backport of commit c045538

hashicorp · May 29, 2024 · f365da8 · f365da8
1 parent c986d20
commit f365da8
Show file tree

Hide file tree

Showing 57 changed files with 400 additions and 827 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -293,7 +293,7 @@ jobs:
     needs:
       - product-metadata
       - set-product-version
-    runs-on: ${{ fromJSON(vars.BUILDER_LINUX) }}
+    runs-on: ${{ fromJSON(vars.BUILDER_MACOS) }}
     strategy:
       matrix:
         goos: [ darwin ]

diff --git a/.release/docker/README_docker_io.md b/.release/docker/README_docker_io.md
@@ -38,9 +38,9 @@ The postgres URL setting is defined with `env://BOUNDARY_POSTGRES_URL` so it can
 
 ```bash
 docker run \
-    --network host \
-    -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable' \
-    hashicorp/boundary
+    --network host
+    -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable'
+    boundary
 ```
 
 ### Database Init
@@ -53,7 +53,7 @@ initialize the database using the default `config.hcl`:
 docker run \
   --network host \
   -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable' \
-  hashicorp/boundary database init -config /boundary/config.hcl
+  boundary database init -config /boundary/config.hcl
 ```
 
 If you want to run this with your own `config.hcl` (assuming `config.hcl` is located at `$(pwd)/config.hcl`):
@@ -63,7 +63,7 @@ docker run \
   --network host \
   -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable' \
   -v "$(pwd)":/boundary/ \
-  hashicorp/boundary database init -config /boundary/config.hcl
+  boundary database init -config /boundary/config.hcl
 ```
 
 ### Database Migration
@@ -76,7 +76,7 @@ you will need to apply the database migrations:
 docker run \
   --network host \
   -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable' \
-  hashicorp/boundary database migrate -config /boundary/config.hcl
+  boundary database migrate -config /boundary/config.hcl
 ```
 
 If you want to run this with your own `config.hcl` (assuming `config.hcl` is located at `$(pwd)/config.hcl`):
@@ -86,7 +86,7 @@ docker run \
   --network host \
   -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable' \
   -v "$(pwd)":/boundary/ \
-  hashicorp/boundary database migrate -config /boundary/config.hcl
+  boundary database migrate -config /boundary/config.hcl
 ```
 
 ### Server
@@ -100,7 +100,7 @@ docker run \
   -p 9201:9201 \
   -p 9202:9202 \
   -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable' \
-  hashicorp/boundary
+  boundary
 ```
 
 Start a Boundary server using your own `config.hcl`, assuming it's located at `$(pwd)/config.hcl`:
@@ -113,5 +113,5 @@ docker run \
   -p 9202:9202 \
   -v "$(pwd)":/boundary/ \
   -e 'BOUNDARY_POSTGRES_URL=postgresql://postgres:[email protected]:5432/postgres?sslmode=disable' \
-  hashicorp/boundary
+  boundary
 ```
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -33,11 +33,6 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
   the cluster's listener configuration.
   ([PR](https://github.com/hashicorp/boundary/pull/4803) and
   [PR](https://github.com/hashicorp/boundary/pull/4805))
-* LDAP account attribute maps. Account attribute maps have been supported since
-  the introduction of LDAP authentication, however a bug was present where we
-  wouldn't take those into account upon authenticating (when receiving the
-  information from the LDAP server). This is now resolved
-  ([PR]((https://github.com/hashicorp/boundary/pull/4788))).
 
 ## 0.16.0 (2024/04/30)
 

diff --git a/api/apierror.go b/api/apierror.go
@@ -15,9 +15,6 @@ var (
 	ErrInvalidArgument  = &Error{Kind: codes.InvalidArgument.String(), response: &Response{resp: &http.Response{StatusCode: http.StatusBadRequest}}}
 	ErrPermissionDenied = &Error{Kind: codes.PermissionDenied.String(), response: &Response{resp: &http.Response{StatusCode: http.StatusForbidden}}}
 	ErrUnauthorized     = &Error{Kind: codes.Unauthenticated.String(), response: &Response{resp: &http.Response{StatusCode: http.StatusUnauthorized}}}
-	// internal/daemon/controller/handlers/errors.go detects status.Code(inErr) == codes.Unimplemented
-	// and sets http status http.StatusMethodNotAllowed
-	ErrUnimplemented    = &Error{Kind: codes.Unimplemented.String(), response: &Response{resp: &http.Response{StatusCode: http.StatusMethodNotAllowed}}}
 	ErrInvalidListToken = &Error{Kind: "invalid list token", response: &Response{resp: &http.Response{StatusCode: http.StatusBadRequest}}}
 )
 

diff --git a/api/proxy/option.go b/api/proxy/option.go
@@ -7,6 +7,7 @@ import (
 	"errors"
 	"net"
 	"net/netip"
+	"time"
 
 	"github.com/hashicorp/boundary/api/targets"
 )
@@ -35,6 +36,7 @@ type Options struct {
 	WithWorkerHost               string
 	WithSessionAuthorizationData *targets.SessionAuthorizationData
 	WithSkipSessionTeardown      bool
+	withSessionTeardownTimeout   time.Duration
 }
 
