Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Audit: Add token's use count to audit response #2437

Merged
merged 6 commits into from
Mar 8, 2017
Merged

Audit: Add token's use count to audit response #2437

merged 6 commits into from
Mar 8, 2017

Conversation

vishalnayak
Copy link
Member

No description provided.

@vishalnayak
Copy link
Member Author

@jefferai @briankassouf LMK which other fields from TokenEntry would make sense audit response.

jefferai
jefferai reviewed Mar 7, 2017
View reviewed changes
audit/format.go Outdated
DisplayName string `json:"display_name"`
Policies []string `json:"policies"`
Metadata map[string]string `json:"metadata"`
TokenNumUses int `json:"token_num_uses,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about the naming here. By definition, an Auth struct corresponds to a token, so it feels redundant -- otherwise why not have token_policies and token_display_name.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. I had reverted the name in logical.Auth struct. It makes sense to do it here as well.

@jefferai
Copy link
Member

jefferai commented Mar 7, 2017

I think eventually we can add other fields if we decide they make sense but for the moment this is the one that caught my fancy since it's something that you can have a check on in the audit logs to explicitly correlate expected use counts with audit entry.

I do wonder, now that I'm thinking about it more, whether it makes sense to add this in the request entry as well (if non-zero), so that you can explicitly see the value at each use of the token. It's a bit of a bigger hammer though as this would require adding a field to logical.Request, attaching it to the logical request object in requestAuth, ensuring that the value can't be abused by backends in the router, and so on. So maybe we only go down this path if we are seeing requests.

What do you two think?

@vishalnayak
Copy link
Member Author

I think it will be of value to add number of uses left for the token that is supplied. We should populate the request object early in handleRequest before we use the token, even though audit logging will be performed after using the token. I'll do it in a separate PR.

@jefferai
Copy link
Member

jefferai commented Mar 7, 2017

You'd do it in requestAuth, same as the accessor and token itself.

@jefferai jefferai added this to the 0.7.0 milestone Mar 7, 2017
@jefferai jefferai requested a review from briankassouf March 7, 2017 19:47
jefferai
jefferai reviewed Mar 7, 2017
View reviewed changes
audit/format.go Outdated
@@ -367,6 +369,7 @@ type AuditAuth struct {
DisplayName string `json:"display_name"`
Policies []string `json:"policies"`
Metadata map[string]string `json:"metadata"`
NumUses int `json:"num_uses,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Policies/display name/metadata won't change. I wonder if on the request side, because this value does change, it should be RemainingUses. This could be accomplished by having two fields, both with omitempty. The downside is any parsing logic will have to understand both fields; on the flip side, the fields will individually be more meaningful.

Thoughts?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm inclined towards doing this change. It makes sense to me.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the RemainingUses convention as well.

@jefferai
Copy link
Member

jefferai commented Mar 7, 2017

One comment/question. Other than that, looks good, but let's figure that out and get @briankassouf 's input too.

@briankassouf
Copy link
Contributor

Aside from that one question this looks great!

@vishalnayak vishalnayak merged commit 3026b00 into master Mar 8, 2017
@vishalnayak vishalnayak deleted the audit-response-num-uses branch March 8, 2017 22:36
@vishalnayak vishalnayak mentioned this pull request May 23, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jefferai jefferai jefferai approved these changes

@briankassouf briankassouf Awaiting requested review from briankassouf

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
0.7.0
Development

Successfully merging this pull request may close these issues.
3 participants
@vishalnayak @jefferai @briankassouf