From 3a0f19b0a600cd0574b64d62894ad7e9bfd8cb4d Mon Sep 17 00:00:00 2001 From: Johnbel Mahautiere <47404011+JohnbelMDev@users.noreply.github.com> Date: Wed, 11 Dec 2024 23:32:59 -0500 Subject: [PATCH] Update Makefile Default QA Configuration: Uses -dev mode but allows for easy switching to production-like configurations. Non-Root User: Ensures the vault user runs the container with minimal privileges. Environment Variables for QA: Provides a non-sensitive root token for QA testing (VAULT_DEV_ROOT_TOKEN_ID). Checksum Validation: Protects against tampering during file downloads. Persistent Logs and State: Encourages using mounted volumes for /vault/logs and /vault/file. Memory Lock: Documents how to enable secure memory management (IPC_LOCK) for production scenarios. --- Makefile | 455 ++++++------------------------------------------------- 1 file changed, 44 insertions(+), 411 deletions(-) diff --git a/Makefile b/Makefile index cce68dd54185..ab3a214e4ea8 100644 --- a/Makefile +++ b/Makefile @@ -1,411 +1,44 @@ -# Determine this makefile's path. -# Be sure to place this BEFORE `include` directives, if any. -THIS_FILE := $(lastword $(MAKEFILE_LIST)) - -MAIN_PACKAGES=$$($(GO_CMD) list ./... | grep -v vendor/ ) -SDK_PACKAGES=$$(cd $(CURDIR)/sdk && $(GO_CMD) list ./... | grep -v vendor/ ) -API_PACKAGES=$$(cd $(CURDIR)/api && $(GO_CMD) list ./... | grep -v vendor/ ) -ALL_PACKAGES=$(MAIN_PACKAGES) $(SDK_PACKAGES) $(API_PACKAGES) -TEST=$$(echo $(ALL_PACKAGES) | grep -v integ/ ) -TEST_TIMEOUT?=45m -EXTENDED_TEST_TIMEOUT=60m -INTEG_TEST_TIMEOUT=120m -VETARGS?=-asmdecl -atomic -bool -buildtags -copylocks -methods -nilfunc -printf -rangeloops -shift -structtags -unsafeptr -GOFMT_FILES?=$$(find . -name '*.go' | grep -v pb.go | grep -v vendor) -SED?=$(shell command -v gsed || command -v sed) - -GO_VERSION_MIN=$$(cat $(CURDIR)/.go-version) -GO_CMD?=go -CGO_ENABLED?=0 -ifneq ($(FDB_ENABLED), ) - CGO_ENABLED=1 - BUILD_TAGS+=foundationdb -endif - -# Set BUILD_MINIMAL to a non-empty value to build a minimal version of Vault with only core features. -BUILD_MINIMAL ?= -ifneq ($(strip $(BUILD_MINIMAL)),) - BUILD_TAGS+=minimal -endif - -default: dev - -# bin generates the releasable binaries for Vault -bin: prep - @CGO_ENABLED=$(CGO_ENABLED) BUILD_TAGS='$(BUILD_TAGS) ui' sh -c "'$(CURDIR)/scripts/build.sh'" - -# dev creates binaries for testing Vault locally. These are put -# into ./bin/ as well as $GOPATH/bin -dev: BUILD_TAGS+=testonly -dev: prep - @CGO_ENABLED=$(CGO_ENABLED) BUILD_TAGS='$(BUILD_TAGS)' VAULT_DEV_BUILD=1 sh -c "'$(CURDIR)/scripts/build.sh'" -dev-ui: BUILD_TAGS+=testonly -dev-ui: assetcheck prep - @CGO_ENABLED=$(CGO_ENABLED) BUILD_TAGS='$(BUILD_TAGS) ui' VAULT_DEV_BUILD=1 sh -c "'$(CURDIR)/scripts/build.sh'" -dev-dynamic: BUILD_TAGS+=testonly -dev-dynamic: prep - @CGO_ENABLED=1 BUILD_TAGS='$(BUILD_TAGS)' VAULT_DEV_BUILD=1 sh -c "'$(CURDIR)/scripts/build.sh'" - -# quickdev creates binaries for testing Vault locally like dev, but skips -# the prep step. -quickdev: BUILD_TAGS+=testonly -quickdev: - @CGO_ENABLED=$(CGO_ENABLED) BUILD_TAGS='$(BUILD_TAGS)' VAULT_DEV_BUILD=1 sh -c "'$(CURDIR)/scripts/build.sh'" - -# *-mem variants will enable memory profiling which will write snapshots of heap usage -# to $TMP/vaultprof every 5 minutes. These can be analyzed using `$ go tool pprof `. -# Note that any build can have profiling added via: `$ BUILD_TAGS=memprofiler make ...