
Send a test message before committing a new audit device. #10520

Merged: 11 commits merged into master from audit_device_precheck, Dec 16, 2020

Conversation

mgritter (Contributor) commented Dec 9, 2020

Also, lower timeout on connection attempts in socket device.

Some history here:

  1. I first tried just sending a normal message. This doesn't work because the Salt is not yet initialized, and it can't be initialized until the storage view is readable, and it's set to read-only during construction. (Probably for replication-related reasons, although it's not clear whether that is just copying what secret mounts, or is actually necessary here.)
  2. Then I tried doing the check in the backend Factory methods, like the file backend does. I thought this would be a bad idea, because those checks would then get re-run every time Vault unsealed and recreated the audit devices. Worse, if they failed, then that audit device would be temporarily removed until Vault went through another unseal-- even if it was weeks.
  3. So, I added a new method specifically for testing, which creates a Salt that is used once and discarded.

The test message looks like this:

{"time":"2020-12-09T20:14:22.451152342Z","type":"request","auth":{"token_type":"default"},"request":{"id":"3ca7b3cc-7581-77c7-8610-b80b6284e43f","operation":"update","namespace":{"id":"root"},"path":"sys/audit/test"}}
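The pre-check the PR describes, as an added Go example that is not Vault's code: a throwaway salt is generated, a test request shaped like the message above is formatted and written to the device, and the device is committed only if that write succeeds. `Backend`, `EnableAudit`, `MemBackend`, `FailBackend` and the HMAC'd `client_token` field (added to show where the salt is actually used) are this example's own assumptions, not Vault's API.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// Backend is the minimal audit-device surface this example needs (hypothetical, not Vault's).
type Backend interface{ Write(line []byte) error }
// TestMessage renders the probe in the shape of the PR description's example; the token is HMAC'd
// with the throwaway salt, which is why the probe needs a salt at all.
func TestMessage(salt []byte, token string, now time.Time) ([]byte, error) {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(token))
	return json.Marshal(map[string]interface{}{
		"time":    now.UTC().Format(time.RFC3339Nano),
		"type":    "request",
		"auth":    map[string]string{"token_type": "default", "client_token": fmt.Sprintf("hmac-sha256:%x", mac.Sum(nil))},
		"request": map[string]interface{}{"operation": "update", "namespace": map[string]string{"id": "root"}, "path": "sys/audit/test"},
	})
}

// EnableAudit sends the probe before committing the device: a backend that cannot accept it is
// rejected at enable time instead of silently dropping real entries after the next unseal.
func EnableAudit(registry map[string]Backend, name string, b Backend) error {
	salt := make([]byte, 32) // one-shot salt: the real one is unreadable during construction
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	msg, err := TestMessage(salt, "probe-token", time.Now())
	if err != nil {
		return err
	}
	if err := b.Write(msg); err != nil {
		return fmt.Errorf("audit device %q rejected test message: %w", name, err)
	}
	registry[name] = b
	return nil
}
// Constructed stand-ins: one device keeps lines in memory, the other fails like an unreachable socket.
type MemBackend struct{ Lines [][]byte }
type FailBackend struct{}
func (m *MemBackend) Write(line []byte) error { m.Lines = append(m.Lines, line); return nil }
func (FailBackend) Write([]byte) error          { return fmt.Errorf("dial tcp: i/o timeout") }

func main() { fmt.Println(EnableAudit(map[string]Backend{}, "sock", FailBackend{})) }
```

The lower dial timeout mentioned for the socket device is what keeps the failing case from blocking the enable call for long; here the broken device simply returns the error immediately.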

@mgritter mgritter marked this pull request as draft December 9, 2020 20:16
@mgritter mgritter marked this pull request as ready for review December 9, 2020 20:32
swayne275 (Contributor) left a review comment

Looks good overall! Just a few comments and things I'd like to know.

audit/format.go (outdated; thread resolved)
writer = os.Stdout
case "discard":
return nil
}
Contributor comment:

Should there be a default case? Otherwise I'd think writer could be nil?

mgritter (Contributor, Author) replied Dec 10, 2020:

writer can be nil, but confusingly for this backend the log function uses open() when it is

builtin/audit/socket/backend.go (thread resolved)
sdk/helper/salt/salt.go (thread resolved)
vendor/github.com/hashicorp/vault/api/sys_config_cors.go (outdated; thread resolved)
mgritter merged commit 97e62cd into master on Dec 16, 2020
mgritter deleted the audit_device_precheck branch on January 6, 2021 22:51