diff --git a/audit/backend_noop.go b/audit/backend_noop.go new file mode 100644 index 0000000000..a85e29319c --- /dev/null +++ b/audit/backend_noop.go @@ -0,0 +1,350 @@ +// Copyright (c) HashiCorp, Inc. +// SPDX-License-Identifier: BUSL-1.1 + +package audit + +import ( + "context" + "crypto/sha256" + "encoding/json" + "errors" + "fmt" + "strings" + "sync" + "testing" + + "github.com/hashicorp/eventlogger" + "github.com/hashicorp/vault/helper/testhelpers/corehelpers" + "github.com/hashicorp/vault/internal/observability/event" + "github.com/hashicorp/vault/sdk/helper/salt" + "github.com/hashicorp/vault/sdk/logical" +) + +var ( + _ Backend = (*NoopAudit)(nil) + _ eventlogger.Node = (*noopWrapper)(nil) +) + +// noopWrapper is designed to wrap a formatter node in order to allow access to +// bytes formatted, headers formatted and parts of the logical.LogInput. +// Some older tests relied on being able to query this information so while those +// tests stick around we should look after them. +type noopWrapper struct { + format string + node eventlogger.Node + backend *NoopAudit +} + +// NoopAuditEventListener is a callback used by noopWrapper.Process() to notify +// of each received audit event. +type NoopAuditEventListener func(*AuditEvent) + +func (n *NoopAudit) SetListener(listener NoopAuditEventListener) { + n.listener = listener +} + +type NoopAudit struct { + Config *BackendConfig + + ReqErr error + ReqAuth []*logical.Auth + Req []*logical.Request + ReqHeaders []map[string][]string + ReqNonHMACKeys []string + ReqErrs []error + + RespErr error + RespAuth []*logical.Auth + RespReq []*logical.Request + Resp []*logical.Response + RespNonHMACKeys [][]string + RespReqNonHMACKeys [][]string + RespErrs []error + records [][]byte + l sync.RWMutex + salt *salt.Salt + saltMutex sync.RWMutex + + nodeIDList []eventlogger.NodeID + nodeMap map[eventlogger.NodeID]eventlogger.Node + + listener NoopAuditEventListener +} + +// NoopHeaderFormatter can be used within no-op audit devices to do nothing when +// it comes to only allow configured headers to appear in the result. +// Whatever is passed in will be returned (nil becomes an empty map) in lowercase. +type NoopHeaderFormatter struct{} + +// ApplyConfig implements the relevant interface to make NoopHeaderFormatter an HeaderFormatter. +func (f *NoopHeaderFormatter) ApplyConfig(_ context.Context, headers map[string][]string, _ Salter) (result map[string][]string, retErr error) { + if len(headers) < 1 { + return map[string][]string{}, nil + } + + // Make a copy of the incoming headers with everything lower so we can + // case-insensitively compare + lowerHeaders := make(map[string][]string, len(headers)) + for k, v := range headers { + lowerHeaders[strings.ToLower(k)] = v + } + + return lowerHeaders, nil +} + +// NewNoopAudit should be used to create a NoopAudit as it handles creation of a +// predictable salt and wraps eventlogger nodes so information can be retrieved on +// what they've seen or formatted. +func NewNoopAudit(config *BackendConfig) (*NoopAudit, error) { + view := &logical.InmemStorage{} + + // Create the salt with a known key for predictable hmac values. + se := &logical.StorageEntry{Key: "salt", Value: []byte("foo")} + err := view.Put(context.Background(), se) + if err != nil { + return nil, err + } + + // Override the salt related config settings. + backendConfig := &BackendConfig{ + SaltView: view, + SaltConfig: &salt.Config{ + HMAC: sha256.New, + HMACType: "hmac-sha256", + }, + Config: config.Config, + MountPath: config.MountPath, + } + + noopBackend := &NoopAudit{ + Config: backendConfig, + nodeIDList: make([]eventlogger.NodeID, 2), + nodeMap: make(map[eventlogger.NodeID]eventlogger.Node, 2), + } + + cfg, err := NewFormatterConfig(&NoopHeaderFormatter{}) + if err != nil { + return nil, err + } + + formatterNodeID, err := event.GenerateNodeID() + if err != nil { + return nil, fmt.Errorf("error generating random NodeID for formatter node: %w", err) + } + + formatterNode, err := NewEntryFormatter(config.MountPath, cfg, noopBackend, config.Logger) + if err != nil { + return nil, fmt.Errorf("error creating formatter: %w", err) + } + + // Wrap the formatting node, so we can get any bytes that were formatted etc. + wrappedFormatter := &noopWrapper{format: "json", node: formatterNode, backend: noopBackend} + + noopBackend.nodeIDList[0] = formatterNodeID + noopBackend.nodeMap[formatterNodeID] = wrappedFormatter + + sinkNode := event.NewNoopSink() + sinkNodeID, err := event.GenerateNodeID() + if err != nil { + return nil, fmt.Errorf("error generating random NodeID for sink node: %w", err) + } + + noopBackend.nodeIDList[1] = sinkNodeID + noopBackend.nodeMap[sinkNodeID] = sinkNode + + return noopBackend, nil +} + +// NoopAuditFactory should be used when the test needs a way to access bytes that +// have been formatted by the pipeline during audit requests. +// The records parameter will be repointed to the one used within the pipeline. +func NoopAuditFactory(records **[][]byte) Factory { + return func(config *BackendConfig, _ HeaderFormatter) (Backend, error) { + n, err := NewNoopAudit(config) + if err != nil { + return nil, err + } + if records != nil { + *records = &n.records + } + + return n, nil + } +} + +// Process handles the contortions required by older test code to ensure behavior. +// It will attempt to do some pre/post processing of the logical.LogInput that should +// form part of the event's payload data, as well as capturing the resulting headers +// that were formatted and track the overall bytes that a formatted event uses when +// it's ready to head down the pipeline to the sink node (a noop for us). +func (n *noopWrapper) Process(ctx context.Context, e *eventlogger.Event) (*eventlogger.Event, error) { + n.backend.l.Lock() + defer n.backend.l.Unlock() + + var err error + + // We're expecting audit events since this is an audit device. + a, ok := e.Payload.