open-vault/audit/format_json.go

package audit

import (
	"encoding/json"
	"io"
	"time"

	"github.com/hashicorp/vault/logical"
)

// FormatJSON is a Formatter implementation that structures data into
// a JSON format.
type FormatJSON struct{}

func (f *FormatJSON) FormatRequest(
	w io.Writer,
	auth *logical.Auth,
	req *logical.Request,
	err error) error {

	// If auth is nil, make an empty one
	if auth == nil {
		auth = new(logical.Auth)
	}
	var errString string
	if err != nil {
		errString = err.Error()
	}

	// Encode!
	enc := json.NewEncoder(w)
	return enc.Encode(&JSONRequestEntry{
		Time:  time.Now().UTC().Format(time.RFC3339Nano),
		Type:  "request",
		Error: errString,

		Auth: JSONAuth{
			DisplayName: auth.DisplayName,
			Policies:    auth.Policies,
			Metadata:    auth.Metadata,
		},

		Request: JSONRequest{
			ClientToken: req.ClientToken,
			ID:          req.ID,
			Operation:   req.Operation,
			Path:        req.Path,
			Data:        req.Data,
			RemoteAddr:  getRemoteAddr(req),
			WrapTTL:     int(req.WrapTTL / time.Second),
		},
	})
}

func (f *FormatJSON) FormatResponse(
	w io.Writer,
	auth *logical.Auth,
	req *logical.Request,
	resp *logical.Response,
	err error) error {
	// If things are nil, make empty to avoid panics
	if auth == nil {
		auth = new(logical.Auth)
	}
	if resp == nil {
		resp = new(logical.Response)
	}
	var errString string
	if err != nil {
		errString = err.Error()
	}

	var respAuth *JSONAuth
	if resp.Auth != nil {
		respAuth = &JSONAuth{
			ClientToken: resp.Auth.ClientToken,
			Accessor:    resp.Auth.Accessor,
			DisplayName: resp.Auth.DisplayName,
			Policies:    resp.Auth.Policies,
			Metadata:    resp.Auth.Metadata,
		}
	}

	var respSecret *JSONSecret
	if resp.Secret != nil {
		respSecret = &JSONSecret{
			LeaseID: resp.Secret.LeaseID,
		}
	}

	var respWrapInfo *JSONWrapInfo
	if resp.WrapInfo != nil {
		respWrapInfo = &JSONWrapInfo{
			TTL:             int(resp.WrapInfo.TTL / time.Second),
			Token:           resp.WrapInfo.Token,
			CreationTime:    resp.WrapInfo.CreationTime,
			WrappedAccessor: resp.WrapInfo.WrappedAccessor,
		}
	}

	// Encode!
	enc := json.NewEncoder(w)
	return enc.Encode(&JSONResponseEntry{
		Time:  time.Now().UTC().Format(time.RFC3339Nano),
		Type:  "response",
		Error: errString,

		Auth: JSONAuth{
			DisplayName: auth.DisplayName,
			Policies:    auth.Policies,
			Metadata:    auth.Metadata,
		},

		Request: JSONRequest{
			ClientToken: req.ClientToken,
			ID:          req.ID,
			Operation:   req.Operation,
			Path:        req.Path,
			Data:        req.Data,
			RemoteAddr:  getRemoteAddr(req),
			WrapTTL:     int(req.WrapTTL / time.Second),
		},

		Response: JSONResponse{
			Auth:     respAuth,
			Secret:   respSecret,
			Data:     resp.Data,
			Redirect: resp.Redirect,
			WrapInfo: respWrapInfo,
		},
	})
}

// JSONRequest is the structure of a request audit log entry in JSON.
type JSONRequestEntry struct {
	Time    string      `json:"time"`
	Type    string      `json:"type"`
	Auth    JSONAuth    `json:"auth"`
	Request JSONRequest `json:"request"`
	Error   string      `json:"error"`
}

// JSONResponseEntry is the structure of a response audit log entry in JSON.
type JSONResponseEntry struct {
	Time     string       `json:"time"`
	Type     string       `json:"type"`
	Error    string       `json:"error"`
	Auth     JSONAuth     `json:"auth"`
	Request  JSONRequest  `json:"request"`
	Response JSONResponse `json:"response"`
}

type JSONRequest struct {
	ID          string                 `json:"id"`
	Operation   logical.Operation      `json:"operation"`
	ClientToken string                 `json:"client_token"`
	Path        string                 `json:"path"`
	Data        map[string]interface{} `json:"data"`
	RemoteAddr  string                 `json:"remote_address"`
	WrapTTL     int                    `json:"wrap_ttl"`
}

type JSONResponse struct {
	Auth     *JSONAuth              `json:"auth,omitempty"`
	Secret   *JSONSecret            `json:"secret,emitempty"`
	Data     map[string]interface{} `json:"data"`
	Redirect string                 `json:"redirect"`
	WrapInfo *JSONWrapInfo          `json:"wrap_info,omitempty"`
}

type JSONAuth struct {
	ClientToken string            `json:"client_token,omitempty"`
	Accessor    string            `json:"accessor,omitempty"`
	DisplayName string            `json:"display_name"`
	Policies    []string          `json:"policies"`
	Metadata    map[string]string `json:"metadata"`
}

type JSONSecret struct {
	LeaseID string `json:"lease_id"`
}

type JSONWrapInfo struct {
	TTL             int       `json:"ttl"`
	Token           string    `json:"token"`
	CreationTime    time.Time `json:"creation_time"`
	WrappedAccessor string    `json:"wrapped_accessor,omitempty"`
}

// getRemoteAddr safely gets the remote address avoiding a nil pointer
func getRemoteAddr(req *logical.Request) string {
	if req != nil && req.Connection != nil {
		return req.Connection.RemoteAddr
	}
	return ""
}
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`package audit`

			`import (`
			`"encoding/json"`
			`"io"`
add a time field to the log entries 2015-08-05 13:47:39 +00:00			`"time"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00
			`"github.com/hashicorp/vault/logical"`
			`)`

Logging authentication errors and bad token usage 2015-06-19 01:30:18 +00:00			`// FormatJSON is a Formatter implementation that structures data into`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`// a JSON format.`
			`type FormatJSON struct{}`

			`func (f *FormatJSON) FormatRequest(`
			`w io.Writer,`
Logging authentication errors and bad token usage 2015-06-19 01:30:18 +00:00			`auth *logical.Auth,`
			`req *logical.Request,`
			`err error) error {`

audit: JSON formatter 2015-04-13 21:12:03 +00:00			`// If auth is nil, make an empty one`
			`if auth == nil {`
			`auth = new(logical.Auth)`
			`}`
vault: cleanups for the audit log changes 2015-06-29 22:27:28 +00:00			`var errString string`
			`if err != nil {`
			`errString = err.Error()`
Logging authentication errors and bad token usage 2015-06-19 01:30:18 +00:00			`}`
audit: JSON formatter 2015-04-13 21:12:03 +00:00
			`// Encode!`
			`enc := json.NewEncoder(w)`
			`return enc.Encode(&JSONRequestEntry{`
Use RFC3339Nano for better precision 2016-07-25 18:11:57 +00:00			`Time: time.Now().UTC().Format(time.RFC3339Nano),`
vault: cleanups for the audit log changes 2015-06-29 22:27:28 +00:00			`Type: "request",`
			`Error: errString,`
audit/file: append 2015-04-20 05:43:39 +00:00
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`Auth: JSONAuth{`
audit: add display name to auth [GH-176] 2015-05-11 17:40:32 +00:00			`DisplayName: auth.DisplayName,`
			`Policies: auth.Policies,`
			`Metadata: auth.Metadata,`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`},`

