mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-16 03:27:01 +02:00
Code Issues Projects Releases Wiki Activity
10,543 Commits 2,843 Branches 445 Tags 454 MiB
68b40b814c
Commit Graph

45 Commits

Author SHA1 Message Date
ncabatoff
6c836bcd9b
Allow plugins to submit audit requests/responses via extended SystemView (#6777) 
Move audit.LogInput to sdk/logical.  Allow the Data values in audited
logical.Request and Response to implement OptMarshaler, in which case
we delegate hashing/serializing responsibility to them.  Add new
ClientCertificateSerialNumber audit request field.

SystemView can now be cast to ExtendedSystemView to expose the Auditor
interface, which allows submitting requests and responses to the audit
broker.
 2019-05-22 18:52:53 -04:00
Jeff Mitchell
170521481d
Create sdk/ and api/ submodules (#6583) 2019-04-12 17:54:35 -04:00
Jim Kalafut
71473405f0
Switch to strings.EqualFold (#5284) 2018-09-11 16:22:29 -07:00
Vishal Nayak
e2bb2ec3b9
Errwrap everywhere (#4252) 
* package api

* package builtin/credential

* package builtin/logical

* package command

* package helper

* package http and logical

* package physical

* package shamir

* package vault

* package vault

* address feedback

* more fixes
 2018-04-05 11:49:21 -04:00
Brian Kassouf
c0815bd2b0
Add context to the NewSalt function (#4102) 2018-03-08 11:21:11 -08:00
Calvin Leung Huang
01eecf9d1a
Non-HMAC audit values (#4033) 
* Add non-hmac request keys

* Update comment

* Initial audit request keys implementation

* Add audit_non_hmac_response_keys

* Move where req.NonHMACKeys gets set

* Minor refactor

* Add params to auth tune endpoints

* Sync cache on loadCredentials

* Explicitly unset req.NonHMACKeys

* Do not error if entry is nil

* Add tests

* docs: Add params to api sections

* Refactor audit.Backend and Formatter interfaces, update audit broker methods

* Add audit_broker.go

* Fix method call params in audit backends

* Remove fields from logical.Request and logical.Response, pass keys via LogInput

* Use data.GetOk to allow unsetting existing values

* Remove debug lines

* Add test for unsetting values

* Address review feedback

* Initialize values in FormatRequest and FormatResponse using input values

* Update docs

* Use strutil.StrListContains

* Use strutil.StrListContains
 2018-03-02 12:18:39 -05:00
Brian Kassouf
8142b42d95 Add context to storage backends and wire it through a lot of places (#3817) 2018-01-19 01:44:44 -05:00
Brian Shumate
c767dc4ed6 Conditionally set file audit log mode (#3649) 2017-12-07 11:44:15 -05:00
Jeff Mitchell
22528daac6 Add 'discard' target to file audit backend (#3262) 
Fixes #seth
 2017-08-30 19:16:47 -04:00
Christopher Pauley
f2d452b5e1 stdout support for file backend via logger (#3235) 2017-08-29 14:51:16 -04:00
Jeff Mitchell
ba649324f7 Opportunistically try re-opening file audit fd on error (#2999) 
Addresses a pain point from
https://github.com/hashicorp/vault/issues/2863#issuecomment-309434605
 2017-07-14 11:03:01 -04:00
Lars Lehtonen
730bb03c77 Fix swallowed errors in builtin (#2977) 2017-07-07 08:23:12 -04:00
Jeff Mitchell
dd26071875 Delay salt initialization for audit backends 2017-05-23 20:36:20 -04:00
Jeff Mitchell
64d63ba55a Add some repcluster handling to audit and add some tests (#2384) 
* Add some repcluster handling to audit and add some tests

* Fix incorrect assumption about nil auth
 2017-02-16 13:09:53 -05:00
Tommy Murphy
57aac16cd2 audit: support a configurable prefix string to write before each message (#2359) 
A static token at the beginning of a log line can help systems parse
logs better. For example, rsyslog and syslog-ng will recognize the
'@cee: ' prefix and will parse the rest of the line as a valid json message.
This is useful in environments where there is a mix of structured and
unstructured logs.
 2017-02-10 16:56:28 -08:00
Laura Bennett
6770545cfd test updates to address feedback 2016-10-10 12:58:30 -04:00
Laura Bennett
7def50799b address latest feedback 2016-10-10 11:58:26 -04:00
Laura Bennett
18028ffcd6 minor fix 2016-10-10 10:05:36 -04:00
Laura Bennett
3bf0520bbb address feedback 2016-10-09 22:23:30 -04:00
Laura Bennett
bef5a625d6 adding unit tests for file mode 2016-10-09 00:33:24 -04:00
Laura Bennett
a8813c4ff2 changes for 'mode' 2016-10-08 19:52:49 -04:00
Laura Bennett
635873cf4a initial commit for adding audit file permission changes 2016-10-07 15:09:32 -04:00
Jeff Mitchell
81cdd76a5c Adds HUP support for audit log files to close and reopen. (#1953) 
Adds HUP support for audit log files to close and reopen. This makes it
much easier to deal with normal log rotation methods.

