Provide token ttl and issue time in the audit log. #9091

Merged: 6 commits, May 29, 2020
22 changes: 20 additions & 2 deletions audit/format.go
Expand Up @@ -4,6 +4,8 @@ import (
"context"
"crypto/tls"
"fmt"
"github.com/hashicorp/vault/sdk/helper/salt"
Collaborator: Can you revert this rearrangement of imports please?

Collaborator (author): Sure.

"github.com/hashicorp/vault/sdk/logical"
"io"
"strings"
"time"
Expand All @@ -12,8 +14,6 @@ import (

"github.com/hashicorp/errwrap"
"github.com/hashicorp/vault/helper/namespace"
"github.com/hashicorp/vault/sdk/helper/salt"
"github.com/hashicorp/vault/sdk/logical"
)

type AuditFormatWriter interface {
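Review bot: in these two import hunks the salt and logical packages are moved out of the hashicorp group into the standard-library block between "fmt" and "io"; gofmt/goimports grouping conventions keep stdlib and third-party imports separate, so this will be undone on the next tool run and only adds noise to the diff. Revert both hunks so the import block is untouched by this feature.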
Expand Down Expand Up @@ -106,6 +106,7 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
EntityID: auth.EntityID,
RemainingUses: req.ClientTokenRemainingUses,
TokenType: auth.TokenType.String(),
TokenTTL: int64(auth.TTL.Seconds()),
},

Request: &AuditRequest{
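Review bot: `TokenTTL: int64(auth.TTL.Seconds())` truncates any sub-second remainder toward zero, which matches what `int(req.WrapInfo.TTL / time.Second)` does for WrapTTL a few lines further down, but the two TTL fields end up with different integer widths (int64 here, int for WrapTTL). Pick one width for TTL fields in the audit types, or use the same `auth.TTL / time.Second` form here so the two conversions read identically.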
Expand All @@ -127,6 +128,11 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
},
}

var zt time.Time
if auth.IssueTime != zt {
Collaborator: I used to do this all the time, but I think you can now use the .IsZero method instead.

Collaborator (author): Ah, much better. Was not liking that construct.

reqEntry.Auth.TokenIssueTime = auth.IssueTime.Format(time.RFC3339)
}

if req.WrapInfo != nil {
reqEntry.Request.WrapTTL = int(req.WrapInfo.TTL / time.Second)
}
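Review bot: `auth.IssueTime != zt` can be written as `!auth.IssueTime.IsZero()`, and `auth.IssueTime.Format(time.RFC3339)` renders the offset of the value's own location; because IssueTime is built with `time.Unix(te.CreationTime, 0)` in vault/request_handling.go it carries the server's local zone, so audit lines from nodes configured with different zones would render the same instant with different offsets. Call `.UTC()` before formatting so token_issue_time compares cleanly across nodes and with the entry's own timestamp.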
Expand Down Expand Up @@ -212,6 +218,11 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
NumUses: resp.Auth.NumUses,
EntityID: resp.Auth.EntityID,
TokenType: resp.Auth.TokenType.String(),
TokenTTL: int64(resp.Auth.TTL.Seconds()),
}
var zt time.Time
if resp.Auth.IssueTime != zt {
respAuth.TokenIssueTime = resp.Auth.IssueTime.Format(time.RFC3339)
Contributor: I'm not sure why this is useful to include? Does it differ significantly from the time on the response itself?

Contributor: Hm, could be useful for renew calls, I guess?

Collaborator (author): On a login I guess it would be a similar time. I was just trying to add it consistently.

}
}
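Review bot: the three lines `var zt time.Time / if resp.Auth.IssueTime != zt { ... Format(time.RFC3339) }` are the same block that appears in FormatRequest and again later in FormatResponse for the request token; a small helper such as `formatIssueTime(t time.Time) string` returning "" for the zero time would collapse all three copies and give one place to apply the zero check and any formatting change (UTC, IsZero) consistently.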

Expand Down Expand Up @@ -258,6 +269,7 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
RemainingUses: req.ClientTokenRemainingUses,
EntityID: auth.EntityID,
TokenType: auth.TokenType.String(),
TokenTTL: int64(auth.TTL.Seconds()),
},

Request: &AuditRequest{
Expand Down Expand Up @@ -289,6 +301,10 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
},
}

var zt time.Time
if auth.IssueTime != zt {
respEntry.Auth.TokenIssueTime = auth.IssueTime.Format(time.RFC3339)
}
if req.WrapInfo != nil {
respEntry.Request.WrapTTL = int(req.WrapInfo.TTL / time.Second)
}
Expand Down Expand Up @@ -359,6 +375,8 @@ type AuditAuth struct {
RemainingUses int `json:"remaining_uses,omitempty"`
EntityID string `json:"entity_id,omitempty"`
TokenType string `json:"token_type,omitempty"`
TokenTTL int64 `json:"token_ttl,omitempty"`
TokenIssueTime string `json:"token_issue_time,omitempty"`
}

type AuditSecret struct {
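Review bot: `omitempty` on `TokenTTL int64` means a zero TTL (which Vault uses for tokens that never expire) produces an entry with no token_ttl key at all, indistinguishable from an entry written before this field existed; either drop omitempty for this field or document that absence means non-expiring. The two new fields also need doc comments stating the unit (seconds) and the format (RFC3339), as consumers parsing the audit log have no other way to learn them.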
4 changes: 4 additions & 0 deletions vault/request_handling.go
Expand Up @@ -343,6 +343,10 @@ func (c *Core) checkToken(ctx context.Context, req *logical.Request, unauth bool
// Store the entity ID in the request object
req.EntityID = te.EntityID
auth.TokenType = te.Type
auth.TTL = te.TTL
if te.CreationTime > 0 {
auth.IssueTime = time.Unix(te.CreationTime, 0)
}
}

// Check the standard non-root ACLs. Return the token entry if it's not
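Review bot: `auth.TTL = te.TTL` should be accompanied by a comment stating whether this is the TTL set on the token entry at creation or the time remaining at the moment the request is handled; a reader of the audit field token_ttl comparing it with the entry's own timestamp could read it either way. If it is the creation-time TTL, then together with the IssueTime populated just below a consumer can derive expiry as issue time plus TTL, which is worth saying explicitly. The `te.CreationTime > 0` guard is consistent with the zero-time checks in audit/format.go.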