Add support for hashing time.Time within slices, which unbreaks auditing #6767

Merged
merged 19 commits into from
Jul 2, 2019
dd9a363
Add support for hashing time.Time within slices, which unbreaks auditing
ncabatoff May 21, 2019
dd3c221
Break Hash into struct-specific func like HashAuth, HashRequest.
ncabatoff May 21, 2019
e0dce92
Instead of returning an error when trying to hash map keys of type
ncabatoff May 21, 2019
ada8200
Enable auditing on test clusters by default.
ncabatoff May 21, 2019
d86e6b6
Only enable auditing automatically if the caller didn't specify any
ncabatoff May 22, 2019
f6490f4
Fix nil panic when no base provided.
ncabatoff May 22, 2019
ddf78fe
Merge branch 'master' of vault into fix-auditing-counter-requests. As
ncabatoff May 28, 2019
90ba51e
Merge branch 'master' into fix-auditing-counter-requests
jefferai May 28, 2019
8483c5e
Fix some tests that were failing as a result of my previous changes.
ncabatoff Jun 3, 2019
a4437d7
Revert unnecessary change to how we hash data maps.
ncabatoff Jun 3, 2019
abdbdc8
noop auditing
ncabatoff Jun 10, 2019
77354c3
Cleanup sdk module now that I've removed the audit file backend dep.
ncabatoff Jun 11, 2019
7562f0f
Cleanup api module now that I've removed the audit file backend dep.
ncabatoff Jun 11, 2019
c8ec52c
Merge branches 'fix-auditing-counter-requests' and 'master' of ssh://…
ncabatoff Jun 11, 2019
d1ae223
Fix users of testCoreConfig.
ncabatoff Jun 11, 2019
9fa7da3
Merge branch 'master' into fix-auditing-counter-requests
ncabatoff Jul 2, 2019
4b31235
Add godoc for AuditFormatWriter methods.
ncabatoff Jul 2, 2019
aa85762
Update godoc.
ncabatoff Jul 2, 2019
d92c798
Merge branch 'master' of github.com/hashicorp/vault into fix-auditing…
ncabatoff Jul 2, 2019
187 changes: 19 additions & 168 deletions audit/format.go
Expand Up @@ -3,7 +3,6 @@ package audit
import (
"context"
"crypto/tls"
"encoding/json"
"fmt"
"io"
"strings"
Expand All @@ -15,7 +14,6 @@ import (
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
"github.com/mitchellh/copystructure"
)

type AuditFormatWriter interface {
Expand Down Expand Up @@ -54,79 +52,26 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
auth := in.Auth
req := in.Request
var connState *tls.ConnectionState
if auth == nil {
auth = new(logical.Auth)
}

if in.Request.Connection != nil && in.Request.Connection.ConnState != nil {
connState = in.Request.Connection.ConnState
}

if !config.Raw {
// Before we copy the structure we must nil out some data
// otherwise we will cause reflection to panic and die
if connState != nil {
in.Request.Connection.ConnState = nil
defer func() {
in.Request.Connection.ConnState = connState
}()
}

// Copy the auth structure
if in.Auth != nil {
cp, err := copystructure.Copy(in.Auth)
if err != nil {
return err
}
auth = cp.(*logical.Auth)
}

cp, err := copystructure.Copy(in.Request)
auth, err = HashAuth(salt, auth, config.HMACAccessor)
if err != nil {
return err
}
req = cp.(*logical.Request)
for k, v := range req.Data {
if o, ok := v.(logical.OptMarshaler); ok {
marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
ValueHasher: salt.GetIdentifiedHMAC,
})
if err != nil {
return err
}
req.Data[k] = json.RawMessage(marshaled)
}
}

// Hash any sensitive information
if auth != nil {
// Cache and restore accessor in the auth
var authAccessor string
if !config.HMACAccessor && auth.Accessor != "" {
authAccessor = auth.Accessor
}
if err := Hash(salt, auth, nil); err != nil {
return err
}
if authAccessor != "" {
auth.Accessor = authAccessor
}
}

// Cache and restore accessor in the request
var clientTokenAccessor string
if !config.HMACAccessor && req != nil && req.ClientTokenAccessor != "" {
clientTokenAccessor = req.ClientTokenAccessor
}
if err := Hash(salt, req, in.NonHMACReqDataKeys); err != nil {
req, err = HashRequest(salt, req, config.HMACAccessor, in.NonHMACReqDataKeys)
if err != nil {
return err
}
if clientTokenAccessor != "" {
req.ClientTokenAccessor = clientTokenAccessor
}
}

// If auth is nil, make an empty one
if auth == nil {
auth = new(logical.Auth)
}
var errString string
if in.OuterErr != nil {
errString = in.OuterErr.Error()
Expand Down Expand Up @@ -209,130 +154,36 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
}

// Set these to the input values at first
auth := in.Auth
req := in.Request
resp := in.Response
auth, req, resp := in.Auth, in.Request, in.Response
if auth == nil {
auth = new(logical.Auth)
}
if resp == nil {
resp = new(logical.Response)
}
var connState *tls.ConnectionState

if in.Request.Connection != nil && in.Request.Connection.ConnState != nil {
connState = in.Request.Connection.ConnState
}

if !config.Raw {
// Before we copy the structure we must nil out some data
// otherwise we will cause reflection to panic and die
if connState != nil {
in.Request.Connection.ConnState = nil
defer func() {
in.Request.Connection.ConnState = connState
}()
}

// Copy the auth structure
if in.Auth != nil {
cp, err := copystructure.Copy(in.Auth)
if err != nil {
return err
}
auth = cp.(*logical.Auth)
}

cp, err := copystructure.Copy(in.Request)
auth, err = HashAuth(salt, auth, config.HMACAccessor)
if err != nil {
return err
}
req = cp.(*logical.Request)
for k, v := range req.Data {
if o, ok := v.(logical.OptMarshaler); ok {
marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
ValueHasher: salt.GetIdentifiedHMAC,
})
if err != nil {
return err
}
req.Data[k] = json.RawMessage(marshaled)
}
}

if in.Response != nil {
cp, err := copystructure.Copy(in.Response)
if err != nil {
return err
}
resp = cp.(*logical.Response)
for k, v := range resp.Data {
if o, ok := v.(logical.OptMarshaler); ok {
marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
ValueHasher: salt.GetIdentifiedHMAC,
})
if err != nil {
return err
}
resp.Data[k] = json.RawMessage(marshaled)
}
}
}

// Hash any sensitive information

// Cache and restore accessor in the auth
if auth != nil {
var accessor string
if !config.HMACAccessor && auth.Accessor != "" {
accessor = auth.Accessor
}
if err := Hash(salt, auth, nil); err != nil {
return err
}
if accessor != "" {
auth.Accessor = accessor
}
}

// Cache and restore accessor in the request
var clientTokenAccessor string
if !config.HMACAccessor && req != nil && req.ClientTokenAccessor != "" {
clientTokenAccessor = req.ClientTokenAccessor
}
if err := Hash(salt, req, in.NonHMACReqDataKeys); err != nil {
req, err = HashRequest(salt, req, config.HMACAccessor, in.NonHMACReqDataKeys)
if err != nil {
return err
}
if clientTokenAccessor != "" {
req.ClientTokenAccessor = clientTokenAccessor
}

// Cache and restore accessor in the response
if resp != nil {
var accessor, wrappedAccessor, wrappingAccessor string
if !config.HMACAccessor && resp != nil && resp.Auth != nil && resp.Auth.Accessor != "" {
accessor = resp.Auth.Accessor
}
if !config.HMACAccessor && resp != nil && resp.WrapInfo != nil && resp.WrapInfo.WrappedAccessor != "" {
wrappedAccessor = resp.WrapInfo.WrappedAccessor
wrappingAccessor = resp.WrapInfo.Accessor
}
if err := Hash(salt, resp, in.NonHMACRespDataKeys); err != nil {
return err
}
if accessor != "" {
resp.Auth.Accessor = accessor
}
if wrappedAccessor != "" {
resp.WrapInfo.WrappedAccessor = wrappedAccessor
}
if wrappingAccessor != "" {
resp.WrapInfo.Accessor = wrappingAccessor
}
resp, err = HashResponse(salt, resp, config.HMACAccessor, in.NonHMACRespDataKeys)
if err != nil {
return err
}
}

// If things are nil, make empty to avoid panics
if auth == nil {
auth = new(logical.Auth)
}
if resp == nil {
resp = new(logical.Response)
}
var errString string
if in.OuterErr != nil {
errString = in.OuterErr.Error()
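Review bot: The new `!config.Raw` branches in both FormatRequest and FormatResponse no longer nil out `in.Request.Connection.ConnState` (with the deferred restore) before the reflective deep copy, and no longer run the per-key `logical.OptMarshaler` pass that fed `req.Data`/`resp.Data` values through `salt.GetIdentifiedHMAC`, so both protections now rest entirely on HashAuth/HashRequest/HashResponse, which are outside this diff. If those helpers do not reproduce both steps, a request carrying a non-nil `*tls.ConnectionState` can panic inside the copy, and `OptMarshaler` values would reach the audit sink without the HMAC they received before — I cannot confirm either way from this page. I would pin this with a test that formats a request with a non-nil `ConnState` and an `OptMarshaler` value in `Data` and asserts the written entry contains the HMAC'd form, and add a comment above the `HashRequest` call such as `// HashRequest deep-copies req (masking Connection.ConnState) and HMACs Data, including OptMarshaler values`. FormatRequest begins above its hunk (the `salt`/`err` declarations it relies on are not visible here) and FormatResponse's body continues past the last hunk.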