From e4854ca59bcbf473207508ab81206881df99a366 Mon Sep 17 00:00:00 2001
From: Armon Dadgar
Date: Fri, 3 Apr 2015 14:27:33 -0700
Subject: [PATCH] vault: Allow deep paths for audit backends
---
 vault/audit.go | 24 ++++++++++++++++++------
 vault/audit_test.go | 4 ++--
 vault/logical_system_test.go | 2 +-
 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/vault/audit.go b/vault/audit.go
index 68e1eb3ae..765e8c9f2 100644
--- a/vault/audit.go
+++ b/vault/audit.go
@@ -33,17 +33,24 @@ func (c *Core) enableAudit(entry *MountEntry) error {
 c.audit.Lock()
 defer c.audit.Unlock()
- // Ensure there is a name
- if entry.Path == "" {
- return fmt.Errorf("backend path must be specified")
+ // Ensure we end the path in a slash
+ if !strings.HasSuffix(entry.Path, "/") {
+ entry.Path += "/"
 }
- if strings.Contains(entry.Path, "/") {
- return fmt.Errorf("backend path cannot have a forward slash")
+
+ // Ensure there is a name
+ if entry.Path == "/" {
+ return fmt.Errorf("backend path must be specified")
 }
 // Look for matching name
 for _, ent := range c.audit.Entries {
- if ent.Path == entry.Path {
+ switch {
+ // Existing is sql/mysql/ new is sql/ or
+ // existing is sql/ and new is sql/mysql/
+ case strings.HasPrefix(ent.Path, entry.Path):
+ fallthrough
+ case strings.HasPrefix(entry.Path, ent.Path):
 return fmt.Errorf("path already in use")
 }
 }
@@ -78,6 +85,11 @@ func (c *Core) disableAudit(path string) error {
 c.audit.Lock()
 defer c.audit.Unlock()
+ // Ensure we end the path in a slash
+ if !strings.HasSuffix(path, "/") {
+ path += "/"
+ }
+
 // Remove the entry from the mount table
 found := false
 newTable := c.audit.Clone()
diff --git a/vault/audit_test.go b/vault/audit_test.go
index c9bdd3103..ac4e7e6c1 100644
--- a/vault/audit_test.go
+++ b/vault/audit_test.go
@@ -53,7 +53,7 @@ func TestCore_EnableAudit(t *testing.T) {
 t.Fatalf("err: %v", err)
 }
- if !c.auditBroker.IsRegistered("foo") {
+ if !c.auditBroker.IsRegistered("foo/") {
 t.Fatalf("missing audit backend")
 }
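Review bot: In `enableAudit` (vault/audit.go), removing the forward-slash check leaves `entry.Path == "/"` as the only validation, so a path with a leading slash or an empty segment, such as `/foo/` or `//`, is now accepted and stored as written. Because the overlap test is a plain string-prefix comparison, `/foo/` and `foo/` would not collide and could presumably both be registered, which makes the audit table ambiguous for an operator. I would reject these right after the normalization, e.g. `if strings.HasPrefix(entry.Path, "/") || strings.Contains(entry.Path, "//") { return fmt.Errorf("backend path cannot start with a slash or contain empty segments") }`. The normalization also rewrites the caller's `*MountEntry` in place; a one-line comment stating that this is intended would help the next reader.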
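Review bot: In `disableAudit` (vault/audit.go), the trailing-slash normalization is a second copy of the one added to `enableAudit`, and the lookup that follows it (the function body continues outside this hunk) now only ever sees the slash-terminated form. If an audit table persisted before this change holds entries without the trailing slash, those entries presumably can no longer be matched when an operator tries to disable them; it is worth confirming whether the table is normalized on load. A small shared helper (for example `normalizeAuditPath(p string) string`, name is only a suggestion) would keep the two call sites from drifting apart.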
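Review bot: The changes to `TestCore_EnableAudit` (this hunk and the second hunk of vault/audit_test.go) only update the expected key to `foo/`; nothing exercises the behaviour the commit is named for. A case that enables a nested path such as `sql/mysql/` and then asserts that enabling `sql/` fails with `path already in use`, and the reverse order, would pin the new prefix-overlap check. A second case that enables `foo` and disables it via the un-slashed form would cover the normalization added to `disableAudit`.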
@@ -82,7 +82,7 @@ func TestCore_EnableAudit(t *testing.T) {
 }
 // Check for registration
- if !c2.auditBroker.IsRegistered("foo") {
+ if !c2.auditBroker.IsRegistered("foo/") {
 t.Fatalf("missing audit backend")
 }
 }
diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go
index 7e931e6a6..13633dc72 100644
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -551,7 +551,7 @@ func TestSystemBackend_auditTable(t *testing.T) {
 }
 exp := map[string]interface{}{
- "foo": map[string]interface{}{
+ "foo/": map[string]interface{}{
 "type": "noop",
 "description": "testing",
 "options": map[string]string{