audit

package
v0.0.0-...-a0f6db5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 14, 2022 License: MPL-2.0 Imports: 18 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func HashAuth 

func HashAuth(salter *salt.Salt, in *logical.Auth, HMACAccessor bool) (*logical.Auth, error)

HashAuth returns a hashed copy of the logical.Auth input.

func HashRequest 

func HashRequest(salter *salt.Salt, in *logical.Request, HMACAccessor bool, nonHMACDataKeys []string) (*logical.Request, error)

HashRequest returns a hashed copy of the logical.Request input.

func HashResponse 

func HashResponse(salter *salt.Salt, in *logical.Response, HMACAccessor bool, nonHMACDataKeys []string) (*logical.Response, error)

HashResponse returns a hashed copy of the logical.Request input.

func HashString 

func HashString(salter *salt.Salt, data string) string

HashString hashes the given opaque string and returns it

func HashStructure 

func HashStructure(s interface{}, cb HashCallback, ignoredKeys []string) error

HashStructure takes an interface and hashes all the values within the structure. Only _values_ are hashed: keys of objects are not.

For the HashCallback, see the built-in HashCallbacks below.

func HashWrapInfo 

func HashWrapInfo(salter *salt.Salt, in *wrapping.ResponseWrapInfo, HMACAccessor bool) (*wrapping.ResponseWrapInfo, error)

HashWrapInfo returns a hashed copy of the wrapping.ResponseWrapInfo input.

Types

type AuditAuth 

type AuditAuth struct {
	ClientToken               string              `json:"client_token,omitempty"`
	Accessor                  string              `json:"accessor,omitempty"`
	DisplayName               string              `json:"display_name,omitempty"`
	Policies                  []string            `json:"policies,omitempty"`
	TokenPolicies             []string            `json:"token_policies,omitempty"`
	IdentityPolicies          []string            `json:"identity_policies,omitempty"`
	ExternalNamespacePolicies map[string][]string `json:"external_namespace_policies,omitempty"`
	NoDefaultPolicy           bool                `json:"no_default_policy,omitempty"`
	PolicyResults             *AuditPolicyResults `json:"policy_results,omitempty"`
	Metadata                  map[string]string   `json:"metadata,omitempty"`
	NumUses                   int                 `json:"num_uses,omitempty"`
	RemainingUses             int                 `json:"remaining_uses,omitempty"`
	EntityID                  string              `json:"entity_id,omitempty"`
	EntityCreated             bool                `json:"entity_created,omitempty"`
	TokenType                 string              `json:"token_type,omitempty"`
	TokenTTL                  int64               `json:"token_ttl,omitempty"`
	TokenIssueTime            string              `json:"token_issue_time,omitempty"`
}

type AuditFormatWriter 

type AuditFormatWriter interface {
	// WriteRequest writes the request entry to the writer or returns an error.
	WriteRequest(io.Writer, *AuditRequestEntry) error
	// WriteResponse writes the response entry to the writer or returns an error.
	WriteResponse(io.Writer, *AuditResponseEntry) error
	// Salt returns a non-nil salt or an error.
	Salt(context.Context) (*salt.Salt, error)
}

type AuditFormatter 

type AuditFormatter struct {
	AuditFormatWriter
}

AuditFormatter implements the Formatter interface, and allows the underlying marshaller to be swapped out

func NewTemporaryFormatter 

func NewTemporaryFormatter(format, prefix string) *AuditFormatter

Create a formatter not backed by a persistent salt.

func (*AuditFormatter) FormatRequest 

func (f *AuditFormatter) FormatRequest(ctx context.Context, w io.Writer, config FormatterConfig, in *logical.LogInput) error

func (*AuditFormatter) FormatResponse 

func (f *AuditFormatter) FormatResponse(ctx context.Context, w io.Writer, config FormatterConfig, in *logical.LogInput) error

type AuditNamespace 

type AuditNamespace struct {
	ID   string `json:"id,omitempty"`
	Path string `json:"path,omitempty"`
}

type AuditPolicyResults 

type AuditPolicyResults struct {
	Allowed          bool         `json:"allowed"`
	GrantingPolicies []PolicyInfo `json:"granting_policies,omitempty"`
}

type AuditRequest 

type AuditRequest struct {
	ID                            string                 `json:"id,omitempty"`
	ClientID                      string                 `json:"client_id,omitempty"`
	ReplicationCluster            string                 `json:"replication_cluster,omitempty"`
	Operation                     logical.Operation      `json:"operation,omitempty"`
	MountType                     string                 `json:"mount_type,omitempty"`
	MountAccessor                 string                 `json:"mount_accessor,omitempty"`
	ClientToken                   string                 `json:"client_token,omitempty"`
	ClientTokenAccessor           string                 `json:"client_token_accessor,omitempty"`
	Namespace                     *AuditNamespace        `json:"namespace,omitempty"`
	Path                          string                 `json:"path,omitempty"`
	Data                          map[string]interface{} `json:"data,omitempty"`
	PolicyOverride                bool                   `json:"policy_override,omitempty"`
	RemoteAddr                    string                 `json:"remote_address,omitempty"`
	RemotePort                    int                    `json:"remote_port,omitempty"`
	WrapTTL                       int                    `json:"wrap_ttl,omitempty"`
	Headers                       map[string][]string    `json:"headers,omitempty"`
	ClientCertificateSerialNumber string                 `json:"client_certificate_serial_number,omitempty"`
}

type AuditRequestEntry 

type AuditRequestEntry struct {
	Time    string        `json:"time,omitempty"`
	Type    string        `json:"type,omitempty"`
	Auth    *AuditAuth    `json:"auth,omitempty"`
	Request *AuditRequest `json:"request,omitempty"`
	Error   string        `json:"error,omitempty"`
}

