diff --git a/http/http_test.go b/http/http_test.go index 1f2b20444762..e37b9c3d7693 100644 --- a/http/http_test.go +++ b/http/http_test.go @@ -22,32 +22,36 @@ func testHttpGet(t *testing.T, token string, addr string) *http.Response { loggedToken = "" } t.Logf("Token is %s", loggedToken) - return testHttpData(t, "GET", token, addr, nil, false) + return testHttpData(t, "GET", token, addr, nil, false, 0) } func testHttpDelete(t *testing.T, token string, addr string) *http.Response { - return testHttpData(t, "DELETE", token, addr, nil, false) + return testHttpData(t, "DELETE", token, addr, nil, false, 0) } // Go 1.8+ clients redirect automatically which breaks our 307 standby testing func testHttpDeleteDisableRedirect(t *testing.T, token string, addr string) *http.Response { - return testHttpData(t, "DELETE", token, addr, nil, true) + return testHttpData(t, "DELETE", token, addr, nil, true, 0) +} + +func testHttpPostWrapped(t *testing.T, token string, addr string, body interface{}, wrapTTL time.Duration) *http.Response { + return testHttpData(t, "POST", token, addr, body, false, wrapTTL) } func testHttpPost(t *testing.T, token string, addr string, body interface{}) *http.Response { - return testHttpData(t, "POST", token, addr, body, false) + return testHttpData(t, "POST", token, addr, body, false, 0) } func testHttpPut(t *testing.T, token string, addr string, body interface{}) *http.Response { - return testHttpData(t, "PUT", token, addr, body, false) + return testHttpData(t, "PUT", token, addr, body, false, 0) } // Go 1.8+ clients redirect automatically which breaks our 307 standby testing func testHttpPutDisableRedirect(t *testing.T, token string, addr string, body interface{}) *http.Response { - return testHttpData(t, "PUT", token, addr, body, true) + return testHttpData(t, "PUT", token, addr, body, true, 0) } -func testHttpData(t *testing.T, method string, token string, addr string, body interface{}, disableRedirect bool) *http.Response { +func testHttpData(t *testing.T, method string, token string, addr string, body interface{}, disableRedirect bool, wrapTTL time.Duration) *http.Response { bodyReader := new(bytes.Buffer) if body != nil { enc := json.NewEncoder(bodyReader) @@ -68,6 +72,10 @@ func testHttpData(t *testing.T, method string, token string, addr string, body i req.Header.Set("Content-Type", "application/json") + if wrapTTL > 0 { + req.Header.Set("X-Vault-Wrap-TTL", wrapTTL.String()) + } + if len(token) != 0 { req.Header.Set(consts.AuthHeaderName, token) } diff --git a/http/logical_test.go b/http/logical_test.go index 284d94c11425..df385bd05ee4 100644 --- a/http/logical_test.go +++ b/http/logical_test.go @@ -406,34 +406,34 @@ func TestLogical_Audit_invalidWrappingToken(t *testing.T) { } { + resp := testHttpPostWrapped(t, root, addr+"/v1/auth/token/create", nil, 10*time.Second) + testResponseStatus(t, resp, 200) + body := map[string]interface{}{} + testResponseBody(t, resp, &body) + + wrapToken := body["wrap_info"].(map[string]interface{})["token"].(string) + // Make a wrapping/unwrap request with an invalid token - resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{ - "token": "foo", + resp = testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{ + "token": wrapToken, }) - testResponseStatus(t, resp, 400) - body := map[string][]string{} - testResponseBody(t, resp, &body) - if body["errors"][0] != "wrapping token is not valid or does not exist" { - t.Fatal(body) - } + testResponseStatus(t, resp, 200) // Check the audit trail on request and response - if len(noop.ReqAuth) != 2 { + if len(noop.ReqAuth) != 3 { t.Fatalf("bad: %#v", noop) } - auth := noop.ReqAuth[1] + auth := noop.ReqAuth[2] if auth.ClientToken != root { t.Fatalf("bad client token: %#v", auth) } - if len(noop.Req) != 2 || noop.Req[1].Path != "sys/wrapping/unwrap" { - t.Fatalf("bad:\ngot:\n%#v", noop.Req[1]) + if len(noop.Req) != 3 || noop.Req[2].Path != "sys/wrapping/unwrap" { + t.Fatalf("bad:\ngot:\n%#v", noop.Req[2]) } - if len(noop.ReqErrs) != 2 { + // Make sure there is only one error in the logs + if noop.ReqErrs[1] != nil || noop.ReqErrs[2] != nil { t.Fatalf("bad: %#v", noop.RespErrs) } - if noop.ReqErrs[1] != consts.ErrInvalidWrappingToken { - t.Fatalf("bad: %#v", noop.ReqErrs) - } } } diff --git a/vault/wrapping.go b/vault/wrapping.go index 2f461073c0d0..a861e14ed26a 100644 --- a/vault/wrapping.go +++ b/vault/wrapping.go @@ -317,16 +317,6 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request) // Perform audit logging before returning if there's an issue with checking // the wrapping token if err != nil || !valid { - // Get non-HMAC'ed request data keys - var nonHMACReqDataKeys []string - entry := c.router.MatchingMountEntry(ctx, req.Path) - if entry != nil { - // Get and set ignored HMAC'd value. - if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok { - nonHMACReqDataKeys = rawVals.([]string) - } - } - // We log the Auth object like so here since the wrapping token can // come from the header, which gets set as the ClientToken auth := &logical.Auth{ @@ -335,12 +325,11 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request) } logInput := &logical.LogInput{ - Auth: auth, - Request: req, - NonHMACReqDataKeys: nonHMACReqDataKeys, + Auth: auth, + Request: req, } if err != nil { - logInput.OuterErr = errwrap.Wrapf("error validating wrapping token: {{err}}", err) + logInput.OuterErr = errors.New("error validating wrapping token") } if !valid { logInput.OuterErr = consts.ErrInvalidWrappingToken