Merge pull request #1980 from hashicorp/audit-update

Audit file update
2016-10-10 14:34:53 -04:00 · 2016-10-10 14:34:53 -04:00 · dcf44a8fc7
parent 53efd18dda 0da9d1ac0c
commit dcf44a8fc7
3 changed files with 112 additions and 2 deletions
--- a/builtin/audit/file/backend.go
+++ b/builtin/audit/file/backend.go
@ -54,8 +54,19 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 		logRaw = b
 	}

+	// Check if mode is provided
+	mode := os.FileMode(0600)
+	if modeRaw, ok := conf.Config["mode"]; ok {
+		m, err := strconv.ParseUint(modeRaw, 8, 32)
+		if err != nil {
+			return nil, err
+		}
+		mode = os.FileMode(m)
+	}
+
 	b := &Backend{
 		path: path,
+		mode: mode,
 		formatConfig: audit.FormatterConfig{
 			Raw:          logRaw,
 			Salt:         conf.Salt,
@ -93,6 +104,7 @@ type Backend struct {

 	fileLock sync.RWMutex
 	f        *os.File
+	mode     os.FileMode
 }

 func (b *Backend) GetHash(data string) string {
@ -131,12 +143,18 @@ func (b *Backend) open() error {
 	if b.f != nil {
 		return nil
 	}
-	if err := os.MkdirAll(filepath.Dir(b.path), 0600); err != nil {
+	if err := os.MkdirAll(filepath.Dir(b.path), b.mode); err != nil {
 		return err
 	}

 	var err error
-	b.f, err = os.OpenFile(b.path, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600)
+	b.f, err = os.OpenFile(b.path, os.O_APPEND|os.O_WRONLY|os.O_CREATE, b.mode)
+	if err != nil {
+		return err
+	}
+
+	// Change the file mode in case the log file already existed
+	err = os.Chmod(b.path, b.mode)
 	if err != nil {
 		return err
 	}
--- a/builtin/audit/file/backend_test.go
+++ b/builtin/audit/file/backend_test.go
@ -0,0 +1,85 @@
+package file
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"testing"
+
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/helper/salt"
+)
+
+func TestAuditFile_fileModeNew(t *testing.T) {
+	salter, _ := salt.NewSalt(nil, nil)
+
+	modeStr := "0777"
+	mode, err := strconv.ParseUint(modeStr, 8, 32)
+
+	path, err := ioutil.TempDir("", "vault-test_audit_file-file_mode_new")
+	defer os.RemoveAll(path)
+
+	file := filepath.Join(path, "auditTest.txt")
+
+	config := map[string]string{
+		"path": file,
+		"mode": modeStr,
+	}
+
+	_, err = Factory(&audit.BackendConfig{
+		Salt:   salter,
+		Config: config,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := os.Stat(file)
+	if err != nil {
+		t.Fatalf("Cannot retrieve file mode from `Stat`")
+	}
+	if info.Mode() != os.FileMode(mode) {
+		t.Fatalf("File mode does not match.")
+	}
+}
+
+func TestAuditFile_fileModeExisting(t *testing.T) {
+	salter, _ := salt.NewSalt(nil, nil)
+
+	f, err := ioutil.TempFile("", "test")
+	if err != nil {
+		t.Fatalf("Failure to create test file.")
+	}
+	defer os.Remove(f.Name())
+
+	err = os.Chmod(f.Name(), 0777)
+	if err != nil {
+		t.Fatalf("Failure to chmod temp file for testing.")
+	}
+
+	err = f.Close()
+	if err != nil {
+		t.Fatalf("Failure to close temp file for test.")
+	}
+
+	config := map[string]string{
+		"path": f.Name(),
+	}
+
+	_, err = Factory(&audit.BackendConfig{
+		Salt:   salter,
+		Config: config,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := os.Stat(f.Name())
+	if err != nil {
+		t.Fatalf("cannot retrieve file mode from `Stat`")
+	}
+	if info.Mode() != os.FileMode(0600) {
+		t.Fatalf("File mode does not match.")
+	}
+}
--- a/website/source/docs/audit/file.html.md
+++ b/website/source/docs/audit/file.html.md
@ -69,6 +69,13 @@ Following are the configuration options available for the backend.
        <span class="param-flags">optional</span>
            A boolean, if set, enables the hashing of token accessor. Defaults
            to `true`. This option is useful only when `log_raw` is `false`.
+      </li>
+	  <li>
+        <span class="param">mode</span>
+        <span class="param-flags">optional</span>
+            A string containing an octal number representing the bit pattern
+            for the file mode, similar to `chmod`. This option defaults to
+            `0600`.
      </li>
      <li>
        <span class="param">format</span>