Ensure that http_raw_body is always passed to the audit redaction system as a string
Before this it was passed as a []byte, which doesn't get HMAC'd. The original non-HMACing behaviour can be obtained by adding "http_raw_body" to audit_non_hmac_response_keys. (#8130)
This commit is contained in:
ncabatoff
GitHub
parent
9f99ff4912
commit
23c13f24f0
|
|
@ -65,42 +65,36 @@ func HashRequest(salter *salt.Salt, in *logical.Request, HMACAccessor bool, nonH
|
|||
req.ClientTokenAccessor = fn(req.ClientTokenAccessor)
|
||||
}
|
||||
|
||||
data, err := hashMap(fn, req.Data, nonHMACDataKeys)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
if req.Data != nil {
|
||||
copy, err := copystructure.Copy(req.Data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err = hashMap(fn, copy.(map[string]interface{}), nonHMACDataKeys)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
req.Data = copy.(map[string]interface{})
|
||||
}
|
||||
|
||||
req.Data = data
|
||||
return &req, nil
|
||||
}
|
||||
|
||||
func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) (map[string]interface{}, error) {
|
||||
if data == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
copy, err := copystructure.Copy(data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
newData := copy.(map[string]interface{})
|
||||
for k, v := range newData {
|
||||
func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) error {
|
||||
for k, v := range data {
|
||||
if o, ok := v.(logical.OptMarshaler); ok {
|
||||
marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
|
||||
ValueHasher: fn,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
newData[k] = json.RawMessage(marshaled)
|
||||
data[k] = json.RawMessage(marshaled)
|
||||
}
|
||||
}
|
||||
|
||||
if err := HashStructure(newData, fn, nonHMACDataKeys); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return newData, nil
|
||||
return HashStructure(data, fn, nonHMACDataKeys)
|
||||
}
|
||||
|
||||
// HashResponse returns a hashed copy of the logical.Request input.
|
||||
|
|
@ -124,12 +118,23 @@ func HashResponse(salter *salt.Salt, in *logical.Response, HMACAccessor bool, no
|
|||
}
|
||||
}
|
||||
|
||||
data, err := hashMap(fn, resp.Data, nonHMACDataKeys)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
resp.Data = data
|
||||
if resp.Data != nil {
|
||||
copy, err := copystructure.Copy(resp.Data)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
mapCopy := copy.(map[string]interface{})
|
||||
if b, ok := mapCopy[logical.HTTPRawBody].([]byte); ok {
|
||||
mapCopy[logical.HTTPRawBody] = string(b)
|
||||
}
|
||||
|
||||
err = hashMap(fn, mapCopy, nonHMACDataKeys)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
resp.Data = mapCopy
|
||||
}
|
||||
if resp.WrapInfo != nil {
|
||||
var err error
|
||||
resp.WrapInfo, err = HashWrapInfo(salter, resp.WrapInfo, HMACAccessor)
|
||||
|
|
|
|||
Loading…
Reference in New Issue