luxolus
/
open-vault
2
0
Fork 0
Code Issues 1 Pull Requests Releases Activity
open-vault/audit/hashstructure_test.go

401 lines
9.7 KiB
Go
Raw Normal View History

adding copyright header (#19555) * adding copyright header * fix fmt and a test
2023-03-15 16:00:52 +00:00
// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0
audit: add hashstructure
2015-04-21 15:02:03 +00:00
package audit
import (
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
"context"
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
"crypto/sha256"
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
"encoding/json"
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
"fmt"
audit: add hashstructure
2015-04-21 15:02:03 +00:00
"reflect"
"testing"
audit: add more tests for copying
2015-04-27 22:54:14 +00:00
"time"
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
Call goimports as well as gofmt when doing a `make fmt` (#7148) Closes #7147
2019-07-19 01:04:56 +00:00
"github.com/go-test/deep"
Create sdk/ and api/ submodules (#6583)
2019-04-12 21:54:35 +00:00
"github.com/hashicorp/vault/sdk/helper/certutil"
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/helper/wrapping"
"github.com/hashicorp/vault/sdk/logical"
audit: add more tests for copying
2015-04-27 22:54:14 +00:00
"github.com/mitchellh/copystructure"
audit: add hashstructure
2015-04-21 15:02:03 +00:00
)
audit: add more tests for copying
2015-04-27 22:54:14 +00:00
func TestCopy_auth(t *testing.T) {
// Make a non-pointer one so that it can't be modified directly
expected := logical.Auth{
LeaseOptions: logical.LeaseOptions{
Core handling of TTLs (#4230) * govet cleanup in token store * adding general ttl handling to login requests * consolidating TTL calculation to system view * deprecate LeaseExtend * deprecate LeaseExtend * set the increment to the correct value * move calculateTTL out of SystemView * remove unused value * add back clearing of lease id * implement core ttl in some backends * removing increment and issue time from lease options * adding ttl tests, fixing some compile issue * adding ttl tests * fixing some explicit max TTL logic * fixing up some tests * removing unneeded test * off by one errors... * adding back some logic for bc * adding period to return on renewal * tweaking max ttl capping slightly * use the appropriate precision for ttl calculation * deprecate proto fields instead of delete * addressing feedback * moving TTL handling for backends to core * mongo is a secret backend not auth * adding estimated ttl for backends that also manage the expiration time * set the estimate values before calling the renew request * moving calculate TTL to framework, revert removal of increment and issue time from logical * minor edits * addressing feedback * address more feedback
2018-04-03 16:20:20 +00:00
TTL: 1 * time.Hour,
audit: add more tests for copying
2015-04-27 22:54:14 +00:00
},
ClientToken: "foo",
}
auth := expected
// Copy it
dup, err := copystructure.Copy(&auth)
if err != nil {
t.Fatalf("err: %s", err)
}
// Check equality
auth2 := dup.(*logical.Auth)
if !reflect.DeepEqual(*auth2, expected) {
t.Fatalf("bad:\n\n%#v\n\n%#v", *auth2, expected)
}
}
func TestCopy_request(t *testing.T) {
// Make a non-pointer one so that it can't be modified directly
expected := logical.Request{
Data: map[string]interface{}{
"foo": "bar",
},
JWT wrapping tokens (#2172)
2017-01-04 21:44:03 +00:00
WrapInfo: &logical.RequestWrapInfo{
TTL: 60 * time.Second,
},
audit: add more tests for copying
2015-04-27 22:54:14 +00:00
}
arg := expected
// Copy it
dup, err := copystructure.Copy(&arg)
if err != nil {
t.Fatalf("err: %s", err)
}
// Check equality
arg2 := dup.(*logical.Request)
if !reflect.DeepEqual(*arg2, expected) {
t.Fatalf("bad:\n\n%#v\n\n%#v", *arg2, expected)
}
}
func TestCopy_response(t *testing.T) {
// Make a non-pointer one so that it can't be modified directly
expected := logical.Response{
Data: map[string]interface{}{
"foo": "bar",
},
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 19:15:01 +00:00
WrapInfo: &wrapping.ResponseWrapInfo{
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
TTL: 60,
Token: "foo",
CreationTime: time.Now(),
WrappedAccessor: "abcd1234",
Add more tests
2016-05-08 01:08:13 +00:00
},
audit: add more tests for copying
2015-04-27 22:54:14 +00:00
}
arg := expected
// Copy it
dup, err := copystructure.Copy(&arg)
if err != nil {
t.Fatalf("err: %s", err)
}
// Check equality
arg2 := dup.(*logical.Response)
if !reflect.DeepEqual(*arg2, expected) {
t.Fatalf("bad:\n\n%#v\n\n%#v", *arg2, expected)
}
}
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
func TestHashString(t *testing.T) {
inmemStorage := &logical.InmemStorage{}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
inmemStorage.Put(context.Background(), &logical.StorageEntry{
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
Key: "salt",
Value: []byte("foo"),
})
Add context to the NewSalt function (#4102)
2018-03-08 19:21:11 +00:00
localSalt, err := salt.NewSalt(context.Background(), inmemStorage, &salt.Config{
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784
2015-11-19 01:26:03 +00:00
HMAC: sha256.New,
HMACType: "hmac-sha256",
