Commit graph

54 commits

Author SHA1 Message Date
Vishal Nayak 28e3eb9e2c
Errwrap everywhere (#4252)
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
2018-04-05 11:49:21 -04:00
Brian Kassouf 9dba3590ac
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Calvin Leung Huang e2fb199ce5
Non-HMAC audit values (#4033)
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
Brian Kassouf 2f19de0305 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Shumate a0d1092420 Conditionally set file audit log mode (#3649) 2017-12-07 11:44:15 -05:00
Jeff Mitchell 8acef196a8 Add 'discard' target to file audit backend (#3262)
Fixes #seth
2017-08-30 19:16:47 -04:00
Christopher Pauley eccbb21ce8 stdout support for file backend via logger (#3235) 2017-08-29 14:51:16 -04:00
Jeff Mitchell 98f64e5154 Opportunistically try re-opening file audit fd on error (#2999)
Addresses a pain point from
https://github.com/hashicorp/vault/issues/2863#issuecomment-309434605
2017-07-14 11:03:01 -04:00
Lars Lehtonen 3f0b15826a Fix swallowed errors in builtin (#2977) 2017-07-07 08:23:12 -04:00
Jeff Mitchell 488aad00b0 Don't dial on backend startup; retry dials at log time so that transient (#2934)
network failures are worked around. Also, during a reconnect always
close the existing connection.

Fixes #2931
2017-07-06 10:18:18 -04:00
Jeff Mitchell 7cc72a9066 Delay salt initialization for audit backends 2017-05-23 20:36:20 -04:00
Jeff Mitchell 5119b173c4 Rename helper 'duration' to 'parseutil'. (#2449)
Add a ParseBool function that accepts various kinds of ways of
specifying booleans.

Have config use ParseBool for UI and disabling mlock/cache.
2017-03-07 11:21:22 -05:00
Jeff Mitchell d7a6ec8d43 Add some repcluster handling to audit and add some tests (#2384)
* Add some repcluster handling to audit and add some tests

* Fix incorrect assumption about nil auth
2017-02-16 13:09:53 -05:00
Tommy Murphy ca06bc0b53 audit: support a configurable prefix string to write before each message (#2359)
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
2017-02-10 16:56:28 -08:00
Brian Kassouf 09049c2787 Added a single retry after a reconnection 2017-02-06 11:38:38 -08:00
Brian Kassouf af1847f2b4 Update the docs and move the logic for reconnecting into its own function 2017-02-04 16:55:17 -08:00
Brian Kassouf b38eeec96a Add write deadline and a Reload function 2017-02-02 15:44:56 -08:00
Harrison Harnisch b09077c2d8 add socket audit backend 2017-02-02 14:21:48 -08:00
Brian Kassouf 6701ba8a10 Configure the request headers that are output to the audit log (#2321)
* Add /sys/config/audited-headers endpoint for configuring the headers that will be audited

* Remove some debug lines

* Add a persistant layer and refactor a bit

* update the api endpoints to be more restful

* Add comments and clean up a few functions

* Remove unneeded hash structure functionaility

* Fix existing tests

* Add tests

* Add test for Applying the header config

* Add Benchmark for the ApplyConfig method

* ResetTimer on the benchmark:

* Update the headers comment

* Add test for audit broker

* Use hyphens instead of camel case

* Add size paramater to the allocation of the result map

* Fix the tests for the audit broker

* PR feedback

* update the path and permissions on config/* paths

* Add docs file

* Fix TestSystemBackend_RootPaths test
2017-02-02 11:49:20 -08:00
Brian Nuszkowski db5e0bb3c3 Minor cleanup in audit backend (#2194) 2016-12-19 15:35:55 -05:00
Laura Bennett 0da9d1ac0c test updates to address feedback 2016-10-10 12:58:30 -04:00
Laura Bennett 962a383bfb address latest feedback 2016-10-10 11:58:26 -04:00
Laura Bennett 290ccee990 minor fix 2016-10-10 10:05:36 -04:00
Laura Bennett 9fc5a37e84 address feedback 2016-10-09 22:23:30 -04:00
Laura Bennett 05519a1267 adding unit tests for file mode 2016-10-09 00:33:24 -04:00
Laura Bennett 1b8d12fe82 changes for 'mode' 2016-10-08 19:52:49 -04:00
Laura Bennett 60ceea5532 initial commit for adding audit file permission changes 2016-10-07 15:09:32 -04:00
Jeff Mitchell 6d00f0c483 Adds HUP support for audit log files to close and reopen. (#1953)
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
2016-09-30 12:04:50 -07:00
Jeff Mitchell 0ff76e16d2 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Jeff Mitchell 638e61192a Actually show the error occurring if a file audit log can't be opened 2016-08-15 16:26:36 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
vishalnayak 39a0c8e91f Read from 'path' to retain backward compatibility 2016-03-15 20:05:51 -04:00
vishalnayak 71fc07833f Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Jeff Mitchell 9bfd24cd69 s/hash_accessor/hmac_accessor/g 2016-03-14 14:52:29 -04:00
vishalnayak ea108fba18 Use accessor being set as the condition to restore non-hashed values 2016-03-14 11:23:30 -04:00
vishalnayak e09819fedc Added hash_accessor option to audit backends 2016-03-11 19:28:06 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell 80705b7963 If we fail to open a file path, show which it is in the error output 2015-10-30 14:30:21 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell 2098446d47 Ensure that the 'file' audit backend can successfully open its given path before returning success. Fixes #550. 2015-08-26 09:13:10 -07:00
Armon Dadgar 96d6455ef5 audit: properly restore TLS state 2015-07-08 16:45:15 -06:00
Armon Dadgar 12d3aee58e audit: fixing panic caused by tls connection state. Fixes #322 2015-06-29 17:16:17 -07:00
Nate Brown 4ec685dc1a Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Armon Dadgar b07d0bc56f audit/file: Create file if it does not exist. Fixes #148 2015-05-06 11:33:06 -07:00
Armon Dadgar 848433a355 audit/file: add log_raw parameter and default to hashing 2015-04-27 15:56:41 -07:00
Armon Dadgar f01e14351a audit/syslog: switch defaults 2015-04-27 15:56:41 -07:00
Armon Dadgar de7a81a8fb audit/syslog: Copy structure before hashing to avoid breaking result 2015-04-27 15:56:40 -07:00
Armon Dadgar 1b659d41ff audit/syslog: Hash everything by default, optionally disable 2015-04-27 15:56:40 -07:00
Armon Dadgar bb1dd509d7 audit/syslog: first pass 2015-04-27 15:56:40 -07:00