Fully omitempty audit (#6727)

This commit is contained in:
Jeff Mitchell 2019-05-28 16:24:30 -05:00 committed by GitHub
parent 2d727a5640
commit ff2e8053e8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 69 additions and 57 deletions


@ -145,7 +145,7 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
Type: reqType, Type: reqType,
Error: errString, Error: errString,
Auth: AuditAuth{ Auth: &AuditAuth{
ClientToken: auth.ClientToken, ClientToken: auth.ClientToken,
Accessor: auth.Accessor, Accessor: auth.Accessor,
DisplayName: auth.DisplayName, DisplayName: auth.DisplayName,
@ -159,12 +159,12 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
TokenType: auth.TokenType.String(), TokenType: auth.TokenType.String(),
}, },
Request: AuditRequest{ Request: &AuditRequest{
ID: req.ID, ID: req.ID,
ClientToken: req.ClientToken, ClientToken: req.ClientToken,
ClientTokenAccessor: req.ClientTokenAccessor, ClientTokenAccessor: req.ClientTokenAccessor,
Operation: req.Operation, Operation: req.Operation,
Namespace: AuditNamespace{ Namespace: &AuditNamespace{
ID: ns.ID, ID: ns.ID,
Path: ns.Path, Path: ns.Path,
}, },
@ -389,7 +389,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
respEntry := &AuditResponseEntry{ respEntry := &AuditResponseEntry{
Type: respType, Type: respType,
Error: errString, Error: errString,
Auth: AuditAuth{ Auth: &AuditAuth{
ClientToken: auth.ClientToken, ClientToken: auth.ClientToken,
Accessor: auth.Accessor, Accessor: auth.Accessor,
DisplayName: auth.DisplayName, DisplayName: auth.DisplayName,
@ -403,12 +403,12 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
TokenType: auth.TokenType.String(), TokenType: auth.TokenType.String(),
}, },
Request: AuditRequest{ Request: &AuditRequest{
ID: req.ID, ID: req.ID,
ClientToken: req.ClientToken, ClientToken: req.ClientToken,
ClientTokenAccessor: req.ClientTokenAccessor, ClientTokenAccessor: req.ClientTokenAccessor,
Operation: req.Operation, Operation: req.Operation,
Namespace: AuditNamespace{ Namespace: &AuditNamespace{
ID: ns.ID, ID: ns.ID,
Path: ns.Path, Path: ns.Path,
}, },
@ -421,7 +421,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
Headers: req.Headers, Headers: req.Headers,
}, },
Response: AuditResponse{ Response: &AuditResponse{
Auth: respAuth, Auth: respAuth,
Secret: respSecret, Secret: respSecret,
Data: resp.Data, Data: resp.Data,
@ -446,35 +446,35 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
// AuditRequestEntry is the structure of a request audit log entry in Audit. // AuditRequestEntry is the structure of a request audit log entry in Audit.
type AuditRequestEntry struct { type AuditRequestEntry struct {
Time string `json:"time,omitempty"` Time string `json:"time,omitempty"`
Type string `json:"type"` Type string `json:"type,omitempty"`
Auth AuditAuth `json:"auth"` Auth *AuditAuth `json:"auth,omitempty"`
Request AuditRequest `json:"request"` Request *AuditRequest `json:"request,omitempty"`
Error string `json:"error"` Error string `json:"error,omitempty"`
} }
// AuditResponseEntry is the structure of a response audit log entry in Audit. // AuditResponseEntry is the structure of a response audit log entry in Audit.
type AuditResponseEntry struct { type AuditResponseEntry struct {
Time string `json:"time,omitempty"` Time string `json:"time,omitempty"`
Type string `json:"type"` Type string `json:"type,omitempty"`
Auth AuditAuth `json:"auth"` Auth *AuditAuth `json:"auth,omitempty"`
Request AuditRequest `json:"request"` Request *AuditRequest `json:"request,omitempty"`
Response AuditResponse `json:"response"` Response *AuditResponse `json:"response,omitempty"`
Error string `json:"error"` Error string `json:"error,omitempty"`
} }
type AuditRequest struct { type AuditRequest struct {
ID string `json:"id"` ID string `json:"id,omitempty"`
ReplicationCluster string `json:"replication_cluster,omitempty"` ReplicationCluster string `json:"replication_cluster,omitempty"`
Operation logical.Operation `json:"operation"` Operation logical.Operation `json:"operation,omitempty"`
ClientToken string `json:"client_token"` ClientToken string `json:"client_token,omitempty"`
ClientTokenAccessor string `json:"client_token_accessor"` ClientTokenAccessor string `json:"client_token_accessor,omitempty"`
Namespace AuditNamespace `json:"namespace"` Namespace *AuditNamespace `json:"namespace,omitempty"`
Path string `json:"path"` Path string `json:"path,omitempty"`
Data map[string]interface{} `json:"data"` Data map[string]interface{} `json:"data,omitempty"`
PolicyOverride bool `json:"policy_override"` PolicyOverride bool `json:"policy_override,omitempty"`
RemoteAddr string `json:"remote_address"` RemoteAddr string `json:"remote_address,omitempty"`
WrapTTL int `json:"wrap_ttl"` WrapTTL int `json:"wrap_ttl,omitempty"`
Headers map[string][]string `json:"headers"` Headers map[string][]string `json:"headers,omitempty"`
ClientCertificateSerialNumber string `json:"client_certificate_serial_number,omitempty"` ClientCertificateSerialNumber string `json:"client_certificate_serial_number,omitempty"`
} }
@ -485,40 +485,40 @@ type AuditResponse struct {
Warnings []string `json:"warnings,omitempty"` Warnings []string `json:"warnings,omitempty"`
Redirect string `json:"redirect,omitempty"` Redirect string `json:"redirect,omitempty"`
WrapInfo *AuditResponseWrapInfo `json:"wrap_info,omitempty"` WrapInfo *AuditResponseWrapInfo `json:"wrap_info,omitempty"`
Headers map[string][]string `json:"headers"` Headers map[string][]string `json:"headers,omitempty"`
} }
type AuditAuth struct { type AuditAuth struct {
ClientToken string `json:"client_token"` ClientToken string `json:"client_token,omitempty"`
Accessor string `json:"accessor"` Accessor string `json:"accessor,omitempty"`
DisplayName string `json:"display_name"` DisplayName string `json:"display_name,omitempty"`
Policies []string `json:"policies"` Policies []string `json:"policies,omitempty"`
TokenPolicies []string `json:"token_policies,omitempty"` TokenPolicies []string `json:"token_policies,omitempty"`
IdentityPolicies []string `json:"identity_policies,omitempty"` IdentityPolicies []string `json:"identity_policies,omitempty"`
ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"` ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"`
Metadata map[string]string `json:"metadata"` Metadata map[string]string `json:"metadata,omitempty"`
NumUses int `json:"num_uses,omitempty"` NumUses int `json:"num_uses,omitempty"`
RemainingUses int `json:"remaining_uses,omitempty"` RemainingUses int `json:"remaining_uses,omitempty"`
EntityID string `json:"entity_id"` EntityID string `json:"entity_id,omitempty"`
TokenType string `json:"token_type"` TokenType string `json:"token_type,omitempty"`
} }
type AuditSecret struct { type AuditSecret struct {
LeaseID string `json:"lease_id"` LeaseID string `json:"lease_id,omitempty"`
} }
type AuditResponseWrapInfo struct { type AuditResponseWrapInfo struct {
TTL int `json:"ttl"` TTL int `json:"ttl,omitempty"`
Token string `json:"token"` Token string `json:"token,omitempty"`
Accessor string `json:"accessor"` Accessor string `json:"accessor,omitempty"`
CreationTime string `json:"creation_time"` CreationTime string `json:"creation_time,omitempty"`
CreationPath string `json:"creation_path"` CreationPath string `json:"creation_path,omitempty"`
WrappedAccessor string `json:"wrapped_accessor,omitempty"` WrappedAccessor string `json:"wrapped_accessor,omitempty"`
} }
type AuditNamespace struct { type AuditNamespace struct {
ID string `json:"id"` ID string `json:"id,omitempty"`
Path string `json:"path"` Path string `json:"path,omitempty"`
} }
// getRemoteAddr safely gets the remote address avoiding a nil pointer // getRemoteAddr safely gets the remote address avoiding a nil pointer
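Review bot: The struct changes at the end of this section make every zero-valued field disappear from the emitted audit entry, which is a wire-format change for log consumers that the hunk does not document: `"policy_override":false`, `"wrap_ttl":0`, `"error":""` and nil `metadata`/`data` maps are no longer present as keys, and a `wrap_ttl`, `ttl` or `num_uses` of 0 is now indistinguishable from "not set". Add a comment on AuditRequestEntry and AuditResponseEntry (and the nested types) such as `// Zero-valued fields are omitted from the serialized entry; consumers must treat a missing key as false, 0 or empty.` The `type` discriminator is also `omitempty` now; reqType and respType are assigned in the FormatRequest and FormatResponse hunks above, so it is always present in practice, but a comment stating that it is required would keep a later call site from producing an entry that cannot be classified as request or response. FormatRequest and FormatResponse both begin and end outside the visible hunks.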


@ -40,6 +40,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
&logical.Auth{ &logical.Auth{
ClientToken: "foo", ClientToken: "foo",
Accessor: "bar", Accessor: "bar",
EntityID: "foobarentity",
DisplayName: "testtoken", DisplayName: "testtoken",
Policies: []string{"root"}, Policies: []string{"root"},
TokenType: logical.TokenTypeService, TokenType: logical.TokenTypeService,
@ -65,6 +66,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
&logical.Auth{ &logical.Auth{
ClientToken: "foo", ClientToken: "foo",
Accessor: "bar", Accessor: "bar",
EntityID: "foobarentity",
DisplayName: "testtoken", DisplayName: "testtoken",
Policies: []string{"root"}, Policies: []string{"root"},
TokenType: logical.TokenTypeService, TokenType: logical.TokenTypeService,
@ -117,7 +119,7 @@ func TestFormatJSON_formatRequest(t *testing.T) {
if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedjson); err != nil { if err := jsonutil.DecodeJSON([]byte(expectedResultStr), &expectedjson); err != nil {
t.Fatalf("bad json: %s", err) t.Fatalf("bad json: %s", err)
} }
expectedjson.Request.Namespace = AuditNamespace{ID: "root"} expectedjson.Request.Namespace = &AuditNamespace{ID: "root"}
var actualjson = new(AuditRequestEntry) var actualjson = new(AuditRequestEntry)
if err := jsonutil.DecodeJSON([]byte(buf.String())[len(tc.Prefix):], &actualjson); err != nil { if err := jsonutil.DecodeJSON([]byte(buf.String())[len(tc.Prefix):], &actualjson); err != nil {
@ -139,5 +141,5 @@ func TestFormatJSON_formatRequest(t *testing.T) {
} }
} }
const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"} const testFormatJSONReqBasicStrFmt = `{"time":"2015-08-05T13:45:46Z","type":"request","auth":{"client_token":"%s","accessor":"bar","display_name":"testtoken","policies":["root"],"metadata":null,"entity_id":"foobarentity","token_type":"service"},"request":{"operation":"update","path":"/foo","data":null,"wrap_ttl":60,"remote_address":"127.0.0.1","headers":{"foo":["bar"]}},"error":"this is an error"}
` `
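Review bot: The expected fixture testFormatJSONReqBasicStrFmt still carries `"metadata":null` and `"data":null`, keys the formatter no longer emits now that those maps are `omitempty`; the test only passes because both sides are decoded into AuditRequestEntry before comparison, so the fixture no longer reflects the real output. Drop the two null keys from the string so the fixture documents the actual wire format. The table entries that add `EntityID` sit inside TestFormatJSON_formatRequest, whose body extends beyond the visible hunks.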


@ -39,11 +39,15 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
&logical.Auth{ &logical.Auth{
ClientToken: "foo", ClientToken: "foo",
Accessor: "bar", Accessor: "bar",
EntityID: "foobarentity",
DisplayName: "testtoken", DisplayName: "testtoken",
Policies: []string{"root"}, Policies: []string{"root"},
TokenType: logical.TokenTypeService, TokenType: logical.TokenTypeService,
}, },
&logical.Request{ &logical.Request{
ID: "request",
ClientToken: "foo",
ClientTokenAccessor: "bar",
Operation: logical.UpdateOperation, Operation: logical.UpdateOperation,
Path: "/foo", Path: "/foo",
Connection: &logical.Connection{ Connection: &logical.Connection{
@ -55,22 +59,27 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
Headers: map[string][]string{ Headers: map[string][]string{
"foo": []string{"bar"}, "foo": []string{"bar"},
}, },
PolicyOverride: true,
}, },
errors.New("this is an error"), errors.New("this is an error"),
"", "",
"", "",
fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`, fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id">foobarentity</json:string><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token">%s</json:string><json:string name="client_token_accessor">bar</json:string><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id">request</json:string><json:object name="namespace"><json:string 
name="id">root</json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">true</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
fooSalted), fooSalted, fooSalted),
}, },
"auth, request with prefix": { "auth, request with prefix": {
&logical.Auth{ &logical.Auth{
ClientToken: "foo", ClientToken: "foo",
Accessor: "bar", Accessor: "bar",
EntityID: "foobarentity",
DisplayName: "testtoken", DisplayName: "testtoken",
Policies: []string{"root"}, Policies: []string{"root"},
TokenType: logical.TokenTypeService, TokenType: logical.TokenTypeService,
}, },
&logical.Request{ &logical.Request{
ID: "request",
ClientToken: "foo",
ClientTokenAccessor: "bar",
Operation: logical.UpdateOperation, Operation: logical.UpdateOperation,
Path: "/foo", Path: "/foo",
Connection: &logical.Connection{ Connection: &logical.Connection{
@ -82,12 +91,13 @@ func TestFormatJSONx_formatRequest(t *testing.T) {
Headers: map[string][]string{ Headers: map[string][]string{
"foo": []string{"bar"}, "foo": []string{"bar"},
}, },
PolicyOverride: true,
}, },
errors.New("this is an error"), errors.New("this is an error"),
"", "",
"@cee: ", "@cee: ",
fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id"></json:string><json:null name="metadata" /><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token"></json:string><json:string name="client_token_accessor"></json:string><json:null name="data" /><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id"></json:string><json:object name="namespace"><json:string name="id">root</json:string><json:string name="path"></json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">false</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`, fmt.Sprintf(`<json:object name="auth"><json:string name="accessor">bar</json:string><json:string name="client_token">%s</json:string><json:string name="display_name">testtoken</json:string><json:string name="entity_id">foobarentity</json:string><json:array name="policies"><json:string>root</json:string></json:array><json:string name="token_type">service</json:string></json:object><json:string name="error">this is an error</json:string><json:object name="request"><json:string name="client_token">%s</json:string><json:string name="client_token_accessor">bar</json:string><json:object name="headers"><json:array name="foo"><json:string>bar</json:string></json:array></json:object><json:string name="id">request</json:string><json:object name="namespace"><json:string 
name="id">root</json:string></json:object><json:string name="operation">update</json:string><json:string name="path">/foo</json:string><json:boolean name="policy_override">true</json:boolean><json:string name="remote_address">127.0.0.1</json:string><json:number name="wrap_ttl">60</json:number></json:object><json:string name="type">request</json:string>`,
fooSalted), fooSalted, fooSalted),
}, },
} }
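Review bot: Both table cases now populate every field (`ID`, `ClientToken`, `ClientTokenAccessor`, `PolicyOverride: true`), so the expected JSONx strings contain no omitted key and nothing here verifies the behavior the commit introduces, namely that zero-valued fields disappear from the entry. A third case that leaves `PolicyOverride` false and `EntityID` empty, with an expected string lacking the `policy_override`, `entity_id`, `metadata` and `data` elements, would pin that. TestFormatJSONx_formatRequest starts before the first hunk of this section.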