2023-03-15 16:00:52 +00:00
|
|
|
// Copyright (c) HashiCorp, Inc.
|
|
|
|
// SPDX-License-Identifier: MPL-2.0
|
|
|
|
|
2015-03-16 02:34:47 +00:00
|
|
|
package http
|
|
|
|
|
|
|
|
import (
|
2015-05-27 21:19:12 +00:00
|
|
|
"bytes"
|
2019-07-05 21:15:14 +00:00
|
|
|
"context"
|
2016-07-06 16:25:40 +00:00
|
|
|
"encoding/json"
|
2015-05-27 21:19:12 +00:00
|
|
|
"io"
|
2018-02-21 22:22:21 +00:00
|
|
|
"io/ioutil"
|
2017-02-17 04:23:32 +00:00
|
|
|
"net/http"
|
2018-02-21 22:22:21 +00:00
|
|
|
"net/http/httptest"
|
2023-04-06 07:41:07 +00:00
|
|
|
"os"
|
2015-03-16 02:34:47 +00:00
|
|
|
"reflect"
|
2016-07-06 16:25:40 +00:00
|
|
|
"strconv"
|
2017-02-17 04:23:32 +00:00
|
|
|
"strings"
|
2015-03-16 02:34:47 +00:00
|
|
|
"testing"
|
2015-04-05 00:42:19 +00:00
|
|
|
"time"
|
2015-03-16 02:34:47 +00:00
|
|
|
|
Add remote_port in the audit logs when it is available (#12790)
* Add remote_port in the audit logs when it is available
The `request.remote_port` field is now present in the audit log when it
is available:
```
{
"time": "2021-10-10T13:53:51.760039Z",
"type": "response",
"auth": {
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"display_name": "root",
"policies": [
"root"
],
"token_policies": [
"root"
],
"token_type": "service",
"token_issue_time": "2021-10-10T15:53:44+02:00"
},
"request": {
"id": "829c04a1-0352-2d9d-9bc9-00b928d33df5",
"operation": "update",
"mount_type": "system",
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"namespace": {
"id": "root"
},
"path": "sys/audit/file",
"data": {
"description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b",
"local": false,
"options": {
"file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3"
},
"type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc"
},
"remote_address": "127.0.0.1",
"remote_port": 54798
},
"response": {
"mount_type": "system"
}
}
```
Closes https://github.com/hashicorp/vault/issues/7716
* Add changelog entry
* Empty commit to trigger CI
* Add test and explicit error handling
* Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
|
|
|
kv "github.com/hashicorp/vault-plugin-secrets-kv"
|
|
|
|
"github.com/hashicorp/vault/api"
|
|
|
|
auditFile "github.com/hashicorp/vault/builtin/audit/file"
|
2022-03-30 13:08:02 +00:00
|
|
|
credUserpass "github.com/hashicorp/vault/builtin/credential/userpass"
|
2023-02-01 13:33:16 +00:00
|
|
|
"github.com/hashicorp/vault/helper/testhelpers/corehelpers"
|
2021-02-12 20:04:48 +00:00
|
|
|
"github.com/hashicorp/vault/internalshared/configutil"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/consts"
|
|
|
|
"github.com/hashicorp/vault/sdk/helper/logging"
|
|
|
|
"github.com/hashicorp/vault/sdk/logical"
|
|
|
|
"github.com/hashicorp/vault/sdk/physical"
|
|
|
|
"github.com/hashicorp/vault/sdk/physical/inmem"
|
|
|
|
|
2018-10-15 16:56:24 +00:00
|
|
|
"github.com/go-test/deep"
|
2018-04-03 00:46:59 +00:00
|
|
|
log "github.com/hashicorp/go-hclog"
|
2016-08-19 20:45:17 +00:00
|
|
|
|
2019-07-05 21:15:14 +00:00
|
|
|
"github.com/hashicorp/vault/audit"
|
2019-04-13 07:44:06 +00:00
|
|
|
"github.com/hashicorp/vault/helper/namespace"
|
2015-03-16 02:34:47 +00:00
|
|
|
"github.com/hashicorp/vault/vault"
|
|
|
|
)
|
|
|
|
|
|
|
|
func TestLogical(t *testing.T) {
|
2015-03-29 23:14:54 +00:00
|
|
|
core, _, token := vault.TestCoreUnsealed(t)
|
2015-03-16 02:34:47 +00:00
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
2015-03-29 23:14:54 +00:00
|
|
|
TestServerAuth(t, addr, token)
|
2015-03-16 02:34:47 +00:00
|
|
|
|
2015-04-07 18:04:06 +00:00
|
|
|
// WRITE
|
2015-08-22 00:36:19 +00:00
|
|
|
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
|
2015-03-16 02:34:47 +00:00
|
|
|
"data": "bar",
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, 204)
|
|
|
|
|
2015-04-07 18:04:06 +00:00
|
|
|
// READ
|
2016-06-22 21:47:05 +00:00
|
|
|
// Bad token should return a 403
|
|
|
|
resp = testHttpGet(t, token+"bad", addr+"/v1/secret/foo")
|
|
|
|
testResponseStatus(t, resp, 403)
|
2015-03-16 02:34:47 +00:00
|
|
|
|
2016-06-22 21:47:05 +00:00
|
|
|
resp = testHttpGet(t, token, addr+"/v1/secret/foo")
|
2015-03-16 02:34:47 +00:00
|
|
|
var actual map[string]interface{}
|
2015-10-07 21:21:41 +00:00
|
|
|
var nilWarnings interface{}
|
2015-03-16 02:34:47 +00:00
|
|
|
expected := map[string]interface{}{
|
2015-03-16 20:29:51 +00:00
|
|
|
"renewable": false,
|
2016-09-28 22:32:49 +00:00
|
|
|
"lease_duration": json.Number(strconv.Itoa(int((32 * 24 * time.Hour) / time.Second))),
|
2015-03-16 02:34:47 +00:00
|
|
|
"data": map[string]interface{}{
|
|
|
|
"data": "bar",
|
|
|
|
},
|
2016-05-02 04:08:07 +00:00
|
|
|
"auth": nil,
|
|
|
|
"wrap_info": nil,
|
|
|
|
"warnings": nilWarnings,
|
2015-03-16 02:34:47 +00:00
|
|
|
}
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
testResponseBody(t, resp, &actual)
|
2015-04-08 20:35:32 +00:00
|
|
|
delete(actual, "lease_id")
|
2016-07-26 22:30:13 +00:00
