From 92e3758291d9005d3dee63458654ecfb4274b1f0 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 8 May 2017 14:19:42 -0400
Subject: [PATCH] Don't hash time.Time values in return data maps, they may be useful for reconciling values and are not generally secret
---
 audit/hashstructure.go | 16 +++++-----------
 audit/hashstructure_test.go | 4 ++--
 2 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/audit/hashstructure.go b/audit/hashstructure.go
index 3d38a0612..8caf3eb79 100644
--- a/audit/hashstructure.go
+++ b/audit/hashstructure.go
@@ -207,21 +207,15 @@ func (w *hashWalker) Struct(v reflect.Value) error {
 return errors.New("time.Time value in a non map key cannot be hashed for audits")
 }
 
- // Override location to be a MapValue. loc is set to None since we
- // already "entered" the struct. We could do better here by keeping
- // a stack of locations and checking the last entry.
- w.loc = reflectwalk.MapValue
-
 // Create a string value of the time. IMPORTANT: this must never change
 // across Vault versions or the hash value of equivalent time.Time will
 // change.
- strVal := v.Interface().(time.Time).UTC().Format(time.RFC3339Nano)
+ strVal := v.Interface().(time.Time).Format(time.RFC3339Nano)
 
- // Walk it as if it were a primitive value with the string value.
- // This will replace the currenty map value (which is a time.Time).
- if err := w.Primitive(reflect.ValueOf(strVal)); err != nil {
- return err
- }
+ // Set the map value to the string instead of the time.Time object
+ m := w.cs[len(w.cs)-1]
+ mk := w.csData.(reflect.Value)
+ m.SetMapIndex(mk, reflect.ValueOf(strVal))
 
 // Skip this entry so that we don't walk the struct.
 return reflectwalk.SkipEntry
diff --git a/audit/hashstructure_test.go b/audit/hashstructure_test.go
index 5e6dafa54..49afa6eac 100644
--- a/audit/hashstructure_test.go
+++ b/audit/hashstructure_test.go
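Review bot: Dropping `.UTC()` from the `strVal` line makes the audit-log text for the same instant depend on the `time.Time`'s Location, so entries written by servers in different zones (or values that arrived with different offsets) are no longer byte-comparable even though RFC3339Nano keeps the instant unambiguous; keeping `strVal := v.Interface().(time.Time).UTC().Format(time.RFC3339Nano)` (with `now.UTC().Format(...)` on the test's expected side) preserves the normalization the old code had. The retained comment above that line still says the format must never change "or the hash value of equivalent time.Time will change", which is stale now that the value is written unhashed; suggest `// Format the time as a string. It is written to the audit log unhashed, so keep the format stable so entries stay comparable across versions.`. The new `w.cs[len(w.cs)-1]` and `w.csData.(reflect.Value)` lines index and type-assert without a check; they presumably rely on reflectwalk having pushed the enclosing map and key before this is reached under the MapValue guard, which is worth confirming because a mismatch would panic inside audit logging. Struct's opening guard condition and closing brace are outside this hunk.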
@@ -143,7 +143,7 @@ func TestHash(t *testing.T) {
 
 // Responses can contain time values, so test that with
 // a known fixed value.
- "bar": time.Unix(1494264707, 0),
+ "bar": now,
 },
 WrapInfo: &wrapping.ResponseWrapInfo{
 TTL: 60,
@@ -155,7 +155,7 @@ func TestHash(t *testing.T) {
 &logical.Response{
 Data: map[string]interface{}{
 "foo": "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
- "bar": "hmac-sha256:b09b815a7d1c3bbcf702f9c9a50ef6408d0935bea0154383a128ca8743eb06fc",
+ "bar": now.Format(time.RFC3339Nano),
 },
 WrapInfo: &wrapping.ResponseWrapInfo{
 TTL: 60,
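Review bot: The context comment `// a known fixed value.` above the changed `"bar": now,` line is now wrong, since `now` is a runtime value rather than a fixed instant; either reword it (`// Responses can contain time values; they are passed through formatted, not hashed.`) or keep a fixed instant such as the removed `time.Unix(1494264707, 0)` on both the input and the expected side so the case stays deterministic. In the second hunk the expected value `now.Format(time.RFC3339Nano)` is built with the same expression the implementation uses, so the test pins the output format only implicitly; a one-line comment stating that the RFC3339Nano form is part of the audit-log contract would make the intent explicit. `now` and the rest of TestHash are defined outside both hunks.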