VAULT-21710 - prevent duplicate audit file_path targets

vault/audit.go

@@ -115,6 +115,11 @@ func (c *Core) enableAudit(ctx context.Context, entry *MountEntry, updateStorage
 		case strings.HasPrefix(entry.Path, ent.Path):
 			return fmt.Errorf("path already in use: %w", audit.ErrExternalOptions)
 		}
+
+		// Check if argument file_path vs current vault file_path
+		if entry.Options["file_path"] == ent.Options["file_path"] {
+			return fmt.Errorf("file_path already in use: %w", audit.ErrExternalOptions)
+		}
 	}
 
 	// Generate a new UUID and view

vault/audit_test.go

@@ -105,6 +105,45 @@
 	}
 }
 
+func TestCore_EnableExistingAudit(t *testing.T) {
+	c, _, _ := TestCoreUnsealed(t)
+
+	me := &MountEntry{
+		Table: auditTableType,
+		Path:  "foo",
+		Type:  audit.TypeFile,
+		Options: map[string]string{
+			"file_path": "stdout",
+		},
+	}
+
+	me2 := &MountEntry{
+		Table: auditTableType,
+		Path:  "foo2",
+		Type:  audit.TypeFile,
+		Options: map[string]string{
+			"file_path": "stdout",
+		},
+	}
+
+	// Enable first audit backend
+	err := c.enableAudit(namespace.RootContext(context.Background()), me, true)
+	if err != nil {
+		t.Errorf("failed to enable audit for path 'foo': %v", err)
+	}
+
+	// Check if the first audit backend is registered
+	if !c.auditBroker.IsRegistered("foo/") {
+		t.Errorf("audit backend for path 'foo/' is not registered")
+	}
+
+	// Enable second audit backend
+	err = c.enableAudit(namespace.RootContext(context.Background()), me2, true)
+	if err == nil {
+		t.Errorf("Should not be able to enable audit for path 'foo2' due to duplication: %v", err)
+	}
+}
+
 func TestCore_EnableAudit_MixedFailures(t *testing.T) {
 	c, _, _ := TestCoreUnsealed(t)