VAULT-11595: Augment forwarded requests with host:port info (from/to …

…nodes) (Enterprise) (hashicorp#20733) * Allow audit entries to contain forwarded from host info * adjust logical/request and audit format to use bool instead of string for 'to' host
mcollao-hc · May 24, 2023 · 4b0d85e · 4b0d85e
1 parent e796005
commit 4b0d85e
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 16 deletions.
diff --git a/audit/format.go b/audit/format.go
@@ -92,9 +92,9 @@ func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config
 		reqType = "request"
 	}
 	reqEntry := &AuditRequestEntry{
-		Type:  reqType,
-		Error: errString,
-
+		Type:          reqType,
+		Error:         errString,
+		ForwardedFrom: req.ForwardedFrom,
 		Auth: &AuditAuth{
 			ClientToken:               auth.ClientToken,
 			Accessor:                  auth.Accessor,
@@ -297,8 +297,9 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 		respType = "response"
 	}
 	respEntry := &AuditResponseEntry{
-		Type:  respType,
-		Error: errString,
+		Type:      respType,
+		Error:     errString,
+		Forwarded: req.ForwardedFrom != "",
 		Auth: &AuditAuth{
 			ClientToken:               auth.ClientToken,
 			Accessor:                  auth.Accessor,
@@ -392,21 +393,23 @@ func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config
 
 // AuditRequestEntry is the structure of a request audit log entry in Audit.
 type AuditRequestEntry struct {
-	Time    string        `json:"time,omitempty"`
-	Type    string        `json:"type,omitempty"`
-	Auth    *AuditAuth    `json:"auth,omitempty"`
-	Request *AuditRequest `json:"request,omitempty"`
-	Error   string        `json:"error,omitempty"`
+	Time          string        `json:"time,omitempty"`
+	Type          string        `json:"type,omitempty"`
+	Auth          *AuditAuth    `json:"auth,omitempty"`
+	Request       *AuditRequest `json:"request,omitempty"`
+	Error         string        `json:"error,omitempty"`
+	ForwardedFrom string        `json:"forwarded_from,omitempty"` // Populated in Enterprise when a request is forwarded
 }
 
 // AuditResponseEntry is the structure of a response audit log entry in Audit.
 type AuditResponseEntry struct {
-	Time     string         `json:"time,omitempty"`
-	Type     string         `json:"type,omitempty"`
-	Auth     *AuditAuth     `json:"auth,omitempty"`
-	Request  *AuditRequest  `json:"request,omitempty"`
-	Response *AuditResponse `json:"response,omitempty"`
-	Error    string         `json:"error,omitempty"`
+	Time      string         `json:"time,omitempty"`
+	Type      string         `json:"type,omitempty"`
+	Auth      *AuditAuth     `json:"auth,omitempty"`
+	Request   *AuditRequest  `json:"request,omitempty"`
+	Response  *AuditResponse `json:"response,omitempty"`
+	Error     string         `json:"error,omitempty"`
+	Forwarded bool           `json:"forwarded,omitempty"`
 }
 
 type AuditRequest struct {

diff --git a/sdk/logical/request.go b/sdk/logical/request.go
@@ -243,6 +243,9 @@ type Request struct {
 	// InboundSSCToken is the token that arrives on an inbound request, supplied
 	// by the vault user.
 	InboundSSCToken string
+
+	// When a request has been forwarded, contains information of the host the request was forwarded 'from'
+	ForwardedFrom string `json:"forwarded_from,omitempty"`
 }
 
 // Clone returns a deep copy of the request by using copystructure