Added hash_accessor option to audit backends

2026-05-06 04:46:25 +02:00 · 2016-03-11 19:28:06 -05:00 · 2016-03-11 19:28:06 -05:00 · ac0639d5bc
commit ac0639d5bc
parent 640b3b25c5
3 changed files with 80 additions and 13 deletions
--- a/audit/hashstructure.go
+++ b/audit/hashstructure.go
@ -32,6 +32,10 @@ func Hash(salter *salt.Salt, raw interface{}) error {
 			token := fn(s.ClientToken)
 			s.ClientToken = token
 		}
+		if s.Accessor != "" {
+			accessor := fn(s.Accessor)
+			s.Accessor = accessor
+		}

 	case *logical.Request:
 		if s == nil {
--- a/builtin/audit/file/backend.go
+++ b/builtin/audit/file/backend.go
@ -15,7 +15,7 @@ import (

 func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 	if conf.Salt == nil {
-		return nil, fmt.Errorf("Nil salt passed in")
+		return nil, fmt.Errorf("nil salt")
 	}

 	path, ok := conf.Config["path"]
@ -23,6 +23,16 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 		return nil, fmt.Errorf("path is required")
 	}

+	// Check if hashing of accessor is disabled
+	hashAccessor := true
+	if hashAccessorRaw, ok := conf.Config["hash_accessor"]; ok {
+		value, err := strconv.ParseBool(hashAccessorRaw)
+		if err != nil {
+			return nil, err
+		}
+		hashAccessor = value
+	}
+
 	// Check if raw logging is enabled
 	logRaw := false
 	if raw, ok := conf.Config["log_raw"]; ok {
@ -34,9 +44,10 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 	}

 	b := &Backend{
-		path:   path,
-		logRaw: logRaw,
-		salt:   conf.Salt,
+		path:         path,
+		logRaw:       logRaw,
+		hashAccessor: hashAccessor,
+		salt:         conf.Salt,
 	}

 	// Ensure that the file can be successfully opened for writing;
@ -55,9 +66,10 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 // It doesn't do anything more at the moment to assist with rotation
 // or reset the write cursor, this should be done in the future.
 type Backend struct {
-	path   string
-	logRaw bool
-	salt   *salt.Salt
+	path         string
+	logRaw       bool
+	hashAccessor bool
+	salt         *salt.Salt

 	once sync.Once
 	f    *os.File
@ -103,6 +115,7 @@ func (b *Backend) LogRequest(auth *logical.Auth, req *logical.Request, outerErr
 		if err := audit.Hash(b.salt, req); err != nil {
 			return err
 		}
+
 	}

 	var format audit.FormatJSON
@ -149,15 +162,34 @@ func (b *Backend) LogResponse(
 		resp = cp.(*logical.Response)

 		// Hash any sensitive information
+
+		// Cache and restore accessor in the auth
+		var accessor string
+		if !b.hashAccessor && auth != nil && auth.Accessor != "" {
+			accessor = auth.Accessor
+		}
 		if err := audit.Hash(b.salt, auth); err != nil {
 			return err
 		}
+		if !b.hashAccessor && auth != nil && auth.Accessor != "" {
+			auth.Accessor = accessor
+		}
+
 		if err := audit.Hash(b.salt, req); err != nil {
 			return err
 		}
+
+		// Cache and restore accessor in the response
+		accessor = ""
+		if !b.hashAccessor && resp != nil && resp.Auth != nil && resp.Auth.Accessor != "" {
+			accessor = resp.Auth.Accessor
+		}
 		if err := audit.Hash(b.salt, resp); err != nil {
 			return err
 		}
+		if !b.hashAccessor && resp != nil && resp.Auth != nil && resp.Auth.Accessor != "" {
+			resp.Auth.Accessor = accessor
+		}
 	}

 	var format audit.FormatJSON
--- a/builtin/audit/syslog/backend.go
+++ b/builtin/audit/syslog/backend.go
@ -29,6 +29,16 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 		tag = "vault"
 	}

+	// Check if hashing of accessor is disabled
+	hashAccessor := true
+	if hashAccessorRaw, ok := conf.Config["hash_accessor"]; ok {
+		value, err := strconv.ParseBool(hashAccessorRaw)
+		if err != nil {
+			return nil, err
+		}
+		hashAccessor = value
+	}
+
 	// Check if raw logging is enabled
 	logRaw := false
 	if raw, ok := conf.Config["log_raw"]; ok {
@ -46,18 +56,20 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 	}

 	b := &Backend{
-		logger: logger,
-		logRaw: logRaw,
-		salt:   conf.Salt,
+		logger:       logger,
+		logRaw:       logRaw,
+		hashAccessor: hashAccessor,
+		salt:         conf.Salt,
 	}
 	return b, nil
 }

 // Backend is the audit backend for the syslog-based audit store.
 type Backend struct {
-	logger gsyslog.Syslogger
-	logRaw bool
-	salt   *salt.Salt
+	logger       gsyslog.Syslogger
+	logRaw       bool
+	hashAccessor bool
+	salt         *salt.Salt
 }

 func (b *Backend) GetHash(data string) string {
@ -145,15 +157,34 @@ func (b *Backend) LogResponse(auth *logical.Auth, req *logical.Request,
 		resp = cp.(*logical.Response)

 		// Hash any sensitive information
+
+		// Cache and restore accessor in the auth
+		var accessor string
+		if !b.hashAccessor && auth != nil && auth.Accessor != "" {
+			accessor = auth.Accessor
+		}
 		if err := audit.Hash(b.salt, auth); err != nil {
 			return err
 		}
+		if !b.hashAccessor && auth != nil && auth.Accessor != "" {
+			auth.Accessor = accessor
+		}
+
 		if err := audit.Hash(b.salt, req); err != nil {
 			return err
 		}
+
+		// Cache and restore accessor in the response
+		accessor = ""
+		if !b.hashAccessor && resp != nil && resp.Auth != nil && resp.Auth.Accessor != "" {
+			accessor = resp.Auth.Accessor
+		}
 		if err := audit.Hash(b.salt, resp); err != nil {
 			return err
 		}
+		if !b.hashAccessor && resp != nil && resp.Auth != nil && resp.Auth.Accessor != "" {
+			resp.Auth.Accessor = accessor
+		}
 	}

 	// Encode the entry as JSON