			`Request: JSONRequest{`
Write HMAC-SHA256'd client token to audited requests Fixes #713 2015-10-29 17:24:30 +00:00			`ClientToken: req.ClientToken,`
fixes based proper interpretation of comments 2016-07-26 16:20:27 +00:00			`ID: req.ID,`
Write HMAC-SHA256'd client token to audited requests Fixes #713 2015-10-29 17:24:30 +00:00			`Operation: req.Operation,`
			`Path: req.Path,`
			`Data: req.Data,`
			`RemoteAddr: getRemoteAddr(req),`
Add creation time to returned wrapped token info This makes it easier to understand the expected lifetime without a lookup call that uses the single use left on the token. This also adds a couple of safety checks and for JSON uses int, rather than int64, for the TTL for the wrapped token. 2016-06-07 19:00:35 +00:00			`WrapTTL: int(req.WrapTTL / time.Second),`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`},`
			`})`
			`}`

			`func (f *FormatJSON) FormatResponse(`
			`w io.Writer,`
			`auth *logical.Auth,`
			`req *logical.Request,`
			`resp *logical.Response,`
			`err error) error {`
			`// If things are nil, make empty to avoid panics`
			`if auth == nil {`
			`auth = new(logical.Auth)`
			`}`
			`if resp == nil {`
			`resp = new(logical.Response)`
			`}`
vault: cleanups for the audit log changes 2015-06-29 22:27:28 +00:00			`var errString string`
			`if err != nil {`
			`errString = err.Error()`
Adding error and remote_address to audit log lines 2015-06-19 00:17:18 +00:00			`}`
audit: JSON formatter 2015-04-13 21:12:03 +00:00
Actually not logging auth in the response if nil 2015-06-19 02:48:00 +00:00			`var respAuth *JSONAuth`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`if resp.Auth != nil {`
Actually not logging auth in the response if nil 2015-06-19 02:48:00 +00:00			`respAuth = &JSONAuth{`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`ClientToken: resp.Auth.ClientToken,`
Enable printing of accessor in audit logs 2016-03-09 21:18:36 +00:00			`Accessor: resp.Auth.Accessor,`
audit: add display name to auth [GH-176] 2015-05-11 17:40:32 +00:00			`DisplayName: resp.Auth.DisplayName,`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`Policies: resp.Auth.Policies,`
			`Metadata: resp.Auth.Metadata,`
			`}`
			`}`

Actually not logging auth in the response if nil 2015-06-19 02:48:00 +00:00			`var respSecret *JSONSecret`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`if resp.Secret != nil {`
Actually not logging auth in the response if nil 2015-06-19 02:48:00 +00:00			`respSecret = &JSONSecret{`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`LeaseID: resp.Secret.LeaseID,`
			`}`
			`}`

Audit wrap info 2016-05-07 23:19:19 +00:00			`var respWrapInfo *JSONWrapInfo`
			`if resp.WrapInfo != nil {`
			`respWrapInfo = &JSONWrapInfo{`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			`TTL: int(resp.WrapInfo.TTL / time.Second),`
			`Token: resp.WrapInfo.Token,`
			`CreationTime: resp.WrapInfo.CreationTime,`
			`WrappedAccessor: resp.WrapInfo.WrappedAccessor,`
Audit wrap info 2016-05-07 23:19:19 +00:00			`}`
			`}`

audit: JSON formatter 2015-04-13 21:12:03 +00:00			`// Encode!`
			`enc := json.NewEncoder(w)`
			`return enc.Encode(&JSONResponseEntry{`
Use RFC3339Nano for better precision 2016-07-25 18:11:57 +00:00			`Time: time.Now().UTC().Format(time.RFC3339Nano),`
vault: cleanups for the audit log changes 2015-06-29 22:27:28 +00:00			`Type: "response",`
			`Error: errString,`
audit/file: append 2015-04-20 05:43:39 +00:00
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`Auth: JSONAuth{`
Add DisplayName to request audit object in response audit object 2016-05-07 22:57:38 +00:00			`DisplayName: auth.DisplayName,`
			`Policies: auth.Policies,`
			`Metadata: auth.Metadata,`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`},`

			`Request: JSONRequest{`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			`ClientToken: req.ClientToken,`
fixes based proper interpretation of comments 2016-07-26 16:20:27 +00:00			`ID: req.ID,`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			`Operation: req.Operation,`
			`Path: req.Path,`
			`Data: req.Data,`
			`RemoteAddr: getRemoteAddr(req),`
			`WrapTTL: int(req.WrapTTL / time.Second),`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`},`

