e2fb199ce5
Non-HMAC audit values ( #4033 )
...
* Add non-hmac request keys
* Update comment
* Initial audit request keys implementation
* Add audit_non_hmac_response_keys
* Move where req.NonHMACKeys gets set
* Minor refactor
* Add params to auth tune endpoints
* Sync cache on loadCredentials
* Explicitly unset req.NonHMACKeys
* Do not error if entry is nil
* Add tests
* docs: Add params to api sections
* Refactor audit.Backend and Formatter interfaces, update audit broker methods
* Add audit_broker.go
* Fix method call params in audit backends
* Remove fields from logical.Request and logical.Response, pass keys via LogInput
* Use data.GetOk to allow unsetting existing values
* Remove debug lines
* Add test for unsetting values
* Address review feedback
* Initialize values in FormatRequest and FormatResponse using input values
* Update docs
* Use strutil.StrListContains
* Use strutil.StrListContains
2018-03-02 12:18:39 -05:00
2b78bc2a9b
Port over bits ( #3575 )
2017-11-13 15:31:32 -05:00
92e3758291
Don't hash time.Time values in return data maps, they may be useful for reconciling values and are not generally secret
2017-05-08 14:19:42 -04:00
c29ee275ce
audit: hash time.Time values in map fields ( #2689 )
...
This enables audit.Hash to hash time.Time values that may exist as
direct fields in the map. This will error (instead of panic) for any
time.Time values that don't occur within map values. For example, this
does not support a time.Time within a slice. If that needs to be
supported then modifications will need to be made.
This also requires an update to reflectwalk (included in this PR). This
is a minimal change that allows SkipEntry to signal to skip an entire
struct. We do this because we don't want to walk any of time.Time since
we handle it directly.
2017-05-08 14:06:08 -04:00
657d433330
Update the ResponseWrapData function to return a wrapping.ResponseWrapInfo object
2017-04-24 12:15:01 -07:00
3129187dc2
JWT wrapping tokens ( #2172 )
2017-01-04 16:44:03 -05:00
b3c805e662
Audit the client token accessors ( #2037 )
2016-10-29 17:01:49 -04:00
e925987cb6
Add token accessor to wrap information if one exists
2016-06-13 23:58:17 +00:00
31e1ed2417
Implement WrapInfo audit logging
2016-05-07 20:03:56 -04:00
0602bb25f1
Remove redundant variables
2016-03-11 21:36:38 -05:00
e09819fedc
Added hash_accessor option to audit backends
2016-03-11 19:28:06 -05:00
f0c66f0b8c
Use reflect.Value.String() rather than a type assertion.
...
Fixes a panic in hashstructure/auditing that can occur with custom
string types.
Fixes #973
2016-01-26 12:32:50 -05:00
1c7157e632
Reintroduce the ability to look up obfuscated values in the audit log
...
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).
In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)
Fixes #784
2015-11-18 20:26:03 -05:00
cf4b88c196
Write HMAC-SHA256'd client token to audited requests
...
Fixes #713
2015-10-29 13:26:18 -04:00
5dde76fa1c
Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass.
2015-09-18 17:38:30 -04:00
b655f6b858
Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash.
2015-09-18 17:38:22 -04:00
46636ea52c
audit: Guard against a few nil pointer cases
2015-04-27 15:56:40 -07:00
1b34aae7f1
audit: separate hashing from formatting to facilitate raw
2015-04-22 07:41:53 +02:00
97ff2ad09b
audit: add SHA1 hash callback
2015-04-21 16:13:06 +01:00
2a6bb96276
audit: add hashstructure
2015-04-21 16:02:03 +01:00
Calvin Leung Huang