-
Notifications
You must be signed in to change notification settings - Fork 4.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add end-to-end test for audit HMACing #28415
Conversation
CI Results: |
Build Results: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"file_path": logFile.Name(), | ||
}, | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Turn on HMAC for x-correlation-id as it is plain text by default |
}) | ||
require.NoError(t, err) | ||
|
||
// Request 1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Request 1 | |
// Request 1 | |
// Enable the audit device (the response will be audited) |
require.NoError(t, err) | ||
require.Len(t, devices, 1) | ||
|
||
// Request 3 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Request 3 | |
// Request 3 | |
// Enable the userpass auth method (this will be an audited action) |
username := "jdoe" | ||
password := "abc123" | ||
|
||
// Request 4 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Request 4 | |
// Request 4 | |
// Create a user with a password (another audited action) |
|
||
hashedCorrelationID, err := client.Sys().AuditHash(devicePath, correlationID) | ||
require.NoError(t, err) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤔 Just a thought, not required either, but you might want to consider disabling the audit device to be sure nothing will write to the file anymore (before you check the file)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh that's a great idea. Thanks!
|
||
loginAuth := loginRespEntry["auth"].(map[string]interface{}) | ||
|
||
require.True(t, strings.HasPrefix(loginRequestDataFromReq["password"].(string), "hmac-sha256:")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❓ would it be 'safer' to pull the "hmac-sha256:"
prefix into a const string somewhere in here and just reference that in all the assertions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I went back and forth on it. Your feedback has made me decide yes. I'll add that. Thanks!
Description
This PR adds a new end to end test
TestAudit_HMACFields
which verifies that the proper fields are HMACed in audit request and response entries.TODO only if you're a HashiCorp employee
to N, N-1, and N-2, using the
backport/ent/x.x.x+ent
labels. If this PR is in the CE repo, you should only backport to N, using thebackport/x.x.x
label, not the enterprise labels.of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.