2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
|
2015-03-27 20:43:23 +00:00
|
|
|
package audit
|
|
|
|
|
|
2015-09-18 16:18:37 +00:00
|
|
|
import (
|
2018-01-19 06:44:44 +00:00
|
|
|
"context"
|
|
|
|
|
|
2019-04-12 21:54:35 +00:00
|
|
|
"github.com/hashicorp/vault/sdk/helper/salt"
|
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
2015-09-18 16:18:37 +00:00
|
|
|
)
|
2015-04-01 20:54:50 +00:00
|
|
|
|
2015-03-27 20:43:23 +00:00
|
|
|
// Backend interface must be implemented for an audit
|
|
|
|
|
// mechanism to be made available. Audit backends can be enabled to
|
|
|
|
|
// sink information to different backends such as logs, file, databases,
|
|
|
|
|
// or other external services.
|
|
|
|
|
type Backend interface {
|
2016-05-15 16:58:36 +00:00
|
|
|
// LogRequest is used to synchronously log a request. This is done after the
|
2015-04-27 21:24:11 +00:00
|
|
|
// request is authorized but before the request is executed. The arguments
|
|
|
|
|
// MUST not be modified in anyway. They should be deep copied if this is
|
|
|
|
|
// a possibility.
|
2019-05-22 22:52:53 +00:00
|
|
|
LogRequest(context.Context, *logical.LogInput) error
|
2015-04-01 20:54:50 +00:00
|
|
|
|
2016-05-15 16:58:36 +00:00
|
|
|
// LogResponse is used to synchronously log a response. This is done after
|
2015-04-27 21:24:11 +00:00
|
|
|
// the request is processed but before the response is sent. The arguments
|
|
|
|
|
// MUST not be modified in anyway. They should be deep copied if this is
|
|
|
|
|
// a possibility.
|
2019-05-22 22:52:53 +00:00
|
|
|
LogResponse(context.Context, *logical.LogInput) error
|
2015-11-19 01:26:03 +00:00
|
|
|
|
2020-12-16 22:00:32 +00:00
|
|
|
// LogTestMessage is used to check an audit backend before adding it
|
|
|
|
|
// permanently. It should attempt to synchronously log the given test
|
|
|
|
|
// message, WITHOUT using the normal Salt (which would require a storage
|
|
|
|
|
// operation on creation, which is currently disallowed.)
|
|
|
|
|
LogTestMessage(context.Context, *logical.LogInput, map[string]string) error
|
|
|
|
|
|
2015-11-19 01:26:03 +00:00
|
|
|
// GetHash is used to return the given data with the backend's hash,
|
|
|
|
|
// so that a caller can determine if a value in the audit log matches
|
|
|
|
|
// an expected plaintext value
|
2018-03-08 19:21:11 +00:00
|
|
|
GetHash(context.Context, string) (string, error)
|
2016-09-30 19:04:50 +00:00
|
|
|
|
|
|
|
|
// Reload is called on SIGHUP for supporting backends.
|
2018-01-19 06:44:44 +00:00
|
|
|
Reload(context.Context) error
|
2017-05-24 00:36:20 +00:00
|
|
|
|
|
|
|
|
// Invalidate is called for path invalidation
|
2018-01-19 06:44:44 +00:00
|
|
|
Invalidate(context.Context)
|
2015-03-27 20:43:23 +00:00
|
|
|
}
|
|
|
|
|
|
2018-03-02 17:18:39 +00:00
|
|
|
// BackendConfig contains configuration parameters used in the factory func to
|
|
|
|
|
// instantiate audit backends
|
2015-09-18 16:18:37 +00:00
|
|
|
type BackendConfig struct {
|
2017-05-24 00:36:20 +00:00
|
|
|
// The view to store the salt
|
|
|
|
|
SaltView logical.Storage
|
|
|
|
|
|
|
|
|
|
// The salt config that should be used for any secret obfuscation
|
|
|
|
|
SaltConfig *salt.Config
|
2015-09-18 16:18:37 +00:00
|
|
|
|
|
|
|
|
// Config is the opaque user configuration provided when mounting
|
|
|
|
|
Config map[string]string
|
|
|
|
|
}
|
|
|
|
|
|
2015-03-27 20:43:23 +00:00
|
|
|
// Factory is the factory function to create an audit backend.
|
2018-01-19 06:44:44 +00:00
|
|
|
type Factory func(context.Context, *BackendConfig) (Backend, error)
|