|
|
|
expected["request_id"] = actual["request_id"]
|
2018-10-15 16:56:24 +00:00
|
|
|
if diff := deep.Equal(actual, expected); diff != nil {
|
|
|
|
t.Fatal(diff)
|
2015-03-16 02:34:47 +00:00
|
|
|
}
|
2015-04-07 18:04:06 +00:00
|
|
|
|
|
|
|
// DELETE
|
2015-08-22 00:36:19 +00:00
|
|
|
resp = testHttpDelete(t, token, addr+"/v1/secret/foo")
|
2015-04-07 18:04:06 +00:00
|
|
|
testResponseStatus(t, resp, 204)
|
|
|
|
|
2015-08-22 00:36:19 +00:00
|
|
|
resp = testHttpGet(t, token, addr+"/v1/secret/foo")
|
2015-04-07 18:04:06 +00:00
|
|
|
testResponseStatus(t, resp, 404)
|
2015-03-16 02:34:47 +00:00
|
|
|
}
|
2015-03-16 02:42:24 +00:00
|
|
|
|
|
|
|
func TestLogical_noExist(t *testing.T) {
|
2015-03-29 23:14:54 +00:00
|
|
|
core, _, token := vault.TestCoreUnsealed(t)
|
2015-03-16 02:42:24 +00:00
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
2015-03-29 23:14:54 +00:00
|
|
|
TestServerAuth(t, addr, token)
|
2015-03-16 02:42:24 +00:00
|
|
|
|
2015-08-22 00:36:19 +00:00
|
|
|
resp := testHttpGet(t, token, addr+"/v1/secret/foo")
|
2015-03-16 02:42:24 +00:00
|
|
|
testResponseStatus(t, resp, 404)
|
|
|
|
}
|
2015-04-19 20:18:09 +00:00
|
|
|
|
|
|
|
func TestLogical_StandbyRedirect(t *testing.T) {
|
|
|
|
ln1, addr1 := TestListener(t)
|
|
|
|
defer ln1.Close()
|
|
|
|
ln2, addr2 := TestListener(t)
|
|
|
|
defer ln2.Close()
|
|
|
|
|
|
|
|
// Create an HA Vault
|
2018-04-03 00:46:59 +00:00
|
|
|
logger := logging.NewVaultLogger(log.Debug)
|
2016-08-19 20:45:17 +00:00
|
|
|
|
2017-08-03 17:24:27 +00:00
|
|
|
inmha, err := inmem.NewInmemHA(nil, logger)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2015-04-29 01:12:57 +00:00
|
|
|
conf := &vault.CoreConfig{
|
2016-08-15 13:42:42 +00:00
|
|
|
Physical: inmha,
|
2017-08-03 17:24:27 +00:00
|
|
|
HAPhysical: inmha.(physical.HABackend),
|
2016-08-15 13:42:42 +00:00
|
|
|
RedirectAddr: addr1,
|
|
|
|
DisableMlock: true,
|
2015-04-29 01:12:57 +00:00
|
|
|
}
|
2015-04-19 20:18:09 +00:00
|
|
|
core1, err := vault.NewCore(conf)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2021-02-12 20:04:48 +00:00
|
|
|
defer core1.Shutdown()
|
2017-01-17 20:43:10 +00:00
|
|
|
keys, root := vault.TestCoreInit(t, core1)
|
|
|
|
for _, key := range keys {
|
|
|
|
if _, err := core1.Unseal(vault.TestKeyCopy(key)); err != nil {
|
|
|
|
t.Fatalf("unseal err: %s", err)
|
|
|
|
}
|
2015-04-19 20:18:09 +00:00
|
|
|
}
|
|
|
|
|
2016-03-02 17:06:16 +00:00
|
|
|
// Attempt to fix raciness in this test by giving the first core a chance
|
|
|
|
// to grab the lock
|
2017-02-16 20:15:02 +00:00
|
|
|
time.Sleep(2 * time.Second)
|
2016-03-02 17:06:16 +00:00
|
|
|
|
2015-04-19 20:18:09 +00:00
|
|
|
// Create a second HA Vault
|
2015-04-29 01:12:57 +00:00
|
|
|
conf2 := &vault.CoreConfig{
|
2016-08-15 13:42:42 +00:00
|
|
|
Physical: inmha,
|
2017-08-03 17:24:27 +00:00
|
|
|
HAPhysical: inmha.(physical.HABackend),
|
2016-08-15 13:42:42 +00:00
|
|
|
RedirectAddr: addr2,
|
|
|
|
DisableMlock: true,
|
2015-04-29 01:12:57 +00:00
|
|
|
}
|
2015-04-19 20:18:09 +00:00
|
|
|
core2, err := vault.NewCore(conf2)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("err: %v", err)
|
|
|
|
}
|
2021-02-12 20:04:48 +00:00
|
|
|
defer core2.Shutdown()
|
2017-01-17 20:43:10 +00:00
|
|
|
for _, key := range keys {
|
|
|
|
if _, err := core2.Unseal(vault.TestKeyCopy(key)); err != nil {
|
|
|
|
t.Fatalf("unseal err: %s", err)
|
|
|
|
}
|
2015-04-19 20:18:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
TestServerWithListener(t, ln1, addr1, core1)
|
|
|
|
TestServerWithListener(t, ln2, addr2, core2)
|
|
|
|
TestServerAuth(t, addr1, root)
|
|
|
|
|
|
|
|
// WRITE to STANDBY
|
2017-01-17 20:43:10 +00:00
|
|
|
resp := testHttpPutDisableRedirect(t, root, addr2+"/v1/secret/foo", map[string]interface{}{
|
2015-04-19 20:18:09 +00:00
|
|
|
"data": "bar",
|
|
|
|
})
|
2018-04-03 00:46:59 +00:00
|
|
|
logger.Debug("307 test one starting")
|
2015-04-19 20:18:09 +00:00
|
|
|
testResponseStatus(t, resp, 307)
|
2018-04-03 00:46:59 +00:00
|
|
|
logger.Debug("307 test one stopping")
|
2015-04-19 20:18:09 +00:00
|
|
|
|
|
|
|
//// READ to standby
|
2015-08-22 00:36:19 +00:00
|
|
|
resp = testHttpGet(t, root, addr2+"/v1/auth/token/lookup-self")
|
2015-04-19 20:18:09 +00:00
|
|
|
var actual map[string]interface{}
|
2015-10-07 21:21:41 +00:00
|
|
|
var nilWarnings interface{}
|
2015-04-19 20:18:09 +00:00
|
|
|
expected := map[string]interface{}{
|
|
|
|
"renewable": false,
|
2016-07-06 16:25:40 +00:00
|
|
|
"lease_duration": json.Number("0"),
|
2015-04-19 20:18:09 +00:00
|
|
|
"data": map[string]interface{}{
|
2016-05-11 20:51:18 +00:00
|
|
|
"meta": nil,
|
2016-07-06 16:25:40 +00:00
|
|
|
"num_uses": json.Number("0"),
|
2016-05-11 20:51:18 +00:00
|
|
|
"path": "auth/token/root",
|
|
|
|
"policies": []interface{}{"root"},
|
|
|
|
"display_name": "root",
|
|
|
|
"orphan": true,
|
|
|
|
"id": root,
|
2016-07-06 16:25:40 +00:00
