VAULT-12112: openapi response definitions: sys/audit (#18456)

* added audit-hash operations * more audit paths Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * added audit fields * add changelog file * dynamic fields should be nil Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * start to add test helper Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> * add tests for /sys/audit openapi paths Signed-off-by: Daniel Huckins <dhuckins@users.noreply.github.com> Co-authored-by: Anton Averchenkov <anton.averchenkov@hashicorp.com>
2025-11-02 11:38:02 +00:00 · 2023-01-20 11:09:33 -05:00
parent 38264fdd3b
commit 94d0ba019c
3 changed files with 79 additions and 3 deletions
--- a/changelog/18456.txt
+++ b/changelog/18456.txt
@@ -0,0 +1,3 @@
 ```release-note:improvement
 openapi: add openapi response defintions to /sys/audit endpoints
 ```
--- a/vault/logical_system_paths.go
+++ b/vault/logical_system_paths.go
@@ -1,6 +1,7 @@
 package vault
 import (
 	"net/http"
 	"strings"
 	"github.com/hashicorp/vault/sdk/framework"
@@ -571,9 +572,21 @@ func (b *SystemBackend) auditPaths() []*framework.Path {
 					Type: framework.TypeString,
 				},
 			},
-
+			Operations: map[logical.Operation]framework.OperationHandler{
-			Callbacks: map[logical.Operation]framework.OperationFunc{
+				logical.UpdateOperation: &framework.PathOperation{
-				logical.UpdateOperation: b.handleAuditHash,
+					Callback: b.handleAuditHash,
 					Responses: map[int][]framework.Response{
 						http.StatusOK: {{
 							Description: "OK",
 							Fields: map[string]*framework.FieldSchema{
 								"hash": {
 									Type:     framework.TypeString,
 									Required: true,
 								},
 							},
 						}},
 					},
 				},
 			},
 			HelpSynopsis:    strings.TrimSpace(sysHelp["audit-hash"][0]),
@@ -587,6 +600,13 @@ func (b *SystemBackend) auditPaths() []*framework.Path {
 				logical.ReadOperation: &framework.PathOperation{
 					Callback: b.handleAuditTable,
 					Summary:  "List the enabled audit devices.",
 					Responses: map[int][]framework.Response{
 						http.StatusOK: {{
 							// this response has dynamic keys
 							Description: "OK",
 							Fields:      nil,
 						}},
 					},
 				},
 			},
@@ -625,10 +645,20 @@ func (b *SystemBackend) auditPaths() []*framework.Path {
 				logical.UpdateOperation: &framework.PathOperation{
 					Callback: b.handleEnableAudit,
 					Summary:  "Enable a new audit device at the supplied path.",
 					Responses: map[int][]framework.Response{
 						http.StatusNoContent: {{
 							Description: "OK",
 						}},
 					},
 				},
 				logical.DeleteOperation: &framework.PathOperation{
 					Callback: b.handleDisableAudit,
 					Summary:  "Disable the audit device at the given path.",
 					Responses: map[int][]framework.Response{
 						http.StatusNoContent: {{
 							Description: "OK",
 						}},
 					},
 				},
 			},
@@ -652,14 +682,31 @@ func (b *SystemBackend) auditPaths() []*framework.Path {
 				logical.UpdateOperation: &framework.PathOperation{
 					Callback: b.handleAuditedHeaderUpdate,
 					Summary:  "Enable auditing of a header.",
 					Responses: map[int][]framework.Response{
 						http.StatusNoContent: {{
 							Description: "OK",
 						}},
 					},
 				},
 				logical.DeleteOperation: &framework.PathOperation{
 					Callback: b.handleAuditedHeaderDelete,
 					Summary:  "Disable auditing of the given request header.",
 					Responses: map[int][]framework.Response{
 						http.StatusNoContent: {{
 							Description: "OK",
 						}},
 					},
 				},
 				logical.ReadOperation: &framework.PathOperation{
 					Callback: b.handleAuditedHeaderRead,
 					Summary:  "List the information for the given request header.",
 					Responses: map[int][]framework.Response{
 						http.StatusOK: {{
 							Description: "OK",
 							// the response keys are dynamic
 							Fields: nil,
 						}},
 					},
 				},
 			},
@@ -674,6 +721,17 @@ func (b *SystemBackend) auditPaths() []*framework.Path {
 				logical.ReadOperation: &framework.PathOperation{
 					Callback: b.handleAuditedHeadersRead,
 					Summary:  "List the request headers that are configured to be audited.",
 					Responses: map[int][]framework.Response{
 						http.StatusOK: {{
 							Description: "OK",
 							Fields: map[string]*framework.FieldSchema{
 								"headers": {
 									Type:     framework.TypeMap,
 									Required: true,
 								},
 							},
 						}},
 					},
 				},
 			},
--- a/vault/logical_system_test.go
+++ b/vault/logical_system_test.go
@@ -33,6 +33,7 @@ import (
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
 	"github.com/hashicorp/vault/sdk/helper/pluginutil"
 	"github.com/hashicorp/vault/sdk/helper/salt"
 	"github.com/hashicorp/vault/sdk/helper/testhelpers/schema"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/hashicorp/vault/version"
 	"github.com/mitchellh/mapstructure"
@@ -2194,6 +2195,7 @@ func TestSystemBackend_enableAudit(t *testing.T) {
 func TestSystemBackend_auditHash(t *testing.T) {
 	c, b, _ := testCoreSystemBackend(t)
 	paths := b.(*SystemBackend).auditPaths()
 	c.auditBackends["noop"] = func(ctx context.Context, config *audit.BackendConfig) (audit.Backend, error) {
 		view := &logical.InmemStorage{}
 		view.Put(namespace.RootContext(nil), &logical.StorageEntry{
@@ -2221,6 +2223,12 @@ func TestSystemBackend_auditHash(t *testing.T) {
 	if resp != nil {
 		t.Fatalf("bad: %v", resp)
 	}
 	schema.ValidateResponse(
 		t,
 		schema.FindResponseSchema(t, paths, 2, req.Operation),
 		resp,
 		true,
 	)
 	req = logical.TestRequest(t, logical.UpdateOperation, "audit-hash/foo")
 	req.Data["input"] = "bar"
@@ -2232,6 +2240,13 @@ func TestSystemBackend_auditHash(t *testing.T) {
 	if resp == nil || resp.Data == nil {
 		t.Fatalf("response or its data was nil")
 	}
 	schema.ValidateResponse(
 		t,
 		schema.FindResponseSchema(t, paths, 0, req.Operation),
 		resp,
 		true,
 	)
 	hash, ok := resp.Data["hash"]
 	if !ok {
 		t.Fatalf("did not get hash back in response, response was %#v", resp.Data)