scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-29 17:52:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

VAULT-21710 - prevent duplicate audit file_path targets (#28751)

Browse Source 
* updating audit file_path duplication

* update test

* updating tests

* fixing go test errors

* adding go test doc for TestCore_EnableExistingAudit

* adding go test doc for TestCore_EnableExistingAudit

* adding go test doc for TestCore_EnableExistingAudit

* adding changelog

* adding suggested comments
This commit is contained in:
Tin Vo
2024-10-24 10:54:48 -07:00
committed by GitHub
parent 415d260995
commit 48cf1a1809
3 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/28751.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:bug
audit: Prevent users from enabling multiple audit devices of file type with the same file_path to write to.
```

7
vault/audit.go
View File

@@ -115,6 +115,13 @@ func (c *Core) enableAudit(ctx context.Context, entry *MountEntry, updateStorage
case strings.HasPrefix(entry.Path, ent.Path): case strings.HasPrefix(entry.Path, ent.Path):
return fmt.Errorf("path already in use: %w", audit.ErrExternalOptions) return fmt.Errorf("path already in use: %w", audit.ErrExternalOptions)
} }
// Ensure that the provided file_path argument isn't already used for another audit device's file_path.
if entry.Type == "file" {
if entry.Options["file_path"] == ent.Options["file_path"] {
return fmt.Errorf("file_path already in use: %w", audit.ErrExternalOptions)
}
}
} }
// Generate a new UUID and view // Generate a new UUID and view

43
vault/audit_test.go
View File

@@ -105,6 +105,49 @@ func TestCore_EnableAudit(t *testing.T) {
} }
} }
// TestCore_EnableExistingAudit ensures that we don't allow enabling a file audit device
// with the same `file_path` as one of the existing ones.
func TestCore_EnableExistingAudit(t *testing.T) {
c, _, _ := TestCoreUnsealed(t)
// First audit backend entry
me := &MountEntry{
Table: auditTableType,
Path: "foo",
Type: audit.TypeFile,
Options: map[string]string{
"file_path": "stdout",
},
}
// Second audit backend entry
me2 := &MountEntry{
Table: auditTableType,
Path: "foo2",
Type: audit.TypeFile,
Options: map[string]string{
"file_path": "stdout",
},
}
// Enable first audit backend
err := c.enableAudit(namespace.RootContext(context.Background()), me, true)
if err != nil {
t.Errorf("failed to enable audit for path 'foo': %v", err)
}
// Check if the first audit backend is registered
if !c.auditBroker.IsRegistered("foo/") {
t.Errorf("audit backend for path 'foo/' is not registered")
}
// Enable second audit backend
err = c.enableAudit(namespace.RootContext(context.Background()), me2, true)
if err == nil {
t.Errorf("Should not be able to enable audit for path 'foo2' due to duplication: %v", err)
}
}
func TestCore_EnableAudit_MixedFailures(t *testing.T) { func TestCore_EnableAudit_MixedFailures(t *testing.T) {
c, _, _ := TestCoreUnsealed(t) c, _, _ := TestCoreUnsealed(t)