open-vault/builtin/audit/syslog/backend.go

package syslog

import (
	"bytes"
	"context"
	"fmt"
	"strconv"
	"sync"

	"github.com/hashicorp/go-syslog"
	"github.com/hashicorp/vault/audit"
	"github.com/hashicorp/vault/helper/salt"
	"github.com/hashicorp/vault/logical"
)

func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, error) {
	if conf.SaltConfig == nil {
		return nil, fmt.Errorf("nil salt config")
	}
	if conf.SaltView == nil {
		return nil, fmt.Errorf("nil salt view")
	}

	// Get facility or default to AUTH
	facility, ok := conf.Config["facility"]
	if !ok {
		facility = "AUTH"
	}

	// Get tag or default to 'vault'
	tag, ok := conf.Config["tag"]
	if !ok {
		tag = "vault"
	}

	format, ok := conf.Config["format"]
	if !ok {
		format = "json"
	}
	switch format {
	case "json", "jsonx":
	default:
		return nil, fmt.Errorf("unknown format type %s", format)
	}

	// Check if hashing of accessor is disabled
	hmacAccessor := true
	if hmacAccessorRaw, ok := conf.Config["hmac_accessor"]; ok {
		value, err := strconv.ParseBool(hmacAccessorRaw)
		if err != nil {
			return nil, err
		}
		hmacAccessor = value
	}

	// Check if raw logging is enabled
	logRaw := false
	if raw, ok := conf.Config["log_raw"]; ok {
		b, err := strconv.ParseBool(raw)
		if err != nil {
			return nil, err
		}
		logRaw = b
	}

	// Get the logger
	logger, err := gsyslog.NewLogger(gsyslog.LOG_INFO, facility, tag)
	if err != nil {
		return nil, err
	}

	b := &Backend{
		logger:     logger,
		saltConfig: conf.SaltConfig,
		saltView:   conf.SaltView,
		formatConfig: audit.FormatterConfig{
			Raw:          logRaw,
			HMACAccessor: hmacAccessor,
		},
	}

	switch format {
	case "json":
		b.formatter.AuditFormatWriter = &audit.JSONFormatWriter{
			Prefix:   conf.Config["prefix"],
			SaltFunc: b.Salt,
		}
	case "jsonx":
		b.formatter.AuditFormatWriter = &audit.JSONxFormatWriter{
			Prefix:   conf.Config["prefix"],
			SaltFunc: b.Salt,
		}
	}

	return b, nil
}

// Backend is the audit backend for the syslog-based audit store.
type Backend struct {
	logger gsyslog.Syslogger

	formatter    audit.AuditFormatter
	formatConfig audit.FormatterConfig

	saltMutex  sync.RWMutex
	salt       *salt.Salt
	saltConfig *salt.Config
	saltView   logical.Storage
}

var _ audit.Backend = (*Backend)(nil)

func (b *Backend) GetHash(ctx context.Context, data string) (string, error) {
	salt, err := b.Salt(ctx)
	if err != nil {
		return "", err
	}
	return audit.HashString(salt, data), nil
}

func (b *Backend) LogRequest(ctx context.Context, in *audit.LogInput) error {
	var buf bytes.Buffer
	if err := b.formatter.FormatRequest(ctx, &buf, b.formatConfig, in); err != nil {
		return err
	}

	// Write out to syslog
	_, err := b.logger.Write(buf.Bytes())
	return err
}

func (b *Backend) LogResponse(ctx context.Context, in *audit.LogInput) error {
	var buf bytes.Buffer
	if err := b.formatter.FormatResponse(ctx, &buf, b.formatConfig, in); err != nil {
		return err
	}

	// Write out to syslog
	_, err := b.logger.Write(buf.Bytes())
	return err
}

func (b *Backend) Reload(_ context.Context) error {
	return nil
}

func (b *Backend) Salt(ctx context.Context) (*salt.Salt, error) {
	b.saltMutex.RLock()
	if b.salt != nil {
		defer b.saltMutex.RUnlock()
		return b.salt, nil
	}
	b.saltMutex.RUnlock()
	b.saltMutex.Lock()
	defer b.saltMutex.Unlock()
	if b.salt != nil {
		return b.salt, nil
	}
	salt, err := salt.NewSalt(ctx, b.saltView, b.saltConfig)
	if err != nil {
		return nil, err
	}
	b.salt = salt
	return salt, nil
}

func (b *Backend) Invalidate(_ context.Context) {
	b.saltMutex.Lock()
	defer b.saltMutex.Unlock()
	b.salt = nil
}
Minor cleanup in audit backend (#2194) 2016-12-19 20:35:55 +00:00			`package syslog`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00
			`import (`
			`"bytes"`
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`"context"`
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 16:18:37 +00:00			`"fmt"`
audit/syslog: Hash everything by default, optionally disable 2015-04-24 18:16:28 +00:00			`"strconv"`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`"sync"`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00
			`"github.com/hashicorp/go-syslog"`
			`"github.com/hashicorp/vault/audit"`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`"github.com/hashicorp/vault/helper/salt"`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`"github.com/hashicorp/vault/logical"`
			`)`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func Factory(ctx context.Context, conf *audit.BackendConfig) (audit.Backend, error) {`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`if conf.SaltConfig == nil {`
			`return nil, fmt.Errorf("nil salt config")`
			`}`
			`if conf.SaltView == nil {`
			`return nil, fmt.Errorf("nil salt view")`
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 16:18:37 +00:00			`}`

audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`// Get facility or default to AUTH`
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 16:18:37 +00:00			`facility, ok := conf.Config["facility"]`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`if !ok {`
			`facility = "AUTH"`
			`}`

			`// Get tag or default to 'vault'`
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 16:18:37 +00:00			`tag, ok := conf.Config["tag"]`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`if !ok {`
			`tag = "vault"`
			`}`

Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`format, ok := conf.Config["format"]`
			`if !ok {`
			`format = "json"`
			`}`
			`switch format {`
			`case "json", "jsonx":`
			`default:`
			`return nil, fmt.Errorf("unknown format type %s", format)`
			`}`

Added hash_accessor option to audit backends 2016-03-12 00:28:06 +00:00			`// Check if hashing of accessor is disabled`
s/hash_accessor/hmac_accessor/g 2016-03-14 18:52:29 +00:00			`hmacAccessor := true`
			`if hmacAccessorRaw, ok := conf.Config["hmac_accessor"]; ok {`
			`value, err := strconv.ParseBool(hmacAccessorRaw)`
Added hash_accessor option to audit backends 2016-03-12 00:28:06 +00:00			`if err != nil {`
			`return nil, err`
			`}`
s/hash_accessor/hmac_accessor/g 2016-03-14 18:52:29 +00:00			`hmacAccessor = value`
Added hash_accessor option to audit backends 2016-03-12 00:28:06 +00:00			`}`

audit/syslog: Hash everything by default, optionally disable 2015-04-24 18:16:28 +00:00			`// Check if raw logging is enabled`
audit/syslog: switch defaults 2015-04-26 01:26:08 +00:00			`logRaw := false`
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 16:18:37 +00:00			`if raw, ok := conf.Config["log_raw"]; ok {`
audit/syslog: Hash everything by default, optionally disable 2015-04-24 18:16:28 +00:00			`b, err := strconv.ParseBool(raw)`
			`if err != nil {`
			`return nil, err`
			`}`
			`logRaw = b`
			`}`

audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`// Get the logger`
			`logger, err := gsyslog.NewLogger(gsyslog.LOG_INFO, facility, tag)`
			`if err != nil {`
			`return nil, err`
			`}`

			`b := &Backend{`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`logger: logger,`
			`saltConfig: conf.SaltConfig,`
			`saltView: conf.SaltView,`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`formatConfig: audit.FormatterConfig{`
			`Raw: logRaw,`
			`HMACAccessor: hmacAccessor,`
			`},`
			`}`

			`switch format {`
			`case "json":`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`b.formatter.AuditFormatWriter = &audit.JSONFormatWriter{`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`Prefix: conf.Config["prefix"],`
			`SaltFunc: b.Salt,`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`}`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`case "jsonx":`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`b.formatter.AuditFormatWriter = &audit.JSONxFormatWriter{`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`Prefix: conf.Config["prefix"],`
			`SaltFunc: b.Salt,`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`}`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`}`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`return b, nil`
			`}`

