From 25a4d1a00dc81a5b4907c76c2358f38d30c05747 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Wed, 22 Nov 2023 15:59:54 -0500
Subject: [PATCH] backport of commit 39762174206ee353e8cb2d1eab2c544723b91c2d (#24241)
Co-authored-by: Peter Wilson
---
 changelog/24238.txt | 3 +++
 vault/audit_broker.go | 19 ++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 changelog/24238.txt
diff --git a/changelog/24238.txt b/changelog/24238.txt
new file mode 100644
index 0000000000..207a61d609
--- /dev/null
+++ b/changelog/24238.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/audit: Audit logging a Vault response will now use a 5 second context timeout, separate from the original request.
+```
\ No newline at end of file
diff --git a/vault/audit_broker.go b/vault/audit_broker.go
index 7fcce78e29..7ad214513e 100644
--- a/vault/audit_broker.go
+++ b/vault/audit_broker.go
@@ -10,6 +10,8 @@ import (
 "sync"
 "time"
+ "github.com/hashicorp/vault/helper/namespace"
+ "github.com/hashicorp/vault/internal/observability/event"
 metrics "github.com/armon/go-metrics"
@@ -297,7 +299,22 @@ func (a *AuditBroker) LogResponse(ctx context.Context, in *logical.LogInput, hea
 e.Data = in
- status, err := a.broker.Send(ctx, eventlogger.EventType(event.AuditType.String()), e)
+ // In cases where we are trying to audit the response, we detach
+ // ourselves from the original context (keeping only the namespace).
+ // This is so that we get a fair run at writing audit entries if Vault
+ // Took up a lot of time handling the request before audit (response)
+ // is triggered. Pipeline nodes may check for a cancelled context and
+ // refuse to process the nodes further.
+ ns, err := namespace.FromContext(ctx)
+ if err != nil {
+ retErr = multierror.Append(retErr, fmt.Errorf("namespace missing from context: %w", err))
+ return retErr.ErrorOrNil()
+ }
+
+ auditContext, auditCancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer auditCancel()
+ auditContext = namespace.ContextWithNamespace(auditContext, ns)
+ status, err := a.broker.Send(auditContext, eventlogger.EventType(event.AuditType.String()), e)
 if err != nil {
 retErr = multierror.Append(retErr, multierror.Append(err, status.Warnings...))
 }
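Review bot: The five-second budget at `context.WithTimeout(context.Background(), 5*time.Second)` is a bare magic number, and because the new context is built from `context.Background()` every request-scoped value other than the namespace is now invisible to the audit pipeline — if any pipeline node reads other values from ctx (request identifiers, tracing), they will be absent without any error, which deserves a sentence in the added comment. Hoist the duration to a named constant, e.g. `const auditResponseTimeout = 5 * time.Second`, so the bounded-wait intent is visible and reusable rather than buried in the call. When that deadline fires, `a.broker.Send` presumably surfaces `context.DeadlineExceeded`, which in `retErr` is indistinguishable from any other backend stall; wrapping it as `fmt.Errorf("audit response send exceeded %s: %w", auditResponseTimeout, err)` would make the operator-facing error actionable. The new early return on `namespace.FromContext` turns a missing namespace into an audit failure for the whole request, which is the fail-closed direction an audit path should take, but it is a new failure mode, so confirm every LogResponse caller carries a namespace in ctx; also "Vault Took up" in the comment should read "took". LogResponse's body starts and ends outside the hunk.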