fix adding clientID to request in audit log (#12919)

* fix adding clientID to request in audit log

* fix boolean statement

* use standard encoding for client ID instead of urlEncoding

* change encoding in tests

* add in client counts to request handling

* remove redundant client ID generation in request handling

* directly add clientID to req after handling token usage
This commit is contained in:
Hridoy Roy 2021-10-26 09:02:13 -07:00 committed by GitHub
parent c97e44e372
commit 5dc90d8081
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 15 additions and 13 deletions


@ -110,6 +110,7 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
Request: &AuditRequest{
ID: req.ID,
ClientID: req.ClientID,
ClientToken: req.ClientToken,
ClientTokenAccessor: req.ClientTokenAccessor,
Operation: req.Operation,
@ -336,6 +337,7 @@ type AuditResponseEntry struct {
type AuditRequest struct {
ID string `json:"id,omitempty"`
ClientID string `json:"client_id,omitempty"`
ReplicationCluster string `json:"replication_cluster,omitempty"`
Operation logical.Operation `json:"operation,omitempty"`
MountType string `json:"mount_type,omitempty"`
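Review bot: The new `ClientID: req.ClientID,` is wired into FormatRequest only; if FormatResponse builds its own `AuditRequest` for the response entry (not in view here), it needs the same field, or response entries will lack `client_id` and the request/response pair for one call cannot be correlated by client. The added `AuditRequest.ClientID` field also deserves a doc comment so readers of the audit schema know what the value is, e.g. `// ClientID is the activity-log client identifier for the token: the entity ID when the token has one, otherwise a hash of its sorted policies and namespace.` — the shape is taken from the `Request.ClientID` field comment elsewhere in this commit. FormatRequest's body starts and ends outside the hunk.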


@ -219,7 +219,7 @@ type Request struct {
// entity, it will be the same as the EntityID . If the token has no entity,
// this will be the sha256(sorted policies + namespace) associated with the
// client token.
ClientID string
ClientID string `json:"client_id" structs:"client_id" mapstructure:"client_id" sentinel:""`
}
// Clone returns a deep copy of the request by using copystructure


@ -1583,31 +1583,33 @@ func (a *ActivityLog) loadConfigOrDefault(ctx context.Context) (activityConfig,
return config, nil
}
// HandleTokenUsage adds the TokenEntry to the current fragment of the activity log.
// HandleTokenUsage adds the TokenEntry to the current fragment of the activity log
// and returns the corresponding Client ID.
// This currently occurs on token usage only.
func (a *ActivityLog) HandleTokenUsage(entry *logical.TokenEntry) {
func (a *ActivityLog) HandleTokenUsage(entry *logical.TokenEntry) string {
// First, check if a is enabled, so as to avoid the cost of creating an ID for
// tokens without entities in the case where it not.
a.fragmentLock.RLock()
if !a.enabled {
a.fragmentLock.RUnlock()
return
return ""
}
a.fragmentLock.RUnlock()
// Do not count wrapping tokens in client count
if IsWrappingToken(entry) {
return
return ""
}
// Do not count root tokens in client count.
if entry.IsRoot() {
return
return ""
}
// Parse an entry's client ID and add it to the activity log
clientID, isTWE := a.CreateClientID(entry)
a.AddClientToFragment(clientID, entry.NamespaceID, entry.CreationTime, isTWE)
return clientID
}
// CreateClientID returns the client ID, and a boolean which is false if the clientID
@ -1649,7 +1651,7 @@ func (a *ActivityLog) CreateClientID(entry *logical.TokenEntry) (string, bool) {
// Step 5: Hash the sum
hashed := sha256.Sum256([]byte(clientIDInput))
return base64.URLEncoding.EncodeToString(hashed[:]), true
return base64.StdEncoding.EncodeToString(hashed[:]), true
}
func (a *ActivityLog) namespaceToLabel(ctx context.Context, nsID string) string {
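Review bot: Switching `CreateClientID` from `base64.URLEncoding` to `base64.StdEncoding` changes the ID produced for the same token-without-entity input whenever the hash contains bytes that encode to `-`/`_` in one alphabet and `+`/`/` in the other; if any hashed IDs were already persisted in activity-log fragments or segments under the old encoding, the same client would be counted twice in the period spanning the change, and the commit carries no migration or note for that. A comment at the return would pin the assumption being made, e.g. `// StdEncoding: client IDs are compared as opaque strings and are never used as storage path components` — confirm that holds, since the Std alphabet includes `/`. Separately, the updated doc comment on `HandleTokenUsage` should spell out the empty-string cases callers now receive, e.g. `// It returns "" when the activity log is disabled or entry is a wrapping or root token, none of which are counted.`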


@ -1534,7 +1534,7 @@ func TestCreateClientID(t *testing.T) {
string(sortedPoliciesTWEDelimiter) + "foo" + string(clientIDTWEDelimiter) + "namespaceFoo"
hashed := sha256.Sum256([]byte(expectedIDPlaintext))
expectedID := base64.URLEncoding.EncodeToString(hashed[:])
expectedID := base64.StdEncoding.EncodeToString(hashed[:])
if expectedID != id {
t.Fatalf("wrong ID: expected %s, found %s", expectedID, id)
}
@ -1559,7 +1559,7 @@ func TestCreateClientID(t *testing.T) {
string(sortedPoliciesTWEDelimiter) + "foo" + string(clientIDTWEDelimiter)
hashed = sha256.Sum256([]byte(expectedIDPlaintext))
expectedID = base64.URLEncoding.EncodeToString(hashed[:])
expectedID = base64.StdEncoding.EncodeToString(hashed[:])
if expectedID != id {
t.Fatalf("wrong ID: expected %s, found %s", expectedID, id)
}
@ -1573,7 +1573,7 @@ func TestCreateClientID(t *testing.T) {
expectedIDPlaintext = "namespaceFoo"
hashed = sha256.Sum256([]byte(expectedIDPlaintext))
expectedID = base64.URLEncoding.EncodeToString(hashed[:])
expectedID = base64.StdEncoding.EncodeToString(hashed[:])
if expectedID != id {
t.Fatalf("wrong ID: expected %s, found %s", expectedID, id)
}
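Review bot: Each expected ID in `TestCreateClientID` is rebuilt with the same `base64.StdEncoding.EncodeToString(hashed[:])` call the implementation uses, so the test still passes if both sides are flipped back to `URLEncoding` together and it does not pin the persisted ID format. Keep at least one case that compares `id` against a literal expected string for a fixed plaintext, so an encoding change surfaces as a test failure instead of a matching edit on both sides, as happened in this commit. The enclosing test function starts outside the hunks shown.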


@ -398,9 +398,7 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
// If it is an authenticated ( i.e with vault token ) request, increment client count
if !unauth && c.activityLog != nil {
clientID, _ := c.activityLog.CreateClientID(req.TokenEntry())
req.ClientID = clientID
c.activityLog.HandleTokenUsage(te)
req.ClientID = c.activityLog.HandleTokenUsage(te)
}
return auth, te, nil
}
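Review bot: `req.ClientID = c.activityLog.HandleTokenUsage(te)` leaves `req.ClientID` empty whenever the activity log is disabled, and for root and wrapping tokens, whereas the removed `CreateClientID` call populated it whenever `c.activityLog != nil`; audit entries for those requests now omit `client_id`, which ties an audit-log field to the activity-log setting. If that coupling is intended, record it on the assignment, e.g. `// Empty when the activity log is disabled or te is a root/wrapping token; the audit log then omits client_id.`; if not, fall back to `CreateClientID` when the returned ID is empty. The body of checkToken starts outside the hunk.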