Add client_type field to EntityRecord protobuf (#20626)

* Add client_type field to EntityRecord protobuf * changelog * Add ACME clientType verification
hashicorp · May 19, 2023 · 6d95f8c · 6d95f8c
1 parent c250c95
commit 6d95f8c
Show file tree

Hide file tree

Showing 5 changed files with 80 additions and 39 deletions.
diff --git a/builtin/logical/pki/acme_billing_test.go b/builtin/logical/pki/acme_billing_test.go
@@ -21,6 +21,7 @@ import (
 	"github.com/hashicorp/vault/builtin/logical/pki/dnstest"
 	"github.com/hashicorp/vault/helper/constants"
 	"github.com/hashicorp/vault/helper/timeutil"
+	"github.com/hashicorp/vault/vault/activity"
 
 	"github.com/stretchr/testify/require"
 )
@@ -102,6 +103,26 @@ func TestACMEBilling(t *testing.T) {
 	// same name as another namespace should increase counts as well.
 	doACMEForDomainWithDNS(t, dns, &acmeClientPKINS2, []string{"very-unique.dadgarcorp.com"})
 	expectedCount = validateClientCount(t, client, "ns2/pki", expectedCount+1, "unique identifier in a different namespace")
+
+	// Check the current fragment
+	fragment := cluster.Cores[0].Core.ResetActivityLog()[0]
+	if fragment == nil {
+		t.Fatal("no fragment created")
+	}
+	validateAcmeClientTypes(t, fragment, expectedCount)
+}
+
+func validateAcmeClientTypes(t *testing.T, fragment *activity.LogFragment, expectedCount int64) {
+	t.Helper()
+	if int64(len(fragment.Clients)) != expectedCount {
+		t.Fatalf("bad number of entities, expected %v: got %v, entities are: %v", expectedCount, len(fragment.Clients), fragment.Clients)
+	}
+
+	for _, ac := range fragment.Clients {
+		if ac.ClientType != "acme" {
+			t.Fatalf("Couldn't find expected 'acme' client_type in %v", fragment.Clients)
+		}
+	}
 }
 
 func validateClientCount(t *testing.T, client *api.Client, mount string, expected int64, message string) int64 {

diff --git a/changelog/20626.txt b/changelog/20626.txt
@@ -0,0 +1,4 @@
+```release-note:improvement
+activitylog: EntityRecord protobufs now contain a ClientType field for
+distinguishing client sources.
+```
diff --git a/vault/activity/activity_log.pb.go b/vault/activity/activity_log.pb.go
diff --git a/vault/activity/activity_log.proto b/vault/activity/activity_log.proto
@@ -22,6 +22,9 @@ message EntityRecord {
 	// MountAccessor is the auth mount accessor of the token used to perform the
 	// activity.
 	string mount_accessor = 5;
+	// client_type identifies the source of the entity record (entity,
+	// non-entity, acme, etc.)
+	string client_type = 6;
 }
 
 message LogFragment {

diff --git a/vault/activity_log.go b/vault/activity_log.go
@@ -1487,6 +1487,7 @@ func (a *ActivityLog) AddActivityToFragment(clientID string, namespaceID string,
 		NamespaceID:   namespaceID,
 		Timestamp:     timestamp,
 		MountAccessor: mountAccessor,
+		ClientType:    activityType,
 	}
 
 	// Track whether the clientID corresponds to a token without an entity or not.