fixing github comments

hashicorp · akshya96 · Nov 1, 2022 · Sep 15, 2022 · Sep 21, 2022 · Sep 22, 2022
commit 30769563bd1056478d62169ad772a154ba6bbef4
diff --git a/api/sys_mounts.go b/api/sys_mounts.go
@@ -289,17 +289,17 @@ type MountOutput struct {
 }
 
 type MountConfigOutput struct {
- DefaultLeaseTTL int `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
- MaxLeaseTTL int `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
- ForceNoCache bool `json:"force_no_cache" mapstructure:"force_no_cache"`
- AuditNonHMACRequestKeys []string `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
- AuditNonHMACResponseKeys []string `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
- ListingVisibility string `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
- PassthroughRequestHeaders []string `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
- AllowedResponseHeaders []string `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
- TokenType string `json:"token_type,omitempty" mapstructure:"token_type"`
- AllowedManagedKeys []string `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
- UserLockoutConfig UserLockoutConfigOutput `json:"user_lockout_config"`
+ DefaultLeaseTTL int  `json:"default_lease_ttl" mapstructure:"default_lease_ttl"`
+ MaxLeaseTTL int  `json:"max_lease_ttl" mapstructure:"max_lease_ttl"`
+ ForceNoCache bool  `json:"force_no_cache" mapstructure:"force_no_cache"`
+ AuditNonHMACRequestKeys []string  `json:"audit_non_hmac_request_keys,omitempty" mapstructure:"audit_non_hmac_request_keys"`
+ AuditNonHMACResponseKeys []string  `json:"audit_non_hmac_response_keys,omitempty" mapstructure:"audit_non_hmac_response_keys"`
+ ListingVisibility string  `json:"listing_visibility,omitempty" mapstructure:"listing_visibility"`
+ PassthroughRequestHeaders []string  `json:"passthrough_request_headers,omitempty" mapstructure:"passthrough_request_headers"`
+ AllowedResponseHeaders []string  `json:"allowed_response_headers,omitempty" mapstructure:"allowed_response_headers"`
+ TokenType string  `json:"token_type,omitempty" mapstructure:"token_type"`
+ AllowedManagedKeys []string  `json:"allowed_managed_keys,omitempty" mapstructure:"allowed_managed_keys"`
+ UserLockoutConfig *UserLockoutConfigOutput `json:"user_lockout_config,,omitempty"`
  // Deprecated: This field will always be blank for newer server responses.
  PluginName string `json:"plugin_name,omitempty" mapstructure:"plugin_name"`
 }
@@ -312,7 +312,7 @@ type UserLockoutConfigInput struct {
 }
 
 type UserLockoutConfigOutput struct {
- LockoutThreshold int  `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
+ LockoutThreshold uint `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
  LockoutDuration int `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
  LockoutCounterReset int `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
  DisableLockout bool `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`

diff --git a/command/auth_tune.go b/command/auth_tune.go
@@ -32,7 +32,7 @@ type AuthTuneCommand struct {
  flagTokenType string
  flagVersion int
  flagPluginVersion string
- flagUserLockoutThreshold int
+ flagUserLockoutThreshold uint
  flagUserLockoutDuration time.Duration
  flagUserLockoutCounterResetDuration time.Duration
  flagUserLockoutDisable bool
@@ -149,7 +149,7 @@ func (c *AuthTuneCommand) Flags() *FlagSets {
  Usage: "Select the version of the auth method to run. Not supported by all auth methods.",
  })
 
