hashicorp · ncabatoff · Jul 2, 2019 · May 21, 2019 · May 21, 2019 · May 21, 2019
diff --git a/api/go.sum b/api/go.sum
@@ -1,5 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/Jeffail/gabs v1.1.1/go.mod h1:6xMvQMK4k33lb7GUUpaAPh6nKMmemQeg5d4gn7/bOXc=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da h1:8GUt8eRujhVEGZFFEjBj46YV4rDjvGrNxb0KMWYkL2I=
 github.com/armon/go-metrics v0.0.0-20180917152333-f0300d1749da/go.mod h1:Q73ZrmVTwzkszR9V5SSuryQ31EELlFMUz1kKyl939pY=
 github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
@@ -52,10 +53,12 @@ github.com/hashicorp/golang-lru v0.5.1 h1:0hERBMJE1eitiLkihrMvRVBYAkpHzc/J3QdDN+
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/vault v1.1.2/go.mod h1:KfSyffbKxoVyspOdlaGVjIuwLobi07qD1bAbosPMpP0=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=
 github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d h1:kJCB4vdITiW1eC1vq2e6IsrXKrZit1bv/TDYFGMp4BQ=
 github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/jefferai/jsonx v1.0.0/go.mod h1:OGmqmi2tTeI/PS+qQfBDToLHHJIy/RMp24fPo8vFvoQ=
 github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=

diff --git a/audit/format.go b/audit/format.go
@@ -3,7 +3,6 @@ package audit
 import (
 	"context"
 	"crypto/tls"
-	"encoding/json"
 	"fmt"
 	"io"
 	"strings"
@@ -15,7 +14,6 @@ import (
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/salt"
 	"github.com/hashicorp/vault/sdk/logical"
-	"github.com/mitchellh/copystructure"
 )
 
 type AuditFormatWriter interface {
@@ -54,79 +52,26 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
 	auth := in.Auth
 	req := in.Request
 	var connState *tls.ConnectionState
+	if auth == nil {
+		auth = new(logical.Auth)
+	}
 
 	if in.Request.Connection != nil && in.Request.Connection.ConnState != nil {
 		connState = in.Request.Connection.ConnState
 	}
 
 	if !config.Raw {
-		// Before we copy the structure we must nil out some data
-		// otherwise we will cause reflection to panic and die
-		if connState != nil {
-			in.Request.Connection.ConnState = nil
-			defer func() {
-				in.Request.Connection.ConnState = connState
-			}()
-		}
-
-		// Copy the auth structure
-		if in.Auth != nil {
-			cp, err := copystructure.Copy(in.Auth)
-			if err != nil {
-				return err
-			}
-			auth = cp.(*logical.Auth)
-		}
-
-		cp, err := copystructure.Copy(in.Request)
+		auth, err = HashAuth(salt, auth, config.HMACAccessor)
 		if err != nil {
 			return err
 		}
-		req = cp.(*logical.Request)
-		for k, v := range req.Data {
-			if o, ok := v.(logical.OptMarshaler); ok {
-				marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
-					ValueHasher: salt.GetIdentifiedHMAC,
-				})
-				if err != nil {
-					return err
-				}
-				req.Data[k] = json.RawMessage(marshaled)
-			}
-		}
 
-		// Hash any sensitive information
-		if auth != nil {
-			// Cache and restore accessor in the auth
-			var authAccessor string
-			if !config.HMACAccessor && auth.Accessor != "" {
-				authAccessor = auth.Accessor
-			}
-			if err := Hash(salt, auth, nil); err != nil {
-				return err
-			}
-			if authAccessor != "" {
-				auth.Accessor = authAccessor
-			}
-		}
-
-		// Cache and restore accessor in the request
-		var clientTokenAccessor string
-		if !config.HMACAccessor && req != nil && req.ClientTokenAccessor != "" {
-			clientTokenAccessor = req.ClientTokenAccessor
-		}
-		if err := Hash(salt, req, in.NonHMACReqDataKeys); err != nil {
+		req, err = HashRequest(salt, req, config.HMACAccessor, in.NonHMACReqDataKeys)
+		if err != nil {
 			return err
 		}
-		if clientTokenAccessor != "" {
-			req.ClientTokenAccessor = clientTokenAccessor
-		}
 	}
 
-	// If auth is nil, make an empty one
-	if auth == nil {
-		auth = new(logical.Auth)
-	}
 	var errString string
 	if in.OuterErr != nil {
 		errString = in.OuterErr.Error()
@@ -208,130 +153,36 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 	}
 
