Commit Graph

18 Commits

Author SHA1 Message Date
Jeff Mitchell 92e3758291 Don't hash time.Time values in return data maps, they may be useful for reconciling values and are not generally secret 2017-05-08 14:19:42 -04:00
Mitchell Hashimoto c29ee275ce audit: hash time.Time values in map fields (#2689)
This enables audit.Hash to hash time.Time values that may exist as
direct fields in the map. This will error (instead of panic) for any
time.Time values that don't occur within map values. For example, this
does not support a time.Time within a slice. If that needs to be
supported then modifications will need to be made.

This also requires an update to reflectwalk (included in this PR). This
is a minimal change that allows SkipEntry to signal to skip an entire
struct. We do this because we don't want to walk any of time.Time since
we handle it directly.
2017-05-08 14:06:08 -04:00
Brian Kassouf 657d433330 Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object 2017-04-24 12:15:01 -07:00
Jeff Mitchell 3129187dc2 JWT wrapping tokens (#2172) 2017-01-04 16:44:03 -05:00
Vishal Nayak b3c805e662 Audit the client token accessors (#2037) 2016-10-29 17:01:49 -04:00
Jeff Mitchell e925987cb6 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
Jeff Mitchell 31e1ed2417 Implement WrapInfo audit logging 2016-05-07 20:03:56 -04:00
vishalnayak 0602bb25f1 Remove redundant variables 2016-03-11 21:36:38 -05:00
vishalnayak e09819fedc Added hash_accessor option to audit backends 2016-03-11 19:28:06 -05:00
Jeff Mitchell f0c66f0b8c Use reflect.Value.String() rather than a type assertion.
Fixes a panic in hashstructure/auditing that can occur with custom
string types.

Fixes #973
2016-01-26 12:32:50 -05:00
Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
2015-11-18 20:26:03 -05:00
Jeff Mitchell cf4b88c196 Write HMAC-SHA256'd client token to audited requests
Fixes #713
2015-10-29 13:26:18 -04:00
Jeff Mitchell 5dde76fa1c Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell b655f6b858 Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Armon Dadgar 46636ea52c audit: Guard against a few nil pointer cases 2015-04-27 15:56:40 -07:00
Mitchell Hashimoto 1b34aae7f1 audit: separate hashing from formatting to facilitate raw 2015-04-22 07:41:53 +02:00
Mitchell Hashimoto 97ff2ad09b audit: add SHA1 hash callback 2015-04-21 16:13:06 +01:00
Mitchell Hashimoto 2a6bb96276 audit: add hashstructure 2015-04-21 16:02:03 +01:00