diff --git a/vault/activity_log.go b/vault/activity_log.go index 2f6c8acb48ef..15ff40d73dc3 100644 --- a/vault/activity_log.go +++ b/vault/activity_log.go @@ -1105,7 +1105,7 @@ func (c *Core) setupActivityLogLocked(ctx context.Context, wg *sync.WaitGroup) e c.AddLogger(logger) if os.Getenv("VAULT_DISABLE_ACTIVITY_LOG") != "" { - if c.CensusLicensingEnabled() { + if c.ManualLicenseReportingEnabled() { logger.Warn("activity log disabled via environment variable while reporting is enabled. " + "Reporting will override, and the activity log will be enabled") } else { diff --git a/vault/activity_log_test.go b/vault/activity_log_test.go index 3b3d44ee7eaa..ffa4f9088db9 100644 --- a/vault/activity_log_test.go +++ b/vault/activity_log_test.go @@ -846,155 +846,89 @@ func TestActivityLog_MultipleFragmentsAndSegments(t *testing.T) { } } -// TestActivityLog_API_ConfigCRUD performs various CRUD operations on internal/counters/config. -func TestActivityLog_API_ConfigCRUD(t *testing.T) { +// TestActivityLog_API_ConfigCRUD_Census performs various CRUD operations on internal/counters/config +// depending on license reporting +func TestActivityLog_API_ConfigCRUD_Census(t *testing.T) { core, b, _ := testCoreSystemBackend(t) view := core.systemBarrierView - // Test reading the defaults - { - req := logical.TestRequest(t, logical.ReadOperation, "internal/counters/config") - req.Storage = view - resp, err := b.HandleRequest(namespace.RootContext(nil), req) - if err != nil { - t.Fatalf("err: %v", err) - } - defaults := map[string]interface{}{ - "default_report_months": 12, - "retention_months": 24, - "enabled": activityLogEnabledDefaultValue, - "queries_available": false, - "reporting_enabled": core.CensusLicensingEnabled(), - "billing_start_timestamp": core.BillingStart(), - "minimum_retention_months": core.activityLog.configOverrides.MinimumRetentionMonths, - } - - if diff := deep.Equal(resp.Data, defaults); len(diff) > 0 { - t.Fatalf("diff: %v", diff) - } - } - - // Check Error Cases - { - req := logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") - req.Storage = view - req.Data["default_report_months"] = 0 - _, err := b.HandleRequest(namespace.RootContext(nil), req) - if err == nil { - t.Fatal("expected error") - } - - req = logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") - req.Storage = view - req.Data["enabled"] = "bad-value" - _, err = b.HandleRequest(namespace.RootContext(nil), req) + req := logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") + req.Storage = view + req.Data["retention_months"] = 2 + resp, err := b.HandleRequest(namespace.RootContext(nil), req) + if core.ManualLicenseReportingEnabled() { if err == nil { t.Fatal("expected error") } - - req = logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") - req.Storage = view - req.Data["retention_months"] = 0 - req.Data["enabled"] = "enable" - _, err = b.HandleRequest(namespace.RootContext(nil), req) - if err == nil { - t.Fatal("expected error") + if resp.Data["error"] != `retention_months must be at least 24 while Reporting is enabled` { + t.Fatalf("bad: %v", resp) } - } - - // Test single key updates - { - req := logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") - req.Storage = view - req.Data["default_report_months"] = 1 - resp, err := b.HandleRequest(namespace.RootContext(nil), req) + } else { if err != nil { t.Fatalf("err: %v", err) } - if resp != nil { - t.Fatalf("bad: %#v", resp) - } + } - req = logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") - req.Storage = view - req.Data["retention_months"] = 2 - resp, err = b.HandleRequest(namespace.RootContext(nil), req) - if err != nil { - t.Fatalf("err: %v", err) + req = logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") + req.Storage = view + req.Data["retention_months"] = 26 + resp, err = b.HandleRequest(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %v", err) + } + if resp != nil { + t.Fatalf("bad: %#v", resp) + } + + req = logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") + req.Storage = view + req.Data["enabled"] = "disable" + resp, err = b.HandleRequest(namespace.RootContext(nil), req) + if core.ManualLicenseReportingEnabled() { + if err == nil { + t.Fatal("expected error") } - if resp != nil { - t.Fatalf("bad: %#v", resp) + if resp.Data["error"] != `cannot disable the activity log while Reporting is enabled` { + t.Fatalf("bad: %v", resp) } - - req = logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") - req.Storage = view - req.Data["enabled"] = "enable" - resp, err = b.HandleRequest(namespace.RootContext(nil), req) + } else { if err != nil { t.Fatalf("err: %v", err) } if resp != nil { t.Fatalf("bad: %#v", resp) } - - req = logical.TestRequest(t, logical.ReadOperation, "internal/counters/config") - req.Storage = view - resp, err = b.HandleRequest(namespace.RootContext(nil), req) - if err != nil { - t.Fatalf("err: %v", err) - } - expected := map[string]interface{}{ - "default_report_months": 1, - "retention_months": 2, - "enabled": "enable", - "queries_available": false, - "reporting_enabled": core.CensusLicensingEnabled(), - "billing_start_timestamp": core.BillingStart(), - "minimum_retention_months": core.activityLog.configOverrides.MinimumRetentionMonths, - } - - if diff := deep.Equal(resp.Data, expected); len(diff) > 0 { - t.Fatalf("diff: %v", diff) - } } - // Test updating all keys - { - req := logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") - req.Storage = view - req.Data["enabled"] = "default" - req.Data["retention_months"] = 24 - req.Data["default_report_months"] = 12 - - originalEnabled := core.activityLog.GetEnabled() - newEnabled := activityLogEnabledDefault - - resp, err := b.HandleRequest(namespace.RootContext(nil), req) - if err != nil { - t.Fatalf("err: %v", err) - } - checkAPIWarnings(t, originalEnabled, newEnabled, resp) - - req = logical.TestRequest(t, logical.ReadOperation, "internal/counters/config") - req.Storage = view - resp, err = b.HandleRequest(namespace.RootContext(nil), req) - if err != nil { - t.Fatalf("err: %v", err) - } + req = logical.TestRequest(t, logical.UpdateOperation, "internal/counters/config") + req.Storage = view + req.Data["enabled"] = "enable" + resp, err = b.HandleRequest(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %v", err) + } + if resp != nil { + t.Fatalf("bad: %#v", resp) + } - defaults := map[string]interface{}{ - "default_report_months": 12, - "retention_months": 24, - "enabled": activityLogEnabledDefaultValue, - "queries_available": false, - "reporting_enabled": core.CensusLicensingEnabled(), - "billing_start_timestamp": core.BillingStart(), - "minimum_retention_months": core.activityLog.configOverrides.MinimumRetentionMonths, - } + req = logical.TestRequest(t, logical.ReadOperation, "internal/counters/config") + req.Storage = view + resp, err = b.HandleRequest(namespace.RootContext(nil), req) + if err != nil { + t.Fatalf("err: %v", err) + } + expected := map[string]interface{}{ + "default_report_months": 12, + "retention_months": 26, + "enabled": "enable", + "queries_available": false, + "reporting_enabled": core.AutomatedLicenseReportingEnabled(), + "billing_start_timestamp": core.BillingStart(), + "minimum_retention_months": core.activityLog.configOverrides.MinimumRetentionMonths, + } - if diff := deep.Equal(resp.Data, defaults); len(diff) > 0 { - t.Fatalf("diff: %v", diff) - } + if diff := deep.Equal(resp.Data, expected); len(diff) > 0 { + t.Fatalf("diff: %v", diff) } } @@ -2172,7 +2106,8 @@ func checkAPIWarnings(t *testing.T, originalEnabled, newEnabled bool, resp *logi } // TestActivityLog_EnableDisable writes a segment, adds an entity to the in-memory fragment, then disables the activity -// log. The test verifies that the segment doesn't exist. The activity log is enabled, then verified that an empty +// log. The test verifies that activity log cannot be disabled if manual reporting is enabled and no segment data is lost. +// If manual reporting is not enabled(OSS), The test verifies that the segment doesn't exist. The activity log is enabled, then verified that an empty // segment is written and new clients can be added and written to segments. func TestActivityLog_EnableDisable(t *testing.T) { timeutil.SkipAtEndOfMonth(t) @@ -2204,10 +2139,19 @@ func TestActivityLog_EnableDisable(t *testing.T) { req.Storage = view req.Data["enabled"] = "disable" resp, err := b.HandleRequest(ctx, req) - if err != nil { - t.Fatalf("err: %v", err) + if a.core.ManualLicenseReportingEnabled() { + if err == nil { + t.Fatal("expected error") + } + if resp.Data["error"] != `cannot disable the activity log while Reporting is enabled` { + t.Fatalf("bad: %v", resp) + } + } else { + if err != nil { + t.Fatalf("err: %v", err) + } + checkAPIWarnings(t, originalEnabled, false, resp) } - checkAPIWarnings(t, originalEnabled, false, resp) } // enable (if not already) and write a segment @@ -2233,33 +2177,35 @@ func TestActivityLog_EnableDisable(t *testing.T) { // Add in-memory fragment a.AddEntityToFragment(id3, "root", time.Now().Unix()) - // disable