Ensure that http_raw_body is always passed to the audit redaction system as a string
Before this it was passed as a []byte, which doesn't get HMAC'd. The original non-HMACing behaviour can be obtained by adding "http_raw_body" to audit_non_hmac_response_keys. (#8130)
This commit is contained in:
ncabatoff
GitHub
parent
9f99ff4912
commit
23c13f24f0
|
|
@ -65,42 +65,36 @@ func HashRequest(salter *salt.Salt, in *logical.Request, HMACAccessor bool, nonH
|
||||||
req.ClientTokenAccessor = fn(req.ClientTokenAccessor)
|
req.ClientTokenAccessor = fn(req.ClientTokenAccessor)
|
||||||
}
|
}
|
||||||
|
|
||||||
data, err := hashMap(fn, req.Data, nonHMACDataKeys)
|
if req.Data != nil {
|
||||||
if err != nil {
|
copy, err := copystructure.Copy(req.Data)
|
||||||
return nil, err
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
|
||||||
|
err = hashMap(fn, copy.(map[string]interface{}), nonHMACDataKeys)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
req.Data = copy.(map[string]interface{})
|
||||||
}
|
}
|
||||||
|
|
||||||
req.Data = data
|
|
||||||
return &req, nil
|
return &req, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) (map[string]interface{}, error) {
|
func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) error {
|
||||||
if data == nil {
|
for k, v := range data {
|
||||||
return nil, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
copy, err := copystructure.Copy(data)
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
newData := copy.(map[string]interface{})
|
|
||||||
for k, v := range newData {
|
|
||||||
if o, ok := v.(logical.OptMarshaler); ok {
|
if o, ok := v.(logical.OptMarshaler); ok {
|
||||||
marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
|
marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
|
||||||
ValueHasher: fn,
|
ValueHasher: fn,
|
||||||
})
|
})
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return err
|
||||||
}
|
}
|
||||||
newData[k] = json.RawMessage(marshaled)
|
data[k] = json.RawMessage(marshaled)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := HashStructure(newData, fn, nonHMACDataKeys); err != nil {
|
return HashStructure(data, fn, nonHMACDataKeys)
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
|
|
||||||
return newData, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// HashResponse returns a hashed copy of the logical.Request input.
|
// HashResponse returns a hashed copy of the logical.Request input.
|
||||||
|
|
@ -124,12 +118,23 @@ func HashResponse(salter *salt.Salt, in *logical.Response, HMACAccessor bool, no
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
data, err := hashMap(fn, resp.Data, nonHMACDataKeys)
|
if resp.Data != nil {
|
||||||
if err != nil {
|
copy, err := copystructure.Copy(resp.Data)
|
||||||
return nil, err
|
if err != nil {
|
||||||
}
|
return nil, err
|
||||||
resp.Data = data
|
}
|
||||||
|
|
||||||
|
mapCopy := copy.(map[string]interface{})
|
||||||
|
if b, ok := mapCopy[logical.HTTPRawBody].([]byte); ok {
|
||||||
|
mapCopy[logical.HTTPRawBody] = string(b)
|
||||||
|
}
|
||||||
|
|
||||||
|
err = hashMap(fn, mapCopy, nonHMACDataKeys)
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
resp.Data = mapCopy
|
||||||
|
}
|
||||||
if resp.WrapInfo != nil {
|
if resp.WrapInfo != nil {
|
||||||
var err error
|
var err error
|
||||||
resp.WrapInfo, err = HashWrapInfo(salter, resp.WrapInfo, HMACAccessor)
|
resp.WrapInfo, err = HashWrapInfo(salter, resp.WrapInfo, HMACAccessor)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue