open-vault/audit/format_json_test.go

package audit

import (
	"bytes"
	"context"
	"encoding/json"
	"strings"
	"testing"
	"time"

	"errors"

	"fmt"

	"github.com/hashicorp/vault/helper/namespace"
	"github.com/hashicorp/vault/sdk/helper/jsonutil"
	"github.com/hashicorp/vault/sdk/helper/salt"
	"github.com/hashicorp/vault/sdk/logical"
)

func TestFormatJSON_formatRequest(t *testing.T) {
	salter, err := salt.NewSalt(context.Background(), nil, nil)
	if err != nil {
		t.Fatal(err)
	}
	saltFunc := func(context.Context) (*salt.Salt, error) {
		return salter, nil
	}

	expectedResultStr := fmt.Sprintf(testFormatJSONReqBasicStrFmt, salter.GetIdentifiedHMAC("foo"))

	cases := map[string]struct {
		Auth        *logical.Auth
		Req         *logical.Request
		Err         error
		Prefix      string
		ExpectedStr string
	}{
		"auth, request": {
			&logical.Auth{
				ClientToken: "foo",
				Accessor:    "bar",
				DisplayName: "testtoken",
				Policies:    []string{"root"},
				TokenType:   logical.TokenTypeService,
			},
			&logical.Request{
				Operation: logical.UpdateOperation,
				Path:      "/foo",
				Connection: &logical.Connection{
					RemoteAddr: "127.0.0.1",
				},
				WrapInfo: &logical.RequestWrapInfo{
					TTL: 60 * time.Second,
				},
				Headers: map[string][]string{
					"foo": []string{"bar"},
				},
			},
			errors.New("this is an error"),
			"",
			expectedResultStr,
		},
		"auth, request with prefix": {
			&logical.Auth{
				ClientToken: "foo",
				Accessor:    "bar",
				DisplayName: "testtoken",
				Policies:    []string{"root"},
				TokenType:   logical.TokenTypeService,
			},
			&logical.Request{
				Operation: logical.UpdateOperation,
				Path:      "/foo",
				Connection: &logical.Connection{
					RemoteAddr: "127.0.0.1",
				},
				WrapInfo: &logical.RequestWrapInfo{
					TTL: 60 * time.Second,
				},
				Headers: map[string][]string{
					"foo": []string{"bar"},
				},
			},
			errors.New("this is an error"),
			"@cee: ",
			expectedResultStr,
		},
	}

	for name, tc := range cases {
		var buf bytes.Buffer
		formatter := AuditFormatter{
			AuditFormatWriter: &JSONFormatWriter{
				Prefix:   tc.Prefix,
				SaltFunc: saltFunc,
			},
		}
		config := FormatterConfig{
			HMACAccessor: false,
		}
		in := &LogInput{
			Auth:     tc.Auth,
			Request:  tc.Req,
			OuterErr: tc.Err,
		}
		if err := formatter.FormatRequest(namespace.RootContext(nil), &buf, config, in); err != nil {
			t.Fatalf("bad: %s\nerr: %s", name, err)
		}

		if !strings.HasPrefix(buf.String(), tc.Prefix) {
			t.Fatalf("no prefix: %s \n log: %s\nprefix: %s", name, expectedResultStr, tc.Prefix)
		}

		var expectedjson = new(AuditRequestEntry)

		if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedjson); err != nil {
			t.Fatalf("bad json: %s", err)
		}
		expectedjson.Request.Namespace = AuditNamespace{ID: "root"}

		var actualjson = new(AuditRequestEntry)
		if err := jsonutil.DecodeJSON([]byte(buf.String())[len(tc.Prefix):], &actualjson); err != nil {
			t.Fatalf("bad json: %s", err)
		}

		expectedjson.Time = actualjson.Time

		expectedBytes, err := json.Marshal(expectedjson)
		if err != nil {
			t.Fatalf("unable to marshal json: %s", err)
		}

		if !strings.HasSuffix(strings.TrimSpace(buf.String()), string(expectedBytes)) {
			t.Fatalf(
				"bad: %s\nResult:\n\n'%s'\n\nExpected:\n\n'%s'",
				name, buf.String(), string(expectedBytes))
		}
	}
}

const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`package audit`

			`import (`
			`"bytes"`
Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`"context"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00			`"encoding/json"`
update tests 2015-08-05 14:44:48 +00:00			`"strings"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`"testing"`
Add more tests 2016-05-08 01:08:13 +00:00			`"time"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00
Fixing tests 2015-06-19 03:14:20 +00:00			`"errors"`
Create more granular ACL capabilities. This commit splits ACL policies into more fine-grained capabilities. This both drastically simplifies the checking code and makes it possible to support needed workflows that are not possible with the previous method. It is backwards compatible; policies containing a "policy" string are simply converted to a set of capabilities matching previous behavior. Fixes #724 (and others). 2016-01-07 20:10:05 +00:00
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00			`"fmt"`
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains 2018-03-02 17:18:39 +00:00
The big one (#5346) 2018-09-18 03:03:00 +00:00			`"github.com/hashicorp/vault/helper/namespace"`
Switch to go modules (#6585) * Switch to go modules * Make fmt 2019-04-13 07:44:06 +00:00			`"github.com/hashicorp/vault/sdk/helper/jsonutil"`
Create sdk/ and api/ submodules (#6583) 2019-04-12 21:54:35 +00:00			`"github.com/hashicorp/vault/sdk/helper/salt"`
			`"github.com/hashicorp/vault/sdk/logical"`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`)`

			`func TestFormatJSON_formatRequest(t *testing.T) {`
Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`salter, err := salt.NewSalt(context.Background(), nil, nil)`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Add context to the NewSalt function (#4102) 2018-03-08 19:21:11 +00:00			`saltFunc := func(context.Context) (*salt.Salt, error) {`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`return salter, nil`
			`}`
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00
			`expectedResultStr := fmt.Sprintf(testFormatJSONReqBasicStrFmt, salter.GetIdentifiedHMAC("foo"))`

audit: JSON formatter 2015-04-13 21:12:03 +00:00			`cases := map[string]struct {`
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00			`Auth *logical.Auth`
			`Req *logical.Request`
			`Err error`
			`Prefix string`
			`ExpectedStr string`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`}{`
			`"auth, request": {`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`&logical.Auth{`
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a. 2019-02-01 16:23:40 +00:00			`ClientToken: "foo",`
			`Accessor: "bar",`
			`DisplayName: "testtoken",`
			`Policies: []string{"root"},`
			`TokenType: logical.TokenTypeService,`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`},`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`&logical.Request{`
WriteOperation -> UpdateOperation 2016-01-07 15:30:47 +00:00			`Operation: logical.UpdateOperation,`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`Path: "/foo",`
Fixing tests 2015-06-19 03:14:20 +00:00			`Connection: &logical.Connection{`
			`RemoteAddr: "127.0.0.1",`
			`},`
JWT wrapping tokens (#2172) 2017-01-04 21:44:03 +00:00			`WrapInfo: &logical.RequestWrapInfo{`
			`TTL: 60 * time.Second,`
			`},`
Configure the request headers that are output to the audit log (#2321) * Add /sys/config/audited-headers endpoint for configuring the headers that will be audited * Remove some debug lines * Add a persistant layer and refactor a bit * update the api endpoints to be more restful * Add comments and clean up a few functions * Remove unneeded hash structure functionaility * Fix existing tests * Add tests * Add test for Applying the header config * Add Benchmark for the ApplyConfig method * ResetTimer on the benchmark: * Update the headers comment * Add test for audit broker * Use hyphens instead of camel case * Add size paramater to the allocation of the result map * Fix the tests for the audit broker * PR feedback * update the path and permissions on config/* paths * Add docs file * Fix TestSystemBackend_RootPaths test 2017-02-02 19:49:20 +00:00			`Headers: map[string][]string{`
			`"foo": []string{"bar"},`
			`},`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`},`
Fixing tests 2015-06-19 03:14:20 +00:00			`errors.New("this is an error"),`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`"",`
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00			`expectedResultStr,`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`},`
			`"auth, request with prefix": {`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`&logical.Auth{`
Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a. 2019-02-01 16:23:40 +00:00			`ClientToken: "foo",`
			`Accessor: "bar",`
			`DisplayName: "testtoken",`
			`Policies: []string{"root"},`
			`TokenType: logical.TokenTypeService,`
Batch tokens (#755) 2018-10-15 16:56:24 +00:00			`},`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`&logical.Request{`
			`Operation: logical.UpdateOperation,`
			`Path: "/foo",`
			`Connection: &logical.Connection{`
			`RemoteAddr: "127.0.0.1",`
			`},`
			`WrapInfo: &logical.RequestWrapInfo{`
			`TTL: 60 * time.Second,`
			`},`
			`Headers: map[string][]string{`
			`"foo": []string{"bar"},`
			`},`
			`},`
			`errors.New("this is an error"),`
			`"@cee: ",`
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00			`expectedResultStr,`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`},`
			`}`