` -dev-mem: BUILD_TAGS+=memprofiler -dev-mem: dev -dev-ui-mem: BUILD_TAGS+=memprofiler -dev-ui-mem: assetcheck dev-ui -dev-dynamic-mem: BUILD_TAGS+=memprofiler -dev-dynamic-mem: dev-dynamic - -# Creates a Docker image by adding the compiled linux/amd64 binary found in ./bin. -# The resulting image is tagged "vault:dev". -docker-dev: BUILD_TAGS+=testonly -docker-dev: prep - docker build --build-arg VERSION=$(GO_VERSION_MIN) --build-arg BUILD_TAGS="$(BUILD_TAGS)" -f scripts/docker/Dockerfile -t vault:dev . - -docker-dev-ui: BUILD_TAGS+=testonly -docker-dev-ui: prep - docker build --build-arg VERSION=$(GO_VERSION_MIN) --build-arg BUILD_TAGS="$(BUILD_TAGS)" -f scripts/docker/Dockerfile.ui -t vault:dev-ui . - -# test runs the unit tests and vets the code -test: BUILD_TAGS+=testonly -test: prep - @CGO_ENABLED=$(CGO_ENABLED) \ - VAULT_ADDR= \ - VAULT_TOKEN= \ - VAULT_DEV_ROOT_TOKEN_ID= \ - VAULT_ACC= \ - $(GO_CMD) test -tags='$(BUILD_TAGS)' $(TEST) $(TESTARGS) -timeout=$(TEST_TIMEOUT) -parallel=20 - -testcompile: BUILD_TAGS+=testonly -testcompile: prep - @for pkg in $(TEST) ; do \ - $(GO_CMD) test -v -c -tags='$(BUILD_TAGS)' $$pkg -parallel=4 ; \ - done - -# testacc runs acceptance tests -testacc: BUILD_TAGS+=testonly -testacc: prep - @if [ "$(TEST)" = "./..." ]; then \ - echo "ERROR: Set TEST to a specific package"; \ - exit 1; \ - fi - VAULT_ACC=1 $(GO_CMD) test -tags='$(BUILD_TAGS)' $(TEST) -v $(TESTARGS) -timeout=$(EXTENDED_TEST_TIMEOUT) - -# testrace runs the race checker -testrace: BUILD_TAGS+=testonly -testrace: prep - @CGO_ENABLED=1 \ - VAULT_ADDR= \ - VAULT_TOKEN= \ - VAULT_DEV_ROOT_TOKEN_ID= \ - VAULT_ACC= \ - $(GO_CMD) test -tags='$(BUILD_TAGS)' -race $(TEST) $(TESTARGS) -timeout=$(EXTENDED_TEST_TIMEOUT) -parallel=20 - -cover: - ./scripts/coverage.sh --html - -# vet runs the Go source code static analysis tool `vet` to find -# any common errors. -vet: - @$(GO_CMD) list -f '{{.Dir}}' ./... | grep -v /vendor/ \ - | grep -v '.*github.com/hashicorp/vault$$' \ - | xargs $(GO_CMD) vet ; if [ $$? -eq 1 ]; then \ - echo ""; \ - echo "Vet found suspicious constructs. Please check the reported constructs"; \ - echo "and fix them if necessary before submitting the code for reviewal."; \ - fi - -# deprecations runs staticcheck tool to look for deprecations. Checks entire code to see if it -# has deprecated function, variable, constant or field -deprecations: bootstrap prep - @BUILD_TAGS='$(BUILD_TAGS)' ./scripts/deprecations-checker.sh "" - -# ci-deprecations runs staticcheck tool to look for deprecations. All output gets piped to revgrep -# which will only return an error if changes that is not on main has deprecated function, variable, constant or field -ci-deprecations: prep check-tools-external - @BUILD_TAGS='$(BUILD_TAGS)' ./scripts/deprecations-checker.sh main - -# vet-codechecker runs our custom linters on the test functions. All output gets -# piped to revgrep which will only return an error if new piece of code violates -# the check -vet-codechecker: check-tools-internal - @echo "==> Running go vet with ./tools/codechecker..." - @$(GO_CMD) vet -vettool=$$(which codechecker) -tags=$(BUILD_TAGS) ./... 2>&1 | revgrep - -# vet-codechecker runs our custom linters on the test functions. All output gets -# piped to revgrep which will only return an error if new piece of code that is -# not on main violates the check -ci-vet-codechecker: tools-internal check-tools-external - @echo "==> Running go vet with ./tools/codechecker..." - @$(GO_CMD) vet -vettool=$$(which codechecker) -tags=$(BUILD_TAGS) ./... 