audit

package
v1.1.11 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 9, 2023 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Hash

func Hash(salter *salt.Salt, raw interface{}, nonHMACDataKeys []string) error

Hash will hash the given type. This has built-in support for auth, requests, and responses. If it is a type that isn't recognized, then it will be passed through.

The structure is modified in-place.

func HashString

func HashString(salter *salt.Salt, data string) string

HashString hashes the given opaque string and returns it

func HashStructure

func HashStructure(s interface{}, cb HashCallback, ignoredKeys []string) (interface{}, error)

HashStructure takes an interface and hashes all the values within the structure. Only _values_ are hashed: keys of objects are not.

For the HashCallback, see the built-in HashCallbacks below.

Types

type AuditAuth

type AuditAuth struct {
	ClientToken               string              `json:"client_token"`
	Accessor                  string              `json:"accessor"`
	DisplayName               string              `json:"display_name"`
	Policies                  []string            `json:"policies"`
	TokenPolicies             []string            `json:"token_policies,omitempty"`
	IdentityPolicies          []string            `json:"identity_policies,omitempty"`
	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"`
	Metadata                  map[string]string   `json:"metadata"`
	NumUses                   int                 `json:"num_uses,omitempty"`
	RemainingUses             int                 `json:"remaining_uses,omitempty"`
	EntityID                  string              `json:"entity_id"`
	TokenType                 string              `json:"token_type"`
}

type AuditFormatWriter

type AuditFormatWriter interface {
	WriteRequest(io.Writer, *AuditRequestEntry) error
	WriteResponse(io.Writer, *AuditResponseEntry) error
	Salt(context.Context) (*salt.Salt, error)
}

type AuditFormatter

type AuditFormatter struct {
	AuditFormatWriter
}

AuditFormatter implements the Formatter interface, and allows the underlying marshaller to be swapped out

func (*AuditFormatter) FormatRequest

func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config FormatterConfig, in *LogInput) error

func (*AuditFormatter) FormatResponse

func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config FormatterConfig, in *LogInput) error

type AuditNamespace

type AuditNamespace struct {
	ID   string `json:"id"`
	Path string `json:"path"`
}

type AuditRequest

type AuditRequest struct {
	ID                  string                 `json:"id"`
	ReplicationCluster  string                 `json:"replication_cluster,omitempty"`
	Operation           logical.Operation      `json:"operation"`
	ClientToken         string                 `json:"client_token"`
	ClientTokenAccessor string                 `json:"client_token_accessor"`
	Namespace           AuditNamespace         `json:"namespace"`
	Path                string                 `json:"path"`
	Data                map[string]interface{} `json:"data"`
	PolicyOverride      bool                   `json:"policy_override"`
	RemoteAddr          string                 `json:"remote_address"`
	WrapTTL             int                    `json:"wrap_ttl"`
	Headers             map[string][]string    `json:"headers"`
}

type AuditRequestEntry

type AuditRequestEntry struct {
	Time    string       `json:"time,omitempty"`
	Type    string       `json:"type"`
	Auth    AuditAuth    `json:"auth"`
	Request AuditRequest `json:"request"`
	Error   string       `json:"error"`
}

AuditRequestEntry is the structure of a request audit log entry in Audit.

type AuditResponse

type AuditResponse struct {
	Auth     *AuditAuth             `json:"auth,omitempty"`
	Secret   *AuditSecret           `json:"secret,omitempty"`
	Data     map[string]interface{} `json:"data,omitempty"`
	Warnings []string               `json:"warnings,omitempty"`
	Redirect string                 `json:"redirect,omitempty"`
	WrapInfo *AuditResponseWrapInfo `json:"wrap_info,omitempty"`
	Headers  map[string][]string    `json:"headers"`
}

type AuditResponseEntry

type AuditResponseEntry struct {
	Time     string        `json:"time,omitempty"`
	Type     string        `json:"type"`
	Auth     AuditAuth     `json:"auth"`
	Request  AuditRequest  `json:"request"`
	Response AuditResponse `json:"response"`
	Error    string        `json:"error"`
}

AuditResponseEntry is the structure of a response audit log entry in Audit.

type AuditResponseWrapInfo

type AuditResponseWrapInfo struct {
	TTL             int    `json:"ttl"`
	Token           string `json:"token"`
	Accessor        string `json:"accessor"`
	CreationTime    string `json:"creation_time"`
	CreationPath    string `json:"creation_path"`
	WrappedAccessor string `json:"wrapped_accessor,omitempty"`
}

type AuditSecret

type AuditSecret struct {
	LeaseID string `json:"lease_id"`
}

type Backend

type Backend interface {
	// LogRequest is used to synchronously log a request. This is done after the
	// request is authorized but before the request is executed. The arguments
	// MUST not be modified in anyway. They should be deep copied if this is
	// a possibility.
	LogRequest(context.Context, *LogInput) error

	// LogResponse is used to synchronously log a response. This is done after
	// the request is processed but before the response is sent. The arguments
	// MUST not be modified in anyway. They should be deep copied if this is
	// a possibility.
	LogResponse(context.Context, *LogInput) error

	// GetHash is used to return the given data with the backend's hash,
	// so that a caller can determine if a value in the audit log matches
	// an expected plaintext value
	GetHash(context.Context, string) (string, error)

	// Reload is called on SIGHUP for supporting backends.
	Reload(context.Context) error

	// Invalidate is called for path invalidation
	Invalidate(context.Context)
}

Backend interface must be implemented for an audit mechanism to be made available. Audit backends can be enabled to sink information to different backends such as logs, file, databases, or other external services.

type BackendConfig

type BackendConfig struct {
	// The view to store the salt
	SaltView logical.Storage

	// The salt config that should be used for any secret obfuscation
	SaltConfig *salt.Config

	// Config is the opaque user configuration provided when mounting
	Config map[string]string
}

BackendConfig contains configuration parameters used in the factory func to instantiate audit backends

type Factory

type Factory func(context.Context, *BackendConfig) (Backend, error)

Factory is the factory function to create an audit backend.

type Formatter

type Formatter interface {
	FormatRequest(context.Context, io.Writer, FormatterConfig, *LogInput) error
	FormatResponse(context.Context, io.Writer, FormatterConfig, *LogInput) error
}

Formatter is an interface that is responsible for formating a request/response into some format. Formatters write their output to an io.Writer.

It is recommended that you pass data through Hash prior to formatting it.

type FormatterConfig

type FormatterConfig struct {
	Raw          bool
	HMACAccessor bool

	// This should only ever be used in a testing context
	OmitTime bool
}

type HashCallback

type HashCallback func(string) string

HashCallback is the callback called for HashStructure to hash a value.

type JSONFormatWriter

type JSONFormatWriter struct {
	Prefix   string
	SaltFunc func(context.Context) (*salt.Salt, error)
}

JSONFormatWriter is an AuditFormatWriter implementation that structures data into a JSON format.

func (*JSONFormatWriter) Salt

func (f *JSONFormatWriter) Salt(ctx context.Context) (*salt.Salt, error)

func (*JSONFormatWriter) WriteRequest

func (f *JSONFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error

func (*JSONFormatWriter) WriteResponse

func (f *JSONFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry) error

type LogInput

type LogInput struct {
	Auth                *logical.Auth
	Request             *logical.Request
	Response            *logical.Response
	OuterErr            error
	NonHMACReqDataKeys  []string
	NonHMACRespDataKeys []string
}

LogInput contains the input parameters passed into LogRequest and LogResponse

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL