Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VAULT-6803: fix listener issue if using proxy_protocol_behavior with deny_unauthorized for untrusted upstream connections #27589

Merged

Conversation

peteski22
Copy link

@peteski22 peteski22 commented Jun 25, 2024

Description

This PR corrects an issue introduced when supported was added for PROXY v2 on TCP listeners using proxy_protocol_behavior.

This issue was introduced in Vault v1.10.0 and has impacted all subsequent versions other than v1.16.x (due to a bug parsing this config setting).

Any listener configured to deny_unauthorized will still close a connection when the upstream proxy is untrusted, but it will now continue to listen for connections until a valid one is found. It does this by returning ErrInvalidUpstream to the proxy library.

NOTE: the issue is only present if this config setting proxy_protocol_behavior is enabled and set to deny_unauthorized.

HashiCorp checklist

  • Labels: If this PR is the CE portion of an ENT change, and that ENT change is
    getting backported to N-2, use the new style backport/ent/x.x.x+ent labels
    instead of the old style backport/x.x.x labels.
  • Labels: If this PR is a CE only change, it can only be backported to N, so use
    the normal backport/x.x.x label (there should be only 1).
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

@peteski22 peteski22 added bug Used to indicate a potential bug dependencies Pull requests that update a dependency file core/config hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed backport/ent/1.15.x+ent backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent labels Jun 25, 2024
@peteski22 peteski22 added this to the 1.17.2 milestone Jun 25, 2024
Copy link

github-actions bot commented Jun 25, 2024

CI Results:
All Go tests succeeded! ✅

@peteski22 peteski22 marked this pull request as ready for review June 25, 2024 09:25
Copy link

Build Results:
All builds succeeded! ✅

@peteski22 peteski22 requested review from a team, ncabatoff and hghaf099 June 25, 2024 09:50
Comment on lines +64 to +68
var server net.Conn
select {
case <-time.After(3 * time.Second):
case server = <-serverCh:
}
Copy link
Author

@peteski22 peteski22 Jun 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a timeout to the tests as the forked library now never stops listening until it can return a valid connection.

@@ -72,7 +71,7 @@ func WrapInProxyProto(listener net.Listener, config *ProxyProtoConfig) (net.List
return proxyproto.IGNORE, nil
}

return proxyproto.REJECT, errors.New(`upstream connection not trusted proxy_protocol_behavior is "deny_unauthorized"`)
return proxyproto.REJECT, proxyproto.ErrInvalidUpstream
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the change that keeps the listener waiting for a valid connection.

https://github.com/peteski22/go-proxyproto/blob/v1.0.0/protocol.go#L85-L88


// Support using the forked repository until https://github.com/pires/go-proxyproto/pull/110 merges
// and is released.
replace github.com/pires/go-proxyproto v1.0.0 => github.com/peteski22/go-proxyproto v1.0.0
Copy link
Author

@peteski22 peteski22 Jun 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Info on forked repo tag.

Keep listener listening if upstream connection address is not trusted (but close that connection).
Releases the changes requested on pires's go-proxyproto by pires/go-proxyproto#110.

Bumped to v1.0.0 which doesn't exist as a tag on the maintainer's repo but does on the forked repo. Suspect that if the maintainer accepts the PR and tags it, semver suggests the breaking change to Accept means v1.0.0 is likely.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change here can now be updated and the replace removed, as the PR was accepted, merged and tagged:

https://github.com/pires/go-proxyproto/releases/tag/v0.8.0

image

Copy link
Contributor

@VioletHynes VioletHynes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible to add a test that fails before this change but passes afterwards? I'm not particularly familiar with this area of the code so it would especially help increase my confidence both now and in the future if we could exercise this code path and bug fix in a test

@peteski22
Copy link
Author

Is it possible to add a test that fails before this change but passes afterwards? I'm not particularly familiar with this area of the code so it would especially help increase my confidence both now and in the future if we could exercise this code path and bug fix in a test

I had been testing this manually using https://github.com/muhtasimmaleque/Vault-docker-listener-bug and Linux Vault binaries I'd built before/after the change.

@VioletHynes
Copy link
Contributor

VioletHynes commented Jun 25, 2024

Sorry, I think I could have worded that better: is it possible to add an automated Go test for this bug? That would also increase confidence if/when we move from the fork that it still works, without needing to re-do the manual testing

@peteski22
Copy link
Author

Sorry, I think I could have worded that better: is it possible to add an automated Go test for this bug? That would also increase confidence if/when we move from the fork that it still works, without needing to re-do the manual testing

Sorry, I think I could have worded that better: is it possible to add an automated Go test for this bug? That would also increase confidence if/when we move from the fork that it still works, without needing to re-do the manual testing

👍🏼 added https://github.com/hashicorp/vault/pull/27589/files#diff-b14d5cc2a3b63b6d1e6990ec3933ac2339bfe5a825ac166048387614a4b6862cR440

This fails before the change, and passes afterwards. Between this and the manual testing steps in the Jira associated with the branch we should be able to prevent a regression and reproduce any issues.

@peteski22 peteski22 requested a review from VioletHynes June 25, 2024 16:17
Copy link
Contributor

@VioletHynes VioletHynes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Thanks for adding a nice test for this too, it'll help if/when we move from the fork.

Awesome job with this one -- complicated area of code!

@peteski22 peteski22 enabled auto-merge (squash) June 26, 2024 07:35
@peteski22 peteski22 merged commit 89276a5 into main Jun 26, 2024
83 checks passed
@peteski22 peteski22 deleted the peteski22/VAULT-6803/listener-proxy-behavior-bug-allow-deny branch June 26, 2024 07:52
@peteski22 peteski22 added backport/ent/1.15.x+ent backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent and removed backport/ent/1.15.x+ent backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent labels Jun 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent bug Used to indicate a potential bug core/config dependencies Pull requests that update a dependency file hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants