Non-HMAC audit values (#4033)

* Add non-hmac request keys * Update comment * Initial audit request keys implementation * Add audit_non_hmac_response_keys * Move where req.NonHMACKeys gets set * Minor refactor * Add params to auth tune endpoints * Sync cache on loadCredentials * Explicitly unset req.NonHMACKeys * Do not error if entry is nil * Add tests * docs: Add params to api sections * Refactor audit.Backend and Formatter interfaces, update audit broker methods * Add audit_broker.go * Fix method call params in audit backends * Remove fields from logical.Request and logical.Response, pass keys via LogInput * Use data.GetOk to allow unsetting existing values * Remove debug lines * Add test for unsetting values * Address review feedback * Initialize values in FormatRequest and FormatResponse using input values * Update docs * Use strutil.StrListContains * Use strutil.StrListContains
2025-11-01 19:17:58 +00:00 · 2018-03-02 12:18:39 -05:00
parent 90f245995a
commit 01eecf9d1a
25 changed files with 820 additions and 351 deletions
--- a/audit/hashstructure_test.go
+++ b/audit/hashstructure_test.go
@@ -116,32 +116,37 @@ func TestHash(t *testing.T) {
 	now := time.Now()

 	cases := []struct {
-		Input  interface{}
-		Output interface{}
+		Input           interface{}
+		Output          interface{}
+		NonHMACDataKeys []string
 	}{
 		{
 			&logical.Auth{ClientToken: "foo"},
 			&logical.Auth{ClientToken: "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a"},
+			nil,
 		},
 		{
 			&logical.Request{
 				Data: map[string]interface{}{
 					"foo":              "bar",
+					"baz":              "foobar",
 					"private_key_type": certutil.PrivateKeyType("rsa"),
 				},
 			},
 			&logical.Request{
 				Data: map[string]interface{}{
 					"foo":              "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
+					"baz":              "foobar",
 					"private_key_type": "hmac-sha256:995230dca56fffd310ff591aa404aab52b2abb41703c787cfa829eceb4595bf1",
 				},
 			},
+			[]string{"baz"},
 		},
 		{
 			&logical.Response{
 				Data: map[string]interface{}{
 					"foo": "bar",
-
+					"baz": "foobar",
 					// Responses can contain time values, so test that with
 					// a known fixed value.
 					"bar": now,
@@ -157,6 +162,7 @@ func TestHash(t *testing.T) {
 			&logical.Response{
 				Data: map[string]interface{}{
 					"foo": "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
+					"baz": "foobar",
 					"bar": now.Format(time.RFC3339Nano),
 				},
 				WrapInfo: &wrapping.ResponseWrapInfo{
@@ -167,10 +173,12 @@ func TestHash(t *testing.T) {
 					WrappedAccessor: "hmac-sha256:f9320baf0249169e73850cd6156ded0106e2bb6ad8cab01b7bbbebe6d1065317",
 				},
 			},
+			[]string{"baz"},
 		},
 		{
 			"foo",
 			"foo",
+			nil,
 		},
 		{
 			&logical.Auth{
@@ -189,6 +197,7 @@ func TestHash(t *testing.T) {

 				ClientToken: "hmac-sha256:08ba357e274f528065766c770a639abf6809b39ccfd37c2a3157c7f51954da0a",
 			},
+			nil,
 		},
 	}

@@ -206,16 +215,16 @@ func TestHash(t *testing.T) {
 	}
 	for _, tc := range cases {
 		input := fmt.Sprintf("%#v", tc.Input)
-		if err := Hash(localSalt, tc.Input); err != nil {
+		if err := Hash(localSalt, tc.Input, tc.NonHMACDataKeys); err != nil {
 			t.Fatalf("err: %s\n\n%s", err, input)
 		}
 		if _, ok := tc.Input.(*logical.Response); ok {
 			if !reflect.DeepEqual(tc.Input.(*logical.Response).WrapInfo, tc.Output.(*logical.Response).WrapInfo) {
-				t.Fatalf("bad:\nInput:\n%s\nTest case input:\n%#v\nTest case output\n%#v", input, tc.Input.(*logical.Response).WrapInfo, tc.Output.(*logical.Response).WrapInfo)
+				t.Fatalf("bad:\nInput:\n%s\nTest case input:\n%#v\nTest case output:\n%#v", input, tc.Input.(*logical.Response).WrapInfo, tc.Output.(*logical.Response).WrapInfo)
 			}
 		}
 		if !reflect.DeepEqual(tc.Input, tc.Output) {
-			t.Fatalf("bad:\nInput:\n%s\nTest case input:\n%#v\nTest case output\n%#v", input, tc.Input, tc.Output)
+			t.Fatalf("bad:\nInput:\n%s\nTest case input:\n%#v\nTest case output:\n%#v", input, tc.Input, tc.Output)
 		}
 	}
 }
@@ -249,7 +258,7 @@ func TestHashWalker(t *testing.T) {
 	for _, tc := range cases {
 		output, err := HashStructure(tc.Input, func(string) string {
 			return replaceText
-		})
+		}, []string{})
 		if err != nil {
 			t.Fatalf("err: %s\n\n%#v", err, tc.Input)
 		}