(*AuditEvent) + if !ok { + return nil, errors.New("cannot parse payload as an audit event") + } + + if n.backend.listener != nil { + n.backend.listener(a) + } + + in := a.Data + + // Depending on the type of the audit event (request or response) we need to + // track different things. + switch a.Subtype { + case RequestType: + n.backend.ReqAuth = append(n.backend.ReqAuth, in.Auth) + n.backend.Req = append(n.backend.Req, in.Request) + n.backend.ReqNonHMACKeys = in.NonHMACReqDataKeys + n.backend.ReqErrs = append(n.backend.ReqErrs, in.OuterErr) + + if n.backend.ReqErr != nil { + return nil, n.backend.ReqErr + } + case ResponseType: + n.backend.RespAuth = append(n.backend.RespAuth, in.Auth) + n.backend.RespReq = append(n.backend.RespReq, in.Request) + n.backend.Resp = append(n.backend.Resp, in.Response) + n.backend.RespErrs = append(n.backend.RespErrs, in.OuterErr) + + if in.Response != nil { + n.backend.RespNonHMACKeys = append(n.backend.RespNonHMACKeys, in.NonHMACRespDataKeys) + n.backend.RespReqNonHMACKeys = append(n.backend.RespReqNonHMACKeys, in.NonHMACReqDataKeys) + } + + if n.backend.RespErr != nil { + return nil, n.backend.RespErr + } + default: + return nil, fmt.Errorf("unknown audit event type: %q", a.Subtype) + } + + // Once we've taken note of the relevant properties of the event, we get the + // underlying (wrapped) node to process it as normal. + e, err = n.node.Process(ctx, e) + if err != nil { + return nil, fmt.Errorf("error processing wrapped node: %w", err) + } + + // Once processing has been carried out, the underlying node (a formatter node) + // should contain the output ready for the sink node. We'll get that in order + // to track how many bytes we formatted. + b, ok := e.Format(n.format) + if ok { + n.backend.records = append(n.backend.records, b) + } + + // Finally, the last bit of post-processing is to make sure that we track the + // formatted headers that would have made it to the logs via the sink node. + // They only appear in requests. + if a.Subtype == RequestType { + reqEntry := &RequestEntry{} + err = json.Unmarshal(b, &reqEntry) + if err != nil { + return nil, fmt.Errorf("unable to parse formatted audit entry data: %w", err) + } + + n.backend.ReqHeaders = append(n.backend.ReqHeaders, reqEntry.Request.Headers) + } + + // Return the event and no error in order to let the pipeline continue on. + return e, nil +} + +func (n *noopWrapper) Reopen() error { + return n.node.Reopen() +} + +func (n *noopWrapper) Type() eventlogger.NodeType { + return n.node.Type() +} + +// LogTestMessage will manually crank the handle on the nodes associated with this backend. +func (n *NoopAudit) LogTestMessage(ctx context.Context, in *logical.LogInput) error { + if len(n.nodeIDList) > 0 { + return ProcessManual(ctx, in, n.nodeIDList, n.nodeMap) + } + + return nil +} + +func (n *NoopAudit) Salt(ctx context.Context) (*salt.Salt, error) { + n.saltMutex.RLock() + if n.salt != nil { + defer n.saltMutex.RUnlock() + return n.salt, nil + } + n.saltMutex.RUnlock() + n.saltMutex.Lock() + defer n.saltMutex.Unlock() + if n.salt != nil { + return n.salt, nil + } + s, err := salt.NewSalt(ctx, n.Config.SaltView, n.Config.SaltConfig) + if err != nil { + return nil, err + } + n.salt = s + return s, nil +} + +func (n *NoopAudit) GetHash(ctx context.Context, data string) (string, error) { + s, err := n.Salt(ctx) + if err != nil { + return "", err + } + return s.GetIdentifiedHMAC(data), nil +} + +func (n *NoopAudit) Reload() error { + return nil +} + +func (n *NoopAudit) Invalidate(_ context.Context) { + n.saltMutex.Lock() + defer n.saltMutex.Unlock() + n.salt = nil +} + +func (n *NoopAudit) EventType() eventlogger.EventType { + return event.AuditType.AsEventType() +} + +func (n *NoopAudit) HasFiltering() bool { + return false +} + +func (n *NoopAudit) Name() string { + return n.Config.MountPath +} + +func (n *NoopAudit) Nodes() map[eventlogger.NodeID]eventlogger.Node { + return n.nodeMap +} + +func (n *NoopAudit) NodeIDs() []eventlogger.NodeID { + return n.nodeIDList +} + +func (n *NoopAudit) IsFallback() bool { + return false +} + +func TestNoopAudit(t *testing.T, path string, config map[string]string) *NoopAudit { + cfg := &BackendConfig{ + Config: config, + MountPath: path, + Logger: corehelpers.NewTestLogger(t), + } + n, err := NewNoopAudit(cfg) + if err != nil { + t.Fatal(err) + } + return n +} diff --git a/audit/types.go b/audit/types.go index 448a17393e..bcce2b64a5 100644 --- a/audit/types.go +++ b/audit/types.go @@ -36,7 +36,7 @@ type Backend interface { LogTestMessage(context.Context, *logical.LogInput) error // Reload is called on SIGHUP for supporting backends. - Reload(context.Context) error + Reload() error // Invalidate is called for path invalidation Invalidate(context.Context) @@ -203,4 +203,4 @@ type BackendConfig struct { } // Factory is the factory function to create an audit backend. -type Factory func(context.Context, *BackendConfig, HeaderFormatter) (Backend, error) +type Factory func(*BackendConfig, HeaderFormatter) (Backend, error) diff --git a/builtin/audit/file/backend.go b/builtin/audit/file/backend.go index 7bede8f564..61155d4a26 100644 --- a/builtin/audit/file/backend.go +++ b/builtin/audit/file/backend.go @@ -44,7 +44,7 @@ type Backend struct { saltView logical.Storage } -func Factory(_ context.Context, conf *audit.BackendConfig, headersConfig audit.HeaderFormatter) (audit.Backend, error) { +func Factory(conf *audit.BackendConfig, headersConfig audit.HeaderFormatter) (audit.Backend, error) { if conf.SaltConfig == nil { return nil, fmt.Errorf("nil salt config: %w", audit.ErrInvalidParameter) } @@ -164,7 +164,7 @@ func (b *Backend) LogTestMessage(ctx context.Context, in *logical.LogInput) erro return nil } -func (b *Backend) Reload(_ context.Context) error { +func (b *Backend) Reload() error { for _, n := range b.nodeMap { if n.Type() == eventlogger.NodeTypeSink { return n.Reopen() diff --git a/builtin/audit/file/backend_filter_node_test.go b/builtin/audit/file/backend_filter_node_test.go index 3b05b6702f..29082db521 100644 --- a/builtin/audit/file/backend_filter_node_test.go +++ b/builtin/audit/file/backend_filter_node_test.go @@ -11,7 +11,6 @@ import ( "github.com/hashicorp/eventlogger" "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/audit" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/stretchr/testify/require" ) @@ -75,7 +74,7 @@ func TestBackend_configureFilterFormatterSink(t *testing.T) { nodeMap: map[eventlogger.NodeID]eventlogger.Node{}, } - formatConfig, err := audit.NewFormatterConfig(&corehelpers.NoopHeaderFormatter{}) + formatConfig, err := audit.NewFormatterConfig(&audit.NoopHeaderFormatter{}) require.NoError(t, err) err = b.configureFilterNode("path == bar") diff --git a/builtin/audit/file/backend_test.go b/builtin/audit/file/backend_test.go index 004513f1ad..3d77f81295 100644 --- a/builtin/audit/file/backend_test.go +++ b/builtin/audit/file/backend_test.go @@ -4,7 +4,6 @@ package file import ( - "context" "os" "path/filepath" "strconv" @@ -13,7 +12,6 @@ import ( "github.com/hashicorp/eventlogger" "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/audit" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/internal/observability/event" "github.com/hashicorp/vault/sdk/helper/salt" "github.com/hashicorp/vault/sdk/logical" @@ -41,7 +39,7 @@ func TestAuditFile_fileModeNew(t *testing.T) { SaltView: &logical.InmemStorage{}, Logger: hclog.NewNullLogger(), } - _, err = Factory(context.Background(), backendConfig, &corehelpers.NoopHeaderFormatter{}) + _, err = Factory(backendConfig, &audit.NoopHeaderFormatter{}) require.NoError(t, err) info, err := os.Stat(file) @@ -74,7 +72,7 @@ func TestAuditFile_fileModeExisting(t *testing.T) { Logger: hclog.NewNullLogger(), } - _, err = Factory(context.Background(), backendConfig, &corehelpers.NoopHeaderFormatter{}) + _, err = Factory(backendConfig, &audit.NoopHeaderFormatter{}) require.NoError(t, err) info, err := os.Stat(f.Name()) @@ -108,7 +106,7 @@ func TestAuditFile_fileMode0000(t *testing.T) { Logger: hclog.NewNullLogger(), } - _, err = Factory(context.Background(), backendConfig, &corehelpers.NoopHeaderFormatter{}) + _, err = Factory(backendConfig, &audit.NoopHeaderFormatter{}) require.NoError(t, err) info, err := os.Stat(f.Name()) @@ -137,7 +135,7 @@ func TestAuditFile_EventLogger_fileModeNew(t *testing.T) { Logger: hclog.NewNullLogger(), } - _, err = Factory(context.Background(), backendConfig, &corehelpers.NoopHeaderFormatter{}) + _, err = Factory(backendConfig, &audit.NoopHeaderFormatter{}) require.NoError(t, err) info, err := os.Stat(file) @@ -243,7 +241,7 @@ func TestBackend_newFormatterConfig(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - got, err := newFormatterConfig(&corehelpers.NoopHeaderFormatter{}, tc.config) + got, err := newFormatterConfig(&audit.NoopHeaderFormatter{}, tc.config) if tc.wantErr { require.Error(t, err) require.EqualError(t, err, tc.expectedMessage) @@ -270,7 +268,7 @@ func TestBackend_configureFormatterNode(t *testing.T) { nodeMap: map[eventlogger.NodeID]eventlogger.Node{}, } - formatConfig, err := audit.NewFormatterConfig(&corehelpers.NoopHeaderFormatter{}) + formatConfig, err := audit.NewFormatterConfig(&audit.NoopHeaderFormatter{}) require.NoError(t, err) err = b.configureFormatterNode("juan", formatConfig, hclog.NewNullLogger()) @@ -425,8 +423,6 @@ func TestBackend_configureSinkNode(t *testing.T) { func TestBackend_Factory_Conf(t *testing.T) { t.Parallel() - ctx := context.Background() - tests := map[string]struct { backendConfig *audit.BackendConfig isErrorExpected bool @@ -493,7 +489,7 @@ func TestBackend_Factory_Conf(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - be, err := Factory(ctx, tc.backendConfig, &corehelpers.NoopHeaderFormatter{}) + be, err := Factory(tc.backendConfig, &audit.NoopHeaderFormatter{}) switch { case tc.isErrorExpected: @@ -512,8 +508,6 @@ func TestBackend_Factory_Conf(t *testing.T) { func TestBackend_IsFallback(t *testing.T) { t.Parallel() - ctx := context.Background() - tests := map[string]struct { backendConfig *audit.BackendConfig isFallbackExpected bool @@ -552,7 +546,7 @@ func TestBackend_IsFallback(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - be, err := Factory(ctx, tc.backendConfig, &corehelpers.NoopHeaderFormatter{}) + be, err := Factory(tc.backendConfig, &audit.NoopHeaderFormatter{}) require.NoError(t, err) require.NotNil(t, be) require.Equal(t, tc.isFallbackExpected, be.IsFallback()) diff --git a/builtin/audit/socket/backend.go b/builtin/audit/socket/backend.go index 96c788df60..d4d32016b9 100644 --- a/builtin/audit/socket/backend.go +++ b/builtin/audit/socket/backend.go @@ -34,7 +34,7 @@ type Backend struct { saltView logical.Storage } -func Factory(_ context.Context, conf *audit.BackendConfig, headersConfig audit.HeaderFormatter) (audit.Backend, error) { +func Factory(conf *audit.BackendConfig, headersConfig audit.HeaderFormatter) (audit.Backend, error) { if conf.SaltConfig == nil { return nil, fmt.Errorf("nil salt config: %w", audit.ErrInvalidParameter) } @@ -129,7 +129,7 @@ func (b *Backend) LogTestMessage(ctx context.Context, in *logical.LogInput) erro return nil } -func (b *Backend) Reload(ctx context.Context) error { +func (b *Backend) Reload() error { for _, n := range b.nodeMap { if n.Type() == eventlogger.NodeTypeSink { return n.Reopen() diff --git a/builtin/audit/socket/backend_filter_node_test.go b/builtin/audit/socket/backend_filter_node_test.go index c3b9112e7c..03b1a61563 100644 --- a/builtin/audit/socket/backend_filter_node_test.go +++ b/builtin/audit/socket/backend_filter_node_test.go @@ -11,7 +11,6 @@ import ( "github.com/hashicorp/eventlogger" "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/audit" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/stretchr/testify/require" ) @@ -75,7 +74,7 @@ func TestBackend_configureFilterFormatterSink(t *testing.T) { nodeMap: map[eventlogger.NodeID]eventlogger.Node{}, } - formatConfig, err := audit.NewFormatterConfig(&corehelpers.NoopHeaderFormatter{}) + formatConfig, err := audit.NewFormatterConfig(&audit.NoopHeaderFormatter{}) require.NoError(t, err) err = b.configureFilterNode("path == bar") diff --git a/builtin/audit/socket/backend_test.go b/builtin/audit/socket/backend_test.go index b800374feb..2f9687923c 100644 --- a/builtin/audit/socket/backend_test.go +++ b/builtin/audit/socket/backend_test.go @@ -4,13 +4,11 @@ package socket import ( - "context" "testing" "github.com/hashicorp/eventlogger" "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/audit" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/internal/observability/event" "github.com/hashicorp/vault/sdk/helper/salt" "github.com/hashicorp/vault/sdk/logical" @@ -115,7 +113,7 @@ func TestBackend_newFormatterConfig(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - got, err := newFormatterConfig(&corehelpers.NoopHeaderFormatter{}, tc.config) + got, err := newFormatterConfig(&audit.NoopHeaderFormatter{}, tc.config) if tc.wantErr { require.Error(t, err) require.EqualError(t, err, tc.expectedErrMsg) @@ -142,7 +140,7 @@ func TestBackend_configureFormatterNode(t *testing.T) { nodeMap: map[eventlogger.NodeID]eventlogger.Node{}, } - formatConfig, err := audit.NewFormatterConfig(&corehelpers.NoopHeaderFormatter{}) + formatConfig, err := audit.NewFormatterConfig(&audit.NoopHeaderFormatter{}) require.NoError(t, err) err = b.configureFormatterNode("juan", formatConfig, hclog.NewNullLogger()) @@ -253,8 +251,6 @@ func TestBackend_configureSinkNode(t *testing.T) { func TestBackend_Factory_Conf(t *testing.T) { t.Parallel() - ctx := context.Background() - tests := map[string]struct { backendConfig *audit.BackendConfig isErrorExpected bool @@ -387,7 +383,7 @@ func TestBackend_Factory_Conf(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - be, err := Factory(ctx, tc.backendConfig, &corehelpers.NoopHeaderFormatter{}) + be, err := Factory(tc.backendConfig, &audit.NoopHeaderFormatter{}) switch { case tc.isErrorExpected: @@ -406,8 +402,6 @@ func TestBackend_Factory_Conf(t *testing.T) { func TestBackend_IsFallback(t *testing.T) { t.Parallel() - ctx := context.Background() - tests := map[string]struct { backendConfig *audit.BackendConfig isFallbackExpected bool @@ -448,7 +442,7 @@ func TestBackend_IsFallback(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - be, err := Factory(ctx, tc.backendConfig, &corehelpers.NoopHeaderFormatter{}) + be, err := Factory(tc.backendConfig, &audit.NoopHeaderFormatter{}) require.NoError(t, err) require.NotNil(t, be) require.Equal(t, tc.isFallbackExpected, be.IsFallback()) diff --git a/builtin/audit/syslog/backend.go b/builtin/audit/syslog/backend.go index 19f541e632..6065d9df42 100644 --- a/builtin/audit/syslog/backend.go +++ b/builtin/audit/syslog/backend.go @@ -34,7 +34,7 @@ type Backend struct { saltView logical.Storage } -func Factory(_ context.Context, conf *audit.BackendConfig, headersConfig audit.HeaderFormatter) (audit.Backend, error) { +func Factory(conf *audit.BackendConfig, headersConfig audit.HeaderFormatter) (audit.Backend, error) { if conf.SaltConfig == nil { return nil, fmt.Errorf("nil salt config: %w", audit.ErrInvalidParameter) } @@ -127,7 +127,7 @@ func (b *Backend) LogTestMessage(ctx context.Context, in *logical.LogInput) erro return nil } -func (b *Backend) Reload(_ context.Context) error { +func (b *Backend) Reload() error { return nil } diff --git a/builtin/audit/syslog/backend_filter_node_test.go b/builtin/audit/syslog/backend_filter_node_test.go index 8c49037340..358690cb09 100644 --- a/builtin/audit/syslog/backend_filter_node_test.go +++ b/builtin/audit/syslog/backend_filter_node_test.go @@ -11,7 +11,6 @@ import ( "github.com/hashicorp/eventlogger" "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/audit" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/stretchr/testify/require" ) @@ -75,7 +74,7 @@ func TestBackend_configureFilterFormatterSink(t *testing.T) { nodeMap: map[eventlogger.NodeID]eventlogger.Node{}, } - formatConfig, err := audit.NewFormatterConfig(&corehelpers.NoopHeaderFormatter{}) + formatConfig, err := audit.NewFormatterConfig(&audit.NoopHeaderFormatter{}) require.NoError(t, err) err = b.configureFilterNode("path == bar") diff --git a/builtin/audit/syslog/backend_test.go b/builtin/audit/syslog/backend_test.go index 1ee304a210..20a9ce1b13 100644 --- a/builtin/audit/syslog/backend_test.go +++ b/builtin/audit/syslog/backend_test.go @@ -4,13 +4,11 @@ package syslog import ( - "context" "testing" "github.com/hashicorp/eventlogger" "github.com/hashicorp/go-hclog" "github.com/hashicorp/vault/audit" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/internal/observability/event" "github.com/hashicorp/vault/sdk/helper/salt" "github.com/hashicorp/vault/sdk/logical" @@ -115,7 +113,7 @@ func TestBackend_newFormatterConfig(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - got, err := newFormatterConfig(&corehelpers.NoopHeaderFormatter{}, tc.config) + got, err := newFormatterConfig(&audit.NoopHeaderFormatter{}, tc.config) if tc.wantErr { require.Error(t, err) require.EqualError(t, err, tc.expectedErrMsg) @@ -142,7 +140,7 @@ func TestBackend_configureFormatterNode(t *testing.T) { nodeMap: map[eventlogger.NodeID]eventlogger.Node{}, } - formatConfig, err := audit.NewFormatterConfig(&corehelpers.NoopHeaderFormatter{}) + formatConfig, err := audit.NewFormatterConfig(&audit.NoopHeaderFormatter{}) require.NoError(t, err) err = b.configureFormatterNode("juan", formatConfig, hclog.NewNullLogger()) @@ -235,8 +233,6 @@ func TestBackend_configureSinkNode(t *testing.T) { func TestBackend_Factory_Conf(t *testing.T) { t.Parallel() - ctx := context.Background() - tests := map[string]struct { backendConfig *audit.BackendConfig isErrorExpected bool @@ -291,7 +287,7 @@ func TestBackend_Factory_Conf(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - be, err := Factory(ctx, tc.backendConfig, &corehelpers.NoopHeaderFormatter{}) + be, err := Factory(tc.backendConfig, &audit.NoopHeaderFormatter{}) switch { case tc.isErrorExpected: @@ -310,8 +306,6 @@ func TestBackend_Factory_Conf(t *testing.T) { func TestBackend_IsFallback(t *testing.T) { t.Parallel() - ctx := context.Background() - tests := map[string]struct { backendConfig *audit.BackendConfig isFallbackExpected bool @@ -348,7 +342,7 @@ func TestBackend_IsFallback(t *testing.T) { t.Run(name, func(t *testing.T) { t.Parallel() - be, err := Factory(ctx, tc.backendConfig, &corehelpers.NoopHeaderFormatter{}) + be, err := Factory(tc.backendConfig, &audit.NoopHeaderFormatter{}) require.NoError(t, err) require.NotNil(t, be) require.Equal(t, tc.isFallbackExpected, be.IsFallback()) diff --git a/helper/builtinplugins/builtinplugins_test.go b/helper/builtinplugins/builtinplugins_test.go index 8df20209c1..9f4e430df8 100644 --- a/helper/builtinplugins/builtinplugins_test.go +++ b/helper/builtinplugins/builtinplugins_test.go @@ -10,7 +10,6 @@ import ( "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/audit" logicalDb "github.com/hashicorp/vault/builtin/logical/database" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/helper/consts" "github.com/hashicorp/vault/sdk/logical" @@ -48,7 +47,7 @@ func TestBuiltinPluginsWork(t *testing.T) { // Specifying at least one audit backend factory will prevent NewTestCluster // from attempting to enable a noop audit, and audit isn't required for this test. AuditBackends: map[string]audit.Factory{ - "noop": corehelpers.NoopAuditFactory(nil), + "noop": audit.NoopAuditFactory(nil), }, }, &vault.TestClusterOptions{ diff --git a/helper/testhelpers/corehelpers/corehelpers.go b/helper/testhelpers/corehelpers/corehelpers.go index cae4d5b019..e2132b08e9 100644 --- a/helper/testhelpers/corehelpers/corehelpers.go +++ b/helper/testhelpers/corehelpers/corehelpers.go @@ -7,35 +7,20 @@ package corehelpers import ( "context" - "crypto/sha256" - "encoding/json" - "errors" - "fmt" "io" "os" "path/filepath" - "strings" - "sync" "time" - "github.com/hashicorp/eventlogger" "github.com/hashicorp/go-hclog" - "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/builtin/credential/approle" - "github.com/hashicorp/vault/internal/observability/event" "github.com/hashicorp/vault/plugins/database/mysql" "github.com/hashicorp/vault/sdk/framework" "github.com/hashicorp/vault/sdk/helper/consts" - "github.com/hashicorp/vault/sdk/helper/salt" "github.com/hashicorp/vault/sdk/logical" "github.com/mitchellh/go-testing-interface" ) -var ( - _ audit.Backend = (*NoopAudit)(nil) - _ eventlogger.Node = (*noopWrapper)(nil) -) - var externalPlugins = []string{"transform", "kmip", "keymgmt"} // RetryUntil runs f until it returns a nil result or the timeout is reached. @@ -217,324 +202,6 @@ func (m *mockBuiltinRegistry) DeprecationStatus(name string, pluginType consts.P return consts.Unknown, false } -func TestNoopAudit(t testing.T, path string, config map[string]string) *NoopAudit { - cfg := &audit.BackendConfig{ - Config: config, - MountPath: path, - Logger: NewTestLogger(t), - } - n, err := NewNoopAudit(cfg) - if err != nil { - t.Fatal(err) - } - return n -} - -// NoopHeaderFormatter can be used within no-op audit devices to do nothing when -// it comes to only allow configured headers to appear in the result. -// Whatever is passed in will be returned (nil becomes an empty map) in lowercase. -type NoopHeaderFormatter struct{} - -// ApplyConfig implements the relevant interface to make NoopHeaderFormatter an audit.HeaderFormatter. -func (f *NoopHeaderFormatter) ApplyConfig(_ context.Context, headers map[string][]string, _ audit.Salter) (result map[string][]string, retErr error) { - if len(headers) < 1 { - return map[string][]string{}, nil - } - - // Make a copy of the incoming headers with everything lower so we can - // case-insensitively compare - lowerHeaders := make(map[string][]string, len(headers)) - for k, v := range headers { - lowerHeaders[strings.ToLower(k)] = v - } - - return lowerHeaders, nil -} - -// NewNoopAudit should be used to create a NoopAudit as it handles creation of a -// predictable salt and wraps eventlogger nodes so information can be retrieved on -// what they've seen or formatted. -func NewNoopAudit(config *audit.BackendConfig) (*NoopAudit, error) { - view := &logical.InmemStorage{} - - // Create the salt with a known key for predictable hmac values. - se := &logical.StorageEntry{Key: "salt", Value: []byte("foo")} - err := view.Put(context.Background(), se) - if err != nil { - return nil, err - } - - // Override the salt related config settings. - backendConfig := &audit.BackendConfig{ - SaltView: view, - SaltConfig: &salt.Config{ - HMAC: sha256.New, - HMACType: "hmac-sha256", - }, - Config: config.Config, - MountPath: config.MountPath, - } - - noopBackend := &NoopAudit{ - Config: backendConfig, - nodeIDList: make([]eventlogger.NodeID, 2), - nodeMap: make(map[eventlogger.NodeID]eventlogger.Node, 2), - } - - cfg, err := audit.NewFormatterConfig(&NoopHeaderFormatter{}) - if err != nil { - return nil, err - } - - formatterNodeID, err := event.GenerateNodeID() - if err != nil { - return nil, fmt.Errorf("error generating random NodeID for formatter node: %w", err) - } - - formatterNode, err := audit.NewEntryFormatter(config.MountPath, cfg, noopBackend, config.Logger) - if err != nil { - return nil, fmt.Errorf("error creating formatter: %w", err) - } - - // Wrap the formatting node, so we can get any bytes that were formatted etc. - wrappedFormatter := &noopWrapper{format: "json", node: formatterNode, backend: noopBackend} - - noopBackend.nodeIDList[0] = formatterNodeID - noopBackend.nodeMap[formatterNodeID] = wrappedFormatter - - sinkNode := event.NewNoopSink() - sinkNodeID, err := event.GenerateNodeID() - if err != nil { - return nil, fmt.Errorf("error generating random NodeID for sink node: %w", err) - } - - noopBackend.nodeIDList[1] = sinkNodeID - noopBackend.nodeMap[sinkNodeID] = sinkNode - - return noopBackend, nil -} - -// NoopAuditFactory should be used when the test needs a way to access bytes that -// have been formatted by the pipeline during audit requests. -// The records parameter will be repointed to the one used within the pipeline. -func NoopAuditFactory(records **[][]byte) audit.Factory { - return func(_ context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { - n, err := NewNoopAudit(config) - if err != nil { - return nil, err - } - if records != nil { - *records = &n.records - } - - return n, nil - } -} - -// noopWrapper is designed to wrap a formatter node in order to allow access to -// bytes formatted, headers formatted and parts of the logical.LogInput. -// Some older tests relied on being able to query this information so while those -// tests stick around we should look after them. -type noopWrapper struct { - format string - node eventlogger.Node - backend *NoopAudit -} - -// NoopAuditEventListener is a callback used by noopWrapper.Process() to notify -// of each received audit event. -type NoopAuditEventListener func(*audit.AuditEvent) - -type NoopAudit struct { - Config *audit.BackendConfig - - ReqErr error - ReqAuth []*logical.Auth - Req []*logical.Request - ReqHeaders []map[string][]string - ReqNonHMACKeys []string - ReqErrs []error - - RespErr error - RespAuth []*logical.Auth - RespReq []*logical.Request - Resp []*logical.Response - RespNonHMACKeys [][]string - RespReqNonHMACKeys [][]string - RespErrs []error - records [][]byte - l sync.RWMutex - salt *salt.Salt - saltMutex sync.RWMutex - - nodeIDList []eventlogger.NodeID - nodeMap map[eventlogger.NodeID]eventlogger.Node - - listener NoopAuditEventListener -} - -// Process handles the contortions required by older test code to ensure behavior. -// It will attempt to do some pre/post processing of the logical.LogInput that should -// form part of the event's payload data, as well as capturing the resulting headers -// that were formatted and track the overall bytes that a formatted event uses when -// it's ready to head down the pipeline to the sink node (a noop for us). -func (n *noopWrapper) Process(ctx context.Context, e *eventlogger.Event) (*eventlogger.Event, error) { - n.backend.l.Lock() - defer n.backend.l.Unlock() - - var err error - - // We're expecting audit events since this is an audit device. - a, ok := e.Payload.(*audit.AuditEvent) - if !ok { - return nil, errors.New("cannot parse payload as an audit event") - } - - if n.backend.listener != nil { - n.backend.listener(a) - } - - in := a.Data - - // Depending on the type of the audit event (request or response) we need to - // track different things. - switch a.Subtype { - case audit.RequestType: - n.backend.ReqAuth = append(n.backend.ReqAuth, in.Auth) - n.backend.Req = append(n.backend.Req, in.Request) - n.backend.ReqNonHMACKeys = in.NonHMACReqDataKeys - n.backend.ReqErrs = append(n.backend.ReqErrs, in.OuterErr) - - if n.backend.ReqErr != nil { - return nil, n.backend.ReqErr - } - case audit.ResponseType: - n.backend.RespAuth = append(n.backend.RespAuth, in.Auth) - n.backend.RespReq = append(n.backend.RespReq, in.Request) - n.backend.Resp = append(n.backend.Resp, in.Response) - n.backend.RespErrs = append(n.backend.RespErrs, in.OuterErr) - - if in.Response != nil { - n.backend.RespNonHMACKeys = append(n.backend.RespNonHMACKeys, in.NonHMACRespDataKeys) - n.backend.RespReqNonHMACKeys = append(n.backend.RespReqNonHMACKeys, in.NonHMACReqDataKeys) - } - - if n.backend.RespErr != nil { - return nil, n.backend.RespErr - } - default: - return nil, fmt.Errorf("unknown audit event type: %q", a.Subtype) - } - - // Once we've taken note of the relevant properties of the event, we get the - // underlying (wrapped) node to process it as normal. - e, err = n.node.Process(ctx, e) - if err != nil { - return