AuditRequestEntry is the structure of a request audit log entry in Audit.

type AuditResponse 

type AuditResponse struct {
	Auth          *AuditAuth             `json:"auth,omitempty"`
	MountType     string                 `json:"mount_type,omitempty"`
	MountAccessor string                 `json:"mount_accessor,omitempty"`
	Secret        *AuditSecret           `json:"secret,omitempty"`
	Data          map[string]interface{} `json:"data,omitempty"`
	Warnings      []string               `json:"warnings,omitempty"`
	Redirect      string                 `json:"redirect,omitempty"`
	WrapInfo      *AuditResponseWrapInfo `json:"wrap_info,omitempty"`
	Headers       map[string][]string    `json:"headers,omitempty"`
}

type AuditResponseEntry 

type AuditResponseEntry struct {
	Time     string         `json:"time,omitempty"`
	Type     string         `json:"type,omitempty"`
	Auth     *AuditAuth     `json:"auth,omitempty"`
	Request  *AuditRequest  `json:"request,omitempty"`
	Response *AuditResponse `json:"response,omitempty"`
	Error    string         `json:"error,omitempty"`
}

AuditResponseEntry is the structure of a response audit log entry in Audit.

type AuditResponseWrapInfo 

type AuditResponseWrapInfo struct {
	TTL             int    `json:"ttl,omitempty"`
	Token           string `json:"token,omitempty"`
	Accessor        string `json:"accessor,omitempty"`
	CreationTime    string `json:"creation_time,omitempty"`
	CreationPath    string `json:"creation_path,omitempty"`
	WrappedAccessor string `json:"wrapped_accessor,omitempty"`
}

type AuditSecret 

type AuditSecret struct {
	LeaseID string `json:"lease_id,omitempty"`
}

type Backend 

type Backend interface {
	// LogRequest is used to synchronously log a request. This is done after the
	// request is authorized but before the request is executed. The arguments
	// MUST not be modified in anyway. They should be deep copied if this is
	// a possibility.
	LogRequest(context.Context, *logical.LogInput) error

	// LogResponse is used to synchronously log a response. This is done after
	// the request is processed but before the response is sent. The arguments
	// MUST not be modified in anyway. They should be deep copied if this is
	// a possibility.
	LogResponse(context.Context, *logical.LogInput) error

	// LogTestMessage is used to check an audit backend before adding it
	// permanently. It should attempt to synchronously log the given test
	// message, WITHOUT using the normal Salt (which would require a storage
	// operation on creation, which is currently disallowed.)
	LogTestMessage(context.Context, *logical.LogInput, map[string]string) error

	// GetHash is used to return the given data with the backend's hash,
	// so that a caller can determine if a value in the audit log matches
	// an expected plaintext value
	GetHash(context.Context, string) (string, error)

	// Reload is called on SIGHUP for supporting backends.
	Reload(context.Context) error

	// Invalidate is called for path invalidation
	Invalidate(context.Context)
}

Backend interface must be implemented for an audit mechanism to be made available. Audit backends can be enabled to sink information to different backends such as logs, file, databases, or other external services.

type BackendConfig 

type BackendConfig struct {
	// The view to store the salt
	SaltView logical.Storage

	// The salt config that should be used for any secret obfuscation
	SaltConfig *salt.Config

	// Config is the opaque user configuration provided when mounting
	Config map[string]string
}

BackendConfig contains configuration parameters used in the factory func to instantiate audit backends

type Factory 

type Factory func(context.Context, *BackendConfig) (Backend, error)

Factory is the factory function to create an audit backend.

type Formatter 

type Formatter interface {
	FormatRequest(context.Context, io.Writer, FormatterConfig, *logical.LogInput) error
	FormatResponse(context.Context, io.Writer, FormatterConfig, *logical.LogInput) error
}

Formatter is an interface that is responsible for formating a request/response into some format. Formatters write their output to an io.Writer.

It is recommended that you pass data through Hash prior to formatting it.

type FormatterConfig 

type FormatterConfig struct {
	Raw          bool
	HMACAccessor bool

	// This should only ever be used in a testing context
	OmitTime bool
}

type HashCallback 

type HashCallback func(string) string

HashCallback is the callback called for HashStructure to hash a value.

type JSONFormatWriter 

type JSONFormatWriter struct {
	Prefix   string
	SaltFunc func(context.Context) (*salt.Salt, error)
}

JSONFormatWriter is an AuditFormatWriter implementation that structures data into a JSON format.

func (*JSONFormatWriter) Salt 

func (f *JSONFormatWriter) Salt(ctx context.Context) (*salt.Salt, error)

func (*JSONFormatWriter) WriteRequest 

func (f *JSONFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error

func (*JSONFormatWriter) WriteResponse 

func (f *JSONFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry) error

type JSONxFormatWriter 

type JSONxFormatWriter struct {
	Prefix   string
	SaltFunc func(context.Context) (*salt.Salt, error)
}

JSONxFormatWriter is an AuditFormatWriter implementation that structures data into a XML format.

func (*JSONxFormatWriter) Salt 

func (f *JSONxFormatWriter) Salt(ctx context.Context) (*salt.Salt, error)

func (*JSONxFormatWriter) WriteRequest 

func (f *JSONxFormatWriter) WriteRequest(w io.Writer, req *AuditRequestEntry) error

func (*JSONxFormatWriter) WriteResponse 

func (f *JSONxFormatWriter) WriteResponse(w io.Writer, resp *AuditResponseEntry) error

type PolicyInfo 

type PolicyInfo struct {
	Name        string `json:"name,omitempty"`
	NamespaceId string `json:"namespace_id,omitempty"`
	Type        string `json:"type"`
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.