|
|
|
"ttl": json.Number("0"),
|
|
|
|
"creation_ttl": json.Number("0"),
|
|
|
|
"explicit_max_ttl": json.Number("0"),
|
2017-05-04 02:03:42 +00:00
|
|
|
"expire_time": nil,
|
2017-10-11 17:21:20 +00:00
|
|
|
"entity_id": "",
|
2018-10-15 16:56:24 +00:00
|
|
|
"type": "service",
|
2015-04-19 20:18:09 +00:00
|
|
|
},
|
2016-05-02 04:08:07 +00:00
|
|
|
"warnings": nilWarnings,
|
|
|
|
"wrap_info": nil,
|
|
|
|
"auth": nil,
|
2015-04-19 20:18:09 +00:00
|
|
|
}
|
2015-08-22 00:36:19 +00:00
|
|
|
|
2015-04-19 20:18:09 +00:00
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
testResponseBody(t, resp, &actual)
|
2015-09-18 20:33:52 +00:00
|
|
|
actualDataMap := actual["data"].(map[string]interface{})
|
|
|
|
delete(actualDataMap, "creation_time")
|
2016-03-09 18:45:36 +00:00
|
|
|
delete(actualDataMap, "accessor")
|
2015-09-18 20:33:52 +00:00
|
|
|
actual["data"] = actualDataMap
|
2016-07-26 22:30:13 +00:00
|
|
|
expected["request_id"] = actual["request_id"]
|
2015-04-19 20:18:09 +00:00
|
|
|
delete(actual, "lease_id")
|
2018-10-15 16:56:24 +00:00
|
|
|
if diff := deep.Equal(actual, expected); diff != nil {
|
|
|
|
t.Fatal(diff)
|
2015-04-19 20:18:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
//// DELETE to standby
|
2017-01-17 20:43:10 +00:00
|
|
|
resp = testHttpDeleteDisableRedirect(t, root, addr2+"/v1/secret/foo")
|
2018-04-03 00:46:59 +00:00
|
|
|
logger.Debug("307 test two starting")
|
2015-04-19 20:18:09 +00:00
|
|
|
testResponseStatus(t, resp, 307)
|
2018-04-03 00:46:59 +00:00
|
|
|
logger.Debug("307 test two stopping")
|
2015-04-19 20:18:09 +00:00
|
|
|
}
|
2015-04-27 22:17:59 +00:00
|
|
|
|
|
|
|
func TestLogical_CreateToken(t *testing.T) {
|
|
|
|
core, _, token := vault.TestCoreUnsealed(t)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
|
|
|
// WRITE
|
2015-08-22 00:36:19 +00:00
|
|
|
resp := testHttpPut(t, token, addr+"/v1/auth/token/create", map[string]interface{}{
|
2015-04-27 22:17:59 +00:00
|
|
|
"data": "bar",
|
|
|
|
})
|
|
|
|
|
|
|
|
var actual map[string]interface{}
|
|
|
|
expected := map[string]interface{}{
|
|
|
|
"lease_id": "",
|
|
|
|
"renewable": false,
|
2016-07-06 16:25:40 +00:00
|
|
|
"lease_duration": json.Number("0"),
|
2015-04-27 22:17:59 +00:00
|
|
|
"data": nil,
|
2016-05-02 04:08:07 +00:00
|
|
|
"wrap_info": nil,
|
2015-04-27 22:17:59 +00:00
|
|
|
"auth": map[string]interface{}{
|
2022-02-17 21:08:51 +00:00
|
|
|
"policies": []interface{}{"root"},
|
|
|
|
"token_policies": []interface{}{"root"},
|
|
|
|
"metadata": nil,
|
|
|
|
"lease_duration": json.Number("0"),
|
|
|
|
"renewable": false,
|
|
|
|
"entity_id": "",
|
|
|
|
"token_type": "service",
|
|
|
|
"orphan": false,
|
|
|
|
"mfa_requirement": nil,
|
|
|
|
"num_uses": json.Number("0"),
|
2015-04-27 22:17:59 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
testResponseBody(t, resp, &actual)
|
|
|
|
delete(actual["auth"].(map[string]interface{}), "client_token")
|
2016-03-09 18:45:36 +00:00
|
|
|
delete(actual["auth"].(map[string]interface{}), "accessor")
|
2022-04-11 13:57:12 +00:00
|
|
|
delete(actual, "warnings")
|
2016-07-26 22:30:13 +00:00
|
|
|
expected["request_id"] = actual["request_id"]
|
2015-04-27 22:17:59 +00:00
|
|
|
if !reflect.DeepEqual(actual, expected) {
|
2015-10-07 21:21:41 +00:00
|
|
|
t.Fatalf("bad:\nexpected:\n%#v\nactual:\n%#v", expected, actual)
|
2015-04-27 22:17:59 +00:00
|
|
|
}
|
|
|
|
}
|
2015-05-27 21:19:12 +00:00
|
|
|
|
|
|
|
func TestLogical_RawHTTP(t *testing.T) {
|
|
|
|
core, _, token := vault.TestCoreUnsealed(t)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
2015-08-22 00:36:19 +00:00
|
|
|
resp := testHttpPost(t, token, addr+"/v1/sys/mounts/foo", map[string]interface{}{
|
2015-05-27 21:19:12 +00:00
|
|
|
"type": "http",
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, 204)
|
|
|
|
|
|
|
|
// Get the raw response
|
2015-08-22 00:36:19 +00:00
|
|
|
resp = testHttpGet(t, token, addr+"/v1/foo/raw")
|
2015-05-27 21:19:12 +00:00
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
|
|
|
|
// Test the headers
|
|
|
|
if resp.Header.Get("Content-Type") != "plain/text" {
|
|
|
|
t.Fatalf("Bad: %#v", resp.Header)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Get the body
|
|
|
|
body := new(bytes.Buffer)
|
|
|
|
io.Copy(body, resp.Body)
|
|
|
|
if string(body.Bytes()) != "hello world" {
|
|
|
|
t.Fatalf("Bad: %s", body.Bytes())
|
|
|
|
}
|
|
|
|
}
|
2016-11-17 20:06:43 +00:00
|
|
|
|
|
|
|
func TestLogical_RequestSizeLimit(t *testing.T) {
|
|
|
|
core, _, token := vault.TestCoreUnsealed(t)
|
|
|
|
ln, addr := TestServer(t, core)
|
|
|
|
defer ln.Close()
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
2020-05-14 13:19:27 +00:00
|
|
|
// Write a very large object, should fail. This test works because Go will
|
|
|
|
// convert the byte slice to base64, which makes it significantly larger
|
|
|
|
// than the default max request size.