nil, fmt.Errorf("error processing wrapped node: %w", err) - } - - // Once processing has been carried out, the underlying node (a formatter node) - // should contain the output ready for the sink node. We'll get that in order - // to track how many bytes we formatted. - b, ok := e.Format(n.format) - if ok { - n.backend.records = append(n.backend.records, b) - } - - // Finally, the last bit of post-processing is to make sure that we track the - // formatted headers that would have made it to the logs via the sink node. - // They only appear in requests. - if a.Subtype == audit.RequestType { - reqEntry := &audit.RequestEntry{} - err = json.Unmarshal(b, &reqEntry) - if err != nil { - return nil, fmt.Errorf("unable to parse formatted audit entry data: %w", err) - } - - n.backend.ReqHeaders = append(n.backend.ReqHeaders, reqEntry.Request.Headers) - } - - // Return the event and no error in order to let the pipeline continue on. - return e, nil -} - -func (n *noopWrapper) Reopen() error { - return n.node.Reopen() -} - -func (n *noopWrapper) Type() eventlogger.NodeType { - return n.node.Type() -} - -// LogTestMessage will manually crank the handle on the nodes associated with this backend. -func (n *NoopAudit) LogTestMessage(ctx context.Context, in *logical.LogInput) error { - if len(n.nodeIDList) > 0 { - return audit.ProcessManual(ctx, in, n.nodeIDList, n.nodeMap) - } - - return nil -} - -func (n *NoopAudit) Salt(ctx context.Context) (*salt.Salt, error) { - n.saltMutex.RLock() - if n.salt != nil { - defer n.saltMutex.RUnlock() - return n.salt, nil - } - n.saltMutex.RUnlock() - n.saltMutex.Lock() - defer n.saltMutex.Unlock() - if n.salt != nil { - return n.salt, nil - } - s, err := salt.NewSalt(ctx, n.Config.SaltView, n.Config.SaltConfig) - if err != nil { - return nil, err - } - n.salt = s - return s, nil -} - -func (n *NoopAudit) GetHash(ctx context.Context, data string) (string, error) { - s, err := n.Salt(ctx) - if err != nil { - return "", err - } - return s.GetIdentifiedHMAC(data), nil -} - -func (n *NoopAudit) Reload(_ context.Context) error { - return nil -} - -func (n *NoopAudit) Invalidate(_ context.Context) { - n.saltMutex.Lock() - defer n.saltMutex.Unlock() - n.salt = nil -} - -// RegisterNodesAndPipeline registers the nodes and a pipeline as required by -// the audit.Backend interface. -func (n *NoopAudit) RegisterNodesAndPipeline(broker *eventlogger.Broker, name string) error { - for id, node := range n.nodeMap { - if err := broker.RegisterNode(id, node); err != nil { - return err - } - } - - pipeline := eventlogger.Pipeline{ - PipelineID: eventlogger.PipelineID(name), - EventType: event.AuditType.AsEventType(), - NodeIDs: n.nodeIDList, - } - - return broker.RegisterPipeline(pipeline) -} - -func (n *NoopAudit) SetListener(listener NoopAuditEventListener) { - n.listener = listener -} - type TestLogger struct { hclog.InterceptLogger Path string @@ -598,27 +265,3 @@ func NewTestLogger(t testing.T) *TestLogger { func (tl *TestLogger) StopLogging() { tl.InterceptLogger.DeregisterSink(tl.sink) } - -func (n *NoopAudit) EventType() eventlogger.EventType { - return event.AuditType.AsEventType() -} - -func (n *NoopAudit) HasFiltering() bool { - return false -} - -func (n *NoopAudit) Name() string { - return n.Config.MountPath -} - -func (n *NoopAudit) Nodes() map[eventlogger.NodeID]eventlogger.Node { - return n.nodeMap -} - -func (n *NoopAudit) NodeIDs() []eventlogger.NodeID { - return n.nodeIDList -} - -func (n *NoopAudit) IsFallback() bool { - return false -} diff --git a/helper/testhelpers/teststorage/teststorage.go b/helper/testhelpers/teststorage/teststorage.go index c2d30a8f84..a0a17a685f 100644 --- a/helper/testhelpers/teststorage/teststorage.go +++ b/helper/testhelpers/teststorage/teststorage.go @@ -20,7 +20,6 @@ import ( logicalDb "github.com/hashicorp/vault/builtin/logical/database" "github.com/hashicorp/vault/builtin/plugin" "github.com/hashicorp/vault/helper/namespace" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/internalshared/configutil" "github.com/hashicorp/vault/physical/raft" @@ -324,7 +323,7 @@ func ClusterSetup(conf *vault.CoreConfig, opts *vault.TestClusterOptions, setup "file": auditFile.Factory, "socket": auditSocket.Factory, "syslog": auditSyslog.Factory, - "noop": corehelpers.NoopAuditFactory(nil), + "noop": audit.NoopAuditFactory(nil), } } diff --git a/http/logical_test.go b/http/logical_test.go index e07815896d..704fe937d0 100644 --- a/http/logical_test.go +++ b/http/logical_test.go @@ -569,10 +569,10 @@ func TestLogical_RespondWithStatusCode(t *testing.T) { func TestLogical_Audit_invalidWrappingToken(t *testing.T) { // Create a noop audit backend - noop := corehelpers.TestNoopAudit(t, "noop/", nil) + noop := audit.TestNoopAudit(t, "noop/", nil) c, _, root := vault.TestCoreUnsealedWithConfig(t, &vault.CoreConfig{ AuditBackends: map[string]audit.Factory{ - "noop": func(ctx context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + "noop": func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { return noop, nil }, }, diff --git a/http/sys_generate_root_test.go b/http/sys_generate_root_test.go index 8358d18a53..2b00926f67 100644 --- a/http/sys_generate_root_test.go +++ b/http/sys_generate_root_test.go @@ -231,7 +231,7 @@ func testCoreUnsealedWithAudit(t *testing.T, records **[][]byte) (*vault.Core, [ conf := &vault.CoreConfig{ BuiltinRegistry: corehelpers.NewMockBuiltinRegistry(), AuditBackends: map[string]audit.Factory{ - "noop": corehelpers.NoopAuditFactory(records), + "noop": audit.NoopAuditFactory(records), }, } core, keys, token := vault.TestCoreUnsealedWithConfig(t, conf) diff --git a/vault/audit.go b/vault/audit.go index a039b3421e..b271eabea2 100644 --- a/vault/audit.go +++ b/vault/audit.go @@ -545,15 +545,13 @@ func (c *Core) newAuditBackend(ctx context.Context, entry *MountEntry, view logi } auditLogger := c.baseLogger.Named("audit") - be, err := f( - ctx, &audit.BackendConfig{ - SaltView: view, - SaltConfig: saltConfig, - Config: conf, - MountPath: entry.Path, - Logger: auditLogger, - }, - c.auditedHeaders) + be, err := f(&audit.BackendConfig{ + SaltView: view, + SaltConfig: saltConfig, + Config: conf, + MountPath: entry.Path, + Logger: auditLogger, + }, c.auditedHeaders) if err != nil { return nil, fmt.Errorf("unable to create new audit backend: %w", err) } @@ -576,7 +574,7 @@ func (c *Core) newAuditBackend(ctx context.Context, entry *MountEntry, view logi c.reloadFuncs[key] = append(c.reloadFuncs[key], func() error { auditLogger.Info("reloading file audit backend", "path", entry.Path) - return be.Reload(ctx) + return be.Reload() }) c.reloadFuncsLock.Unlock() diff --git a/vault/audit_broker_test.go b/vault/audit_broker_test.go index 4626353b41..58d60e2aae 