e2fb199ce5
* Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
64 lines
2.1 KiB
Go
64 lines
2.1 KiB
Go
package audit
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/hashicorp/vault/helper/salt"
|
|
"github.com/hashicorp/vault/logical"
|
|
)
|
|
|
|
// Backend interface must be implemented for an audit
|
|
// mechanism to be made available. Audit backends can be enabled to
|
|
// sink information to different backends such as logs, file, databases,
|
|
// or other external services.
|
|
type Backend interface {
|
|
// LogRequest is used to synchronously log a request. This is done after the
|
|
// request is authorized but before the request is executed. The arguments
|
|
// MUST not be modified in anyway. They should be deep copied if this is
|
|
// a possibility.
|
|
LogRequest(context.Context, *LogInput) error
|
|
|
|
// LogResponse is used to synchronously log a response. This is done after
|
|
// the request is processed but before the response is sent. The arguments
|
|
// MUST not be modified in anyway. They should be deep copied if this is
|
|
// a possibility.
|
|
LogResponse(context.Context, *LogInput) error
|
|
|
|
// GetHash is used to return the given data with the backend's hash,
|
|
// so that a caller can determine if a value in the audit log matches
|
|
// an expected plaintext value
|
|
GetHash(string) (string, error)
|
|
|
|
// Reload is called on SIGHUP for supporting backends.
|
|
Reload(context.Context) error
|
|
|
|
// Invalidate is called for path invalidation
|
|
Invalidate(context.Context)
|
|
}
|
|
|
|
// LogInput contains the input parameters passed into LogRequest and LogResponse
|
|
type LogInput struct {
|
|
Auth *logical.Auth
|
|
Request *logical.Request
|
|
Response *logical.Response
|
|
OuterErr error
|
|
NonHMACReqDataKeys []string
|
|
NonHMACRespDataKeys []string
|
|
}
|
|
|
|
// BackendConfig contains configuration parameters used in the factory func to
|
|
// instantiate audit backends
|
|
type BackendConfig struct {
|
|
// The view to store the salt
|
|
SaltView logical.Storage
|
|
|
|
// The salt config that should be used for any secret obfuscation
|
|
SaltConfig *salt.Config
|
|
|
|
// Config is the opaque user configuration provided when mounting
|
|
Config map[string]string
|
|
}
|
|
|
|
// Factory is the factory function to create an audit backend.
|
|
type Factory func(context.Context, *BackendConfig) (Backend, error)
|