Merge branch 'master' into ui-fix-select-arrow
This commit is contained in:
commit
9a31e039c9
|
@ -13,6 +13,7 @@ IMPROVEMENTS:
|
||||||
|
|
||||||
BUG FIXES:
|
BUG FIXES:
|
||||||
|
|
||||||
|
* core: Correctly honor non-HMAC request keys when auditing requests [GH-6653]
|
||||||
* replication: Fix an issue causing startup problems if a namespace policy
|
* replication: Fix an issue causing startup problems if a namespace policy
|
||||||
wasn't replicated properly
|
wasn't replicated properly
|
||||||
* replication: Properly update mount entry cache on a secondary to apply all
|
* replication: Properly update mount entry cache on a secondary to apply all
|
||||||
|
|
|
@ -709,7 +709,14 @@ func valueInParameterList(v interface{}, list []interface{}) bool {
|
||||||
|
|
||||||
func valueInSlice(v interface{}, list []interface{}) bool {
|
func valueInSlice(v interface{}, list []interface{}) bool {
|
||||||
for _, el := range list {
|
for _, el := range list {
|
||||||
if reflect.TypeOf(el).String() == "string" && reflect.TypeOf(v).String() == "string" {
|
if el == nil || v == nil {
|
||||||
|
// It doesn't seem possible to set up a nil entry in the list, but it is possible
|
||||||
|
// to pass in a null entry in the API request being checked. Just in case,
|
||||||
|
// nil will match nil.
|
||||||
|
if el == v {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
} else if reflect.TypeOf(el).String() == "string" && reflect.TypeOf(v).String() == "string" {
|
||||||
item := el.(string)
|
item := el.(string)
|
||||||
val := v.(string)
|
val := v.(string)
|
||||||
|
|
||||||
|
|
|
@ -549,6 +549,8 @@ func testACLValuePermissions(t *testing.T, ns *namespace.Namespace) {
|
||||||
{"foo/bar", []string{"deny"}, []interface{}{"bad glob"}, false},
|
{"foo/bar", []string{"deny"}, []interface{}{"bad glob"}, false},
|
||||||
{"foo/bar", []string{"deny"}, []interface{}{"good"}, true},
|
{"foo/bar", []string{"deny"}, []interface{}{"good"}, true},
|
||||||
{"foo/bar", []string{"allow"}, []interface{}{"good"}, true},
|
{"foo/bar", []string{"allow"}, []interface{}{"good"}, true},
|
||||||
|
{"foo/bar", []string{"deny"}, []interface{}{nil}, true},
|
||||||
|
{"foo/bar", []string{"allow"}, []interface{}{nil}, true},
|
||||||
{"foo/baz", []string{"aLLow"}, []interface{}{"good"}, true},
|
{"foo/baz", []string{"aLLow"}, []interface{}{"good"}, true},
|
||||||
{"foo/baz", []string{"deny"}, []interface{}{"bad"}, false},
|
{"foo/baz", []string{"deny"}, []interface{}{"bad"}, false},
|
||||||
{"foo/baz", []string{"deny"}, []interface{}{"good"}, false},
|
{"foo/baz", []string{"deny"}, []interface{}{"good"}, false},
|
||||||
|
@ -557,6 +559,7 @@ func testACLValuePermissions(t *testing.T, ns *namespace.Namespace) {
|
||||||
{"foo/baz", []string{"deNy", "allow"}, []interface{}{"bad", "good"}, false},
|
{"foo/baz", []string{"deNy", "allow"}, []interface{}{"bad", "good"}, false},
|
||||||
{"foo/baz", []string{"aLLow"}, []interface{}{"bad"}, false},
|
{"foo/baz", []string{"aLLow"}, []interface{}{"bad"}, false},
|
||||||
{"foo/baz", []string{"Neither"}, []interface{}{"bad"}, false},
|
{"foo/baz", []string{"Neither"}, []interface{}{"bad"}, false},
|
||||||
|
{"foo/baz", []string{"allow"}, []interface{}{nil}, false},
|
||||||
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good"}, true},
|
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good"}, true},
|
||||||
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good1"}, true},
|
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good1"}, true},
|
||||||
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good2"}, true},
|
{"fizz/buzz", []string{"allow_multi"}, []interface{}{"good2"}, true},
|
||||||
|
|
|
@ -914,9 +914,17 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
|
||||||
|
|
||||||
req.Unauthenticated = true
|
req.Unauthenticated = true
|
||||||
|
|
||||||
var auth *logical.Auth
|
var nonHMACReqDataKeys []string
|
||||||
|
entry := c.router.MatchingMountEntry(ctx, req.Path)
|
||||||
|
if entry != nil {
|
||||||
|
// Get and set ignored HMAC'd value.
|
||||||
|
if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
|
||||||
|
nonHMACReqDataKeys = rawVals.([]string)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Do an unauth check. This will cause EGP policies to be checked
|
// Do an unauth check. This will cause EGP policies to be checked
|
||||||
|
var auth *logical.Auth
|
||||||
var ctErr error
|
var ctErr error
|
||||||
auth, _, ctErr = c.checkToken(ctx, req, true)
|
auth, _, ctErr = c.checkToken(ctx, req, true)
|
||||||
if ctErr == logical.ErrPerfStandbyPleaseForward {
|
if ctErr == logical.ErrPerfStandbyPleaseForward {
|
||||||
|
@ -933,15 +941,6 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
|
||||||
errType = logical.ErrInvalidRequest
|
errType = logical.ErrInvalidRequest
|
||||||
}
|
}
|
||||||
|
|
||||||
var nonHMACReqDataKeys []string
|
|
||||||
entry := c.router.MatchingMountEntry(ctx, req.Path)
|
|
||||||
if entry != nil {
|
|
||||||
// Get and set ignored HMAC'd value.
|
|
||||||
if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
|
|
||||||
nonHMACReqDataKeys = rawVals.([]string)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
logInput := &audit.LogInput{
|
logInput := &audit.LogInput{
|
||||||
Auth: auth,
|
Auth: auth,
|
||||||
Request: req,
|
Request: req,
|
||||||
|
@ -967,6 +966,7 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
|
||||||
logInput := &audit.LogInput{
|
logInput := &audit.LogInput{
|
||||||
Auth: auth,
|
Auth: auth,
|
||||||
Request: req,
|
Request: req,
|
||||||
|
NonHMACReqDataKeys: nonHMACReqDataKeys,
|
||||||
}
|
}
|
||||||
if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
|
if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
|
||||||
c.logger.Error("failed to audit request", "path", req.Path, "error", err)
|
c.logger.Error("failed to audit request", "path", req.Path, "error", err)
|
||||||
|
|
Loading…
Reference in a new issue