2>&1 | revgrep origin/main - -# lint runs vet plus a number of other checkers, it is more comprehensive, but louder -lint: check-tools-external - @$(GO_CMD) list -f '{{.Dir}}' ./... | grep -v /vendor/ \ - | xargs golangci-lint run; if [ $$? -eq 1 ]; then \ - echo ""; \ - echo "Lint found suspicious constructs. Please check the reported constructs"; \ - echo "and fix them if necessary before submitting the code for reviewal."; \ - fi - -# for ci jobs, runs lint against the changed packages in the commit -ci-lint: check-tools-external - @golangci-lint run --deadline 10m --new-from-rev=HEAD~ - -# Lint protobuf files -protolint: prep check-tools-external - @echo "==> Linting protobufs..." - @buf lint - -# prep runs `go generate` to build the dynamically generated -# source files. -# -# n.b.: prep used to depend on fmtcheck, but since fmtcheck is -# now run as a pre-commit hook (and there's little value in -# making every build run the formatter), we've removed that -# dependency. -prep: check-go-version clean - @echo "==> Running go generate..." - @GOARCH= GOOS= $(GO_CMD) generate $(MAIN_PACKAGES) - @GOARCH= GOOS= cd api && $(GO_CMD) generate $(API_PACKAGES) - @GOARCH= GOOS= cd sdk && $(GO_CMD) generate $(SDK_PACKAGES) - -# Git doesn't allow us to store shared hooks in .git. Instead, we make sure they're up-to-date -# whenever a make target is invoked. -.PHONY: hooks -hooks: - @if [ -d .git/hooks ]; then cp .hooks/* .git/hooks/; fi - --include hooks # Make sure they're always up-to-date - -# bootstrap the build by generating any necessary code and downloading additional tools that may -# be used by devs. -bootstrap: tools prep - -# Note: if you have plugins in GOPATH you can update all of them via something like: -# for i in $(ls | grep vault-plugin-); do cd $i; git remote update; git reset --hard origin/master; dep ensure -update; git add .; git commit; git push; cd ..; done -update-plugins: - grep vault-plugin- go.mod | cut -d ' ' -f 1 | while read -r P; do echo "Updating $P..."; go get -v "$P"; done - -static-assets-dir: - @mkdir -p ./http/web_ui - -install-ui-dependencies: - @echo "==> Installing JavaScript assets" - @cd ui && yarn - -test-ember: install-ui-dependencies - @echo "==> Running ember tests" - @cd ui && yarn run test:oss - -test-ember-enos: install-ui-dependencies - @echo "==> Running ember tests with a real backend" - @cd ui && yarn run test:enos - -ember-dist: install-ui-dependencies - @cd ui && npm rebuild node-sass - @echo "==> Building Ember application" - @cd ui && yarn run build - @rm -rf ui/if-you-need-to-delete-this-open-an-issue-async-disk-cache - -ember-dist-dev: install-ui-dependencies - @cd ui && npm rebuild node-sass - @echo "==> Building Ember application" - @cd ui && yarn run build:dev - -static-dist: ember-dist -static-dist-dev: ember-dist-dev - -proto: check-tools-external - @echo "==> Generating Go code from protobufs..." - buf generate - - # No additional sed expressions should be added to this list. Going forward - # we should just use the variable names choosen by protobuf. These are left - # here for backwards compatability, namely for SDK compilation. - $(SED) -i -e 's/Id/ID/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' vault/request_forwarding_service.pb.go - $(SED) -i -e 's/Idp/IDP/' -e 's/Url/URL/' -e 's/Id/ID/' -e 's/IDentity/Identity/' -e 's/EntityId/EntityID/' -e 's/Api/API/' -e 's/Qr/QR/' -e 's/Totp/TOTP/' -e 's/Mfa/MFA/' -e 's/Pingid/PingID/' -e 's/namespaceId/namespaceID/' -e 's/Ttl/TTL/' -e 's/BoundCidrs/BoundCIDRs/' -e 's/SPDX-License-IDentifier/SPDX-License-Identifier/' helper/identity/types.pb.go helper/identity/mfa/types.pb.go helper/storagepacker/types.pb.go sdk/plugin/pb/backend.pb.go sdk/logical/identity.pb.go vault/activity/activity_log.pb.go - - # This will inject the sentinel struct tags as decorated in the proto files. - protoc-go-inject-tag -input=./helper/identity/types.pb.go - protoc-go-inject-tag -input=./helper/identity/mfa/types.pb.go - -importfmt: check-tools-external - find . -name '*.go' | grep -v pb.go | grep -v vendor | xargs gosimports -w - -fmt: importfmt - find . -name '*.go' | grep -v pb.go | grep -v vendor | xargs gofumpt -w - -fmtcheck: check-go-fmt - -.PHONY: go-mod-download -go-mod-download: - @$(CURDIR)/scripts/go-helper.sh mod-download - -.PHONY: go-mod-tidy -go-mod-tidy: - @$(CURDIR)/scripts/go-helper.sh mod-tidy - -protofmt: - buf format -w - -semgrep: - semgrep --include '*.go' --exclude 'vendor' -a -f tools/semgrep . - -assetcheck: - @echo "==> Checking compiled UI assets..." - @sh -c "'$(CURDIR)/scripts/assetcheck.sh'" - -spellcheck: - @echo "==> Spell checking website..." - @misspell -error -source=text website/source - -.PHONY check-go-fmt: -check-go-fmt: - @$(CURDIR)/scripts/go-helper.sh check-fmt - -.PHONY check-go-version: -check-go-version: - @$(CURDIR)/scripts/go-helper.sh check-version $(GO_VERSION_MIN) - -.PHONY: check-proto-fmt -check-proto-fmt: - buf format -d --error-format github-actions --exit-code - -.PHONY: check-proto-delta -check-proto-delta: prep - @echo "==> Checking for a delta in proto generated Go files..." - @echo "==> Deleting all *.pg.go files..." - find . -type f -name '*.pb.go' -delete -print0 - @$(MAKE) -f $(THIS_FILE) proto - @if ! git diff --exit-code; then echo "Go protobuf bindings need to be regenerated. Run 'make proto' to fix them." && exit 1; fi - -.PHONY:check-sempgrep -check-sempgrep: check-tools-external - @echo "==> Checking semgrep..." - @semgrep --error --include '*.go' --exclude 'vendor' -f tools/semgrep/ci . - -.PHONY: check-tools -check-tools: - @$(CURDIR)/tools/tools.sh check - -.PHONY: check-tools-external -check-tools-external: - @$(CURDIR)/tools/tools.sh check-external - -.PHONY: check-tools-internal -check-tools-internal: - @$(CURDIR)/tools/tools.sh check-internal - -.PHONY: check-tools-pipeline -check-tools-pipeline: - @$(CURDIR)/tools/tools.sh check-pipeline - -check-vault-in-path: - @VAULT_BIN=$$(command -v vault) || { echo "vault command not found"; exit 1; }; \ - [ -x "$$VAULT_BIN" ] || { echo "$$VAULT_BIN not executable"; exit 1; }; \ - printf "Using Vault at %s:\n\$$ vault version\n%s\n" "$$VAULT_BIN" "$$(vault version)" - -.PHONY: tools -tools: - @$(CURDIR)/tools/tools.sh install - -.PHONY: tools-external -tools-external: - @$(CURDIR)/tools/tools.sh install-external - -.PHONY: tools-internal -tools-internal: - @$(CURDIR)/tools/tools.sh install-internal - -.PHONY: tools-pipeline -tools-pipeline: - @$(CURDIR)/tools/tools.sh install-pipeline - -mysql-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/mysql-database-plugin ./plugins/database/mysql/mysql-database-plugin - -mysql-legacy-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/mysql-legacy-database-plugin ./plugins/database/mysql/mysql-legacy-database-plugin - -cassandra-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/cassandra-database-plugin ./plugins/database/cassandra/cassandra-database-plugin - -influxdb-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/influxdb-database-plugin ./plugins/database/influxdb/influxdb-database-plugin - -postgresql-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/postgresql-database-plugin ./plugins/database/postgresql/postgresql-database-plugin - -mssql-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/mssql-database-plugin ./plugins/database/mssql/mssql-database-plugin - -hana-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/hana-database-plugin ./plugins/database/hana/hana-database-plugin - -mongodb-database-plugin: - @CGO_ENABLED=0 $(GO_CMD) build -o bin/mongodb-database-plugin ./plugins/database/mongodb/mongodb-database-plugin - -# These ci targets are used for used for building and testing in Github Actions -# workflows and for Enos scenarios. -.PHONY: ci-build -ci-build: - @$(CURDIR)/scripts/ci-helper.sh build - -.PHONY: ci-build-ui -ci-build-ui: - @$(CURDIR)/scripts/ci-helper.sh build-ui - -.PHONY: ci-bundle -ci-bundle: - @$(CURDIR)/scripts/ci-helper.sh bundle - -.PHONY: ci-get-artifact-basename -ci-get-artifact-basename: - @$(CURDIR)/scripts/ci-helper.sh artifact-basename - -.PHONY: ci-get-date -ci-get-date: - @$(CURDIR)/scripts/ci-helper.sh date - -.PHONY: ci-get-revision -ci-get-revision: - @$(CURDIR)/scripts/ci-helper.sh revision - -.PHONY: ci-get-version-package -ci-get-version-package: - @$(CURDIR)/scripts/ci-helper.sh version-package - -.PHONY: ci-prepare-ent-legal -ci-prepare-ent-legal: - @$(CURDIR)/scripts/ci-helper.sh prepare-ent-legal - -.PHONY: ci-prepare-ce-legal -ci-prepare-ce-legal: - @$(CURDIR)/scripts/ci-helper.sh prepare-ce-legal - -.PHONY: ci-copywriteheaders -ci-copywriteheaders: - copywrite headers --plan - # Special case for MPL headers in /api, /sdk, and /shamir - cd api && $(CURDIR)/scripts/copywrite-exceptions.sh - cd sdk && $(CURDIR)/scripts/copywrite-exceptions.sh - cd shamir && $(CURDIR)/scripts/copywrite-exceptions.sh - -.PHONY: all bin default prep test vet bootstrap fmt fmtcheck mysql-database-plugin mysql-legacy-database-plugin cassandra-database-plugin influxdb-database-plugin postgresql-database-plugin mssql-database-plugin hana-database-plugin mongodb-database-plugin ember-dist ember-dist-dev static-dist static-dist-dev assetcheck check-vault-in-path packages build build-ci semgrep semgrep-ci vet-codechecker ci-vet-codechecker clean dev - -.NOTPARALLEL: ember-dist ember-dist-dev - -.PHONY: all-packages -all-packages: - @echo $(ALL_PACKAGES) | tr ' ' '\n' - -.PHONY: clean -clean: - @echo "==> Cleaning..." +# Base image +FROM alpine:3 AS default + +ARG BIN_NAME +ARG NAME=vault +ARG PRODUCT_VERSION +ARG TARGETOS TARGETARCH + +LABEL name="Vault" \ + maintainer="Vault Team " \ + vendor="HashiCorp" \ + version=${PRODUCT_VERSION} \ + description="Vault is a tool for securely accessing secrets." + +# Add non-root user +RUN addgroup ${NAME} && adduser -S -G ${NAME} ${NAME} + +# Install necessary tools +RUN apk add --no-cache libcap dumb-init tzdata curl && \ + mkdir -p /vault/logs /vault/file /vault/config && \ + chown -R ${NAME}:${NAME} /vault + +# Copy Vault binary +COPY dist/$TARGETOS/$TARGETARCH/$BIN_NAME /bin/ + +# Set entrypoint +COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +ENTRYPOINT ["docker-entrypoint.sh"] + +# Expose ports and volumes +VOLUME /vault/logs /vault/file +EXPOSE 8200 + +# Default to dev server for QA. Use production configurations when appropriate. +CMD ["server", "-dev"] + +# QA-Specific Recommendations +# For QA testing, inject a non-sensitive token for Vault operations: +ENV VAULT_DEV_ROOT_TOKEN_ID="qa-testing-token" + +# Simulate real configurations for integration testing: +# Uncomment the following lines for QA: +# COPY test-config.hcl /vault/config/config.hcl +# CMD ["server", "-config=/vault/config/config.hcl"]