Ensure that http_raw_body is always passed to the audit redaction sys…

…tem as a string Before this it was passed as a []byte, which doesn't get HMAC'd. The original non-HMACing behaviour can be obtained by adding "http_raw_body" to audit_non_hmac_response_keys. (#8130)
hashicorp · Feb 3, 2020 · 7a1bb2f · 7a1bb2f
1 parent 0f8f59e
commit 7a1bb2f
Showing 1 changed file with 32 additions and 27 deletions.
diff --git a/audit/hashstructure.go b/audit/hashstructure.go
@@ -65,42 +65,36 @@ func HashRequest(salter *salt.Salt, in *logical.Request, HMACAccessor bool, nonH
 		req.ClientTokenAccessor = fn(req.ClientTokenAccessor)
 	}
 
-	data, err := hashMap(fn, req.Data, nonHMACDataKeys)
-	if err != nil {
-		return nil, err
+	if req.Data != nil {
+		copy, err := copystructure.Copy(req.Data)
+		if err != nil {
+			return nil, err
+		}
+
+		err = hashMap(fn, copy.(map[string]interface{}), nonHMACDataKeys)
+		if err != nil {
+			return nil, err
+		}
+		req.Data = copy.(map[string]interface{})
 	}
 
-	req.Data = data
 	return &req, nil
 }
 
-func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) (map[string]interface{}, error) {
-	if data == nil {
-		return nil, nil
-	}
-
-	copy, err := copystructure.Copy(data)
-	if err != nil {
-		return nil, err
-	}
-	newData := copy.(map[string]interface{})
-	for k, v := range newData {
+func hashMap(fn func(string) string, data map[string]interface{}, nonHMACDataKeys []string) error {
+	for k, v := range data {
 		if o, ok := v.(logical.OptMarshaler); ok {
 			marshaled, err := o.MarshalJSONWithOptions(&logical.MarshalOptions{
 				ValueHasher: fn,
 			})
 			if err != nil {
-				return nil, err
+				return err
 			}
-			newData[k] = json.RawMessage(marshaled)
+			data[k] = json.RawMessage(marshaled)
 		}
 	}
 
-	if err := HashStructure(newData, fn, nonHMACDataKeys); err != nil {
-		return nil, err
-	}
-
-	return newData, nil
+	return HashStructure(data, fn, nonHMACDataKeys)
 }
 
 // HashResponse returns a hashed copy of the logical.Request input.
@@ -124,12 +118,23 @@ func HashResponse(salter *salt.Salt, in *logical.Response, HMACAccessor bool, no
 		}
 	}
 
-	data, err := hashMap(fn, resp.Data, nonHMACDataKeys)
-	if err != nil {
-		return nil, err
-	}
-	resp.Data = data
+	if resp.Data != nil {
+		copy, err := copystructure.Copy(resp.Data)
+		if err != nil {
+			return nil, err
+		}
 
+		mapCopy := copy.(map[string]interface{})
+		if b, ok := mapCopy[logical.HTTPRawBody].([]byte); ok {
+			mapCopy[logical.HTTPRawBody] = string(b)
+		}
+
+		err = hashMap(fn, mapCopy, nonHMACDataKeys)
+		if err != nil {
+			return nil, err
+		}
+		resp.Data = mapCopy
+	}
 	if resp.WrapInfo != nil {
 		var err error
 		resp.WrapInfo, err = HashWrapInfo(salter, resp.WrapInfo, HMACAccessor)