Audit: Add token's use count to audit response (#2437)

* audit: Added token_num_uses to audit response * Fixed jsonx tests * Revert logical auth to NumUses instead of TokenNumUses * s/TokenNumUses/NumUses * Audit: Add num uses to audit requests as well * Added RemainingUses to distinguish NumUses in audit requests
2025-11-29 14:41:09 +01:00 · 2017-03-08 17:36:50 -05:00 · 2017-03-08 17:36:50 -05:00 · 3026b00da6
commit 3026b00da6
parent a4e41f6568
6 changed files with 24 additions and 8 deletions
--- a/audit/format.go
+++ b/audit/format.go
@ -105,6 +105,7 @@ func (f *AuditFormatter) FormatRequest(
 			DisplayName:   auth.DisplayName,
 			Policies:      auth.Policies,
 			Metadata:      auth.Metadata,
 			RemainingUses: req.ClientTokenRemainingUses,
 		},
 		Request: AuditRequest{
@ -255,6 +256,7 @@ func (f *AuditFormatter) FormatResponse(
 			DisplayName: resp.Auth.DisplayName,
 			Policies:    resp.Auth.Policies,
 			Metadata:    resp.Auth.Metadata,
 			NumUses:     resp.Auth.NumUses,
 		}
 	}
@ -367,6 +369,8 @@ type AuditAuth struct {
 	DisplayName   string            `json:"display_name"`
 	Policies      []string          `json:"policies"`
 	Metadata      map[string]string `json:"metadata"`
 	NumUses       int               `json:"num_uses,omitempty"`
 	RemainingUses int               `json:"remaining_uses,omitempty"`
 }
 type AuditSecret struct {
--- a/http/handler.go
+++ b/http/handler.go
@ -274,6 +274,7 @@ func requestAuth(core *vault.Core, r *http.Request, req *logical.Request) *logic
 		te, err := core.LookupToken(v)
 		if err == nil && te != nil {
 			req.ClientTokenAccessor = te.Accessor
 			req.ClientTokenRemainingUses = te.NumUses
 		}
 	}
--- a/logical/request.go
+++ b/logical/request.go
@ -85,6 +85,10 @@ type Request struct {
 	// WrapInfo contains requested response wrapping parameters
 	WrapInfo *RequestWrapInfo `json:"wrap_info" structs:"wrap_info" mapstructure:"wrap_info"`
 	// ClientTokenNumUses represents the allowed number of uses left on the
 	// token supplied
 	ClientTokenRemainingUses int `json:"client_token_remaining_uses" structs:"client_token_remaining_uses" mapstructure:"client_token_remaining_uses"`
 	// For replication, contains the last WAL on the remote side after handling
 	// the request, used for best-effort avoidance of stale read-after-write
 	lastRemoteWAL uint64
--- a/vault/audit_test.go
+++ b/vault/audit_test.go
@ -444,6 +444,7 @@ func TestAuditBroker_LogResponse(t *testing.T) {
 	b.Register("bar", a2, nil)
 	auth := &logical.Auth{
 		NumUses:     10,
 		ClientToken: "foo",
 		Policies:    []string{"dev", "ops"},
 		Metadata: map[string]string{
--- a/vault/router.go
+++ b/vault/router.go
@ -283,6 +283,10 @@ func (r *Router) routeCommon(req *logical.Request, existenceCheck bool) (*logica
 	// Cache the identifier of the request
 	originalReqID := req.ID
 	// Cache the client token's number of uses in the request
 	originalClientTokenRemainingUses := req.ClientTokenRemainingUses
 	req.ClientTokenRemainingUses = 0
 	// Cache the headers and hide them from backends
 	headers := req.Headers
 	req.Headers = nil
@ -304,6 +308,7 @@ func (r *Router) routeCommon(req *logical.Request, existenceCheck bool) (*logica
 		req.ID = originalReqID
 		req.Storage = nil
 		req.ClientToken = clientToken
 		req.ClientTokenRemainingUses = originalClientTokenRemainingUses
 		req.WrapInfo = wrapInfo
 		req.Headers = headers
 		// This is only set in one place, after routing, so should never be set
--- a/vault/token_store.go
+++ b/vault/token_store.go
@ -1689,6 +1689,7 @@ func (ts *TokenStore) handleCreateCommon(
 	// Generate the response
 	resp.Auth = &logical.Auth{
 		NumUses:     te.NumUses,
 		DisplayName: te.DisplayName,
 		Policies:    te.Policies,
 		Metadata:    te.Meta,