})
if err != nil {
t.Fatalf("Error instantiating salt: %s", err)
}
out := HashString(localSalt, "foo")
if out != "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a" {
t.Fatalf("err: HashString output did not match expected")
}
}
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
func TestHashAuth(t *testing.T) {
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
cases := []struct {
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
Input *logical.Auth
Output *logical.Auth
HMACAccessor bool
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
}{
{
&logical.Auth{ClientToken: "foo"},
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
&logical.Auth{ClientToken: "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a"},
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
false,
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
{
&logical.Auth{
LeaseOptions: logical.LeaseOptions{
TTL: 1 * time.Hour,
},
ClientToken: "foo",
},
&logical.Auth{
LeaseOptions: logical.LeaseOptions{
TTL: 1 * time.Hour,
},
ClientToken: "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a",
},
false,
},
}
inmemStorage := &logical.InmemStorage{}
inmemStorage.Put(context.Background(), &logical.StorageEntry{
Key: "salt",
Value: []byte("foo"),
})
localSalt, err := salt.NewSalt(context.Background(), inmemStorage, &salt.Config{
HMAC: sha256.New,
HMACType: "hmac-sha256",
})
if err != nil {
t.Fatalf("Error instantiating salt: %s", err)
}
for _, tc := range cases {
input := fmt.Sprintf("%#v", tc.Input)
out, err := HashAuth(localSalt, tc.Input, tc.HMACAccessor)
if err != nil {
t.Fatalf("err: %s\n\n%s", err, input)
}
if !reflect.DeepEqual(out, tc.Output) {
t.Fatalf("bad:\nInput:\n%s\nOutput:\n%#v\nExpected output:\n%#v", input, out, tc.Output)
}
}
}
type testOptMarshaler struct {
S string
I int
}
func (o *testOptMarshaler) MarshalJSONWithOptions(options *logical.MarshalOptions) ([]byte, error) {
return json.Marshal(&testOptMarshaler{S: options.ValueHasher(o.S), I: o.I})
}
var _ logical.OptMarshaler = &testOptMarshaler{}
func TestHashRequest(t *testing.T) {
cases := []struct {
Input *logical.Request
Output *logical.Request
NonHMACDataKeys []string
HMACAccessor bool
}{
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
{
&logical.Request{
Data: map[string]interface{}{
Add unit test for audit change
2016-01-26 17:47:04 +00:00
"foo": "bar",
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
2018-03-02 17:18:39 +00:00
"baz": "foobar",
Add unit test for audit change
2016-01-26 17:47:04 +00:00
"private_key_type": certutil.PrivateKeyType("rsa"),
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
"om": &testOptMarshaler{S: "bar", I: 1},
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
},
&logical.Request{
Data: map[string]interface{}{
Add unit test for audit change
2016-01-26 17:47:04 +00:00
"foo": "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
2018-03-02 17:18:39 +00:00
"baz": "foobar",
Add unit test for audit change
2016-01-26 17:47:04 +00:00
"private_key_type": "hmac-sha256:995230dca56fffd310ff591aa404aab52b2abb41703c787cfa829eceb4595bf1",
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
"om": json.RawMessage(`{"S":"hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317","I":1}`),
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
},
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
2018-03-02 17:18:39 +00:00
[]string{"baz"},
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
false,
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
}
inmemStorage := &logical.InmemStorage{}
inmemStorage.Put(context.Background(), &logical.StorageEntry{
Key: "salt",
Value: []byte("foo"),
})
localSalt, err := salt.NewSalt(context.Background(), inmemStorage, &salt.Config{
HMAC: sha256.New,
HMACType: "hmac-sha256",
})
if err != nil {
t.Fatalf("Error instantiating salt: %s", err)
}
for _, tc := range cases {
input := fmt.Sprintf("%#v", tc.Input)
out, err := HashRequest(localSalt, tc.Input, tc.HMACAccessor, tc.NonHMACDataKeys)
if err != nil {
t.Fatalf("err: %s\n\n%s", err, input)
}
if diff := deep.Equal(out, tc.Output); len(diff) > 0 {
t.Fatalf("bad:\nInput:\n%s\nDiff:\n%#v", input, diff)
}
}
}
func TestHashResponse(t *testing.T) {
now := time.Now()
cases := []struct {
Input *logical.Response
Output *logical.Response
NonHMACDataKeys []string
HMACAccessor bool
}{
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
{
&logical.Response{
Data: map[string]interface{}{
"foo": "bar",
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
2018-03-02 17:18:39 +00:00
"baz": "foobar",
audit: hash time.Time values in map fields (#2689) This enables audit.Hash to hash time.Time values that may exist as direct fields in the map. This will error (instead of panic) for any time.Time values that don't occur within map values. For example, this does not support a time.Time within a slice. If that needs to be supported then modifications will need to be made. This also requires an update to reflectwalk (included in this PR). This is a minimal change that allows SkipEntry to signal to skip an entire struct. We do this because we don't want to walk any of time.Time since we handle it directly.