 	// Set these to the input values at first
-	auth := in.Auth
-	req := in.Request
-	resp := in.Response
+	auth, req, resp := in.Auth, in.Request, in.Response
+	if auth == nil {
+		auth = new(logical.Auth)
+	}
+	if resp == nil {
+		resp = new(logical.Response)
+	}
 	var connState *tls.ConnectionState
 
 	if in.Request.Connection != nil && in.Request.Connection.ConnState != nil {
 		connState = in.Request.Connection.ConnState
 	}
 
 	if !config.Raw {
-		// Before we copy the structure we must nil out some data
-		// otherwise we will cause reflection to panic and die
-		if connState != nil {
-			in.Request.Connection.ConnState = nil
-			defer func() {
-				in.Request.Connection.ConnState = connState
-			}()
-		}
-
-		// Copy the auth structure
-		if in.Auth != nil {
-			cp, err := copystructure.Copy(in.Auth)
-			if err != nil {
-				return err
-			}
-			auth = cp.(*logical.Auth)
-		}
-
-		cp, err := copystructure.Copy(in.Request)
+		auth, err = HashAuth(salt, auth, config.HMACAccessor)
 		if err != nil {
 			return err
 		}
-		req = cp.(*logical.Request)
-		for k, v := range req.Data {
-			if o, ok := v.(logical.OptMarshaler); ok {
-				marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
-					ValueHasher: salt.GetIdentifiedHMAC,
-				})
-				if err != nil {
-					return err
-				}
-				req.Data[k] = json.RawMessage(marshaled)
-			}
-		}
-
-		if in.Response != nil {
-			cp, err := copystructure.Copy(in.Response)
-			if err != nil {
-				return err
-			}
-			resp = cp.(*logical.Response)
-			for k, v := range resp.Data {
-				if o, ok := v.(logical.OptMarshaler); ok {
-					marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
-						ValueHasher: salt.GetIdentifiedHMAC,
-					})
-					if err != nil {
-						return err
-					}
-					resp.Data[k] = json.RawMessage(marshaled)
-				}
-			}
-		}
-
-		// Hash any sensitive information
-
-		// Cache and restore accessor in the auth
-		if auth != nil {
-			var accessor string
-			if !config.HMACAccessor && auth.Accessor != "" {
-				accessor = auth.Accessor
-			}
-			if err := Hash(salt, auth, nil); err != nil {
-				return err
-			}
-			if accessor != "" {
-				auth.Accessor = accessor
-			}
-		}
 
-		// Cache and restore accessor in the request
-		var clientTokenAccessor string
-		if !config.HMACAccessor && req != nil && req.ClientTokenAccessor != "" {
-			clientTokenAccessor = req.ClientTokenAccessor
-		}
-		if err := Hash(salt, req, in.NonHMACReqDataKeys); err != nil {
+		req, err = HashRequest(salt, req, config.HMACAccessor, in.NonHMACReqDataKeys)
+		if err != nil {
 			return err
 		}
-		if clientTokenAccessor != "" {
-			req.ClientTokenAccessor = clientTokenAccessor
-		}
 
-		// Cache and restore accessor in the response
-		if resp != nil {
-			var accessor, wrappedAccessor, wrappingAccessor string
-			if !config.HMACAccessor && resp != nil && resp.Auth != nil && resp.Auth.Accessor != "" {
-				accessor = resp.Auth.Accessor
-			}
-			if !config.HMACAccessor && resp != nil && resp.WrapInfo != nil && resp.WrapInfo.WrappedAccessor != "" {
-				wrappedAccessor = resp.WrapInfo.WrappedAccessor
-				wrappingAccessor = resp.WrapInfo.Accessor
-			}
-			if err := Hash(salt, resp, in.NonHMACRespDataKeys); err != nil {
-				return err
-			}
-			if accessor != "" {
-				resp.Auth.Accessor = accessor
-			}
-			if wrappedAccessor != "" {
-				resp.WrapInfo.WrappedAccessor = wrappedAccessor
-			}
-			if wrappingAccessor != "" {
-				resp.WrapInfo.Accessor = wrappingAccessor
-			}
+		resp, err = HashResponse(salt, resp, config.HMACAccessor, in.NonHMACRespDataKeys)
+		if err != nil {
+			return err
 		}
 	}
 
-	// If things are nil, make empty to avoid panics
-	if auth == nil {
-		auth = new(logical.Auth)
-	}
-	if resp == nil {
-		resp = new(logical.Response)
-	}
 	var errString string
 	if in.OuterErr != nil {
 		errString = in.OuterErr.Error()