			`Response: JSONResponse{`
			`Auth: respAuth,`
			`Secret: respSecret,`
			`Data: resp.Data,`
			`Redirect: resp.Redirect,`
Audit wrap info 2016-05-07 23:19:19 +00:00			`WrapInfo: respWrapInfo,`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`},`
			`})`
			`}`

			`// JSONRequest is the structure of a request audit log entry in JSON.`
			`type JSONRequestEntry struct {`
Write HMAC-SHA256'd client token to audited requests Fixes #713 2015-10-29 17:24:30 +00:00			Time string `json:"time"`
			Type string `json:"type"`
			Auth JSONAuth `json:"auth"`
			Request JSONRequest `json:"request"`
			Error string `json:"error"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`}`

			`// JSONResponseEntry is the structure of a response audit log entry in JSON.`
			`type JSONResponseEntry struct {`
add a time field to the log entries 2015-08-05 13:47:39 +00:00			Time string `json:"time"`
audit/file: append 2015-04-20 05:43:39 +00:00			Type string `json:"type"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			Error string `json:"error"`
			Auth JSONAuth `json:"auth"`
			Request JSONRequest `json:"request"`
audit/file: append 2015-04-20 05:43:39 +00:00			Response JSONResponse `json:"response"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`}`

			`type JSONRequest struct {`
fixes based proper interpretation of comments 2016-07-26 16:20:27 +00:00			ID string `json:"id"`
Write HMAC-SHA256'd client token to audited requests Fixes #713 2015-10-29 17:24:30 +00:00			Operation logical.Operation `json:"operation"`
			ClientToken string `json:"client_token"`
			Path string `json:"path"`
			Data map[string]interface{} `json:"data"`
			RemoteAddr string `json:"remote_address"`
Add creation time to returned wrapped token info This makes it easier to understand the expected lifetime without a lookup call that uses the single use left on the token. This also adds a couple of safety checks and for JSON uses int, rather than int64, for the TTL for the wrapped token. 2016-06-07 19:00:35 +00:00			WrapTTL int `json:"wrap_ttl"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`}`

			`type JSONResponse struct {`
vault: cleanups for the audit log changes 2015-06-29 22:27:28 +00:00			Auth *JSONAuth `json:"auth,omitempty"`
			Secret *JSONSecret `json:"secret,emitempty"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			Data map[string]interface{} `json:"data"`
			Redirect string `json:"redirect"`
Audit wrap info 2016-05-07 23:19:19 +00:00			WrapInfo *JSONWrapInfo `json:"wrap_info,omitempty"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`}`

			`type JSONAuth struct {`
audit: add display name to auth [GH-176] 2015-05-11 17:40:32 +00:00			ClientToken string `json:"client_token,omitempty"`
Enable printing of accessor in audit logs 2016-03-09 21:18:36 +00:00			Accessor string `json:"accessor,omitempty"`
audit: add display name to auth [GH-176] 2015-05-11 17:40:32 +00:00			DisplayName string `json:"display_name"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			Policies []string `json:"policies"`
			Metadata map[string]string `json:"metadata"`
			`}`

			`type JSONSecret struct {`
			LeaseID string `json:"lease_id"`
			`}`
vault: cleanups for the audit log changes 2015-06-29 22:27:28 +00:00
Audit wrap info 2016-05-07 23:19:19 +00:00			`type JSONWrapInfo struct {`
Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00			TTL int `json:"ttl"`
			Token string `json:"token"`
			CreationTime time.Time `json:"creation_time"`
			WrappedAccessor string `json:"wrapped_accessor,omitempty"`
Audit wrap info 2016-05-07 23:19:19 +00:00			`}`

vault: cleanups for the audit log changes 2015-06-29 22:27:28 +00:00			`// getRemoteAddr safely gets the remote address avoiding a nil pointer`
			`func getRemoteAddr(req *logical.Request) string {`
			`if req != nil && req.Connection != nil {`
			`return req.Connection.RemoteAddr`
			`}`
			`return ""`
			`}`