|
2016-11-17 20:06:43 +00:00
|
|
|
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
|
2018-07-06 19:44:56 +00:00
|
|
|
"data": make([]byte, DefaultMaxRequestSize),
|
2016-11-17 20:06:43 +00:00
|
|
|
})
|
2021-01-19 19:28:28 +00:00
|
|
|
testResponseStatus(t, resp, http.StatusRequestEntityTooLarge)
|
2016-11-17 20:06:43 +00:00
|
|
|
}
|
2021-04-08 16:43:39 +00:00
|
|
|
|
2021-01-19 19:28:28 +00:00
|
|
|
func TestLogical_RequestSizeDisableLimit(t *testing.T) {
|
|
|
|
core, _, token := vault.TestCoreUnsealed(t)
|
|
|
|
ln, addr := TestListener(t)
|
|
|
|
props := &vault.HandlerProperties{
|
|
|
|
Core: core,
|
|
|
|
ListenerConfig: &configutil.Listener{
|
|
|
|
MaxRequestSize: -1,
|
2021-02-12 20:04:48 +00:00
|
|
|
Address: "127.0.0.1",
|
|
|
|
TLSDisable: true,
|
2021-01-19 19:28:28 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
TestServerWithListenerAndProperties(t, ln, addr, core, props)
|
|
|
|
|
|
|
|
defer ln.Close()
|
|
|
|
TestServerAuth(t, addr, token)
|
|
|
|
|
|
|
|
// Write a very large object, should pass as MaxRequestSize set to -1/Negative value
|
|
|
|
|
|
|
|
resp := testHttpPut(t, token, addr+"/v1/secret/foo", map[string]interface{}{
|
|
|
|
"data": make([]byte, DefaultMaxRequestSize),
|
|
|
|
})
|
2021-02-12 20:04:48 +00:00
|
|
|
testResponseStatus(t, resp, http.StatusNoContent)
|
2021-01-19 19:28:28 +00:00
|
|
|
}
|
|
|
|
|
2017-02-17 04:23:32 +00:00
|
|
|
func TestLogical_ListSuffix(t *testing.T) {
|
2018-09-18 03:03:00 +00:00
|
|
|
core, _, rootToken := vault.TestCoreUnsealed(t)
|
2017-02-17 04:23:32 +00:00
|
|
|
req, _ := http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo", nil)
|
2018-09-18 03:03:00 +00:00
|
|
|
req = req.WithContext(namespace.RootContext(nil))
|
|
|
|
req.Header.Add(consts.AuthHeaderName, rootToken)
|
2020-06-26 21:13:16 +00:00
|
|
|
|
2020-07-07 04:05:28 +00:00
|
|
|
lreq, _, status, err := buildLogicalRequest(core, nil, req)
|
2017-02-17 04:23:32 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if status != 0 {
|
|
|
|
t.Fatalf("got status %d", status)
|
|
|
|
}
|
|
|
|
if strings.HasSuffix(lreq.Path, "/") {
|
|
|
|
t.Fatal("trailing slash found on path")
|
|
|
|
}
|
|
|
|
|
|
|
|
req, _ = http.NewRequest("GET", "http://127.0.0.1:8200/v1/secret/foo?list=true", nil)
|
2018-09-18 03:03:00 +00:00
|
|
|
req = req.WithContext(namespace.RootContext(nil))
|
|
|
|
req.Header.Add(consts.AuthHeaderName, rootToken)
|
2020-07-07 04:05:28 +00:00
|
|
|
|
|
|
|
lreq, _, status, err = buildLogicalRequest(core, nil, req)
|
2017-02-17 04:23:32 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if status != 0 {
|
|
|
|
t.Fatalf("got status %d", status)
|
|
|
|
}
|
|
|
|
if !strings.HasSuffix(lreq.Path, "/") {
|
|
|
|
t.Fatal("trailing slash not found on path")
|
|
|
|
}
|
|
|
|
|
|
|
|
req, _ = http.NewRequest("LIST", "http://127.0.0.1:8200/v1/secret/foo", nil)
|
2018-09-18 03:03:00 +00:00
|
|
|
req = req.WithContext(namespace.RootContext(nil))
|
|
|
|
req.Header.Add(consts.AuthHeaderName, rootToken)
|
2020-07-07 04:05:28 +00:00
|
|
|
|
|
|
|
_, _, status, err = buildLogicalRequestNoAuth(core.PerfStandby(), nil, req)
|
2020-06-26 21:13:16 +00:00
|
|
|
if err != nil || status != 0 {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
2020-07-07 04:05:28 +00:00
|
|
|
|
|
|
|
lreq, _, status, err = buildLogicalRequest(core, nil, req)
|
2017-02-17 04:23:32 +00:00
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if status != 0 {
|
|
|
|
t.Fatalf("got status %d", status)
|
|
|
|
}
|
|
|
|
if !strings.HasSuffix(lreq.Path, "/") {
|
|
|
|
t.Fatal("trailing slash not found on path")
|
|
|
|
}
|
|
|
|
}
|
2018-02-21 22:22:21 +00:00
|
|
|
|
2022-09-02 21:21:25 +00:00
|
|
|
func TestLogical_ListWithQueryParameters(t *testing.T) {
|
|
|
|
core, _, rootToken := vault.TestCoreUnsealed(t)
|
|
|
|
|
|
|
|
tests := []struct {
|
|
|
|
name string
|
|
|
|
requestMethod string
|
|
|
|
url string
|
|
|
|
expectedData map[string]interface{}
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
name: "LIST request method parses query parameter",
|
|
|
|
requestMethod: "LIST",
|
|
|
|
url: "http://127.0.0.1:8200/v1/secret/foo?key1=value1",
|
|
|
|
expectedData: map[string]interface{}{
|
|
|
|
"key1": "value1",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "LIST request method parses query multiple parameters",
|
|
|
|
requestMethod: "LIST",
|
|
|
|
url: "http://127.0.0.1:8200/v1/secret/foo?key1=value1&key2=value2",
|
|
|
|
expectedData: map[string]interface{}{
|
|
|
|
"key1": "value1",
|
|
|
|
"key2": "value2",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "GET request method with list=true parses query parameter",
|
|
|
|
requestMethod: "GET",
|
|
|
|
url: "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1",
|
|
|
|
expectedData: map[string]interface{}{
|
|
|
|
"key1": "value1",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "GET request method with list=true parses multiple query parameters",
|
|
|
|
requestMethod: "GET",
|
|
|
|
url: "http://127.0.0.1:8200/v1/secret/foo?list=true&key1=value1&key2=value2",
|
|
|
|
expectedData: map[string]interface{}{
|
|
|
|
"key1": "value1",
|
|
|
|
"key2": "value2",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
{
|
|
|
|
name: "GET request method with alternate order list=true parses multiple query parameters",
|
|
|
|
requestMethod: "GET",
|
|
|
|
url: "http://127.0.0.1:8200/v1/secret/foo?key1=value1&list=true&key2=value2",
|
|
|
|
expectedData: map[string]interface{}{
|
|
|
|
"key1": "value1",
|
|
|
|
"key2": "value2",
|
|
|
|
},
|
|
|
|
},
|
|
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
|
|
