Ensure that http_raw_body is always passed to the audit redaction system as a string

Before this it was passed as a []byte, which doesn't get HMAC'd.  The original non-HMACing behaviour can be obtained by adding "http_raw_body" to audit_non_hmac_response_keys. (#8130)
This commit is contained in:
ncabatoff 2020-02-03 11:53:02 -05:00 committed by GitHub
parent 9f99ff4912
commit 23c13f24f0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 32 additions and 27 deletions

View File

@ -65,42 +65,36 @@ func HashRequest(salter *salt.Salt, in *logical.Request, HMACAccessor bool, nonH
req.ClientTokenAccessor = fn(req.ClientTokenAccessor) req.ClientTokenAccessor = fn(req.ClientTokenAccessor)
} }
data, err := hashMap(fn, req.Data, nonHMACDataKeys) if req.Data != nil {
copy, err := copystructure.Copy(req.Data)
if err != nil { if err != nil {
return nil, err return nil, err
} }
req.Data = data err = hashMap(fn, copy.(map[string]interface{}), nonHMACDataKeys)
if err != nil {
return nil, err
}
req.Data = copy.(map[string]interface{})
}
return &req, nil return &req, nil
} }
func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) (map[string]interface{}, error) { func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) error {
if data == nil { for k, v := range data {
return nil, nil
}
copy, err := copystructure.Copy(data)
if err != nil {
return nil, err
}
newData := copy.(map[string]interface{})
for k, v := range newData {
if o, ok := v.(logical.OptMarshaler); ok { if o, ok := v.(logical.OptMarshaler); ok {
marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{ marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
ValueHasher: fn, ValueHasher: fn,
}) })
if err != nil { if err != nil {
return nil, err return err
} }
newData[k] = json.RawMessage(marshaled) data[k] = json.RawMessage(marshaled)
} }
} }
if err := HashStructure(newData, fn, nonHMACDataKeys); err != nil { return HashStructure(data, fn, nonHMACDataKeys)
return nil, err
}
return newData, nil
} }
// HashResponse returns a hashed copy of the logical.Request input. // HashResponse returns a hashed copy of the logical.Request input.
@ -124,12 +118,23 @@ func HashResponse(salter *salt.Salt, in *logical.Response, HMACAccessor bool, no
} }
} }
data, err := hashMap(fn, resp.Data, nonHMACDataKeys) if resp.Data != nil {
copy, err := copystructure.Copy(resp.Data)
if err != nil { if err != nil {
return nil, err return nil, err
} }
resp.Data = data
mapCopy := copy.(map[string]interface{})
if b, ok := mapCopy[logical.HTTPRawBody].([]byte); ok {
mapCopy[logical.HTTPRawBody] = string(b)
}
err = hashMap(fn, mapCopy, nonHMACDataKeys)
if err != nil {
return nil, err
}
resp.Data = mapCopy
}
if resp.WrapInfo != nil { if resp.WrapInfo != nil {
var err error var err error
resp.WrapInfo, err = HashWrapInfo(salter, resp.WrapInfo, HMACAccessor) resp.WrapInfo, err = HashWrapInfo(salter, resp.WrapInfo, HMACAccessor)