 // Option is a function that takes in an options struct and sets values or
@@ -118,3 +120,12 @@ func WithSkipSessionTeardown(with bool) Option {
 		return nil
 	}
 }
+
+// WithSessionTeardownTimeout provides an optional duration which overwrites
+// the default session teardown timeout.
+func WithSessionTeardownTimeout(with time.Duration) Option {
+	return func(o *Options) error {
+		o.withSessionTeardownTimeout = with
+		return nil
+	}
+}
diff --git a/api/proxy/option_test.go b/api/proxy/option_test.go
@@ -7,6 +7,7 @@ import (
 	"net"
 	"net/netip"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/boundary/api/targets"
 	"github.com/stretchr/testify/assert"
@@ -86,4 +87,13 @@ func Test_GetOpts(t *testing.T) {
 		require.NoError(t, err)
 		assert.True(opts.WithSkipSessionTeardown)
 	})
+	t.Run("withSessionTeardownTimeout", func(t *testing.T) {
+		assert := assert.New(t)
+		opts, err := getOpts()
+		require.NoError(t, err)
+		assert.Empty(opts.withSessionTeardownTimeout)
+		opts, err = getOpts(WithSessionTeardownTimeout(3 * time.Millisecond))
+		require.NoError(t, err)
+		assert.Equal(3*time.Millisecond, opts.withSessionTeardownTimeout)
+	})
 }
diff --git a/api/proxy/proxy.go b/api/proxy/proxy.go
@@ -168,13 +168,21 @@ func New(ctx context.Context, authzToken string, opt ...Option) (*ClientProxy, e
 //
 // EXPERIMENTAL: While this API is not expected to change, it is new and
 // feedback from users may necessitate changes.
-func (p *ClientProxy) Start() (retErr error) {
+func (p *ClientProxy) Start(opt ...Option) (retErr error) {
+	opts, err := getOpts(opt...)
+	if err != nil {
+		return fmt.Errorf("could not parse options: %w", err)
+	}
 	if !p.started.CompareAndSwap(false, true) {
 		return errors.New("proxy was already started")
 	}
 
 	defer p.cancel()
 
+	if opts.withSessionTeardownTimeout == 0 {
+		opts.withSessionTeardownTimeout = sessionCancelTimeout
+	}
+
 	if p.listener.Load() == nil {
 		var err error
 		ln, err := net.ListenTCP("tcp", &net.TCPAddr{
@@ -317,7 +325,7 @@ func (p *ClientProxy) Start() (retErr error) {
 		return nil
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), sessionCancelTimeout)
+	ctx, cancel := context.WithTimeout(context.Background(), opts.withSessionTeardownTimeout)
 	defer cancel()
 	if err := p.sendSessionTeardown(ctx); err != nil {
 		return fmt.Errorf("error sending session teardown request to worker: %w", err)

diff --git a/go.mod b/go.mod
@@ -16,8 +16,8 @@ require (
 	github.com/google/go-cmp v0.6.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1
-	github.com/hashicorp/boundary/api v0.0.49
-	github.com/hashicorp/boundary/sdk v0.0.46
+	github.com/hashicorp/boundary/api v0.0.45
+	github.com/hashicorp/boundary/sdk v0.0.42
 	github.com/hashicorp/cap v0.5.1-0.20240315182732-faa330bfb8df
 	github.com/hashicorp/dawdle v0.5.0
 	github.com/hashicorp/eventlogger v0.2.9

diff --git a/internal/auth/ldap/repository_authenticate.go b/internal/auth/ldap/repository_authenticate.go
@@ -108,35 +108,11 @@ func (r *Repository) Authenticate(ctx context.Context, authMethodId, loginName,
 	acct.Dn = authResult.UserDN
 
 	if authResult.UserAttributes != nil {
-		emailAttr := DefaultEmailAttribute
-		fullNameAttr := DefaultFullNameAttribute
-
-		attrMaps, err := am.convertAccountAttributeMaps(ctx)
-		if err != nil {
-			return nil, errors.Wrap(ctx, err, op, errors.WithMsg("failed to convert account attribute maps"))
-		}
-
-		for _, attrMap := range attrMaps {
-			aam, ok := attrMap.(*AccountAttributeMap)
-			if !ok {
-				return nil, errors.New(ctx, errors.Internal, op, "failed to convert attribute map into AccountAttributeMap type")
-			}
-
-			switch aam.ToAttribute {
-			case DefaultEmailAttribute:
-				emailAttr = aam.FromAttribute
-			case DefaultFullNameAttribute:
-				fullNameAttr = aam.FromAttribute
-			default:
-				return nil, errors.New(ctx, errors.InvalidParameter, op, fmt.Sprintf("invalid to attribute %q", aam.ToAttribute))
-			}
-		}
-
-		found, email := caseInsensitiveAttributeSearch(emailAttr, authResult.UserAttributes)
+		found, email := caseInsensitiveAttributeSearch(DefaultEmailAttribute, authResult.UserAttributes)
 		if found {
 			acct.Email = email[0]
 		}
-		found, fullName := caseInsensitiveAttributeSearch(fullNameAttr, authResult.UserAttributes)
+		found, fullName := caseInsensitiveAttributeSearch(DefaultFullNameAttribute, authResult.UserAttributes)
 		if found {
 			acct.FullName = fullName[0]
 		}