req, _ := http.NewRequest(tc.requestMethod, tc.url, nil)
|
|
|
|
req = req.WithContext(namespace.RootContext(nil))
|
|
|
|
req.Header.Add(consts.AuthHeaderName, rootToken)
|
|
|
|
|
|
|
|
lreq, _, status, err := buildLogicalRequest(core, nil, req)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
if status != 0 {
|
|
|
|
t.Fatalf("got status %d", status)
|
|
|
|
}
|
|
|
|
if !strings.HasSuffix(lreq.Path, "/") {
|
|
|
|
t.Fatal("trailing slash not found on path")
|
|
|
|
}
|
|
|
|
if lreq.Operation != logical.ListOperation {
|
|
|
|
t.Fatalf("expected logical.ListOperation, got %v", lreq.Operation)
|
|
|
|
}
|
|
|
|
if !reflect.DeepEqual(tc.expectedData, lreq.Data) {
|
|
|
|
t.Fatalf("expected query parameter data %v, got %v", tc.expectedData, lreq.Data)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-02-21 22:22:21 +00:00
|
|
|
func TestLogical_RespondWithStatusCode(t *testing.T) {
|
|
|
|
resp := &logical.Response{
|
|
|
|
Data: map[string]interface{}{
|
|
|
|
"test-data": "foo",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
resp404, err := logical.RespondWithStatusCode(resp, &logical.Request{ID: "id"}, http.StatusNotFound)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
w := httptest.NewRecorder()
|
2021-02-24 11:58:10 +00:00
|
|
|
respondLogical(nil, w, nil, nil, resp404, false)
|
2018-02-21 22:22:21 +00:00
|
|
|
|
|
|
|
if w.Code != 404 {
|
|
|
|
t.Fatalf("Bad Status code: %d", w.Code)
|
|
|
|
}
|
|
|
|
|
|
|
|
bodyRaw, err := ioutil.ReadAll(w.Body)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
expected := `{"request_id":"id","lease_id":"","renewable":false,"lease_duration":0,"data":{"test-data":"foo"},"wrap_info":null,"warnings":null,"auth":null}`
|
|
|
|
|
|
|
|
if string(bodyRaw[:]) != strings.Trim(expected, "\n") {
|
|
|
|
t.Fatalf("bad response: %s", string(bodyRaw[:]))
|
|
|
|
}
|
|
|
|
}
|
2019-07-05 21:15:14 +00:00
|
|
|
|
|
|
|
func TestLogical_Audit_invalidWrappingToken(t *testing.T) {
|
|
|
|
// Create a noop audit backend
|
2023-02-01 13:33:16 +00:00
|
|
|
noop := corehelpers.TestNoopAudit(t, nil)
|
2019-07-05 21:15:14 +00:00
|
|
|
c, _, root := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{
|
|
|
|
AuditBackends: map[string]audit.Factory{
|
|
|
|
"noop": func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
|
|
|
|
return noop, nil
|
|
|
|
},
|
|
|
|
},
|
|
|
|
})
|
|
|
|
ln, addr := TestServer(t, c)
|
|
|
|
defer ln.Close()
|
|
|
|
|
|
|
|
// Enable the audit backend
|
|
|
|
|
|
|
|
resp := testHttpPost(t, root, addr+"/v1/sys/audit/noop", map[string]interface{}{
|
|
|
|
"type": "noop",
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, 204)
|
|
|
|
|
|
|
|
{
|
|
|
|
// Make a wrapping/unwrap request with an invalid token
|
|
|
|
resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
|
|
|
|
"token": "foo",
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, 400)
|
|
|
|
body := map[string][]string{}
|
|
|
|
testResponseBody(t, resp, &body)
|
|
|
|
if body["errors"][0] != "wrapping token is not valid or does not exist" {
|
|
|
|
t.Fatal(body)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check the audit trail on request and response
|
|
|
|
if len(noop.ReqAuth) != 1 {
|
|
|
|
t.Fatalf("bad: %#v", noop)
|
|
|
|
}
|
|
|
|
auth := noop.ReqAuth[0]
|
|
|
|
if auth.ClientToken != root {
|
|
|
|
t.Fatalf("bad client token: %#v", auth)
|
|
|
|
}
|
|
|
|
if len(noop.Req) != 1 || noop.Req[0].Path != "sys/wrapping/unwrap" {
|
|
|
|
t.Fatalf("bad:\ngot:\n%#v", noop.Req[0])
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(noop.ReqErrs) != 1 {
|
|
|
|
t.Fatalf("bad: %#v", noop.RespErrs)
|
|
|
|
}
|
|
|
|
if noop.ReqErrs[0] != consts.ErrInvalidWrappingToken {
|
|
|
|
t.Fatalf("bad: %#v", noop.ReqErrs)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
resp := testHttpPostWrapped(t, root, addr+"/v1/auth/token/create", nil, 10*time.Second)
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
body := map[string]interface{}{}
|
|
|
|
testResponseBody(t, resp, &body)
|
|
|
|
|
|
|
|
wrapToken := body["wrap_info"].(map[string]interface{})["token"].(string)
|
|
|
|
|
|
|
|
// Make a wrapping/unwrap request with an invalid token
|
|
|
|
resp = testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
|
|
|
|
"token": wrapToken,
|
|
|
|
})
|
|
|
|
testResponseStatus(t, resp, 200)
|
|
|
|
|
|
|
|
// Check the audit trail on request and response
|
|
|
|
if len(noop.ReqAuth) != 3 {
|
|
|
|
t.Fatalf("bad: %#v", noop)
|
|
|
|
}
|
|
|
|
auth := noop.ReqAuth[2]
|
|
|
|
if auth.ClientToken != root {
|
|
|
|
t.Fatalf("bad client token: %#v", auth)
|
|
|
|
}
|
|
|
|
if len(noop.Req) != 3 || noop.Req[2].Path != "sys/wrapping/unwrap" {
|
|
|
|
t.Fatalf("bad:\ngot:\n%#v", noop.Req[2])
|
|
|
|
}
|
|
|
|
|
|
|
|
// Make sure there is only one error in the logs
|
|
|
|
if noop.ReqErrs[1] != nil || noop.ReqErrs[2] != nil {
|
|
|
|
t.Fatalf("bad: %#v", noop.RespErrs)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-02-12 22:20:22 +00:00
|
|
|
|
|
|
|
func TestLogical_ShouldParseForm(t *testing.T) {
|
|
|
|
const formCT = "application/x-www-form-urlencoded"
|
|
|
|
|
|
|
|
tests := map[string]struct {
|
|
|
|
prefix string
|
|
|
|
contentType string
|
|
|
|
isForm bool
|
|
|
|
}{
|
|
|
|
"JSON": {`{"a":42}`, formCT, false},
|
|
|
|
"JSON 2": {`[42]`, formCT, false},
|
|
|
|
"JSON w/leading space": {" \n\n\r\t [42] ", formCT, false},
|
|
|
|
"Form": {"a=42&b=dog", formCT, true},
|
|
|
|
"Form w/wrong CT": {"a=42&b=dog", "application/json", false},
|
|
|
|
}
|
|
|
|
|
|
|
|
for name, test := range tests {
|
|
|
|
isForm := isForm([]byte(test.prefix), test.contentType)
|
|
|
|
|
|
|
|
if isForm != test.isForm {
