68e2542b0 100644 --- a/command/commands.go +++ b/command/commands.go @@ -97,10 +97,6 @@ const ( // system being developed over multiple release cycles. EnvVaultExperiments = "VAULT_EXPERIMENTS" - // DisableSSCTokens is an env var used to disable index bearing - // token functionality - DisableSSCTokens = "VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS" - // flagNameAddress is the flag used in the base command to read in the // address of the Vault server. flagNameAddress = "address" diff --git a/command/server.go b/command/server.go index 5d2b144ce..73b6659e9 100644 --- a/command/server.go +++ b/command/server.go @@ -1131,15 +1131,6 @@ func (c *ServerCommand) Run(args []string) int { if envLicense := os.Getenv(EnvVaultLicense); envLicense != "" { config.License = envLicense } - if disableSSC := os.Getenv(DisableSSCTokens); disableSSC != "" { - var err error - config.DisableSSCTokens, err = strconv.ParseBool(disableSSC) - if err != nil { - c.UI.Warn(wrapAtLength("WARNING! failed to parse " + - "VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS env var: " + - "setting to default value false")) - } - } if err := server.ExperimentsFromEnvAndCLI(config, EnvVaultExperiments, c.flagExperiments); err != nil { c.UI.Error(err.Error()) diff --git a/http/sys_seal_test.go b/http/sys_seal_test.go index cb8fc8bb7..ef5922d52 100644 --- a/http/sys_seal_test.go +++ b/http/sys_seal_test.go @@ -67,80 +67,6 @@ func TestSysSealStatus(t *testing.T) { } } -func TestSysSealStatus_Warnings(t *testing.T) { - core := vault.TestCore(t) - vault.TestCoreInit(t, core) - ln, addr := TestServer(t, core) - defer ln.Close() - - // Manually configure DisableSSCTokens to be true - core.GetCoreConfigInternal().DisableSSCTokens = true - - resp, err := http.Get(addr + "/v1/sys/seal-status") - if err != nil { - t.Fatalf("err: %s", err) - } - - var actual map[string]interface{} - expected := map[string]interface{}{ - "sealed": true, - "t": json.Number("3"), - "n": json.Number("3"), - "progress": json.Number("0"), - "nonce": "", - "type": "shamir", - "recovery_seal": false, - "initialized": true, - "migration": false, - "build_date": version.BuildDate, - } - testResponseStatus(t, resp, 200) - testResponseBody(t, resp, &actual) - if actual["version"] == nil { - t.Fatalf("expected version information") - } - expected["version"] = actual["version"] - if actual["cluster_name"] == nil { - delete(expected, "cluster_name") - } else { - expected["cluster_name"] = actual["cluster_name"] - } - if actual["cluster_id"] == nil { - delete(expected, "cluster_id") - } else { - expected["cluster_id"] = actual["cluster_id"] - } - actualWarnings := actual["warnings"] - if actualWarnings == nil { - t.Fatalf("expected warnings about SSCToken disabling") - } - - actualWarningsArray, ok := actualWarnings.([]interface{}) - if !ok { - t.Fatalf("expected warnings about SSCToken disabling were not in the right format") - } - if len(actualWarningsArray) != 1 { - t.Fatalf("too many warnings were given") - } - actualWarning, ok := actualWarningsArray[0].(string) - if !ok { - t.Fatalf("expected warning about SSCToken disabling was not in the right format") - } - - expectedWarning := "Server Side Consistent Tokens are disabled, due to the " + - "VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS environment variable being set. " + - "It is not recommended to run Vault for an extended period of time with this configuration." - if actualWarning != expectedWarning { - t.Fatalf("actual warning was not as expected. Expected %s, but got %s", expectedWarning, actualWarning) - } - - expected["warnings"] = actual["warnings"] - - if diff := deep.Equal(actual, expected); diff != nil { - t.Fatal(diff) - } -} - func TestSysSealStatus_uninit(t *testing.T) { core := vault.TestCore(t) ln, addr := TestServer(t, core) diff --git a/vault/logical_system.go b/vault/logical_system.go index 4773f9de8..35707f680 100644 --- a/vault/logical_system.go +++ b/vault/logical_system.go @@ -4708,19 +4708,6 @@ type SealStatusResponse struct { Warnings []string `json:"warnings,omitempty"` } -// getStatusWarnings exposes potentially dangerous overrides in the status response -// currently, this only warns about VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS, -// but should be extended to report more warnings where appropriate -func (core *Core) getStatusWarnings() []string { - var warnings []string - if core.GetCoreConfigInternal() != nil && core.GetCoreConfigInternal().DisableSSCTokens { - warnings = append(warnings, "Server Side Consistent Tokens are disabled, due to the "+ - "VAULT_DISABLE_SERVER_SIDE_CONSISTENT_TOKENS environment variable being set. "+ - "It is not recommended to run Vault for an extended period of time with this configuration.") - } - return warnings -} - func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error) { sealed := core.Sealed() @@ -4791,7 +4778,6 @@ func (core *Core) GetSealStatus(ctx context.Context) (*SealStatusResponse, error ClusterID: clusterID, RecoverySeal: core.SealAccess().RecoveryKeySupported(), StorageType: core.StorageType(), - Warnings: core.getStatusWarnings(), } if resourceIDonHCP != "" {