and verify segment no longer exists + // disable and verify segment exists disableRequest() - timeout := time.After(20 * time.Second) - select { - case <-a.deleteDone: - break - case <-timeout: - t.Fatalf("timed out") - } + if !a.core.ManualLicenseReportingEnabled() { + timeout := time.After(20 * time.Second) + select { + case <-a.deleteDone: + break + case <-timeout: + t.Fatalf("timed out") + } - expectMissingSegment(t, core, path) - a.ExpectCurrentSegmentRefreshed(t, 0, false) + expectMissingSegment(t, core, path) + a.ExpectCurrentSegmentRefreshed(t, 0, false) - // enable (if not already) which force-writes an empty segment - enableRequest() + // enable (if not already) which force-writes an empty segment + enableRequest() - seg2 := a.GetStartTimestamp() - if seg1 >= seg2 { - t.Errorf("bad second segment timestamp, %v >= %v", seg1, seg2) - } + seg2 := a.GetStartTimestamp() + if seg1 >= seg2 { + t.Errorf("bad second segment timestamp, %v >= %v", seg1, seg2) + } - // Verify empty segments are present - path = fmt.Sprintf("%ventity/%v/0", ActivityLogPrefix, seg2) - readSegmentFromStorage(t, core, path) + // Verify empty segments are present + path = fmt.Sprintf("%ventity/%v/0", ActivityLogPrefix, seg2) + readSegmentFromStorage(t, core, path) - path = fmt.Sprintf("%vdirecttokens/%v/0", ActivityLogPrefix, seg2) + path = fmt.Sprintf("%vdirecttokens/%v/0", ActivityLogPrefix, seg2) + } readSegmentFromStorage(t, core, path) } diff --git a/vault/census.go b/vault/census.go index cd94ad3e43ce..c608ca47eb75 100644 --- a/vault/census.go +++ b/vault/census.go @@ -11,9 +11,10 @@ import "time" type CensusReporter interface{} // setupCensusAgent is a stub for OSS. -func (c *Core) setupCensusAgent() error { return nil } -func (c *Core) BillingStart() time.Time { return time.Time{} } -func (c *Core) CensusLicensingEnabled() bool { return false } -func (c *Core) CensusAgent() CensusReporter { return nil } -func (c *Core) ReloadCensus() error { return nil } -func (c *Core) teardownCensusAgent() error { return nil } +func (c *Core) setupCensusAgent() error { return nil } +func (c *Core) BillingStart() time.Time { return time.Time{} } +func (c *Core) AutomatedLicenseReportingEnabled() bool { return false } +func (c *Core) CensusAgent() CensusReporter { return nil } +func (c *Core) ReloadCensus() error { return nil } +func (c *Core) teardownCensusAgent() error { return nil } +func (c *Core) ManualLicenseReportingEnabled() bool { return false } diff --git a/vault/logical_system_activity.go b/vault/logical_system_activity.go index 929dca39dd60..cf0d6a273f82 100644 --- a/vault/logical_system_activity.go +++ b/vault/logical_system_activity.go @@ -328,7 +328,7 @@ func (b *SystemBackend) handleActivityConfigRead(ctx context.Context, req *logic "retention_months": config.RetentionMonths, "enabled": config.Enabled, "queries_available": qa, - "reporting_enabled": b.Core.CensusLicensingEnabled(), + "reporting_enabled": b.Core.AutomatedLicenseReportingEnabled(), "billing_start_timestamp": b.Core.BillingStart(), "minimum_retention_months": a.configOverrides.MinimumRetentionMonths, }, @@ -388,8 +388,8 @@ func (b *SystemBackend) handleActivityConfigUpdate(ctx context.Context, req *log !activityLogEnabledDefault && config.Enabled == "enable" && enabledStr == "default" || activityLogEnabledDefault && config.Enabled == "default" && enabledStr == "disable" { - // if census is enabled, the activity log cannot be disabled - if a.core.CensusLicensingEnabled() { + // if reporting is enabled, the activity log cannot be disabled. Manual Reporting is always enabled on ent. + if a.core.ManualLicenseReportingEnabled() { return logical.ErrorResponse("cannot disable the activity log while Reporting is enabled"), logical.ErrInvalidRequest } warnings = append(warnings, "the current monthly segment will be deleted because the activity log was disabled") @@ -416,7 +416,8 @@ func (b *SystemBackend) handleActivityConfigUpdate(ctx context.Context, req *log return logical.ErrorResponse("retention_months cannot be 0 while enabled"), logical.ErrInvalidRequest } - if a.core.CensusLicensingEnabled() && config.RetentionMonths < minimumRetentionMonths { + // if manual license reporting is enabled, retention months must at least be 24 months + if a.core.ManualLicenseReportingEnabled() && config.RetentionMonths < minimumRetentionMonths { return logical.ErrorResponse("retention_months must be at least %d while Reporting is enabled", minimumRetentionMonths), logical.ErrInvalidRequest }