			`for name, tc := range cases {`
			`var buf bytes.Buffer`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`formatter := AuditFormatter{`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`AuditFormatWriter: &JSONFormatWriter{`
Delay salt initialization for audit backends 2017-05-24 00:36:20 +00:00			`Prefix: tc.Prefix,`
			`SaltFunc: saltFunc,`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`},`
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`}`
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00			`config := FormatterConfig{`
			`HMACAccessor: false,`
			`}`
Non-HMAC audit values (#4033) * Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains 2018-03-02 17:18:39 +00:00			`in := &LogInput{`
			`Auth: tc.Auth,`
			`Request: tc.Req,`
			`OuterErr: tc.Err,`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`if err := formatter.FormatRequest(namespace.RootContext(nil), &buf, config, in); err != nil {`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`t.Fatalf("bad: %s\nerr: %s", name, err)`
			`}`

audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`if !strings.HasPrefix(buf.String(), tc.Prefix) {`
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00			`t.Fatalf("no prefix: %s \n log: %s\nprefix: %s", name, expectedResultStr, tc.Prefix)`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`}`

Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`var expectedjson = new(AuditRequestEntry)`
Log auth info on permission denied due to ACL (#2754) 2017-06-05 22:04:31 +00:00
			`if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedjson); err != nil {`
update tests 2015-08-05 14:44:48 +00:00			`t.Fatalf("bad json: %s", err)`
			`}`
The big one (#5346) 2018-09-18 03:03:00 +00:00			`expectedjson.Request.Namespace = AuditNamespace{ID: "root"}`
update tests 2015-08-05 14:44:48 +00:00
Transit and audit enhancements 2016-09-21 14:29:42 +00:00			`var actualjson = new(AuditRequestEntry)`
audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`if err := jsonutil.DecodeJSON([]byte(buf.String())[len(tc.Prefix):], &actualjson); err != nil {`
update tests 2015-08-05 14:44:48 +00:00			`t.Fatalf("bad json: %s", err)`
			`}`

			`expectedjson.Time = actualjson.Time`

			`expectedBytes, err := json.Marshal(expectedjson)`
			`if err != nil {`
			`t.Fatalf("unable to marshal json: %s", err)`
			`}`

audit: support a configurable prefix string to write before each message (#2359) A static token at the beginning of a log line can help systems parse logs better. For example, rsyslog and syslog-ng will recognize the '@cee: ' prefix and will parse the rest of the line as a valid json message. This is useful in environments where there is a mix of structured and unstructured logs. 2017-02-11 00:56:28 +00:00			`if !strings.HasSuffix(strings.TrimSpace(buf.String()), string(expectedBytes)) {`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`t.Fatalf(`
update tests 2015-08-05 14:44:48 +00:00			`"bad: %s\nResult:\n\n'%s'\n\nExpected:\n\n'%s'",`
			`name, buf.String(), string(expectedBytes))`
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`}`
			`}`
			`}`

Revert "Refactor common token fields and operations into a helper (#5953)" This reverts commit 66c226c593bb1cd48cfd8364ac8510cb42b7d67a. 2019-02-01 16:23:40 +00:00			const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
audit: JSON formatter 2015-04-13 21:12:03 +00:00			`