package vault
import (
"context"
"fmt"
"reflect"
"strings"
"sync"
"testing"
"time"
"errors"
"github.com/hashicorp/errwrap"
log "github.com/hashicorp/go-hclog"
uuid "github.com/hashicorp/go-uuid"
"github.com/hashicorp/vault/audit"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/jsonutil"
"github.com/hashicorp/vault/sdk/helper/logging"
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
"github.com/mitchellh/copystructure"
)
// NoopAudit is an in-memory audit backend used by the tests in this file. It
// records every request and response it is handed so assertions can inspect
// them, and can be made to fail on demand through ReqErr / RespErr.
type NoopAudit struct {
	// Config is the backend config handed to the factory; Salt reads
	// Config.SaltView and Config.SaltConfig when lazily creating the salt.
	Config *audit.BackendConfig

	// ReqErr is returned unchanged from every LogRequest call.
	ReqErr error
	// ReqAuth, Req, ReqHeaders and ReqErrs each gain one entry per
	// LogRequest call (Auth, Request, Request.Headers, OuterErr).
	ReqAuth    []*logical.Auth
	Req        []*logical.Request
	ReqHeaders []map[string][]string
	// ReqNonHMACKeys holds the NonHMACReqDataKeys of the most recent
	// LogRequest call only; it is overwritten, not appended.
	ReqNonHMACKeys []string
	ReqErrs        []error

	// RespErr is returned unchanged from every LogResponse call.
	RespErr error
	// RespAuth, RespReq, Resp and RespErrs each gain one entry per
	// LogResponse call (Auth, Request, Response, OuterErr).
	RespAuth []*logical.Auth
	RespReq  []*logical.Request
	Resp     []*logical.Response
	// RespNonHMACKeys and RespReqNonHMACKeys hold the key lists of the most
	// recent LogResponse call that carried a non-nil Response; overwritten,
	// not appended.
	RespNonHMACKeys    []string
	RespReqNonHMACKeys []string
	RespErrs           []error

	// salt is created lazily by Salt and cleared by Invalidate; saltMutex
	// guards every access to it.
	salt      *salt.Salt
	saltMutex sync.RWMutex
}
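// LogRequest records the audit input and returns n.ReqErr, letting tests drive
// a failing backend. Auth, Request and OuterErr are appended to their history
// slices; NonHMACReqDataKeys replaces ReqNonHMACKeys rather than appending.
//
// The Headers entry is appended even when in.Request is nil (as a nil map), so
// the ReqHeaders history stays index-aligned with Req instead of panicking on
// a nil request.
func (n *NoopAudit) LogRequest(ctx context.Context, in *audit.LogInput) error {
	var headers map[string][]string
	if in.Request != nil {
		headers = in.Request.Headers
	}

	n.ReqAuth = append(n.ReqAuth, in.Auth)
	n.Req = append(n.Req, in.Request)
	n.ReqHeaders = append(n.ReqHeaders, headers)
	n.ReqNonHMACKeys = in.NonHMACReqDataKeys
	n.ReqErrs = append(n.ReqErrs, in.OuterErr)

	return n.ReqErr
}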
// LogResponse records the audit input and returns n.RespErr so tests can make
// this backend fail on demand. Auth, Request, Response and OuterErr are
// appended to their history slices; the non-HMAC key lists are captured
// (overwritten, not appended) only when a Response is present.
func (n *NoopAudit) LogResponse(ctx context.Context, in *audit.LogInput) error {
	n.RespErrs = append(n.RespErrs, in.OuterErr)
	n.Resp = append(n.Resp, in.Response)
	n.RespReq = append(n.RespReq, in.Request)
	n.RespAuth = append(n.RespAuth, in.Auth)

	if in.Response == nil {
		return n.RespErr
	}
	n.RespReqNonHMACKeys = in.NonHMACReqDataKeys
	n.RespNonHMACKeys = in.NonHMACRespDataKeys
	return n.RespErr
}
// Salt returns the backend's salt, creating it on first use from
// Config.SaltView and Config.SaltConfig. Creation is guarded by saltMutex and
// the nil check is repeated under the write lock so concurrent first callers
// never build two salts.
func (n *NoopAudit) Salt(ctx context.Context) (*salt.Salt, error) {
	// Fast path: a shared lock is enough to read an already-built salt.
	n.saltMutex.RLock()
	cached := n.salt
	n.saltMutex.RUnlock()
	if cached != nil {
		return cached, nil
	}

	n.saltMutex.Lock()
	defer n.saltMutex.Unlock()

	// Another goroutine may have built the salt between the two locks.
	if n.salt != nil {
		return n.salt, nil
	}

	// Named s rather than salt so the salt package is not shadowed.
	s, err := salt.NewSalt(ctx, n.Config.SaltView, n.Config.SaltConfig)
	if err != nil {
		return nil, err
	}
	n.salt = s
	return s, nil
}
// GetHash returns the salted, identified HMAC of data using the backend's
// lazily created salt. Any error from Salt is returned with an empty string.
func (n *NoopAudit) GetHash(ctx context.Context, data string) (string, error) {
	s, err := n.Salt(ctx)
	if err != nil {
		return "", err
	}
	hashed := s.GetIdentifiedHMAC(data)
	return hashed, nil
}
// Reload has nothing to do for the noop backend: there is no file or
// connection to reopen, so it always reports success.
func (n *NoopAudit) Reload(ctx context.Context) error {
	return nil
}
// Invalidate drops the cached salt so the next Salt call rebuilds it from
// Config. The write lock is taken because Salt may be reading concurrently.
func (n *NoopAudit) Invalidate(ctx context.Context) {
	n.saltMutex.Lock()
	n.salt = nil
	n.saltMutex.Unlock()
}
// TestAudit_ReadOnlyViewDuringMount checks that the SaltView handed to an
// audit factory during enableAudit is read-only: a Put from inside the
// factory must fail with logical.ErrSetupReadOnly, while the mount itself
// still succeeds.
func TestAudit_ReadOnlyViewDuringMount(t *testing.T) {
	c, _, _ := TestCoreUnsealed(t)

	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
		entry := &logical.StorageEntry{Key: "bar", Value: []byte("baz")}
		putErr := config.SaltView.Put(ctx, entry)
		switch {
		case putErr == nil:
			t.Fatalf("expected a read-only error")
		case !strings.Contains(putErr.Error(), logical.ErrSetupReadOnly.Error()):
			t.Fatalf("expected a read-only error")
		}
		return &NoopAudit{}, nil
	}

	me := &MountEntry{Table: auditTableType, Path: "foo", Type: "noop"}
	if err := c.enableAudit(namespace.RootContext(nil), me, true); err != nil {
		t.Fatalf("err: %v", err)
	}
}
// TestCore_EnableAudit enables a noop audit backend on one core, then boots a
// second core on the same physical storage and confirms the audit table was
// persisted (both tables are deeply equal) and the backend is registered with
// the broker in both cores.
func TestCore_EnableAudit(t *testing.T) {
	c, keys, _ := TestCoreUnsealed(t)

	noopFactory := func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
		return &NoopAudit{Config: config}, nil
	}
	c.auditBackends["noop"] = noopFactory

	me := &MountEntry{Table: auditTableType, Path: "foo", Type: "noop"}
	if err := c.enableAudit(namespace.RootContext(nil), me, true); err != nil {
		t.Fatalf("err: %v", err)
	}
	if !c.auditBroker.IsRegistered("foo/") {
		t.Fatalf("missing audit backend")
	}

	// Second core sharing the same storage; it must pick the mount up from
	// the persisted table rather than from c's in-memory state.
	conf := &CoreConfig{
		Physical:      c.physical,
		AuditBackends: map[string]audit.Factory{"noop": noopFactory},
		DisableMlock:  true,
	}
	c2, err := NewCore(conf)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	for i, key := range keys {
		unsealed, err := TestCoreUnseal(c2, key)
		if err != nil {
			t.Fatalf("err: %v", err)
		}
		// Only the final key share is expected to complete the unseal.
		if i == len(keys)-1 && !unsealed {
			t.Fatalf("should be unsealed")
		}
	}

	// Verify matching audit tables
	if !reflect.DeepEqual(c.audit, c2.audit) {
		t.Fatalf("mismatch: %v %v", c.audit, c2.audit)
	}

	// Check for registration
	if !c2.auditBroker.IsRegistered("foo/") {
		t.Fatalf("missing audit backend")
	}
}
// TestCore_EnableAudit_MixedFailures runs setupAudits against a table whose
// entries may point at a factory that fails: as long as at least one entry
// sets up, setupAudits succeeds; once every entry fails it must return an
// error.
func TestCore_EnableAudit_MixedFailures(t *testing.T) {
	c, _, _ := TestCoreUnsealed(t)
	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
		return &NoopAudit{Config: config}, nil
	}
	c.auditBackends["fail"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
		return nil, fmt.Errorf("failing enabling")
	}

	c.audit = &MountTable{
		Type: auditTableType,
		Entries: []*MountEntry{
			{Table: auditTableType, Path: "noop/", Type: "noop", UUID: "abcd"},
			{Table: auditTableType, Path: "noop2/", Type: "noop", UUID: "bcde"},
		},
	}

	ctx := context.Background()

	// Both entries resolve to the working factory.
	if err := c.setupAudits(ctx); err != nil {
		t.Fatal(err)
	}

	// One failing entry is tolerated while the other still sets up.
	c.audit.Entries[0].Type = "fail"
	if err := c.setupAudits(ctx); err != nil {
		t.Fatal(err)
	}

	// With no entry able to set up, setupAudits must report an error.
	c.audit.Entries[1].Type = "fail"
	if err := c.setupAudits(ctx); err == nil {
		t.Fatal("expected error")
	}
}
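// TestCore_EnableAudit_Local verifies that the local audit table is populated
// only with entries flagged Local, and that loadAudits recombines the
// replicated and local tables into the same in-memory table that was
// persisted.
//
// The final assertion reports c.audit, the combined table whose length is
// being checked, rather than the already-validated local table.
func TestCore_EnableAudit_Local(t *testing.T) {
	c, _, _ := TestCoreUnsealed(t)
	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
		return &NoopAudit{Config: config}, nil
	}
	c.auditBackends["fail"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
		return nil, fmt.Errorf("failing enabling")
	}

	c.audit = &MountTable{
		Type: auditTableType,
		Entries: []*MountEntry{
			{
				Table:       auditTableType,
				Path:        "noop/",
				Type:        "noop",
				UUID:        "abcd",
				Accessor:    "noop-abcd",
				NamespaceID: namespace.RootNamespaceID,
				namespace:   namespace.RootNamespace,
			},
			{
				Table:       auditTableType,
				Path:        "noop2/",
				Type:        "noop",
				UUID:        "bcde",
				Accessor:    "noop-bcde",
				NamespaceID: namespace.RootNamespaceID,
				namespace:   namespace.RootNamespace,
			},
		},
	}

	ctx := context.Background()

	// Both should set up successfully
	if err := c.setupAudits(ctx); err != nil {
		t.Fatal(err)
	}

	// readLocalTable fetches and decodes the persisted local audit table,
	// failing the test if it is missing or cannot be decoded.
	readLocalTable := func() *MountTable {
		rawLocal, err := c.barrier.Get(ctx, coreLocalAuditConfigPath)
		if err != nil {
			t.Fatal(err)
		}
		if rawLocal == nil {
			t.Fatal("expected non-nil local audit")
		}
		table := &MountTable{}
		if err := jsonutil.DecodeJSON(rawLocal.Value, table); err != nil {
			t.Fatal(err)
		}
		return table
	}

	// Nothing is marked Local yet, so the local table must be empty.
	localAuditTable := readLocalTable()
	if len(localAuditTable.Entries) > 0 {
		t.Fatalf("expected no entries in local audit table, got %#v", localAuditTable)
	}

	// Flag one entry as Local and persist; it must move into the local table.
	c.audit.Entries[1].Local = true
	if err := c.persistAudit(ctx, c.audit, false); err != nil {
		t.Fatal(err)
	}
	localAuditTable = readLocalTable()
	if len(localAuditTable.Entries) != 1 {
		t.Fatalf("expected one entry in local audit table, got %#v", localAuditTable)
	}

	// Reloading from storage must recombine both tables into the original.
	oldAudit := c.audit
	if err := c.loadAudits(ctx); err != nil {
		t.Fatal(err)
	}
	if !reflect.DeepEqual(oldAudit, c.audit) {
		t.Fatalf("expected\n%#v\ngot\n%#v\n", oldAudit, c.audit)
	}
	if len(c.audit.Entries) != 2 {
		t.Fatalf("expected two audit entries, got %#v", c.audit)
	}
}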
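// TestCore_DisableAudit enables and then disables a noop audit backend,
// checking that the broker no longer has it registered and that a second core
// booted from the same storage ends up with an identical audit table.
//
// The post-disable registration check uses the slash-terminated path the
// broker registers under ("foo/", as asserted in TestCore_EnableAudit); a
// check on "foo" passes trivially even while the backend is still registered.
func TestCore_DisableAudit(t *testing.T) {
	c, keys, _ := TestCoreUnsealed(t)
	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
		return &NoopAudit{Config: config}, nil
	}

	// NOTE(review): with existed false this condition can never trigger, so
	// the error from disabling a path that was never enabled is effectively
	// ignored — confirm disableAudit's contract for a missing path before
	// tightening this.
	existed, err := c.disableAudit(namespace.RootContext(nil), "foo", true)
	if existed && err != nil {
		t.Fatalf("existed: %v; err: %v", existed, err)
	}

	me := &MountEntry{Table: auditTableType, Path: "foo", Type: "noop"}
	if err = c.enableAudit(namespace.RootContext(nil), me, true); err != nil {
		t.Fatalf("err: %v", err)
	}

	existed, err = c.disableAudit(namespace.RootContext(nil), "foo", true)
	if !existed || err != nil {
		t.Fatalf("existed: %v; err: %v", existed, err)
	}

	// Check for registration under the path the broker actually uses.
	if c.auditBroker.IsRegistered("foo/") {
		t.Fatalf("audit backend present")
	}

	conf := &CoreConfig{
		Physical:     c.physical,
		DisableMlock: true,
	}
	c2, err := NewCore(conf)
	if err != nil {
		t.Fatalf("err: %v", err)
	}
	for i, key := range keys {
		unseal, err := TestCoreUnseal(c2, key)
		if err != nil {
			t.Fatalf("err: %v", err)
		}
		// Only the last key share is expected to complete the unseal.
		if i+1 == len(keys) && !unseal {
			t.Fatalf("should be unsealed")
		}
	}

	// Verify matching mount tables
	if !reflect.DeepEqual(c.audit, c2.audit) {
		t.Fatalf("mismatch:\n%#v\n%#v", c.audit, c2.audit)
	}
}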
// TestCore_DefaultAuditTable checks that a fresh core starts with the default
// (empty) audit table and a non-nil audit broker, and that a second core
// unsealed on the same storage ends up with an identical audit table.
func TestCore_DefaultAuditTable(t *testing.T) {
	c, keys, _ := TestCoreUnsealed(t)
	verifyDefaultAuditTable(t, c.audit)

	if c.auditBroker == nil {
		t.Fatalf("missing audit broker")
	}

	// Second core on the same physical backend.
	c2, err := NewCore(&CoreConfig{
		Physical:     c.physical,
		DisableMlock: true,
	})
	if err != nil {
		t.Fatalf("err: %v", err)
	}

	last := len(keys) - 1
	for i, key := range keys {
		unsealed, err := TestCoreUnseal(c2, key)
		if err != nil {
			t.Fatalf("err: %v", err)
		}
		// Only the final key share is expected to complete the unseal.
		if i == last && !unsealed {
			t.Fatalf("should be unsealed")
		}
	}

	// Verify matching mount tables
	if !reflect.DeepEqual(c.audit, c2.audit) {
		t.Fatalf("mismatch: %v %v", c.audit, c2.audit)
	}
}
// TestDefaultAuditTable checks that defaultAuditTable returns an empty table
// of the audit type.
func TestDefaultAuditTable(t *testing.T) {
	verifyDefaultAuditTable(t, defaultAuditTable())
}
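// verifyDefaultAuditTable fails the test unless table is a default audit
// table: non-nil, of type auditTableType and with no entries.
func verifyDefaultAuditTable(t *testing.T, table *MountTable) {
	// Report a nil table explicitly instead of panicking on the field reads.
	if table == nil {
		t.Fatalf("bad: nil audit table")
	}
	if len(table.Entries) != 0 {
		t.Fatalf("bad: %v", table.Entries)
	}
	if table.Type != auditTableType {
		t.Fatalf("bad: %v", *table)
	}
}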
// TestAuditBroker_LogRequest fans a request out to two registered noop
// backends and checks each saw an unmodified copy of the auth, request and
// outer error. It then checks the broker tolerates one failing backend but
// reports an error once every backend fails.
func TestAuditBroker_LogRequest(t *testing.T) {
	b := NewAuditBroker(logging.NewVaultLogger(log.Trace))
	a1, a2 := &NoopAudit{}, &NoopAudit{}
	b.Register("foo", a1, nil, false)
	b.Register("bar", a2, nil, false)

	auth := &logical.Auth{
		ClientToken: "foo",
		Policies:    []string{"dev", "ops"},
		Metadata: map[string]string{
			"user":   "armon",
			"source": "github",
		},
	}
	req := &logical.Request{
		Operation: logical.ReadOperation,
		Path:      "sys/mounts",
	}

	// mustCopy deep-copies v so the originals can later be compared against
	// what the backends received, proving the broker did not mutate its input.
	mustCopy := func(v interface{}) interface{} {
		out, err := copystructure.Copy(v)
		if err != nil {
			t.Fatal(err)
		}
		return out
	}
	authCopy := mustCopy(auth).(*logical.Auth)
	reqCopy := mustCopy(req).(*logical.Request)

	// Create an identifier for the request to verify against
	id, err := uuid.GenerateUUID()
	if err != nil {
		t.Fatalf("failed to generate identifier for the request: path%s err: %v", req.Path, err)
	}
	req.ID = id
	reqCopy.ID = id

	reqErrs := errors.New("errs")
	headersConf := &AuditedHeadersConfig{
		Headers: make(map[string]*auditedHeaderSettings),
	}

	logInput := &audit.LogInput{
		Auth:     authCopy,
		Request:  reqCopy,
		OuterErr: reqErrs,
	}
	if err := b.LogRequest(context.Background(), logInput, headersConf); err != nil {
		t.Fatalf("err: %v", err)
	}

	for _, a := range []*NoopAudit{a1, a2} {
		switch {
		case !reflect.DeepEqual(a.ReqAuth[0], auth):
			t.Fatalf("Bad: %#v", a.ReqAuth[0])
		case !reflect.DeepEqual(a.Req[0], req):
			t.Fatalf("Bad: %#v\n wanted %#v", a.Req[0], req)
		case !reflect.DeepEqual(a.ReqErrs[0], reqErrs):
			t.Fatalf("Bad: %#v", a.ReqErrs[0])
		}
	}

	// Should still work with one failing backend
	a1.ReqErr = fmt.Errorf("failed")
	logInput = &audit.LogInput{Auth: auth, Request: req}
	if err := b.LogRequest(context.Background(), logInput, headersConf); err != nil {
		t.Fatalf("err: %v", err)
	}

	// Should fail once both backends fail
	a2.ReqErr = fmt.Errorf("failed")
	err = b.LogRequest(context.Background(), logInput, headersConf)
	if !errwrap.Contains(err, "no audit backend succeeded in logging the request") {
		t.Fatalf("err: %v", err)
	}
}
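// TestAuditBroker_LogResponse fans a response out to two registered noop
// backends and checks each saw an unmodified copy of the auth, request,
// response and outer error. It then checks the broker tolerates one failing
// backend but reports an error once every backend fails.
//
// Failure messages print the Resp* fields that were actually compared: the
// Req* fields are never populated by LogResponse, so indexing them inside a
// Fatalf would panic with an index-out-of-range instead of reporting the
// mismatch. The final check also guards against a nil error before calling
// err.Error().
func TestAuditBroker_LogResponse(t *testing.T) {
	l := logging.NewVaultLogger(log.Trace)
	b := NewAuditBroker(l)
	a1 := &NoopAudit{}
	a2 := &NoopAudit{}
	b.Register("foo", a1, nil, false)
	b.Register("bar", a2, nil, false)

	auth := &logical.Auth{
		NumUses:     10,
		ClientToken: "foo",
		Policies:    []string{"dev", "ops"},
		Metadata: map[string]string{
			"user":   "armon",
			"source": "github",
		},
	}
	req := &logical.Request{
		Operation: logical.ReadOperation,
		Path:      "sys/mounts",
	}
	resp := &logical.Response{
		Secret: &logical.Secret{
			LeaseOptions: logical.LeaseOptions{
				TTL: 1 * time.Hour,
			},
		},
		Data: map[string]interface{}{
			"user":     "root",
			"password": "password",
		},
	}
	respErr := fmt.Errorf("permission denied")

	// Copy so we can verify nothing changed
	mustCopy := func(v interface{}) interface{} {
		out, err := copystructure.Copy(v)
		if err != nil {
			t.Fatal(err)
		}
		return out
	}
	authCopy := mustCopy(auth).(*logical.Auth)
	reqCopy := mustCopy(req).(*logical.Request)
	respCopy := mustCopy(resp).(*logical.Response)

	headersConf := &AuditedHeadersConfig{
		Headers: make(map[string]*auditedHeaderSettings),
	}

	logInput := &audit.LogInput{
		Auth:     authCopy,
		Request:  reqCopy,
		Response: respCopy,
		OuterErr: respErr,
	}
	if err := b.LogResponse(context.Background(), logInput, headersConf); err != nil {
		t.Fatalf("err: %v", err)
	}

	for _, a := range []*NoopAudit{a1, a2} {
		if !reflect.DeepEqual(a.RespAuth[0], auth) {
			t.Fatalf("Bad: %#v", a.RespAuth[0])
		}
		if !reflect.DeepEqual(a.RespReq[0], req) {
			t.Fatalf("Bad: %#v", a.RespReq[0])
		}
		if !reflect.DeepEqual(a.Resp[0], resp) {
			t.Fatalf("Bad: %#v", a.Resp[0])
		}
		if !reflect.DeepEqual(a.RespErrs[0], respErr) {
			t.Fatalf("Expected\n%v\nGot\n%#v", respErr, a.RespErrs[0])
		}
	}

	// Should still work with one failing backend
	a1.RespErr = fmt.Errorf("failed")
	logInput = &audit.LogInput{
		Auth:     auth,
		Request:  req,
		Response: resp,
		OuterErr: respErr,
	}
	if err := b.LogResponse(context.Background(), logInput, headersConf); err != nil {
		t.Fatalf("err: %v", err)
	}

	// Should fail once both backends fail. A nil error is reported as a
	// failure rather than dereferenced.
	a2.RespErr = fmt.Errorf("failed")
	err := b.LogResponse(context.Background(), logInput, headersConf)
	if err == nil || !strings.Contains(err.Error(), "no audit backend succeeded in logging the response") {
		t.Fatalf("err: %v", err)
	}
}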
// TestAuditBroker_AuditHeaders configures two audited headers and checks that
// each backend receives exactly those headers, lower-cased, with the
// unconfigured Content-Type header absent. It then checks the broker tolerates
// one failing backend but reports an error once both fail.
func TestAuditBroker_AuditHeaders(t *testing.T) {
	logger := logging.NewVaultLogger(log.Trace)
	b := NewAuditBroker(logger)
	_, barrier, _ := mockBarrier(t)
	view := NewBarrierView(barrier, "headers/")
	a1 := &NoopAudit{}
	a2 := &NoopAudit{}
	b.Register("foo", a1, nil, false)
	b.Register("bar", a2, nil, false)

	auth := &logical.Auth{
		ClientToken: "foo",
		Policies:    []string{"dev", "ops"},
		Metadata: map[string]string{
			"user":   "armon",
			"source": "github",
		},
	}
	req := &logical.Request{
		Operation: logical.ReadOperation,
		Path:      "sys/mounts",
		Headers: map[string][]string{
			"X-Test-Header":  {"foo"},
			"X-Vault-Header": {"bar"},
			"Content-Type":   {"baz"},
		},
	}
	respErr := fmt.Errorf("permission denied")

	// Copy so we can verify nothing changed
	reqCopyRaw, err := copystructure.Copy(req)
	if err != nil {
		t.Fatal(err)
	}
	reqCopy := reqCopyRaw.(*logical.Request)

	ctx := context.Background()
	headersConf := &AuditedHeadersConfig{view: view}
	for _, h := range []string{"X-Test-Header", "X-Vault-Header"} {
		headersConf.add(ctx, h, false)
	}

	logInput := &audit.LogInput{
		Auth:     auth,
		Request:  reqCopy,
		OuterErr: respErr,
	}
	if err = b.LogRequest(ctx, logInput, headersConf); err != nil {
		t.Fatalf("err: %v", err)
	}

	// Audited header names arrive lower-cased; Content-Type was not configured.
	expected := map[string][]string{
		"x-test-header":  {"foo"},
		"x-vault-header": {"bar"},
	}
	for _, a := range []*NoopAudit{a1, a2} {
		if !reflect.DeepEqual(a.ReqHeaders[0], expected) {
			t.Fatalf("Bad audited headers: %#v", a.Req[0].Headers)
		}
	}

	// Should still work with one failing backend
	a1.ReqErr = fmt.Errorf("failed")
	logInput = &audit.LogInput{
		Auth:     auth,
		Request:  req,
		OuterErr: respErr,
	}
	if err = b.LogRequest(ctx, logInput, headersConf); err != nil {
		t.Fatalf("err: %v", err)
	}

	// Should fail once both backends fail
	a2.ReqErr = fmt.Errorf("failed")
	err = b.LogRequest(ctx, logInput, headersConf)
	if !errwrap.Contains(err, "no audit backend succeeded in logging the request") {
		t.Fatalf("err: %v", err)
	}
}