			`// Backend is the audit backend for the syslog-based audit store.`
			`type Backend struct {`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`logger gsyslog.Syslogger`

			`formatter audit.AuditFormatter`
			`formatConfig audit.FormatterConfig`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00
			`saltMutex sync.RWMutex`
			`salt *salt.Salt`
			`saltConfig *salt.Config`
			`saltView logical.Storage`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`}`

Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains 2018-03-02 17:18:39 +00:00			`var _ audit.Backend = (*Backend)(nil)`

Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`func (b *Backend) GetHash(ctx context.Context, data string) (string, error) {`
			`salt, err := b.Salt(ctx)`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`if err != nil {`
			`return "", err`
			`}`
			`return audit.HashString(salt, data), nil`
Reintroduce the ability to look up obfuscated values in the audit log with a new endpoint '/sys/audit-hash', which returns the given input string hashed with the given audit backend's hash function and salt (currently, always HMAC-SHA256 and a backend-specific salt). In the process of adding the HTTP handler, this also removes the custom HTTP handlers for the other audit endpoints, which were simply forwarding to the logical system backend. This means that the various audit functions will now redirect correctly from a standby to master. (Tests all pass.) Fixes #784 2015-11-19 01:26:03 +00:00			`}`

Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`func (b Backend) LogRequest(ctx context.Context, in audit.LogInput) error {`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`var buf bytes.Buffer`
Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`if err := b.formatter.FormatRequest(ctx, &buf, b.formatConfig, in); err != nil {`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`return err`
			`}`
audit/syslog: Copy structure before hashing to avoid breaking result 2015-04-24 18:39:43 +00:00
			`// Write out to syslog`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`_, err := b.logger.Write(buf.Bytes())`
			`return err`
			`}`

Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`func (b Backend) LogResponse(ctx context.Context, in audit.LogInput) error {`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`var buf bytes.Buffer`
Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`if err := b.formatter.FormatResponse(ctx, &buf, b.formatConfig, in); err != nil {`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`return err`
			`}`
audit/syslog: Copy structure before hashing to avoid breaking result 2015-04-24 18:39:43 +00:00
Minor cleanup in audit backend (#2194) 2016-12-19 20:35:55 +00:00			`// Write out to syslog`
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains 2018-03-02 17:18:39 +00:00			`_, err := b.logger.Write(buf.Bytes())`
audit/syslog: first pass 2015-04-24 18:06:19 +00:00			`return err`
			`}`
Adds HUP support for audit log files to close and reopen. (#1953) Adds HUP support for audit log files to close and reopen. This makes it much easier to deal with normal log rotation methods. As part of testing this I noticed that HUP and other items that come out of command/server.go are going to stderr, which is where our normal log lines go. This isn't so much problematic with our normal output but as we officially move to supporting other formats this can cause interleaving issues, so I moved those to stdout instead. 2016-09-30 19:04:50 +00:00
Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b *Backend) Reload(_ context.Context) error {`
Adds HUP support for audit log files to close and reopen. (#1953) Adds HUP support for audit log files to close and reopen. This makes it much easier to deal with normal log rotation methods. As part of testing this I noticed that HUP and other items that come out of command/server.go are going to stderr, which is where our normal log lines go. This isn't so much problematic with our normal output but as we officially move to supporting other formats this can cause interleaving issues, so I moved those to stdout instead. 2016-09-30 19:04:50 +00:00			`return nil`
			`}`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00
Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`func (b Backend) Salt(ctx context.Context) (salt.Salt, error) {`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`b.saltMutex.RLock()`
			`if b.salt != nil {`
			`defer b.saltMutex.RUnlock()`
			`return b.salt, nil`
			`}`
			`b.saltMutex.RUnlock()`
			`b.saltMutex.Lock()`
			`defer b.saltMutex.Unlock()`
			`if b.salt != nil {`
			`return b.salt, nil`
			`}`
Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`salt, err := salt.NewSalt(ctx, b.saltView, b.saltConfig)`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`if err != nil {`
			`return nil, err`
			`}`
			`b.salt = salt`
			`return salt, nil`
			`}`

Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 06:44:44 +00:00			`func (b *Backend) Invalidate(_ context.Context) {`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`b.saltMutex.Lock()`
			`defer b.saltMutex.Unlock()`
			`b.salt = nil`
			`}`