Don't hash time.Time values in return data maps, they may be useful for reconciling values and are not generally secret

audit/hashstructure.go

@@ -207,21 +207,15 @@ func (w *hashWalker) Struct(v reflect.Value) error {
 		return errors.New("time.Time value in a non map key cannot be hashed for audits")
 	}
 
-	// Override location to be a MapValue. loc is set to None since we
-	// already "entered" the struct. We could do better here by keeping
-	// a stack of locations and checking the last entry.
-	w.loc = reflectwalk.MapValue
-
 	// Create a string value of the time. IMPORTANT: this must never change
 	// across Vault versions or the hash value of equivalent time.Time will
 	// change.
-	strVal := v.Interface().(time.Time).UTC().Format(time.RFC3339Nano)
+	strVal := v.Interface().(time.Time).Format(time.RFC3339Nano)
 
-	// Walk it as if it were a primitive value with the string value.
+	// Set the map value to the string instead of the time.Time object
-	// This will replace the currenty map value (which is a time.Time).
+	m := w.cs[len(w.cs)-1]
-	if err := w.Primitive(reflect.ValueOf(strVal)); err != nil {
+	mk := w.csData.(reflect.Value)
-		return err
+	m.SetMapIndex(mk, reflect.ValueOf(strVal))
-	}
 
 	// Skip this entry so that we don't walk the struct.
 	return reflectwalk.SkipEntry

audit/hashstructure_test.go

@@ -143,7 +143,7 @@ func TestHash(t *testing.T) {
 
 					// Responses can contain time values, so test that with
 					// a known fixed value.
-					"bar": time.Unix(1494264707, 0),
+					"bar": now,
 				},
 				WrapInfo: &wrapping.ResponseWrapInfo{
 					TTL:             60,
@@ -155,7 +155,7 @@ func TestHash(t *testing.T) {
 			&logical.Response{
 				Data: map[string]interface{}{
 					"foo": "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
-					"bar": "hmac-sha256:b09b815a7d1c3bbcf702f9c9a50ef6408d0935bea0154383a128ca8743eb06fc",
+					"bar": now.Format(time.RFC3339Nano),
 				},
 				WrapInfo: &wrapping.ResponseWrapInfo{
 					TTL:             60,