- f.IntVar(&IntVar{
+ f.UintVar(&UintVar{
  Name: flagNameUserLockoutThreshold,
  Target: &c.flagUserLockoutThreshold,
  Usage: "The threshold for user lockout for this auth method. If unspecified, this " +
@@ -277,7 +277,7 @@ func (c *AuthTuneCommand) Run(args []string) int {
  }
  if fl.Name == flagNameUserLockoutThreshold {
  if c.flagUserLockoutThreshold > 0 {
- mountConfigInput.UserLockoutConfig.LockoutThreshold = strconv.Itoa(c.flagUserLockoutThreshold)
+ mountConfigInput.UserLockoutConfig.LockoutThreshold = strconv.FormatUint(uint64(c.flagUserLockoutThreshold), 10)
  }
  }
  if fl.Name == flagNameUserLockoutDuration {

diff --git a/vault/logical_system.go b/vault/logical_system.go
@@ -1739,7 +1739,6 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
 
  userLockoutConfigMap := data.Get("user_lockout_config").(map[string]interface{})
  var err error
- // Augmenting userLockoutConfigMap for some config options to treat them as comma separated entries
  if userLockoutConfigMap != nil && len(userLockoutConfigMap) != 0 {
  err := mapstructure.Decode(userLockoutConfigMap, &apiuserLockoutConfig)
  if err != nil {
@@ -1749,9 +1748,8 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
  }
 
  // Supported auth methods for user lockout configuration: ldap, approle, userpass
- // "all" is used to apply the configuration to all supported auth methods
  switch strings.ToLower(mountEntry.Type) {
- case "all", "ldap", "approle", "userpass":
+ case "ldap", "approle", "userpass":
  default:
  return logical.ErrorResponse("tuning of user lockout configuration for auth type %q not allowed", mountEntry.Type),
  logical.ErrInvalidRequest
@@ -1763,26 +1761,21 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
  mountEntry.Config.UserLockoutConfig = &UserLockoutConfig{}
  }
 
- var oldUserLockoutThreshold int64
+ var oldUserLockoutThreshold uint64
  var newUserLockoutDuration, oldUserLockoutDuration time.Duration
  var newUserLockoutCounterReset, oldUserLockoutCounterReset time.Duration
  var oldUserLockoutDisable bool
 
- if _, ok := userLockoutConfigMap["lockout_threshold"]; ok {
- userLockoutThreshold, err := parseutil.ParseInt(apiuserLockoutConfig.LockoutThreshold)
+ if apiuserLockoutConfig.LockoutThreshold != "" {
+ userLockoutThreshold, err := strconv.ParseUint(apiuserLockoutConfig.LockoutThreshold, 10, 64)
  if err != nil {
  return nil, fmt.Errorf("unable to parse user lockout threshold: %w", err)
  }
  oldUserLockoutThreshold = mountEntry.Config.UserLockoutConfig.LockoutThreshold
- switch {
- case userLockoutThreshold < 0:
- mountEntry.Config.UserLockoutConfig.LockoutThreshold = oldUserLockoutThreshold
- default:
- mountEntry.Config.UserLockoutConfig.LockoutThreshold = userLockoutThreshold
- }
+ mountEntry.Config.UserLockoutConfig.LockoutThreshold = userLockoutThreshold
  }
 
- if _, ok := userLockoutConfigMap["lockout_duration"]; ok {
+ if apiuserLockoutConfig.LockoutDuration != "" {
  oldUserLockoutDuration = mountEntry.Config.UserLockoutConfig.LockoutDuration
  switch apiuserLockoutConfig.LockoutDuration {
  case "":
@@ -1800,7 +1793,7 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
  mountEntry.Config.UserLockoutConfig.LockoutDuration = newUserLockoutDuration
  }
 
- if _, ok := userLockoutConfigMap["lockout_counter_reset_duration"]; ok {
+ if apiuserLockoutConfig.LockoutCounterResetDuration != "" {
  oldUserLockoutCounterReset = mountEntry.Config.UserLockoutConfig.LockoutCounterReset
  switch apiuserLockoutConfig.LockoutCounterResetDuration {
  case "":
@@ -1818,10 +1811,10 @@ func (b *SystemBackend) handleTuneWriteCommon(ctx context.Context, path string,
  mountEntry.Config.UserLockoutConfig.LockoutCounterReset = newUserLockoutCounterReset
  }
 