|
|
|
|
t.Fatalf("%s fail: expected isForm %t, got %t", name, test.isForm, isForm)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
Add remote_port in the audit logs when it is available (#12790)
* Add remote_port in the audit logs when it is available
The `request.remote_port` field is now present in the audit log when it
is available:
```
{
"time": "2021-10-10T13:53:51.760039Z",
"type": "response",
"auth": {
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"display_name": "root",
"policies": [
"root"
],
"token_policies": [
"root"
],
"token_type": "service",
"token_issue_time": "2021-10-10T15:53:44+02:00"
},
"request": {
"id": "829c04a1-0352-2d9d-9bc9-00b928d33df5",
"operation": "update",
"mount_type": "system",
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"namespace": {
"id": "root"
},
"path": "sys/audit/file",
"data": {
"description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b",
"local": false,
"options": {
"file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3"
},
"type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc"
},
"remote_address": "127.0.0.1",
"remote_port": 54798
},
"response": {
"mount_type": "system"
}
}
```
Closes https://github.com/hashicorp/vault/issues/7716
* Add changelog entry
* Empty commit to trigger CI
* Add test and explicit error handling
* Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
|
|
|
|
|
|
|
func TestLogical_AuditPort(t *testing.T) {
|
|
|
|
coreConfig := &vault.CoreConfig{
|
|
|
|
LogicalBackends: map[string]logical.Factory{
|
|
|
|
"kv": kv.VersionedKVFactory,
|
|
|
|
},
|
|
|
|
AuditBackends: map[string]audit.Factory{
|
|
|
|
"file": auditFile.Factory,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: Handler,
|
|
|
|
})
|
|
|
|
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
|
|
|
|
cores := cluster.Cores
|
|
|
|
|
|
|
|
core := cores[0].Core
|
|
|
|
c := cluster.Cores[0].Client
|
|
|
|
vault.TestWaitActive(t, core)
|
|
|
|
|
|
|
|
if err := c.Sys().Mount("kv/", &api.MountInput{
|
|
|
|
Type: "kv-v2",
|
|
|
|
}); err != nil {
|
|
|
|
t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
auditLogFile, err := ioutil.TempFile("", "auditport")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
|
|
|
|
Type: "file",
|
|
|
|
Options: map[string]string{
|
|
|
|
"file_path": auditLogFile.Name(),
|
|
|
|
},
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to enable audit file, err: %#v\n", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
writeData := map[string]interface{}{
|
|
|
|
"data": map[string]interface{}{
|
|
|
|
"bar": "a",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
2022-08-03 14:14:17 +00:00
|
|
|
// workaround kv-v2 initialization upgrade errors
|
|
|
|
numFailures := 0
|
2023-02-01 13:33:16 +00:00
|
|
|
corehelpers.RetryUntil(t, 10*time.Second, func() error {
|
2022-08-03 14:14:17 +00:00
|
|
|
resp, err := c.Logical().Write("kv/data/foo", writeData)
|
|
|
|
if err != nil {
|
|
|
|
if strings.Contains(err.Error(), "Upgrading from non-versioned to versioned data") {
|
|
|
|
t.Logf("Retrying fetch KV data due to upgrade error")
|
|
|
|
time.Sleep(100 * time.Millisecond)
|
|
|
|
numFailures += 1
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
t.Fatalf("write request failed, err: %#v, resp: %#v\n", err, resp)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
})
|
Add remote_port in the audit logs when it is available (#12790)
* Add remote_port in the audit logs when it is available
The `request.remote_port` field is now present in the audit log when it
is available:
```
{
"time": "2021-10-10T13:53:51.760039Z",
"type": "response",
"auth": {
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"display_name": "root",
"policies": [
"root"
],
"token_policies": [
"root"
],
"token_type": "service",
"token_issue_time": "2021-10-10T15:53:44+02:00"
},
"request": {
"id": "829c04a1-0352-2d9d-9bc9-00b928d33df5",
"operation": "update",
"mount_type": "system",
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"namespace": {
"id": "root"
},
"path": "sys/audit/file",
"data": {
"description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b",
"local": false,
"options": {
"file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3"
},
"type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc"
},
"remote_address": "127.0.0.1",
"remote_port": 54798
},
"response": {
"mount_type": "system"
}
}
```
Closes https://github.com/hashicorp/vault/issues/7716
* Add changelog entry
* Empty commit to trigger CI
* Add test and explicit error handling
* Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
|
|
|
|
|
|
|
decoder := json.NewDecoder(auditLogFile)
|
|
|
|
|
|
|
|
var auditRecord map[string]interface{}
|
|
|
|
count := 0
|
|
|
|
for decoder.Decode(&auditRecord) == nil {
|
|
|
|
count += 1
|
|
|
|
|
|
|
|
// Skip the first line
|
|
|
|
if count == 1 {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
auditRequest := map[string]interface{}{}
|
|
|
|
|
|
|
|
if req, ok := auditRecord["request"]; ok {
|
|
|
|
auditRequest = req.(map[string]interface{})
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, ok := auditRequest["remote_address"].(string); !ok {
|
2022-08-03 14:14:17 +00:00
|
|
|
t.Fatalf("remote_address should be a string, not %T", auditRequest["remote_address"])
|
Add remote_port in the audit logs when it is available (#12790)
* Add remote_port in the audit logs when it is available
The `request.remote_port` field is now present in the audit log when it
is available:
```
{
"time": "2021-10-10T13:53:51.760039Z",
"type": "response",
"auth": {
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"display_name": "root",
