add OSS noop check for valid ent storage (#15894)

2022-06-08 17:15:28 -04:00 · 2022-06-08 17:15:28 -04:00 · 3ab00523a9
commit 3ab00523a9
parent 12bce35246
2 changed files with 34 additions and 5 deletions
--- a/command/server.go
+++ b/command/server.go
@ -42,6 +42,7 @@ import (
 	"github.com/hashicorp/vault/internalshared/listenerutil"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/logging"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/helper/useragent"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/sdk/physical"
@ -75,8 +76,9 @@ const (

 	// Even though there are more types than the ones below, the following consts
 	// are declared internally for value comparison and reusability.
-	storageTypeRaft   = "raft"
-	storageTypeConsul = "consul"
+	storageTypeRaft            = "raft"
+	storageTypeConsul          = "consul"
+	disableStorageTypeCheckEnv = "VAULT_DISABLE_SUPPORTED_STORAGE_CHECK"
 )

 type ServerCommand struct {
@ -1324,6 +1326,24 @@ func (c *ServerCommand) Run(args []string) int {
 	// Apply any enterprise configuration onto the coreConfig.
 	adjustCoreConfigForEnt(config, &coreConfig)

+	if !c.flagDev && os.Getenv(disableStorageTypeCheckEnv) == "" {
+		inMemStorageTypes := []string{
+			"inmem", "inmem_ha", "inmem_transactional", "inmem_transactional_ha",
+		}
+
+		if strutil.StrListContains(inMemStorageTypes, coreConfig.StorageType) {
+			c.UI.Warn("")
+			c.UI.Warn(wrapAtLength(fmt.Sprintf("WARNING: storage configured to use %q which should NOT be used in production", coreConfig.StorageType)))
+			c.UI.Warn("")
+		} else {
+			err = checkStorageTypeForEnt(&coreConfig)
+			if err != nil {
+				c.UI.Error(fmt.Sprintf("Invalid storage type: %s", err))
+				return 1
+			}
+		}
+	}
+
 	// Initialize the core
 	core, newCoreError := vault.NewCore(&coreConfig)
 	if newCoreError != nil {
@ -2061,7 +2081,8 @@ func (c *ServerCommand) addPlugin(path, token string, core *vault.Core) error {

 // detectRedirect is used to attempt redirect address detection
 func (c *ServerCommand) detectRedirect(detect physical.RedirectDetect,
-	config *server.Config) (string, error) {
+	config *server.Config,
+) (string, error) {
 	// Get the hostname
 	host, err := detect.DetectHostAddr()
 	if err != nil {
@ -2506,7 +2527,8 @@ func runUnseal(c *ServerCommand, core *vault.Core, ctx context.Context) {
 }

 func createCoreConfig(c *ServerCommand, config *server.Config, backend physical.Backend, configSR sr.ServiceRegistration, barrierSeal, unwrapSeal vault.Seal,
-	metricsHelper *metricsutil.MetricsHelper, metricSink *metricsutil.ClusterMetricSink, secureRandomReader io.Reader) vault.CoreConfig {
+	metricsHelper *metricsutil.MetricsHelper, metricSink *metricsutil.ClusterMetricSink, secureRandomReader io.Reader,
+) vault.CoreConfig {
 	coreConfig := &vault.CoreConfig{
 		RawConfig:                      config,
 		Physical:                       backend,
--- a/command/server_util.go
+++ b/command/server_util.go
@ -5,7 +5,10 @@ import (
 	"github.com/hashicorp/vault/vault"
 )

-var adjustCoreConfigForEnt = adjustCoreConfigForEntNoop
+var (
+	adjustCoreConfigForEnt = adjustCoreConfigForEntNoop
+	checkStorageTypeForEnt = checkStorageTypeForEntNoop
+)

 func adjustCoreConfigForEntNoop(config *server.Config, coreConfig *vault.CoreConfig) {
 }
@ -15,3 +18,7 @@ var getFIPSInfoKey = getFIPSInfoKeyNoop
 func getFIPSInfoKeyNoop() string {
 	return ""
 }
+
+func checkStorageTypeForEntNoop(coreConfig *vault.CoreConfig) error {
+	return nil
+}