2017-05-08 18:06:08 +00:00
// Responses can contain time values, so test that with
// a known fixed value.
Don't hash time.Time values in return data maps, they may be useful for reconciling values and are not generally secret
2017-05-08 18:19:42 +00:00
"bar": now,
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
"om": &testOptMarshaler{S: "bar", I: 1},
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 19:15:01 +00:00
WrapInfo: &wrapping.ResponseWrapInfo{
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
TTL: 60,
Token: "bar",
Port over bits (#3575)
2017-11-13 20:31:32 +00:00
Accessor: "flimflam",
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
CreationTime: now,
WrappedAccessor: "bar",
Add more tests
2016-05-08 01:08:13 +00:00
},
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
&logical.Response{
Data: map[string]interface{}{
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
"foo": "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
2018-03-02 17:18:39 +00:00
"baz": "foobar",
Don't hash time.Time values in return data maps, they may be useful for reconciling values and are not generally secret
2017-05-08 18:19:42 +00:00
"bar": now.Format(time.RFC3339Nano),
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
"om": json.RawMessage(`{"S":"hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317","I":1}`),
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 19:15:01 +00:00
WrapInfo: &wrapping.ResponseWrapInfo{
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
TTL: 60,
Token: "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
Port over bits (#3575)
2017-11-13 20:31:32 +00:00
Accessor: "hmac-sha256:7c9c6fe666d0af73b3ebcfbfabe6885015558213208e6635ba104047b22f6390",
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
CreationTime: now,
WrappedAccessor: "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
Add more tests
2016-05-08 01:08:13 +00:00
},
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
},
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
2018-03-02 17:18:39 +00:00
[]string{"baz"},
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
true,
audit: some tests
2015-06-19 10:31:19 +00:00
},
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
}
Use hmac-sha256 for protecting secrets in audit entries
2015-09-19 15:29:31 +00:00
inmemStorage := &logical.InmemStorage{}
Add context to storage backends and wire it through a lot of places (#3817)
2018-01-19 06:44:44 +00:00
inmemStorage.Put(context.Background(), &logical.StorageEntry{
Use hmac-sha256 for protecting secrets in audit entries
2015-09-19 15:29:31 +00:00
Key: "salt",
Value: []byte("foo"),
})
Add context to the NewSalt function (#4102)
2018-03-08 19:21:11 +00:00
localSalt, err := salt.NewSalt(context.Background(), inmemStorage, &salt.Config{
Use hmac-sha256 for protecting secrets in audit entries
2015-09-19 15:29:31 +00:00
HMAC: sha256.New,
HMACType: "hmac-sha256",
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
})
if err != nil {
t.Fatalf("Error instantiating salt: %s", err)
}
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
for _, tc := range cases {
input := fmt.Sprintf("%#v", tc.Input)
Add option 'elide_list_responses' to audit backends (#18128) This PR relates to a feature request logged through HashiCorp commercial support. Vault lacks pagination in its APIs. As a result, certain list operations can return **very** large responses. The user's chosen audit sinks may experience difficulty consuming audit records that swell to tens of megabytes of JSON. In our case, one of the systems consuming audit log data could not cope, and failed. The responses of list operations are typically not very interesting, as they are mostly lists of keys, or, even when they include a "key_info" field, are not returning confidential information. They become even less interesting once HMAC-ed by the audit system. Some example Vault "list" operations that are prone to becoming very large in an active Vault installation are: auth/token/accessors/ identity/entity/id/ identity/entity-alias/id/ pki/certs/ In response, I've coded a new option that can be applied to audit backends, `elide_list_responses`. When enabled, response data is elided from audit logs, only when the operation type is "list". For added safety, the elision only applies to the "keys" and "key_info" fields within the response data - these are conventionally the only fields present in a list response - see logical.ListResponse, and logical.ListResponseWithInfo. However, other fields are technically possible if a plugin author writes unusual code, and these will be preserved in the audit log even with this option enabled. The elision replaces the values of the "keys" and "key_info" fields with an integer count of the number of entries. This allows even the elided audit logs to still be useful for answering questions like "Was any data returned?" or "How many records were listed?".