"policies": [
"root"
],
"token_policies": [
"root"
],
"token_type": "service",
"token_issue_time": "2021-10-10T15:53:44+02:00"
},
"request": {
"id": "829c04a1-0352-2d9d-9bc9-00b928d33df5",
"operation": "update",
"mount_type": "system",
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"namespace": {
"id": "root"
},
"path": "sys/audit/file",
"data": {
"description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b",
"local": false,
"options": {
"file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3"
},
"type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc"
},
"remote_address": "127.0.0.1",
"remote_port": 54798
},
"response": {
"mount_type": "system"
}
}
```
Closes https://github.com/hashicorp/vault/issues/7716
* Add changelog entry
* Empty commit to trigger CI
* Add test and explicit error handling
* Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if _, ok := auditRequest["remote_port"].(float64); !ok {
|
|
|
|
t.Fatalf("remote_port should be a number, not %T", auditRequest["remote_port"])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-08-03 14:14:17 +00:00
|
|
|
// We expect the following items in the audit log:
|
|
|
|
// audit log header + an entry for updating sys/audit/file
|
|
|
|
// + request/response per failure (if any) + request/response for creating kv
|
|
|
|
numExpectedEntries := (numFailures * 2) + 4
|
|
|
|
if count != numExpectedEntries {
|
|
|
|
t.Fatalf("wrong number of audit entries expected: %d got: %d", numExpectedEntries, count)
|
Add remote_port in the audit logs when it is available (#12790)
* Add remote_port in the audit logs when it is available
The `request.remote_port` field is now present in the audit log when it
is available:
```
{
"time": "2021-10-10T13:53:51.760039Z",
"type": "response",
"auth": {
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"display_name": "root",
"policies": [
"root"
],
"token_policies": [
"root"
],
"token_type": "service",
"token_issue_time": "2021-10-10T15:53:44+02:00"
},
"request": {
"id": "829c04a1-0352-2d9d-9bc9-00b928d33df5",
"operation": "update",
"mount_type": "system",
"client_token": "hmac-sha256:1304aab0ac65747684e1b58248cc16715fa8f558f8d27e90fcbcb213220c0edf",
"client_token_accessor": "hmac-sha256:f8cf0601dadd19aac84f205ded44c62898e3746a42108a51105a92ccc39baa43",
"namespace": {
"id": "root"
},
"path": "sys/audit/file",
"data": {
"description": "hmac-sha256:321a1d105f8c6fd62be4f34c4da4f0e6d1cdee9eb2ff4af0b59e1410950fe86b",
"local": false,
"options": {
"file_path": "hmac-sha256:2421b5bf8dab1f9775b2e6e66e58d7bca99ab729f3f311782fda50717eee55b3"
},
"type": "hmac-sha256:30dff9607b4087e3ae6808b4a3aa395b1fc064e467748c55c25ddf0e9b150fcc"
},
"remote_address": "127.0.0.1",
"remote_port": 54798
},
"response": {
"mount_type": "system"
}
}
```
Closes https://github.com/hashicorp/vault/issues/7716
* Add changelog entry
* Empty commit to trigger CI
* Add test and explicit error handling
* Change temporary file pattern in test
2022-01-26 23:47:15 +00:00
|
|
|
}
|
|
|
|
}
|
2022-03-30 13:08:02 +00:00
|
|
|
|
|
|
|
func TestLogical_ErrRelativePath(t *testing.T) {
|
|
|
|
coreConfig := &vault.CoreConfig{
|
|
|
|
CredentialBackends: map[string]logical.Factory{
|
|
|
|
"userpass": credUserpass.Factory,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: Handler,
|
|
|
|
})
|
|
|
|
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
|
|
|
|
cores := cluster.Cores
|
|
|
|
|
|
|
|
core := cores[0].Core
|
|
|
|
c := cluster.Cores[0].Client
|
|
|
|
vault.TestWaitActive(t, core)
|
|
|
|
|
|
|
|
err := c.Sys().EnableAuthWithOptions("userpass", &api.EnableAuthOptions{
|
|
|
|
Type: "userpass",
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("failed to enable userpass, err: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err := c.Logical().Read("auth/userpass/users/user..aaa")
|
|
|
|
|
|
|
|
if err == nil || resp != nil {
|
|
|
|
t.Fatalf("expected read request to fail, resp: %#v, err: %v", resp, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
respErr, ok := err.(*api.ResponseError)
|
|
|
|
|
|
|
|
if !ok {
|
|
|
|
t.Fatalf("unexpected error type, err: %#v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if respErr.StatusCode != 400 {
|
|
|
|
t.Errorf("expected 400 response for read, actual: %d", respErr.StatusCode)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
|
|
|
|
t.Errorf("expected response for read to include %q", logical.ErrRelativePath.Error())
|
|
|
|
}
|
|
|
|
|
|
|
|
data := map[string]interface{}{
|
|
|
|
"password": "abc123",
|
|
|
|
}
|
|
|
|
|
|
|
|
resp, err = c.Logical().Write("auth/userpass/users/user..aaa", data)
|
|
|
|
|
|
|
|
if err == nil || resp != nil {
|
|
|
|
t.Fatalf("expected write request to fail, resp: %#v, err: %v", resp, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
respErr, ok = err.(*api.ResponseError)
|
|
|
|
|
|
|
|
if !ok {
|
|
|
|
t.Fatalf("unexpected error type, err: %#v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if respErr.StatusCode != 400 {
|
|
|
|
t.Errorf("expected 400 response for write, actual: %d", respErr.StatusCode)
|
|
|
|
}
|
|
|
|
|
|
|
|
if !strings.Contains(respErr.Error(), logical.ErrRelativePath.Error()) {
|
|
|
|
t.Errorf("expected response for write to include %q", logical.ErrRelativePath.Error())
|
|
|
|
}
|
|
|
|
}
|
2023-04-06 07:41:07 +00:00
|
|
|
|
|
|
|
func testBuiltinPluginMetadataAuditLog(t *testing.T, log map[string]interface{}, expectedMountClass string) {
|
|
|
|
if mountClass, ok := log["mount_class"].(string); !ok {
|
|
|
|
t.Fatalf("mount_class should be a string, not %T", log["mount_class"])
|
|
|
|