100644 --- a/vault/audit_broker_test.go +++ b/vault/audit_broker_test.go @@ -47,7 +47,7 @@ func testAuditBackend(t *testing.T, path string, config map[string]string) audit MountPath: path, } - be, err := syslog.Factory(context.Background(), cfg, headersCfg) + be, err := syslog.Factory(cfg, headersCfg) require.NoError(t, err) require.NotNil(t, be) @@ -118,7 +118,7 @@ func BenchmarkAuditBroker_File_Request_DevNull(b *testing.B) { Logger: hclog.NewNullLogger(), } - sink, err := file.Factory(context.Background(), backendConfig, nil) + sink, err := file.Factory(backendConfig, nil) require.NoError(b, err) broker, err := NewAuditBroker(nil) diff --git a/vault/audit_test.go b/vault/audit_test.go index a0429c5b84..979a014382 100644 --- a/vault/audit_test.go +++ b/vault/audit_test.go @@ -18,7 +18,6 @@ import ( "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/constants" "github.com/hashicorp/vault/helper/namespace" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/sdk/helper/jsonutil" "github.com/hashicorp/vault/sdk/helper/logging" "github.com/hashicorp/vault/sdk/logical" @@ -28,16 +27,16 @@ import ( func TestAudit_ReadOnlyViewDuringMount(t *testing.T) { c, _, _ := TestCoreUnsealed(t) - c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { - err := config.SaltView.Put(ctx, &logical.StorageEntry{ + c.auditBackends["noop"] = func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + err := config.SaltView.Put(context.Background(), &logical.StorageEntry{ Key: "bar", Value: []byte("baz"), }) if err == nil || !strings.Contains(err.Error(), logical.ErrSetupReadOnly.Error()) { t.Fatalf("expected a read-only error") } - factory := corehelpers.NoopAuditFactory(nil) - return factory(ctx, config, nil) + factory := audit.NoopAuditFactory(nil) + return factory(config, nil) } me := &MountEntry{ @@ -53,7 +52,7 @@ func TestAudit_ReadOnlyViewDuringMount(t *testing.T) { func TestCore_EnableAudit(t *testing.T) { c, keys, _ := TestCoreUnsealed(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) me := &MountEntry{ Table: auditTableType, @@ -74,7 +73,7 @@ func TestCore_EnableAudit(t *testing.T) { AuditBackends: make(map[string]audit.Factory), DisableMlock: true, } - conf.AuditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + conf.AuditBackends["noop"] = audit.NoopAuditFactory(nil) c2, err := NewCore(conf) if err != nil { t.Fatalf("err: %v", err) @@ -103,8 +102,8 @@ func TestCore_EnableAudit(t *testing.T) { func TestCore_EnableAudit_MixedFailures(t *testing.T) { c, _, _ := TestCoreUnsealed(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) - c.auditBackends["fail"] = func(ctx context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) + c.auditBackends["fail"] = func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { return nil, fmt.Errorf("failing enabling") } @@ -152,8 +151,8 @@ func TestCore_EnableAudit_MixedFailures(t *testing.T) { // correctly func TestCore_EnableAudit_Local(t *testing.T) { c, _, _ := TestCoreUnsealed(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) - c.auditBackends["fail"] = func(ctx context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) + c.auditBackends["fail"] = func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { return nil, fmt.Errorf("failing enabling") } @@ -238,7 +237,7 @@ func TestCore_EnableAudit_Local(t *testing.T) { func TestCore_DisableAudit(t *testing.T) { c, keys, _ := TestCoreUnsealed(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) existed, err := c.disableAudit(namespace.RootContext(context.Background()), "foo", true) if existed && err != nil { @@ -346,8 +345,8 @@ func TestAuditBroker_LogRequest(t *testing.T) { t.Fatal(err) } - a1 := corehelpers.TestNoopAudit(t, "foo", nil) - a2 := corehelpers.TestNoopAudit(t, "bar", nil) + a1 := audit.TestNoopAudit(t, "foo", nil) + a2 := audit.TestNoopAudit(t, "bar", nil) err = b.Register("foo", a1, false) require.NoError(t, err) err = b.Register("bar", a2, false) @@ -399,7 +398,7 @@ func TestAuditBroker_LogRequest(t *testing.T) { t.Fatalf("err: %v", err) } - for _, a := range []*corehelpers.NoopAudit{a1, a2} { + for _, a := range []*audit.NoopAudit{a1, a2} { if !reflect.DeepEqual(a.ReqAuth[0], auth) { t.Fatalf("Bad: %#v", a.ReqAuth[0]) } @@ -435,8 +434,8 @@ func TestAuditBroker_LogResponse(t *testing.T) { t.Fatal(err) } - a1 := corehelpers.TestNoopAudit(t, "foo", nil) - a2 := corehelpers.TestNoopAudit(t, "bar", nil) + a1 := audit.TestNoopAudit(t, "foo", nil) + a2 := audit.TestNoopAudit(t, "bar", nil) err = b.Register("foo", a1, false) require.NoError(t, err) err = b.Register("bar", a2, false) @@ -499,7 +498,7 @@ func TestAuditBroker_LogResponse(t *testing.T) { t.Fatalf("err: %v", err) } - for _, a := range []*corehelpers.NoopAudit{a1, a2} { + for _, a := range []*audit.NoopAudit{a1, a2} { if !reflect.DeepEqual(a.RespAuth[0], auth) { t.Fatalf("Bad: %#v", a.ReqAuth[0]) } @@ -540,8 +539,8 @@ func TestAuditBroker_AuditHeaders(t *testing.T) { t.Fatal(err) } - a1 := corehelpers.TestNoopAudit(t, "foo", nil) - a2 := corehelpers.TestNoopAudit(t, "bar", nil) + a1 := audit.TestNoopAudit(t, "foo", nil) + a2 := audit.TestNoopAudit(t, "bar", nil) err = b.Register("foo", a1, false) require.NoError(t, err) @@ -589,7 +588,7 @@ func TestAuditBroker_AuditHeaders(t *testing.T) { "x-vault-header": {"bar"}, } - for _, a := range []*corehelpers.NoopAudit{a1, a2} { + for _, a := range []*audit.NoopAudit{a1, a2} { if !reflect.DeepEqual(a.ReqHeaders[0], expected) { t.Fatalf("Bad audited headers: %#v", a.ReqHeaders[0]) } @@ -710,7 +709,7 @@ func TestAudit_enableAudit(t *testing.T) { defer cluster.Cleanup() c := cluster.Cores[0] - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) me := &MountEntry{ Table: auditTableType, @@ -734,7 +733,7 @@ func TestAudit_newAuditBackend(t *testing.T) { defer cluster.Cleanup() c := cluster.Cores[0] - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) me := &MountEntry{ Table: auditTableType, diff --git a/vault/core_test.go b/vault/core_test.go index 8eb29f80bd..342f973d39 100644 --- a/vault/core_test.go +++ b/vault/core_test.go @@ -1543,11 +1543,11 @@ func TestCore_HandleLogin_Token(t *testing.T) { func TestCore_HandleRequest_AuditTrail(t *testing.T) { // Create a noop audit backend - var noop *corehelpers.NoopAudit + var noop *audit.NoopAudit c, _, root := TestCoreUnsealed(t) - c.auditBackends["noop"] = func(_ context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + c.auditBackends["noop"] = func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { var err error - noop, err = corehelpers.NewNoopAudit(config) + noop, err = audit.NewNoopAudit(config) return noop, err } @@ -1606,11 +1606,11 @@ func TestCore_HandleRequest_AuditTrail(t *testing.T) { func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) { // Create