Move to go 1.17 (hashicorp#12868)

Also ensure that the go 1.17 breaking changes to net.ParseCIDR don't make us choke on stored CIDRs that were acceptable to older Go versions.

.circleci/config/commands/go_test.yml

@@ -14,7 +14,7 @@ parameters:
     default: false
   go_image:
     type: string
-    default: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    default: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   use_docker:
     type: boolean
     default: false

.circleci/config/executors/@executors.yml

@@ -3,7 +3,7 @@ go-machine:
   shell: /usr/bin/env bash -euo pipefail -c
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
-    GO_VERSION: 1.16.7  # Pin Go to patch version (ex: 1.2.3)
+    GO_VERSION: 1.17.2  # Pin Go to patch version (ex: 1.2.3)
     GOTESTSUM_VERSION: 0.5.2  # Pin gotestsum to patch version (ex: 1.2.3)
     GO_TAGS: ""
   working_directory: /go/src/github.com/hashicorp/vault
@@ -25,23 +25,23 @@ alpine:
 docker-env-go-test-remote-docker:
   resource_class: medium
   docker:
-    - image: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    - image: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
     GO_TAGS: ""
   working_directory: /go/src/github.com/hashicorp/vault
 docker-env-go-test:
   resource_class: large
   docker:
-    - image: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    - image: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
     GO_TAGS: ""
   working_directory: /go/src/github.com/hashicorp/vault
 docker-env-go-test-race:
   resource_class: xlarge
   docker:
-    - image: "docker.mirror.hashicorp.services/circleci/golang:1.16.7-buster"
+    - image: "docker.mirror.hashicorp.services/circleci/golang:1.17.2-buster"
   environment:
     CIRCLECI_CLI_VERSION: 0.1.5546  # Pin CircleCI CLI to patch version (ex: 1.2.3)
     GO_TAGS: ""

Makefile

@@ -15,7 +15,7 @@ EXTERNAL_TOOLS=\
 GOFMT_FILES?=$$(find . -name '*.go' | grep -v pb.go | grep -v vendor)
 
 
-GO_VERSION_MIN=1.16.7
+GO_VERSION_MIN=1.17.2
 GO_CMD?=go
 CGO_ENABLED?=0
 ifneq ($(FDB_ENABLED), )

README.md

@@ -72,7 +72,7 @@ Developing Vault
 
 If you wish to work on Vault itself or any of its built-in systems, you'll
 first need [Go](https://www.golang.org) installed on your machine. Go version
-1.16.7+ is *required*.
+1.17.2+ is *required*.
 
 For local dev first make sure Go is properly installed, including setting up a
 [GOPATH](https://golang.org/doc/code.html#GOPATH). Ensure that `$GOPATH/bin` is in

builtin/credential/approle/path_role.go

@@ -11,6 +11,7 @@ import (
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/go-secure-stdlib/strutil"
 	uuid "github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/parseip"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
 	"github.com/hashicorp/vault/sdk/helper/consts"
@@ -818,6 +819,10 @@ func (b *backend) roleEntry(ctx context.Context, s logical.Storage, roleName str
 		needsUpgrade = true
 	}
 
+	for i, cidr := range role.SecretIDBoundCIDRs {
+		role.SecretIDBoundCIDRs[i] = parseip.TrimLeadingZeroesCIDR(cidr)
+	}
+
 	if role.TokenPeriod == 0 && role.Period > 0 {
 		role.TokenPeriod = role.Period
 	}

builtin/credential/approle/validation.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	uuid "github.com/hashicorp/go-uuid"
+	"github.com/hashicorp/vault/helper/parseip"
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
 	"github.com/hashicorp/vault/sdk/helper/locksutil"
 	"github.com/hashicorp/vault/sdk/logical"
@@ -110,6 +111,25 @@ func (b *backend) secretIDAccessorLock(secretIDAccessor string) *locksutil.LockE
 	return locksutil.LockForKey(b.secretIDAccessorLocks, secretIDAccessor)
 }
 
+func decodeSecretIDStorageEntry(entry *logical.StorageEntry) (*secretIDStorageEntry, error) {
+	result := secretIDStorageEntry{}
+	if err := entry.DecodeJSON(&result); err != nil {
+		return nil, err
+	}
+
+	cleanup := func(in []string) []string {
+		var out []string
+		for _, s := range in {
+			out = append(out, parseip.TrimLeadingZeroesCIDR(s))
+		}
+		return out
+	}
+
+	result.CIDRList = cleanup(result.CIDRList)
+	result.TokenBoundCIDRs = cleanup(result.TokenBoundCIDRs)
+	return &result, nil
+}
+
 // nonLockedSecretIDStorageEntry fetches the secret ID properties from physical
 // storage. The entry will be indexed based on the given HMACs of both role
 // name and the secret ID. This method will not acquire secret ID lock to fetch
@@ -134,8 +154,8 @@ func (b *backend) nonLockedSecretIDStorageEntry(ctx context.Context, s logical.S
 		return nil, nil
 	}
 
-	result := secretIDStorageEntry{}
-	if err := entry.DecodeJSON(&result); err != nil {
+	result, err := decodeSecretIDStorageEntry(entry)
+	if err != nil {
 		return nil, err
 	}
 
@@ -154,12 +174,12 @@ func (b *backend) nonLockedSecretIDStorageEntry(ctx context.Context, s logical.S
 	}
 
 	if persistNeeded {
-		if err := b.nonLockedSetSecretIDStorageEntry(ctx, s, roleSecretIDPrefix, roleNameHMAC, secretIDHMAC, &result); err != nil {
+		if err := b.nonLockedSetSecretIDStorageEntry(ctx, s, roleSecretIDPrefix, roleNameHMAC, secretIDHMAC, result); err != nil {
 			return nil, fmt.Errorf("failed to upgrade role storage entry %w", err)
 		}
 	}
 
-	return &result, nil
+	return result, nil
 }
 
 // nonLockedSetSecretIDStorageEntry creates or updates a secret ID entry at the

builtin/logical/ssh/util.go

@@ -13,10 +13,9 @@ import (
 	"strings"
 	"time"
 
+	log "github.com/hashicorp/go-hclog"
 	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/vault/sdk/logical"
-
-	log "github.com/hashicorp/go-hclog"
 	"golang.org/x/crypto/ssh"
 )
 

changelog/12868.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+core: build with Go 1.17, and mitigate a breaking change they made that could impact how approle and ssh interpret IPs/CIDRs
+```