Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

audit: log invalid wrapping token request/response #6541

Merged
merged 14 commits into from
Jul 5, 2019
Merged

audit: log invalid wrapping token request/response #6541

merged 14 commits into from
Jul 5, 2019

Conversation

calvn
Copy link
Contributor

@calvn calvn commented Apr 5, 2019
edited
Loading

Closes #6491

@calvn calvn added this to the 1.1.2 milestone Apr 5, 2019
@calvn calvn requested a review from jefferai April 5, 2019 18:09
vishalnayak
vishalnayak reviewed Apr 5, 2019
View reviewed changes
helper/consts/error.go Outdated Show resolved Hide resolved
vishalnayak
vishalnayak reviewed Apr 5, 2019
View reviewed changes
vault/wrapping.go Outdated Show resolved Hide resolved
@calvn calvn modified the milestones: 1.1.2, 1.1.1 Apr 5, 2019
@jefferai
Copy link
Member

jefferai commented Apr 6, 2019

My overall comment is it feels like we ought to be able to avoid calling ValidateWrappingToken twice on every action with a wrapping token. Before we called it once; now it's being split into two different places but being called both in both cases.

@calvn
Copy link
Contributor Author

calvn commented Apr 8, 2019

Calling ValidateWrappingToken is now only done at the logical layer (and changed to private), since wrappingVerificationFunc was an old dangling helper func that is no longer necessary.

calvn
calvn commented Apr 8, 2019
View reviewed changes
vault/request_handling.go Outdated Show resolved Hide resolved
@jefferai jefferai modified the milestones: 1.1.1, 1.1.2 Apr 10, 2019
@calvn calvn requested review from jefferai and vishalnayak April 12, 2019 18:45
@briankassouf briankassouf modified the milestones: 1.1.2, 1.1.3 Apr 29, 2019
@briankassouf briankassouf modified the milestones: 1.1.3, 1.2 May 21, 2019
@jefferai jefferai added the beta label Jul 2, 2019
mgritter
mgritter previously approved these changes Jul 2, 2019
View reviewed changes
Copy link
Contributor

@mgritter mgritter left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me.

briankassouf
briankassouf reviewed Jul 3, 2019
View reviewed changes
http/logical.go Outdated
case "sys/wrapping/lookup", "sys/wrapping/rewrap", "sys/wrapping/unwrap":
r = r.WithContext(newCtx)
if err := wrappingVerificationFunc(r.Context(), core, req); err != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should put this back, no? the logic feels cleaner here instead of in handleRequest and handleLoginRequest

ncabatoff
ncabatoff reviewed Jul 5, 2019
View reviewed changes
vault/wrapping.go Outdated
NonHMACReqDataKeys: nonHMACReqDataKeys,
}
if err != nil {
logInput.OuterErr = errwrap.Wrapf("error validating wrapping token: {{err}}", err)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we confident that {{err}} will always be safe to include un-HMACed in the audit log? I think it's probably safer to omit the cause.

ncabatoff
ncabatoff reviewed Jul 5, 2019
View reviewed changes
vault/wrapping.go Outdated
// the wrapping token
if err != nil || !valid {
// Get non-HMAC'ed request data keys
var nonHMACReqDataKeys []string
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't necessary is it? The mount entry will always be sys, which isn't user-mountable or tuneable, thus it will never have non-hmac keys.

ncabatoff
ncabatoff reviewed Jul 5, 2019
View reviewed changes
http/logical_test.go
}
}

{
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we test the same thing twice? And should we test the happy path, i.e. that no audit record is written for a valid token?

ncabatoff
ncabatoff previously approved these changes Jul 5, 2019
View reviewed changes
Copy link
Collaborator

@ncabatoff ncabatoff left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, couple of minor suggestions that I'd be okay with not being implemented.

@briankassouf briankassouf merged commit c3f0f96 into master Jul 5, 2019
@briankassouf briankassouf deleted the audit-wrapping-token branch July 5, 2019 21:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briankassouf briankassouf briankassouf left review comments

@mgritter mgritter mgritter left review comments

@ncabatoff ncabatoff ncabatoff left review comments

@jefferai jefferai Awaiting requested review from jefferai

@vishalnayak vishalnayak Awaiting requested review from vishalnayak

Assignees
No one assigned
Labels
beta
Projects
None yet
Milestone
1.2
Development

Successfully merging this pull request may close these issues.

Unwrap failures are not logged
6 participants
@calvn @jefferai @briankassouf @vishalnayak @ncabatoff @mgritter