From ec1f261db9852e17ee63a037eb51c96977c41e1a Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Tue, 7 May 2024 16:49:20 +0100
Subject: [PATCH] NewTestCluster: default to enabling a 'discard' file audit device when none are configured (#26861)
* Removed unrequired noop audit factory declaration
* Default NewTestCluster to using file audit device (discard)
---
 helper/builtinplugins/builtinplugins_test.go | 6 ------
 vault/testing.go | 14 +++++++++++---
 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/helper/builtinplugins/builtinplugins_test.go b/helper/builtinplugins/builtinplugins_test.go
index 9f4e430df8..9587960436 100644
--- a/helper/builtinplugins/builtinplugins_test.go
+++ b/helper/builtinplugins/builtinplugins_test.go
@@ -8,7 +8,6 @@ import (
 logicalKv "github.com/hashicorp/vault-plugin-secrets-kv"
 "github.com/hashicorp/vault/api"
- "github.com/hashicorp/vault/audit"
 logicalDb "github.com/hashicorp/vault/builtin/logical/database"
 vaulthttp "github.com/hashicorp/vault/http"
 "github.com/hashicorp/vault/sdk/helper/consts"
@@ -44,11 +43,6 @@ func TestBuiltinPluginsWork(t *testing.T) {
 "database": logicalDb.Factory,
 },
 PendingRemovalMountsAllowed: true,
- // Specifying at least one audit backend factory will prevent NewTestCluster
- // from attempting to enable a noop audit, and audit isn't required for this test.
- AuditBackends: map[string]audit.Factory{
- "noop": audit.NoopAuditFactory(nil),
- },
 },
 &vault.TestClusterOptions{
 HandlerFunc: vaulthttp.Handler,
diff --git a/vault/testing.go b/vault/testing.go
index d95669cf16..b83ce732d7 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -1540,9 +1540,11 @@ func NewTestCluster(t testing.T, base *CoreConfig, opts *TestClusterOptions) *Te
 coreConfig.RawConfig = c
 }
+ // If the caller didn't supply any configuration for types of audit device,
+ // default to adding `file` (and enabling it later).
 addAuditBackend := len(coreConfig.AuditBackends) == 0
 if addAuditBackend {
- coreConfig.AuditBackends["noop"] = audit.NoopAuditFactory(nil)
+ coreConfig.AuditBackends[audit.TypeFile] = audit.NewFileBackend
 }
 if coreConfig.Physical == nil && (opts == nil || opts.PhysicalFactory == nil) {
@@ -1975,6 +1977,9 @@ func (tc *TestCluster) InitCores(t testing.T, opts *TestClusterOptions, addAudit
 tc.initCores(t, opts, addAuditBackend)
 }
+// initCores attempts to initialize a core for a test cluster using the supplied
+// options. If the addAuditBackend flag is true, the core will have a file audit
+// device enabled with the 'discard' file path (See: /vault/docs/audit/file#discard).
 func (tc *TestCluster) initCores(t testing.T, opts *TestClusterOptions, addAuditBackend bool) {
 leader := tc.Cores[0]
@@ -2087,8 +2092,11 @@ func (tc *TestCluster) initCores(t testing.T, opts *TestClusterOptions, addAudit
 auditReq := &logical.Request{
 Operation: logical.UpdateOperation,
 ClientToken: tc.RootToken,
- Path: "sys/audit/noop",
- Data: map[string]interface{}{"type": "noop"},
+ Path: "sys/audit/file",
+ Data: map[string]interface{}{
+ "type": audit.TypeFile,
+ "file_path": "discard",
+ },
 }
 resp, err := leader.Core.HandleRequest(namespace.RootContext(ctx), auditReq)
 if err != nil {
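Review bot: The comment added above `addAuditBackend` in NewTestCluster covers only the empty case and does not say that a caller who passes any `AuditBackends` entry gets no audit device enabled, since the flag is derived from `len(coreConfig.AuditBackends) == 0`. A test that registers a factory without enabling a device then runs with no audit device, so regressions in audit handling can pass unnoticed. I would add a second sentence to the comment, for example `// Callers that supply their own AuditBackends must enable a device themselves; none is enabled for them.` The function body starts and ends outside the hunk, so whether `coreConfig.AuditBackends` is guaranteed non-nil before the map write cannot be confirmed from here.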
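Review bot: In the `auditReq` literal in initCores, `Path: "sys/audit/file"` spells the mount name as a literal while the `type` field two lines below uses `audit.TypeFile`, so the two can drift apart. Building the path from the constant keeps them tied together: `Path: "sys/audit/" + audit.TypeFile,`. The default device also now occupies the `file` mount path, so a test that later enables its own file device at that path would presumably be rejected; if so, the doc comment should say it. A short comment beside `"file_path": "discard"` would help, such as `// special path: see the initCores doc comment; not a file named "discard"`. The function body begins and ends outside this hunk.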