From f5efec8e430bdf0422a9d22c8c2c13c9d7dcf67e Mon Sep 17 00:00:00 2001 From: Calvin Leung Huang Date: Mon, 29 Apr 2019 12:49:40 -0700 Subject: [PATCH] core: honor non-HMAC keys in audit requests --- vault/request_handling.go | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/vault/request_handling.go b/vault/request_handling.go index b2f0a9a20249..d3e9bb04a603 100644 --- a/vault/request_handling.go +++ b/vault/request_handling.go @@ -914,9 +914,17 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re req.Unauthenticated = true - var auth *logical.Auth + var nonHMACReqDataKeys []string + entry := c.router.MatchingMountEntry(ctx, req.Path) + if entry != nil { + // Get and set ignored HMAC'd value. + if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok { + nonHMACReqDataKeys = rawVals.([]string) + } + } // Do an unauth check. This will cause EGP policies to be checked + var auth *logical.Auth var ctErr error auth, _, ctErr = c.checkToken(ctx, req, true) if ctErr == logical.ErrPerfStandbyPleaseForward { @@ -933,15 +941,6 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re errType = logical.ErrInvalidRequest } - var nonHMACReqDataKeys []string - entry := c.router.MatchingMountEntry(ctx, req.Path) - if entry != nil { - // Get and set ignored HMAC'd value. - if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok { - nonHMACReqDataKeys = rawVals.([]string) - } - } - logInput := &audit.LogInput{ Auth: auth, Request: req, 
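Review bot: `nonHMACReqDataKeys = rawVals.([]string)` in the relocated block is an unchecked type assertion, and because the block now runs before checkToken it executes for every login request on the unauthenticated path, so a cache entry of an unexpected type would panic the handler rather than fall back to HMAC'ing everything. The comma-ok form keeps the safe default: `if keys, ok := rawVals.([]string); ok { nonHMACReqDataKeys = keys }`. The same assertion existed in the removed copy further down, so this is inherited rather than introduced, but moving it earlier widens its reach. The comment `// Get and set ignored HMAC'd value.` also understates what is loaded; `// Load the request data keys this mount exempts from audit HMAC'ing, so both the error-path and success-path audit entries below see them.` says why the lookup moved. handleLoginRequest starts and ends outside the hunk.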
@@ -965,8 +964,9 @@ func (c *Core) handleLoginRequest(ctx context.Context, req *logical.Request) (re
 // Create an audit trail of the request. Attach auth if it was returned,
 // e.g. if a token was provided.
 logInput := &audit.LogInput{
- Auth: auth,
- Request: req,
+ Auth: auth,
+ Request: req,
+ NonHMACReqDataKeys: nonHMACReqDataKeys,
 }
 if err := c.auditBroker.LogRequest(ctx, logInput, c.auditedHeaders); err != nil {
 c.logger.Error("failed to audit request", "path", req.Path, "error", err)