From ff2e8053e80ddafbacd13685425e0b3e61d9b5c0 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Tue, 28 May 2019 16:24:30 -0500
Subject: [PATCH] Fully omitempty audit (#6727)

---
 audit/format.go | 94 +++++++++++++++++++-------------------
 audit/format_json_test.go | 6 ++-
 audit/format_jsonx_test.go | 26 +++++++----
 3 files changed, 69 insertions(+), 57 deletions(-)

diff --git a/audit/format.go b/audit/format.go
index 796ffe4a0..aaa4edf82 100644
--- a/audit/format.go
+++ b/audit/format.go
@@ -145,7 +145,7 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
 			Type: reqType,
 			Error: errString,
 
-			Auth: AuditAuth{
+			Auth: &AuditAuth{
 				ClientToken: auth.ClientToken,
 				Accessor: auth.Accessor,
 				DisplayName: auth.DisplayName,
@@ -159,12 +159,12 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
 				TokenType: auth.TokenType.String(),
 			},
 
-			Request: AuditRequest{
+			Request: &AuditRequest{
 				ID: req.ID,
 				ClientToken: req.ClientToken,
 				ClientTokenAccessor: req.ClientTokenAccessor,
 				Operation: req.Operation,
-				Namespace: AuditNamespace{
+				Namespace: &AuditNamespace{
 					ID: ns.ID,
 					Path: ns.Path,
 				},
@@ -389,7 +389,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 		respEntry := &AuditResponseEntry{
 			Type: respType,
 			Error: errString,
-			Auth: AuditAuth{
+			Auth: &AuditAuth{
 				ClientToken: auth.ClientToken,
 				Accessor: auth.Accessor,
 				DisplayName: auth.DisplayName,
@@ -403,12 +403,12 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 				TokenType: auth.TokenType.String(),
 			},
 
-			Request: AuditRequest{
+			Request: &AuditRequest{
 				ID: req.ID,
 				ClientToken: req.ClientToken,
 				ClientTokenAccessor: req.ClientTokenAccessor,
 				Operation: req.Operation,
-				Namespace: AuditNamespace{
+				Namespace: &AuditNamespace{
 					ID: ns.ID,
 					Path: ns.Path,
 				},
@@ -421,7 +421,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 				Headers: req.Headers,
 			},
 
-			Response: AuditResponse{
+			Response: &AuditResponse{
 				Auth: respAuth,
 				Secret: respSecret,
 				Data: resp.Data,
@@ -445,37 +445,37 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 
 // AuditRequestEntry is the structure of a request audit log entry in Audit.
 type AuditRequestEntry struct {
-	Time string `json:"time,omitempty"`
-	Type string `json:"type"`
-	Auth AuditAuth `json:"auth"`
-	Request AuditRequest `json:"request"`
-	Error string `json:"error"`
+	Time string `json:"time,omitempty"`
+	Type string `json:"type,omitempty"`
+	Auth *AuditAuth `json:"auth,omitempty"`
+	Request *AuditRequest `json:"request,omitempty"`
+	Error string `json:"error,omitempty"`
 }
 
 // AuditResponseEntry is the structure of a response audit log entry in Audit.
 type AuditResponseEntry struct {
-	Time string `json:"time,omitempty"`
-	Type string `json:"type"`
-	Auth AuditAuth `json:"auth"`
-	Request AuditRequest `json:"request"`
-	Response AuditResponse `json:"response"`
-	Error string `json:"error"`
+	Time string `json:"time,omitempty"`
+	Type string `json:"type,omitempty"`
+	Auth *AuditAuth `json:"auth,omitempty"`
+	Request *AuditRequest `json:"request,omitempty"`
+	Response *AuditResponse `json:"response,omitempty"`
+	Error string `json:"error,omitempty"`
 }
 
 type AuditRequest struct {
-	ID string `json:"id"`
-	ReplicationCluster string `json:"replication_cluster,omitempty"`
-	Operation logical.Operation `json:"operation"`
-	ClientToken string `json:"client_token"`
-	ClientTokenAccessor string `json:"client_token_accessor"`
-	Namespace AuditNamespace `json:"namespace"`
-	Path string `json:"path"`
-	Data map[string]interface{} `json:"data"`
-	PolicyOverride bool `json:"policy_override"`
-	RemoteAddr string `json:"remote_address"`
-	WrapTTL int `json:"wrap_ttl"`
-	Headers map[string][]string `json:"headers"`
-	ClientCertificateSerialNumber string `json:"client_certificate_serial_number,omitempty"`
+	ID string `json:"id,omitempty"`
+	ReplicationCluster string `json:"replication_cluster,omitempty"`
+	Operation logical.Operation `json:"operation,omitempty"`
+	ClientToken string `json:"client_token,omitempty"`
+	ClientTokenAccessor string `json:"client_token_accessor,omitempty"`
+	Namespace *AuditNamespace `json:"namespace,omitempty"`
+	Path string `json:"path,omitempty"`
+	Data map[string]interface{} `json:"data,omitempty"`
+	PolicyOverride bool `json:"policy_override,omitempty"`
+	RemoteAddr string `json:"remote_address,omitempty"`
+	WrapTTL int `json:"wrap_ttl,omitempty"`
+	Headers map[string][]string `json:"headers,omitempty"`
+	ClientCertificateSerialNumber string `json:"client_certificate_serial_number,omitempty"`
 }
 
 type AuditResponse struct {
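Review bot: Adding `omitempty` to `Type`, `Error`, `PolicyOverride` and `WrapTTL` in `AuditRequestEntry`/`AuditRequest` changes the audit wire format so that zero values are dropped instead of written explicitly: a consumer can no longer tell `policy_override:false` or `wrap_ttl:0` from a field that was never populated, and `type`, the discriminator between request and response entries, is no longer guaranteed by the tag even though FormatRequest currently always sets it. For a log whose whole purpose is to be a complete record for later review, that silently affects downstream parsers and alerting keyed on these fields; the jsonx test in this PR had to switch to `PolicyOverride: true` to keep its expected output, which shows the information loss. I would leave `Type` without `omitempty` and either keep the bool/int fields explicit or state the new contract on the struct, e.g. `// Zero-valued fields are omitted from the encoded entry; an absent policy_override means false.` The same consideration applies to `TTL` in `AuditResponseWrapInfo` and the `AuditAuth` fields in the next hunk.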
@@ -485,40 +485,40 @@ type AuditResponse struct {
 	Warnings []string `json:"warnings,omitempty"`
 	Redirect string `json:"redirect,omitempty"`
 	WrapInfo *AuditResponseWrapInfo `json:"wrap_info,omitempty"`
-	Headers map[string][]string `json:"headers"`
+	Headers map[string][]string `json:"headers,omitempty"`
 }
 
 type AuditAuth struct {
-	ClientToken string `json:"client_token"`
-	Accessor string `json:"accessor"`
-	DisplayName string `json:"display_name"`
-	Policies []string `json:"policies"`
+	ClientToken string `json:"client_token,omitempty"`
+	Accessor string `json:"accessor,omitempty"`
+	DisplayName string `json:"display_name,omitempty"`
+	Policies []string `json:"policies,omitempty"`
 	TokenPolicies []string `json:"token_policies,omitempty"`
 	IdentityPolicies []string `json:"identity_policies,omitempty"`
 	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"`
-	Metadata map[string]string `json:"metadata"`
+	Metadata map[string]string `json:"metadata,omitempty"`
 	NumUses int `json:"num_uses,omitempty"`
 	RemainingUses int `json:"remaining_uses,omitempty"`
-	EntityID string `json:"entity_id"`
-	TokenType string `json:"token_type"`
+	EntityID string `json:"entity_id,omitempty"`
+	TokenType string `json:"token_type,omitempty"`
 }
 
 type AuditSecret struct {
-	LeaseID string `json:"lease_id"`
+	LeaseID string `json:"lease_id,omitempty"`
 }
 
 type AuditResponseWrapInfo struct {
-	TTL int `json:"ttl"`
-	Token string `json:"token"`
-	Accessor string `json:"accessor"`
-	CreationTime string `json:"creation_time"`
-	CreationPath string `json:"creation_path"`
+	TTL int `json:"ttl,omitempty"`
+	Token string `json:"token,omitempty"`
+	Accessor string `json:"accessor,omitempty"`
+	CreationTime string `json:"creation_time,omitempty"`
+	CreationPath string `json:"creation_path,omitempty"`
 	WrappedAccessor string `json:"wrapped_accessor,omitempty"`
 }
 
 type AuditNamespace struct {
-	ID string `json:"id"`
-	Path string `json:"path"`
+	ID string `json:"id,omitempty"`
+	Path string `json:"path,omitempty"`
 }
 
 // getRemoteAddr safely gets the remote address avoiding a nil pointer
diff --git a/audit/format_json_test.go b/audit/format_json_test.go
index 26ff79ddc..a937eb342 100644
--- a/audit/format_json_test.go
+++ b/audit/format_json_test.go
@@ -40,6 +40,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 			&logical.Auth{
 				ClientToken: "foo",
 				Accessor: "bar",
+				EntityID: "foobarentity",
 				DisplayName: "testtoken",
 				Policies: []string{"root"},
 				TokenType: logical.TokenTypeService,
@@ -65,6 +66,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 			&logical.Auth{
 				ClientToken: "foo",
 				Accessor: "bar",
+				EntityID: "foobarentity",
 				DisplayName: "testtoken",
 				Policies: []string{"root"},
 				TokenType: logical.TokenTypeService,
@@ -117,7 +119,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 		if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedjson); err != nil {
 			t.Fatalf("bad json: %s", err)
 		}
-		expectedjson.Request.Namespace = AuditNamespace{ID: "root"}
+		expectedjson.Request.Namespace = &AuditNamespace{ID: "root"}
 
 		var actualjson = new(AuditRequestEntry)
 		if err := jsonutil.DecodeJSON([]byte(buf.String())[len(tc.Prefix):], &actualjson); err != nil {
@@ -139,5 +141,5 @@ func TestFormatJSON_formatRequest(t *testing.T) {
 	}
 }
 
-const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
+const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"foobarentity","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
 `
diff --git a/audit/format_jsonx_test.go b/audit/format_jsonx_test.go
index 2ad30a923..d5239277a 100644
--- a/audit/format_jsonx_test.go
+++ b/audit/format_jsonx_test.go
@@ -39,13 +39,17 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 			&logical.Auth{
 				ClientToken: "foo",
 				Accessor: "bar",
+				EntityID: "foobarentity",
 				DisplayName: "testtoken",
 				Policies: []string{"root"},
 				TokenType: logical.TokenTypeService,
 			},
 			&logical.Request{
-				Operation: logical.UpdateOperation,
-				Path: "/foo",
+				ID: "request",
+				ClientToken: "foo",
+				ClientTokenAccessor: "bar",
+				Operation: logical.UpdateOperation,
+				Path: "/foo",
 				Connection: &logical.Connection{
 					RemoteAddr: "127.0.0.1",
 				},
@@ -55,24 +59,29 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 				Headers: map[string][]string{
 					"foo": []string{"bar"},
 				},
+				PolicyOverride: true,
 			},
 			errors.New("this is an error"),
 			"",
 			"",
-			fmt.Sprintf(`bar%stesttokenrootservicethis is an errorbarrootupdate/foofalse127.0.0.160request`,
-				fooSalted),
+			fmt.Sprintf(`bar%stesttokenfoobarentityrootservicethis is an error%sbarbarrequestrootupdate/footrue127.0.0.160request`,
+				fooSalted, fooSalted),
 		},
 		"auth, request with prefix": {
 			&logical.Auth{
 				ClientToken: "foo",
 				Accessor: "bar",
+				EntityID: "foobarentity",
 				DisplayName: "testtoken",
 				Policies: []string{"root"},
 				TokenType: logical.TokenTypeService,
 			},
 			&logical.Request{
-				Operation: logical.UpdateOperation,
-				Path: "/foo",
+				ID: "request",
+				ClientToken: "foo",
+				ClientTokenAccessor: "bar",
+				Operation: logical.UpdateOperation,
+				Path: "/foo",
 				Connection: &logical.Connection{
 					RemoteAddr: "127.0.0.1",
 				},
@@ -82,12 +91,13 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
 				Headers: map[string][]string{
 					"foo": []string{"bar"},
 				},
+				PolicyOverride: true,
 			},
 			errors.New("this is an error"),
 			"",
 			"@cee: ",
-			fmt.Sprintf(`bar%stesttokenrootservicethis is an errorbarrootupdate/foofalse127.0.0.160request`,
-				fooSalted),
+			fmt.Sprintf(`bar%stesttokenfoobarentityrootservicethis is an error%sbarbarrequestrootupdate/footrue127.0.0.160request`,
+				fooSalted, fooSalted),
 		},
 	}
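Review bot: Both cases in this hunk now set `PolicyOverride: true` and the expected strings lose the former `false` token, so after this change no test exercises how a zero-valued `policy_override` (or `wrap_ttl`) is rendered, which is precisely the behaviour the new `omitempty` tags alter. Keeping one case with `PolicyOverride` unset, and an expected output without the field, would pin the new contract (absent means false) and catch a later regression that re-emits or mis-encodes it. The `@@ -82,12 +91,13` hunk below makes the same substitution; its last line appears to lie outside this view.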