New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add end-to-end test for audit HMACing #28415

Merged

ccapurso merged 6 commits into main from vault-30602-e2e-audit-hmac-test

Sep 17, 2024

+214 −0

Contributor

ccapurso commented Sep 17, 2024

Description

This PR adds a new end to end test TestAudit_HMACFields which verifies that the proper fields are HMACed in audit request and response entries.

TODO only if you're a HashiCorp employee

Backport Labels: If this PR is in the ENT repo and needs to be backported, backport
to N, N-1, and N-2, using the backport/ent/x.x.x+ent labels. If this PR is in the CE repo, you should only backport to N, using the backport/x.x.x label, not the enterprise labels.
- If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
Jira: If this change has an associated Jira, it's referenced either
in the PR description, commit message, or branch name.
RFC: If this change has an associated RFC, please link it in the description.
ENT PR: If this change has an associated ENT PR, please link it in the
description. Also, make sure the changelog is in this PR, not in your ENT PR.


          add end-to-end test for audit HMACing

1ddb401

ccapurso added pr/no-changelog pr/no-milestone labels

ccapurso requested review from peteski22 and kubawi

September 17, 2024 12:34

github-actions bot added the hashicorp-contributed-pr label

github-actions bot commented Sep 17, 2024 •

edited

Loading

CI Results:
All Go tests succeeded! ✅

github-actions bot commented Sep 17, 2024

Build Results:
All builds succeeded! ✅

kubawi approved these changes

View reviewed changes

Contributor

kubawi left a comment

Looks good, thanks Chris!

vault/external_tests/audit/audit_test.go Outdated Show resolved Hide resolved

vault/external_tests/audit/audit_test.go Outdated Show resolved Hide resolved

ccapurso added 2 commits

September 17, 2024 11:05


          fix some comments

a051394


          add clarification for entry count assertion

be3b3f8

peteski22 approved these changes

View reviewed changes

Contributor

peteski22 left a comment

Thanks for doing this Chris, it's always a slog and I appreciate you're always the one stepping in to do the 'chores'.

Added a few comments, but nothing that would stop me approving.

vault/external_tests/audit/audit_test.go

+              			"file_path": logFile.Name(),
+              		},
+              	}

Contributor

peteski22 Sep 17, 2024

Suggested change



	// Turn on HMAC for x-correlation-id as it is plain text by default

vault/external_tests/audit/audit_test.go

+              	})
+              	require.NoError(t, err)
+              	// Request 1

Contributor

peteski22 Sep 17, 2024

Suggested change

      
            	// Request 1
          
            	// Request 1
          
            	// Enable the audit device (the response will be audited)

vault/external_tests/audit/audit_test.go

+              	require.NoError(t, err)
+              	require.Len(t, devices, 1)
+              	// Request 3

Contributor

peteski22 Sep 17, 2024

Suggested change

      
            	// Request 3
          
            	// Request 3
          
            	// Enable the userpass auth method (this will be an audited action)

vault/external_tests/audit/audit_test.go

+              	username := "jdoe"
+              	password := "abc123"
+              	// Request 4

Contributor

peteski22 Sep 17, 2024

Suggested change

      
            	// Request 4
          
            	// Request 4
          
            	// Create a user with a password (another audited action)

vault/external_tests/audit/audit_test.go


		hashedCorrelationID, err := client.Sys().AuditHash(devicePath, correlationID)
		require.NoError(t, err)

Contributor

peteski22 Sep 17, 2024

🤔 Just a thought, not required either, but you might want to consider disabling the audit device to be sure nothing will write to the file anymore (before you check the file)?

Contributor Author

ccapurso Sep 17, 2024

Oh that's a great idea. Thanks!

vault/external_tests/audit/audit_test.go Outdated


		loginAuth := loginRespEntry["auth"].(map[string]interface{})

		require.True(t, strings.HasPrefix(loginRequestDataFromReq["password"].(string), "hmac-sha256:"))

Contributor

peteski22 Sep 17, 2024

❓ would it be 'safer' to pull the "hmac-sha256:" prefix into a const string somewhere in here and just reference that in all the assertions?

Contributor Author

ccapurso Sep 17, 2024

I went back and forth on it. Your feedback has made me decide yes. I'll add that. Thanks!

ccapurso added 3 commits

September 17, 2024 14:39


          more comment clarity

c8f6735


          use const for hmac prefix

3b0f80b


          add check for disabling audit device

2c9cacb

ccapurso merged commit 75bea5c into main

83 checks passed

ccapurso deleted the vault-30602-e2e-audit-hmac-test branch

September 17, 2024 19:50

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

hashicorp-contributed-pr pr/no-changelog pr/no-milestone