From 65bd97278f10487fadc94b53505faae09e36905c Mon Sep 17 00:00:00 2001
From: Marc Boudreau
Date: Wed, 5 Jul 2023 16:55:37 -0400
Subject: [PATCH 1/2] introduce experiment to toggle between legacy auditing backends and eventlogger

---
 helper/experiments/experiments.go | 6 +++++-
 vault/audit.go | 7 ++++---
 vault/audit_broker.go | 28 ++++++++++++++++++----------
 vault/audit_test.go | 12 ++++++------
 4 files changed, 33 insertions(+), 20 deletions(-)

diff --git a/helper/experiments/experiments.go b/helper/experiments/experiments.go
index 538430e64ccc..35f29b6c4060 100644
--- a/helper/experiments/experiments.go
+++ b/helper/experiments/experiments.go
@@ -3,10 +3,14 @@
 
 package experiments
 
-const VaultExperimentEventsAlpha1 = "events.alpha1"
+const (
+	VaultExperimentEventsAlpha1 = "events.alpha1"
+	VaultExperimentCoreAuditEventsAlpha1 = "core.audit.events.alpha1"
+)
 
 var validExperiments = []string{
 	VaultExperimentEventsAlpha1,
+	VaultExperimentCoreAuditEventsAlpha1,
 }
 
 // ValidExperiments exposes the list without exposing a mutable global variable.
diff --git a/vault/audit.go b/vault/audit.go
index 3f80b9654929..4078edbee28a 100644
--- a/vault/audit.go
+++ b/vault/audit.go
@@ -12,6 +12,7 @@ import (
 
 	uuid "github.com/hashicorp/go-uuid"
 	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/helper/experiments"
 	"github.com/hashicorp/vault/helper/namespace"
 	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/jsonutil"
@@ -155,7 +156,7 @@ func (c *Core) enableAudit(ctx context.Context, entry *MountEntry, updateStorage
 	c.audit = newTable
 
 	// Register the backend
-	c.auditBroker.Register(entry.Path, backend, entry.Local)
+	c.auditBroker.Register(entry.Path, backend, entry.Local, c.IsExperimentEnabled(experiments.VaultExperimentCoreAuditEventsAlpha1))
 	if c.logger.IsInfo() {
 		c.logger.Info("enabled audit backend", "path", entry.Path, "type", entry.Type)
 	}
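Review bot: The two exported constants in the new `const (` block carry no doc comment, so `go doc` and the linters give no hint what the `core.audit.events.alpha1` experiment switches or that it is an alpha toggle expected to change; the pre-existing `VaultExperimentEventsAlpha1` has the same gap and could be fixed in the same edit. A one-line comment above each would do, e.g. `// VaultExperimentCoreAuditEventsAlpha1 selects the eventlogger-based audit path instead of the legacy audit broker (alpha, subject to change).` — wording inferred from the commit subject, so adjust it once the eventlogger path actually lands.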
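Review bot: The `c.logger.Info("enabled audit backend", ...)` line that follows the changed `Register` call still reports success unconditionally, yet the experiment flag passed on the new line decides whether the legacy broker receives the backend at all (the broker's `useEventLogger` branch is a bare TODO elsewhere in this series), so an operator reading the log cannot tell which audit path a device was enabled on. Evaluate the flag once and surface it: `useEventLogger := c.IsExperimentEnabled(experiments.VaultExperimentCoreAuditEventsAlpha1)`, pass `useEventLogger` to `Register`, and append `"event_logger", useEventLogger` to the Info log. The same repeated inline lookup appears in the `disableAudit` and `setupAudits` hunks and would benefit from the same local. enableAudit's body starts and ends outside the hunk.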
@@ -208,7 +209,7 @@ func (c *Core) disableAudit(ctx context.Context, path string, updateStorage bool
 	c.audit = newTable
 
 	// Unmount the backend
-	c.auditBroker.Deregister(path)
+	c.auditBroker.Deregister(path, c.IsExperimentEnabled(experiments.VaultExperimentCoreAuditEventsAlpha1))
 	if c.logger.IsInfo() {
 		c.logger.Info("disabled audit backend", "path", path)
 	}
@@ -416,7 +417,7 @@ func (c *Core) setupAudits(ctx context.Context) error {
 		}
 
 		// Mount the backend
-		broker.Register(entry.Path, backend, entry.Local)
+		broker.Register(entry.Path, backend, entry.Local, c.IsExperimentEnabled(experiments.VaultExperimentCoreAuditEventsAlpha1))
 		successCount++
 	}
 
diff --git a/vault/audit_broker.go b/vault/audit_broker.go
index faa9a001e7e6..711d6d271490 100644
--- a/vault/audit_broker.go
+++ b/vault/audit_broker.go
@@ -40,20 +40,28 @@ func NewAuditBroker(log log.Logger) *AuditBroker {
 }
 
 // Register is used to add new audit backend to the broker
-func (a *AuditBroker) Register(name string, b audit.Backend, local bool) {
-	a.Lock()
-	defer a.Unlock()
-	a.backends[name] = backendEntry{
-		backend: b,
-		local: local,
+func (a *AuditBroker) Register(name string, b audit.Backend, local bool, useEventLogger bool) {
+	if useEventLogger {
+		// TODO: Coming soon
+	} else {
+		a.Lock()
+		defer a.Unlock()
+		a.backends[name] = backendEntry{
+			backend: b,
+			local: local,
+		}
 	}
 }
 
 // Deregister is used to remove an audit backend from the broker
-func (a *AuditBroker) Deregister(name string) {
-	a.Lock()
-	defer a.Unlock()
-	delete(a.backends, name)
+func (a *AuditBroker) Deregister(name string, useEventLogger bool) {
+	if useEventLogger {
+		// TODO: Coming soon
+	} else {
+		a.Lock()
+		defer a.Unlock()
+		delete(a.backends, name)
+	}
 }
 
 // IsRegistered is used to check if a given audit backend is registered
diff --git a/vault/audit_test.go b/vault/audit_test.go
index a5b68be5dcfe..c7d85dcdf382 100644
--- a/vault/audit_test.go
+++ b/vault/audit_test.go
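Review bot: With `useEventLogger` true the new `Register` returns without recording the backend anywhere and `Deregister` likewise does nothing, while the callers in `enableAudit` and `setupAudits` treat the call as having succeeded; until the eventlogger path exists, turning the experiment on therefore makes every enabled audit device a silent no-op, and since `IsRegistered` (whose comment closes this hunk) and the request/response logging presumably read only `a.backends`, such a device would also report as not registered. A safer interim shape keeps the legacy store unconditional and makes the experiment additive, leaving the TODO for the extra eventlogger wiring; if the intent really is to bypass the legacy map, the TODO branch should at least log at warn level so the dropped registration is visible rather than invisible. The rewrite below shows the additive form for both methods.
```go
func (a *AuditBroker) Register(name string, b audit.Backend, local bool, useEventLogger bool) {
	a.Lock()
	defer a.Unlock()
	a.backends[name] = backendEntry{
		backend: b,
		local:   local,
	}
	if useEventLogger {
		// TODO: Coming soon — additionally wire the backend into the eventlogger pipeline
	}
}

// … unchanged: Deregister doc comment …
func (a *AuditBroker) Deregister(name string, useEventLogger bool) {
	a.Lock()
	defer a.Unlock()
	delete(a.backends, name)
	if useEventLogger {
		// TODO: Coming soon — additionally remove the backend from the eventlogger pipeline
	}
}
```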
@@ -343,8 +343,8 @@ func TestAuditBroker_LogRequest(t *testing.T) {
 	b := NewAuditBroker(l)
 	a1 := corehelpers.TestNoopAudit(t, nil)
 	a2 := corehelpers.TestNoopAudit(t, nil)
-	b.Register("foo", a1, false)
-	b.Register("bar", a2, false)
+	b.Register("foo", a1, false, false)
+	b.Register("bar", a2, false, false)
 
 	auth := &logical.Auth{
 		ClientToken: "foo",
@@ -430,8 +430,8 @@ func TestAuditBroker_LogResponse(t *testing.T) {
 	b := NewAuditBroker(l)
 	a1 := corehelpers.TestNoopAudit(t, nil)
 	a2 := corehelpers.TestNoopAudit(t, nil)
-	b.Register("foo", a1, false)
-	b.Register("bar", a2, false)
+	b.Register("foo", a1, false, false)
+	b.Register("bar", a2, false, false)
 
 	auth := &logical.Auth{
 		NumUses: 10,
@@ -537,8 +537,8 @@ func TestAuditBroker_AuditHeaders(t *testing.T) {
 	view := NewBarrierView(barrier, "headers/")
 	a1 := corehelpers.TestNoopAudit(t, nil)
 	a2 := corehelpers.TestNoopAudit(t, nil)
-	b.Register("foo", a1, false)
-	b.Register("bar", a2, false)
+	b.Register("foo", a1, false, false)
+	b.Register("bar", a2, false, false)
 
 	auth := &logical.Auth{
 		ClientToken: "foo",

From 1d66519f63d1dd6f62922c545401e39c17a87ad3 Mon Sep 17 00:00:00 2001
From: Marc Boudreau
Date: Thu, 6 Jul 2023 14:10:37 -0400
Subject: [PATCH 2/2] provide changelog file

---
 changelog/21628.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/21628.txt

diff --git a/changelog/21628.txt b/changelog/21628.txt
new file mode 100644
index 000000000000..888108b27667
--- /dev/null
+++ b/changelog/21628.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+audit: add core audit events experiment
+```
\ No newline at end of file
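Review bot: All six updated `Register` calls pass `false` for the new `useEventLogger` argument, so the suite never exercises the `true` branch, which in this series silently skips registration; a test pinning that branch's observable behaviour would catch an audit device being dropped. For example, in `TestAuditBroker_LogRequest` add a third call `b.Register("baz", corehelpers.TestNoopAudit(t, nil), false, true)` and assert the result of `b.IsRegistered("baz")` explicitly, so the intended contract has to be stated now and updated deliberately once the eventlogger path is implemented. Each test function's body continues outside its hunk.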