As part of testing this I noticed that HUP and other items that come out
of command/server.go are going to stderr, which is where our normal log
lines go. This isn't so much problematic with our normal output but as
we officially move to supporting other formats this can cause
interleaving issues, so I moved those to stdout instead.
 2016-09-30 12:04:50 -07:00
Jeff Mitchell
8482118ac6 Transit and audit enhancements 2016-09-21 10:49:26 -04:00
Jeff Mitchell
e65b48a7e4 Actually show the error occurring if a file audit log can't be opened 2016-08-15 16:26:36 -04:00
Jeff Mitchell
47dc1ccd25 Add token accessor to wrap information if one exists 2016-06-13 23:58:17 +00:00
vishalnayak
4d28fa38c4 Read from 'path' to retain backward compatibility 2016-03-15 20:05:51 -04:00
vishalnayak
bac4fe0799 Rename id to path and path to file_path, print audit backend paths 2016-03-14 17:15:07 -04:00
Jeff Mitchell
9609f4bb78 s/hash_accessor/hmac_accessor/g 2016-03-14 14:52:29 -04:00
vishalnayak
51847a6b25 Use accessor being set as the condition to restore non-hashed values 2016-03-14 11:23:30 -04:00
vishalnayak
ac0639d5bc Added hash_accessor option to audit backends 2016-03-11 19:28:06 -05:00
Jeff Mitchell
49d525ebf3 Reintroduce the ability to look up obfuscated values in the audit log 
with a new endpoint '/sys/audit-hash', which returns the given input
string hashed with the given audit backend's hash function and salt
(currently, always HMAC-SHA256 and a backend-specific salt).

In the process of adding the HTTP handler, this also removes the custom
HTTP handlers for the other audit endpoints, which were simply
forwarding to the logical system backend. This means that the various
audit functions will now redirect correctly from a standby to master.
(Tests all pass.)

Fixes #784
 2015-11-18 20:26:03 -05:00
Jeff Mitchell
8cf0d1444a If we fail to open a file path, show which it is in the error output 2015-10-30 14:30:21 -04:00
Jeff Mitchell
1a22cb0b12 Expand HMAC support in Salt; require an identifier be passed in to specify type but allow generation with and without. Add a StaticSalt ID for testing functions. Fix bugs; unit tests pass. 2015-09-18 17:38:30 -04:00
Jeff Mitchell
a4ca14cfbc Add HMAC capability to salt. Pass a salt into audit backends. Require it for audit.Hash. 2015-09-18 17:38:22 -04:00
Jeff Mitchell
989b33483b Ensure that the 'file' audit backend can successfully open its given path before returning success. Fixes #550. 2015-08-26 09:13:10 -07:00
Armon Dadgar
b8754e740c audit: properly restore TLS state 2015-07-08 16:45:15 -06:00
Armon Dadgar
b49683a40b audit: fixing panic caused by tls connection state. Fixes #322 2015-06-29 17:16:17 -07:00
Nate Brown
71a738ad7d Logging authentication errors and bad token usage 2015-06-18 18:30:18 -07:00
Armon Dadgar
70ae9323e2 audit/file: Create file if it does not exist. Fixes #148 2015-05-06 11:33:06 -07:00
Armon Dadgar
1530403a04 audit/file: add log_raw parameter and default to hashing 2015-04-27 15:56:41 -07:00
Armon Dadgar
79d0c0affe audit/file: Attempt to create directory path. Fixes #38 2015-04-27 12:40:32 -07:00
Mitchell Hashimoto
8cab481400 audit/file: append 2015-04-19 22:43:39 -07:00
Mitchell Hashimoto
164335cfd8 audit/file: use JSON formatter to write output 2015-04-13 14:12:14 -07:00
Mitchell Hashimoto
2b12d51d70 builtin/audit: add file audit 2015-04-04 18:10:25 -07:00