- if rawVal, ok := userLockoutConfigMap["lockout_disable"]; ok {
- userLockoutDisable := rawVal.(bool)
+ if apiuserLockoutConfig.DisableLockout != nil {
  oldUserLockoutDisable = mountEntry.Config.UserLockoutConfig.DisableLockout
- mountEntry.Config.UserLockoutConfig.DisableLockout = userLockoutDisable
+ userLockoutDisable := apiuserLockoutConfig.DisableLockout
+ mountEntry.Config.UserLockoutConfig.DisableLockout = *userLockoutDisable
  }
 
  // Update the mount table

diff --git a/vault/mount.go b/vault/mount.go
@@ -360,7 +360,7 @@ type MountConfig struct {
 }
 
 type UserLockoutConfig struct {
- LockoutThreshold int64  `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
+ LockoutThreshold uint64 `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
  LockoutDuration time.Duration `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
  LockoutCounterReset time.Duration `json:"lockout_counter_reset,omitempty" structs:"lockout_counter_reset" mapstructure:"lockout_counter_reset"`
  DisableLockout bool `json:"disable_lockout,omitempty" structs:"disable_lockout" mapstructure:"disable_lockout"`
@@ -370,7 +370,7 @@ type APIUserLockoutConfig struct {
  LockoutThreshold string `json:"lockout_threshold,omitempty" structs:"lockout_threshold" mapstructure:"lockout_threshold"`
  LockoutDuration string `json:"lockout_duration,omitempty" structs:"lockout_duration" mapstructure:"lockout_duration"`
  LockoutCounterResetDuration string `json:"lockout_counter_reset_duration,omitempty" structs:"lockout_counter_reset_duration" mapstructure:"lockout_counter_reset_duration"`
- DisableLockout bool  `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
+ DisableLockout *bool `json:"lockout_disable,omitempty" structs:"lockout_disable" mapstructure:"lockout_disable"`
 }
 
 // APIMountConfig is an embedded struct of api.MountConfigInput

diff --git a/vault/request_handling.go b/vault/request_handling.go
@@ -17,7 +17,6 @@ import (
  "github.com/hashicorp/go-secure-stdlib/strutil"
  "github.com/hashicorp/go-sockaddr"
  "github.com/hashicorp/go-uuid"
- "github.com/hashicorp/vault/command/server"
  "github.com/hashicorp/vault/helper/identity"
  "github.com/hashicorp/vault/helper/identity/mfa"
  "github.com/hashicorp/vault/helper/metricsutil"
@@ -1993,34 +1992,3 @@ func (c *Core) checkSSCTokenInternal(ctx context.Context, token string, isPerfSt
  // status code.
  return "", logical.ErrMissingRequiredState
 }
-
-func (c *Core) GetUserLockoutFromConfig(logicalType string) UserLockoutConfig {
- conf := c.rawConfig.Load()
- if conf == nil {
- return UserLockoutConfig{}
- }
- userlockouts := conf.(*server.Config).UserLockouts
-
- if userlockouts == nil {
- return UserLockoutConfig{}
- }
-
- var commonUserLockoutConfig UserLockoutConfig
- var authUserLockoutConfig UserLockoutConfig
- for _, userLockoutConfig := range userlockouts {
- if userLockoutConfig.Type == logicalType {
- authUserLockoutConfig.LockoutThreshold = userLockoutConfig.LockoutThreshold
- authUserLockoutConfig.LockoutDuration = userLockoutConfig.LockoutDuration
- authUserLockoutConfig.LockoutCounterReset = userLockoutConfig.LockoutCounterReset
- authUserLockoutConfig.DisableLockout = userLockoutConfig.DisableLockout
- return authUserLockoutConfig
- }
- if userLockoutConfig.Type == "all" {
- commonUserLockoutConfig.LockoutThreshold = userLockoutConfig.LockoutThreshold
- commonUserLockoutConfig.LockoutDuration = userLockoutConfig.LockoutDuration
- commonUserLockoutConfig.LockoutCounterReset = userLockoutConfig.LockoutCounterReset
- commonUserLockoutConfig.DisableLockout = userLockoutConfig.DisableLockout
- }
- }
- return commonUserLockoutConfig
-}