Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VAULT-21710 - prevent duplicate audit file_path targets #28751

Merged
merged 9 commits into from
Oct 24, 2024
Merged

VAULT-21710 - prevent duplicate audit file_path targets #28751

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
fd32b1f
updating audit file_path duplication
tvo0813 Oct 22, 2024
a8aae85
update test
tvo0813 Oct 22, 2024
a1f951b
updating tests
tvo0813 Oct 22, 2024
2a34934
fixing go test errors
tvo0813 Oct 23, 2024
ca0deae
adding go test doc for TestCore_EnableExistingAudit
tvo0813 Oct 23, 2024
0b5415b
adding go test doc for TestCore_EnableExistingAudit
tvo0813 Oct 23, 2024
92363c9
adding go test doc for TestCore_EnableExistingAudit
tvo0813 Oct 23, 2024
9c01dc9
adding changelog
tvo0813 Oct 23, 2024
9a1f727
adding suggested comments
tvo0813 Oct 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions changelog/28751.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
audit: Prevent users from enabling multiple audit devices of file type with the same file_path to write to.
```
7 changes: 7 additions & 0 deletions vault/audit.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,13 @@ func (c *Core) enableAudit(ctx context.Context, entry *MountEntry, updateStorage
case strings.HasPrefix(entry.Path, ent.Path):
return fmt.Errorf("path already in use: %w", audit.ErrExternalOptions)
}

// Ensure that the provided file_path argument isn't already used for another audit device's file_path.
if entry.Type == "file" {
if entry.Options["file_path"] == ent.Options["file_path"] {
return fmt.Errorf("file_path already in use: %w", audit.ErrExternalOptions)
}
}
}

// Generate a new UUID and view
Expand Down
43 changes: 43 additions & 0 deletions vault/audit_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,49 @@ func TestCore_EnableAudit(t *testing.T) {
}
}

// TestCore_EnableExistingAudit ensures that we don't allow enabling a file audit device
// with the same `file_path` as one of the existing ones.
func TestCore_EnableExistingAudit(t *testing.T) {
c, _, _ := TestCoreUnsealed(t)

// First audit backend entry
me := &MountEntry{
Table: auditTableType,
Path: "foo",
Type: audit.TypeFile,
Options: map[string]string{
"file_path": "stdout",
},
}

// Second audit backend entry
me2 := &MountEntry{
Table: auditTableType,
Path: "foo2",
Type: audit.TypeFile,
Options: map[string]string{
"file_path": "stdout",
},
}

// Enable first audit backend
err := c.enableAudit(namespace.RootContext(context.Background()), me, true)
if err != nil {
t.Errorf("failed to enable audit for path 'foo': %v", err)
}

// Check if the first audit backend is registered
if !c.auditBroker.IsRegistered("foo/") {
t.Errorf("audit backend for path 'foo/' is not registered")
}

// Enable second audit backend
err = c.enableAudit(namespace.RootContext(context.Background()), me2, true)
if err == nil {
t.Errorf("Should not be able to enable audit for path 'foo2' due to duplication: %v", err)
}
}

func TestCore_EnableAudit_MixedFailures(t *testing.T) {
c, _, _ := TestCoreUnsealed(t)

Expand Down
Loading