a noop audit backend - var noop *corehelpers.NoopAudit + var noop *audit.NoopAudit c, _, root := TestCoreUnsealed(t) - c.auditBackends["noop"] = func(_ context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + c.auditBackends["noop"] = func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { var err error - noop, err = corehelpers.NewNoopAudit(config) + noop, err = audit.NewNoopAudit(config) return noop, err } @@ -1709,7 +1709,7 @@ func TestCore_HandleRequest_AuditTrail_noHMACKeys(t *testing.T) { func TestCore_HandleLogin_AuditTrail(t *testing.T) { // Create a badass credential backend that always logs in as armon - var noop *corehelpers.NoopAudit + var noop *audit.NoopAudit noopBack := &NoopBackend{ Login: []string{"login"}, Response: &logical.Response{ @@ -1729,9 +1729,9 @@ func TestCore_HandleLogin_AuditTrail(t *testing.T) { c.credentialBackends["noop"] = func(context.Context, *logical.BackendConfig) (logical.Backend, error) { return noopBack, nil } - c.auditBackends["noop"] = func(_ context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + c.auditBackends["noop"] = func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { var err error - noop, err = corehelpers.NewNoopAudit(config) + noop, err = audit.NewNoopAudit(config) return noop, err } diff --git a/vault/external_tests/identity/login_mfa_totp_test.go b/vault/external_tests/identity/login_mfa_totp_test.go index b5794b2b85..97b1c7137e 100644 --- a/vault/external_tests/identity/login_mfa_totp_test.go +++ b/vault/external_tests/identity/login_mfa_totp_test.go @@ -17,7 +17,6 @@ import ( "github.com/hashicorp/vault/builtin/credential/userpass" "github.com/hashicorp/vault/builtin/logical/totp" "github.com/hashicorp/vault/helper/testhelpers" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/logical" "github.com/hashicorp/vault/vault" @@ -51,7 +50,7 @@ func doTwoPhaseLogin(t *testing.T, client *api.Client, totpCodePath, methodID, u } func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) { - noop := corehelpers.TestNoopAudit(t, "noop/", nil) + noop := audit.TestNoopAudit(t, "noop/", nil) cluster := vault.NewTestCluster(t, &vault.CoreConfig{ CredentialBackends: map[string]logical.Factory{ @@ -61,7 +60,7 @@ func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) { "totp": totp.Factory, }, AuditBackends: map[string]audit.Factory{ - "noop": func(ctx context.Context, config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { + "noop": func(config *audit.BackendConfig, _ audit.HeaderFormatter) (audit.Backend, error) { return noop, nil }, }, diff --git a/vault/external_tests/router/router_ext_test.go b/vault/external_tests/router/router_ext_test.go index c2cb58c4c3..86260f005e 100644 --- a/vault/external_tests/router/router_ext_test.go +++ b/vault/external_tests/router/router_ext_test.go @@ -12,7 +12,6 @@ import ( "github.com/hashicorp/vault/api" "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/testhelpers" - "github.com/hashicorp/vault/helper/testhelpers/corehelpers" "github.com/hashicorp/vault/helper/testhelpers/minimal" vaulthttp "github.com/hashicorp/vault/http" "github.com/hashicorp/vault/sdk/logical" @@ -95,7 +94,7 @@ func TestWellKnownRedirect_HA(t *testing.T) { var records *[][]byte cluster := vault.NewTestCluster(t, &vault.CoreConfig{ AuditBackends: map[string]audit.Factory{ - "noop": corehelpers.NoopAuditFactory(&records), + "noop": audit.NoopAuditFactory(&records), }, DisablePerformanceStandby: true, LogicalBackends: map[string]logical.Factory{ diff --git a/vault/logical_system_test.go b/vault/logical_system_test.go index 8acf4d7799..e13104ce6d 100644 --- a/vault/logical_system_test.go +++ b/vault/logical_system_test.go @@ -25,6 +25,7 @@ import ( wrapping "github.com/hashicorp/go-kms-wrapping/v2" aeadwrapper "github.com/hashicorp/go-kms-wrapping/wrappers/aead/v2" "github.com/hashicorp/go-uuid" + "github.com/hashicorp/vault/audit" credUserpass "github.com/hashicorp/vault/builtin/credential/userpass" "github.com/hashicorp/vault/helper/builtinplugins" "github.com/hashicorp/vault/helper/experiments" @@ -2667,7 +2668,7 @@ func TestSystemBackend_policyCRUD(t *testing.T) { func TestSystemBackend_enableAudit(t *testing.T) { c, b, _ := testCoreSystemBackend(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo") req.Data["type"] = "noop" @@ -2737,7 +2738,7 @@ func TestSystemBackend_decodeToken(t *testing.T) { func TestSystemBackend_auditHash(t *testing.T) { c, b, _ := testCoreSystemBackend(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo") req.Data["type"] = "noop" @@ -2799,7 +2800,7 @@ func TestSystemBackend_enableAudit_invalid(t *testing.T) { func TestSystemBackend_auditTable(t *testing.T) { c, b, _ := testCoreSystemBackend(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo") req.Data["type"] = "noop" @@ -2834,7 +2835,7 @@ func TestSystemBackend_auditTable(t *testing.T) { func TestSystemBackend_disableAudit(t *testing.T) { c, b, _ := testCoreSystemBackend(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) req := logical.TestRequest(t, logical.UpdateOperation, "audit/foo") req.Data["type"] = "noop" diff --git a/vault/mount_test.go b/vault/mount_test.go index a412252e44..804e9e43fc 100644 --- a/vault/mount_test.go +++ b/vault/mount_test.go @@ -13,6 +13,7 @@ import ( "github.com/armon/go-metrics" "github.com/go-test/deep" + "github.com/hashicorp/vault/audit" "github.com/hashicorp/vault/helper/metricsutil" "github.com/hashicorp/vault/helper/namespace" "github.com/hashicorp/vault/helper/testhelpers/corehelpers" @@ -721,7 +722,7 @@ func TestDefaultMountTable(t *testing.T) { func TestCore_MountTable_UpgradeToTyped(t *testing.T) { c, _, _ := TestCoreUnsealed(t) - c.auditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + c.auditBackends["noop"] = audit.NoopAuditFactory(nil) me := &MountEntry{ Table: auditTableType, diff --git a/vault/testing.go b/vault/testing.go index 61dc35695a..4ef8edb0be 100644 --- a/vault/testing.go +++ b/vault/testing.go @@ -273,7 +273,7 @@ func TestCoreWithSealAndUINoCleanup(t testing.T, opts *CoreConfig) *Core { func testCoreConfig(t testing.T, physicalBackend physical.Backend, logger log.Logger) *CoreConfig { t.Helper() noopAudits := map[string]audit.Factory{ - "noop": corehelpers.NoopAuditFactory(nil), + "noop": audit.NoopAuditFactory(nil), } noopBackends := make(map[string]logical.Factory) @@ -1539,7 +1539,7 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te addAuditBackend := len(coreConfig.AuditBackends) == 0 if addAuditBackend { - coreConfig.AuditBackends["noop"] = corehelpers.NoopAuditFactory(nil) + coreConfig.AuditBackends["noop"] = audit.NoopAuditFactory(nil) } if coreConfig.Physical == nil && (opts == nil || opts.PhysicalFactory == nil) {