* Add audit log entries for enterprise JWT token fields
* Reduce enterprise token field comment detail
- simplify enterprise token comments in sdk/logical/request.go
- remove verbose wording about issuer/audience/authorization semantics
* Fix TestAudit_JWT_DelegationToken permission denied error
The test was failing with 'permission denied' when using a delegation token
(JWT with act claim) to access cubbyhole. The root causes were:
1. RAR (Rich Authorization Request) check: The JWT contained
'authorization_details' constraints that only allowed access to
'secret/data/users/alice' and 'secret/data/config/general', but the
test was attempting to access 'cubbyhole/test'. The RAR check in
PerformRARCheck() was correctly denying this mismatch.
2. Missing entity policies for actor ACL: For delegation tokens, the
actor's ACL is built solely from entity identity policies (not token
policies like 'default'). Without explicit policies on the actor
entity, the delegation ACL intersection check would fail.
Fixes:
- Removed 'authorization_details' from the test JWT since the test is
about verifying audit log entries for delegation tokens, not RAR
constraints
- Added 'default' policy to both subject and actor entities to ensure
both ACLs allow cubbyhole access for the delegation token intersection
- Updated test assertions to match the simplified JWT (removed
authorization_details verification)
* Use require.NoError instead of t.Fatalf for error check
* Add explicit checks for auth field presence before type assertion
Adds separate checks to verify the 'auth' and 'metadata' fields exist in
the map before attempting type assertion, preventing potential panics
and improving test clarity.
* test: tighten request metadata merge assertions
* test: simplify enterprise metadata assertions
* test: split enterprise metadata merge coverage
* style: apply gofumpt to entry formatter tests
* test: add godoc for enterprise token metadata test
---------
Co-authored-by: Bianca <48203644+biazmoreira@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
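The two root causes described in the TestAudit_JWT_DelegationToken fix above (a RAR path constraint that does not cover the requested path, and an actor ACL built only from entity policies) can be modelled in a few lines. The following is an added illustration, not Vault's own code; `Policy`, `Entity`, `DelegationToken`, `Authorize`, `BeforeFix`, `WithoutRAROnly` and `AfterFix` are hypothetical names, the path-pattern matching is deliberately simplified, and the sample policies are constructed. It shows which check denies `cubbyhole/test` in the original test setup, which check still denies it once only `authorization_details` is dropped, and why attaching `default` to both entities makes the request pass.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy is a simplified, hypothetical policy: a list of path patterns it
// permits. A trailing "*" matches any suffix. This models the shape of the
// problem, not Vault's real ACL engine.
type Policy struct {
	Name  string
	Paths []string
}

// Entity carries the identity policies attached to an entity.
type Entity struct {
	Name     string
	Policies []Policy
}

// DelegationToken models a JWT with an "act" claim (Actor) and optional RAR
// "authorization_details" path constraints (nil means unconstrained).
type DelegationToken struct {
	Subject              Entity
	Actor                Entity
	TokenPolicies        []Policy
	AuthorizationDetails []string
}

func pathMatches(pattern, path string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

func policiesAllow(policies []Policy, path string) bool {
	for _, p := range policies {
		for _, pat := range p.Paths {
			if pathMatches(pat, path) {
				return true
			}
		}
	}
	return false
}

// checkRAR is the first root cause: when authorization_details are present,
// the requested path must be covered by one of them.
func checkRAR(tok DelegationToken, path string) bool {
	if tok.AuthorizationDetails == nil {
		return true
	}
	return policiesAllow([]Policy{{Name: "rar", Paths: tok.AuthorizationDetails}}, path)
}

// Authorize applies the RAR check, then requires both the subject ACL
// (token policies plus subject entity policies) and the actor ACL (actor
// entity policies only) to allow the path. It returns the decision and the
// reason, so a caller can see which check denied the request.
func Authorize(tok DelegationToken, path string) (bool, string) {
	if !checkRAR(tok, path) {
		return false, "permission denied: path not covered by authorization_details"
	}
	subjectPolicies := append(append([]Policy{}, tok.TokenPolicies...), tok.Subject.Policies...)
	if !policiesAllow(subjectPolicies, path) {
		return false, "permission denied: subject ACL"
	}
	if !policiesAllow(tok.Actor.Policies, path) {
		return false, "permission denied: actor ACL (entity policies only)"
	}
	return true, "allowed"
}

// Constructed sample policies.
var (
	defaultPolicy = Policy{Name: "default", Paths: []string{"cubbyhole/*"}}
	alicePolicy   = Policy{Name: "alice", Paths: []string{"secret/data/users/alice"}}
)

// BeforeFix reproduces the failing test setup: RAR constraints that do not
// cover cubbyhole, and an actor entity with no policies.
func BeforeFix() DelegationToken {
	return DelegationToken{
		Subject:              Entity{Name: "subject", Policies: []Policy{alicePolicy}},
		Actor:                Entity{Name: "actor"},
		TokenPolicies:        []Policy{defaultPolicy},
		AuthorizationDetails: []string{"secret/data/users/alice", "secret/data/config/general"},
	}
}

// WithoutRAROnly drops authorization_details but leaves the actor without
// entity policies, isolating the second root cause.
func WithoutRAROnly() DelegationToken {
	tok := BeforeFix()
	tok.AuthorizationDetails = nil
	return tok
}

// AfterFix reproduces the fix: no authorization_details, and "default"
// attached to both subject and actor entities.
func AfterFix() DelegationToken {
	return DelegationToken{
		Subject:       Entity{Name: "subject", Policies: []Policy{defaultPolicy, alicePolicy}},
		Actor:         Entity{Name: "actor", Policies: []Policy{defaultPolicy}},
		TokenPolicies: []Policy{defaultPolicy},
	}
}

func main() {
	cases := map[string]DelegationToken{"before": BeforeFix(), "rar-removed": WithoutRAROnly(), "after": AfterFix()}
	for name, tok := range cases {
		ok, why := Authorize(tok, "cubbyhole/test")
		fmt.Printf("%-12s ok=%v %s\n", name, ok, why)
	}
}
```

Note that the fixed token still cannot reach `secret/data/users/alice`: the actor entity only carries `default`, so the intersection denies it even though the subject side would allow it. That asymmetry is the point of building the actor ACL from entity policies alone.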
* Add the ability to specify extra audit only fields from a plugin
* Add extra auditing fields within the PKI OCSP handler
* Add missing copyright headers
* Format OCSP dates when non-zero, otherwise specify not set to be clear
* Feedback 2: Only set time fields if not zero instead of non-parsable string
* Serialize JSON fields in SDK response struct
* Perform renames based on RFC feedback
* Resolve OpenAPI test failure
* add cl
Co-authored-by: Steven Clark <steven.clark@hashicorp.com>
* license: update headers to IBM Corp.
* `make proto`
* update offset because source file changed
Signed-off-by: Ryan Cragun <me@ryan.ec>
Co-authored-by: Ryan Cragun <me@ryan.ec>
* Add additional validations to the destination and properties of file audit sinks
* changelog
* docs
* Revert "docs"
This reverts commit c2e8f7608ede78adf96726100013a45831712e13.
* include user-agent header in audit by default
* add user-agent audit tests
* update audit default headers docs
* add changelog entry
* remove temp changes from TestAuditedHeadersConfig_ApplyConfig
* more TestAuditedHeadersConfig_ApplyConfig fixes
* add some test comments
* verify type assertions in TestAudit_Headers
* more type assertion checks
* Add trace logging to context creation during log req/resp. Improve context sensitivity of sink nodes (file, socket), update eventlogger to include context info in error
* changelog
* Queue for the lock but check context immediately
* fix race in test
* CE changes to support exclusion in audit
* Add an external test for audit exclusion
---------
Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com>
* Add Logger to BackendConfig
* EntryFormatter use logger and recover panics
* Added TODO to consider
* Add 'name' to entry formatter
* Add test for the panic
* Fix NoopAudit with update params
* emit counter metric even when 0
* Fix vault package tests
* changelog
* Remove old comment during test writing
* add gosimport to make fmt and run it
* move installation to tools.sh
* correct weird spacing issue
* Update Makefile
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* fix a weird issue
---------
Co-authored-by: Nick Cabatoff <ncabatoff@hashicorp.com>
* Validate audit filter option against filter selectors referencing unsupported fields
* Test updates due to filter validation
* Test all properties of the log input bexpr datum struct in filters
* Remove redundant cloning of the client in external tests for audit filtering
* TestAuditFilteringFilterForUnsupportedField now also tests the same behaviour with skip_test option set to true
* Add filter validation test cases to unit tests for audit backends
---------
Co-authored-by: Peter Wilson <peter.wilson@hashicorp.com>