Jeff Mitchell 1c7157e632 Reintroduce the ability to look up obfuscated values in the audit log

with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784

2015-11-18 20:26:03 -05:00

1.3 KiB

Raw Blame History

layout	page_title	sidebar_current	description
http	HTTP API: /sys/audit-hash	docs-http-audits-hash	The `/sys/audit-hash` endpoint is used to hash data using an audit backend's hash function and salt.

/sys/audit-hash

POST

Description

Hash the given input data with the specified audit backend's hash function and salt. This endpoint can be used to discover whether a given plaintext string (the `input` parameter) appears in the audit log in obfuscated form. Note that the audit log records requests and responses; since the Vault API is JSON-based, any binary data returned from an API call (such as a DER-format certificate) is base64-encoded by the Vault server in the response, and as a result such information should also be base64-encoded to supply into the `input` parameter.

Method

POST

URL

`/sys/audit-hash/`

Parameters

input required The input string to hash.

Returns

```javascript
{
  "hash": "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a"
}
```

1.3 KiB Raw Blame History

/sys/audit-hash

POST

1.3 KiB

Raw Blame History