2023-01-11 21:15:52 +00:00
out, err := HashResponse(localSalt, tc.Input, tc.HMACAccessor, tc.NonHMACDataKeys, false)
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
if err != nil {
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
t.Fatalf("err: %s\n\n%s", err, input)
}
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
if diff := deep.Equal(out, tc.Output); len(diff) > 0 {
t.Fatalf("bad:\nInput:\n%s\nDiff:\n%#v", input, diff)
audit: separate hashing from formatting to facilitate raw
2015-04-22 05:41:53 +00:00
}
}
}
audit: add hashstructure
2015-04-21 15:02:03 +00:00
func TestHashWalker(t *testing.T) {
replaceText := "foo"
cases := []struct {
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
Input map[string]interface{}
Output map[string]interface{}
audit: add hashstructure
2015-04-21 15:02:03 +00:00
}{
{
map[string]interface{}{
"hello": "foo",
},
map[string]interface{}{
"hello": replaceText,
},
},
{
map[string]interface{}{
"hello": []interface{}{"world"},
},
map[string]interface{}{
"hello": []interface{}{replaceText},
},
},
}
for _, tc := range cases {
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
err := HashStructure(tc.Input, func(string) string {
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 21:36:42 +00:00
return replaceText
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
}, nil)
audit: add hashstructure
2015-04-21 15:02:03 +00:00
if err != nil {
t.Fatalf("err: %s\n\n%#v", err, tc.Input)
}
Add support for hashing time.Time within slices (#6767) Add support for hashing time.Time within slices, which unbreaks auditing of requests returning the request counters. Break Hash into struct-specific func like HashAuth, HashRequest. Move all the copying/hashing logic from FormatRequest/FormatResponse into the new Hash* funcs. HashStructure now modifies in place instead of copying. Instead of returning an error when trying to hash map keys of type time.Time, ignore them, i.e. pass them through unhashed. Enable auditing on test clusters by default if the caller didn't specify any audit backends. If they do, they're responsible for setting it up.
2019-07-02 22:18:40 +00:00
if !reflect.DeepEqual(tc.Input, tc.Output) {
t.Fatalf("bad:\n\n%#v\n\n%#v", tc.Input, tc.Output)
}
}
}
func TestHashWalker_TimeStructs(t *testing.T) {
replaceText := "bar"
now := time.Now()
cases := []struct {
Input map[string]interface{}
Output map[string]interface{}
}{
// Should not touch map keys of type time.Time.
{
map[string]interface{}{
"hello": map[time.Time]struct{}{
now: {},
},
},
map[string]interface{}{
"hello": map[time.Time]struct{}{
now: {},
},
},
},
// Should handle map values of type time.Time.
{
map[string]interface{}{
"hello": now,
},
map[string]interface{}{
"hello": now.Format(time.RFC3339Nano),
},
},
// Should handle slice values of type time.Time.
{
map[string]interface{}{
"hello": []interface{}{"foo", now, "foo2"},
},
map[string]interface{}{
"hello": []interface{}{"foobar", now.Format(time.RFC3339Nano), "foo2bar"},
},
},
}
for _, tc := range cases {
err := HashStructure(tc.Input, func(s string) string {
return s + replaceText
}, nil)
if err != nil {
t.Fatalf("err: %v\n\n%#v", err, tc.Input)
}
if !reflect.DeepEqual(tc.Input, tc.Output) {
t.Fatalf("bad:\n\n%#v\n\n%#v", tc.Input, tc.Output)
audit: add hashstructure
2015-04-21 15:02:03 +00:00
}
}
}