} else if mountClass != expectedMountClass {
|
|
|
|
t.Fatalf("bad: mount_class should be %s, not %s", expectedMountClass, mountClass)
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, ok := log["mount_running_version"].(string); !ok {
|
|
|
|
t.Fatalf("mount_running_version should be a string, not %T", log["mount_running_version"])
|
|
|
|
}
|
|
|
|
|
|
|
|
if _, ok := log["mount_running_sha256"].(string); ok {
|
|
|
|
t.Fatalf("mount_running_sha256 should be nil, not %T", log["mount_running_sha256"])
|
|
|
|
}
|
|
|
|
|
|
|
|
if mountIsExternalPlugin, ok := log["mount_is_external_plugin"].(bool); ok && mountIsExternalPlugin {
|
|
|
|
t.Fatalf("mount_is_external_plugin should be nil or false, not %T", log["mount_is_external_plugin"])
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth tests that we have plugin metadata of a builtin auth plugin
|
|
|
|
// in audit log when it is enabled
|
|
|
|
func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Auth(t *testing.T) {
|
|
|
|
coreConfig := &vault.CoreConfig{
|
|
|
|
AuditBackends: map[string]audit.Factory{
|
|
|
|
"file": auditFile.Factory,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: Handler,
|
|
|
|
})
|
|
|
|
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
|
|
|
|
cores := cluster.Cores
|
|
|
|
|
|
|
|
core := cores[0].Core
|
|
|
|
c := cluster.Cores[0].Client
|
|
|
|
vault.TestWaitActive(t, core)
|
|
|
|
|
|
|
|
// Enable the audit backend
|
|
|
|
tempDir := t.TempDir()
|
|
|
|
auditLogFile, err := os.CreateTemp(tempDir, "")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
|
|
|
|
Type: "file",
|
|
|
|
Options: map[string]string{
|
|
|
|
"file_path": auditLogFile.Name(),
|
|
|
|
},
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = c.Logical().Write("auth/token/create", map[string]interface{}{
|
|
|
|
"ttl": "10s",
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check the audit trail on request and response
|
|
|
|
decoder := json.NewDecoder(auditLogFile)
|
|
|
|
var auditRecord map[string]interface{}
|
|
|
|
for decoder.Decode(&auditRecord) == nil {
|
|
|
|
auditRequest := map[string]interface{}{}
|
|
|
|
if req, ok := auditRecord["request"]; ok {
|
|
|
|
auditRequest = req.(map[string]interface{})
|
|
|
|
if auditRequest["path"] != "auth/token/create" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
testBuiltinPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeCredential.String())
|
|
|
|
|
|
|
|
auditResponse := map[string]interface{}{}
|
|
|
|
if req, ok := auditRecord["response"]; ok {
|
|
|
|
auditRequest = req.(map[string]interface{})
|
|
|
|
if auditResponse["path"] != "auth/token/create" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
testBuiltinPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeCredential.String())
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret tests that we have plugin metadata of a builtin secret plugin
|
|
|
|
// in audit log when it is enabled
|
|
|
|
func TestLogical_AuditEnabled_ShouldLogPluginMetadata_Secret(t *testing.T) {
|
|
|
|
coreConfig := &vault.CoreConfig{
|
|
|
|
LogicalBackends: map[string]logical.Factory{
|
|
|
|
"kv": kv.VersionedKVFactory,
|
|
|
|
},
|
|
|
|
AuditBackends: map[string]audit.Factory{
|
|
|
|
"file": auditFile.Factory,
|
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
cluster := vault.NewTestCluster(t, coreConfig, &vault.TestClusterOptions{
|
|
|
|
HandlerFunc: Handler,
|
|
|
|
})
|
|
|
|
|
|
|
|
cluster.Start()
|
|
|
|
defer cluster.Cleanup()
|
|
|
|
|
|
|
|
cores := cluster.Cores
|
|
|
|
|
|
|
|
core := cores[0].Core
|
|
|
|
c := cluster.Cores[0].Client
|
|
|
|
vault.TestWaitActive(t, core)
|
|
|
|
|
|
|
|
if err := c.Sys().Mount("kv/", &api.MountInput{
|
|
|
|
Type: "kv-v2",
|
|
|
|
}); err != nil {
|
|
|
|
t.Fatalf("kv-v2 mount attempt failed - err: %#v\n", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Enable the audit backend
|
|
|
|
tempDir := t.TempDir()
|
|
|
|
auditLogFile, err := os.CreateTemp(tempDir, "")
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
err = c.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
|
|
|
|
Type: "file",
|
|
|
|
Options: map[string]string{
|
|
|
|
"file_path": auditLogFile.Name(),
|
|
|
|
},
|
|
|
|
})
|
|
|
|
if err != nil {
|
|
|
|
t.Fatal(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
{
|
|
|
|
writeData := map[string]interface{}{
|
|
|
|
"data": map[string]interface{}{
|
|
|
|
"bar": "a",
|
|
|
|
},
|
|
|
|
}
|
|
|
|
corehelpers.RetryUntil(t, 10*time.Second, func() error {
|
|
|
|
resp, err := c.Logical().Write("kv/data/foo", writeData)
|
|
|
|
if err != nil {
|
|
|
|
t.Fatalf("write request failed, err: %#v, resp: %#v\n", err, resp)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
// Check the audit trail on request and response
|
|
|
|
decoder := json.NewDecoder(auditLogFile)
|
|
|
|
var auditRecord map[string]interface{}
|
|
|
|
for decoder.Decode(&auditRecord) == nil {
|
|
|
|
auditRequest := map[string]interface{}{}
|
|
|
|
if req, ok := auditRecord["request"]; ok {
|
|
|
|
auditRequest = req.(map[string]interface{})
|
|
|
|
if auditRequest["path"] != "kv/data/foo" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
testBuiltinPluginMetadataAuditLog(t, auditRequest, consts.PluginTypeSecrets.String())
|
|
|
|
|
|
|
|
auditResponse := map[string]interface{}{}
|
|
|
|
if req, ok := auditRecord["response"]; ok {
|
|
|
|
auditRequest = req.(map[string]interface{})
|
|
|
|
if auditResponse["path"] != "kv/data/foo" {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
}
|
|
|
|
testBuiltinPluginMetadataAuditLog(t, auditResponse, consts.PluginTypeSecrets.String())
|
|
|
|
}
|
|
|
|
}
|