Merge remote-tracking branch 'origin/main' into peteski22/dependency/…

…swap-armon-go-metrics-to-hashicorp-go-metrics
hashicorp · Jan 9, 2024 · 68a93c7 · 68a93c7
2 parents 25890f8 + 9088f2b
commit 68a93c7
Show file tree

Hide file tree

Showing 103 changed files with 2,908 additions and 660 deletions.
diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml
@@ -510,7 +510,7 @@ jobs:
       - run: |
           rm -rf test-results/go-test/logs
           ls -lhR test-results/go-test
-          find test-results/go-test -mindepth 1 -mtime +3 -delete
+          find test-results/go-test -mindepth 1 -type f -mtime +3 -delete
 
           # Prune invalid timing files
           find test-results/go-test -mindepth 1 -type f -name "*.json" -exec sh -c '

diff --git a/audit/types.go b/audit/types.go
@@ -279,6 +279,11 @@ type Backend interface {
 	// nodes for node and pipeline registration.
 	event.PipelineReader
 
+	// IsFallback can be used to determine if this audit backend device is intended to
+	// be used as a fallback to catch all events that are not written when only using
+	// filtered pipelines.
+	IsFallback() bool
+
 	// LogRequest is used to synchronously log a request. This is done after the
 	// request is authorized but before the request is executed. The arguments
 	// MUST not be modified in any way. They should be deep copied if this is

diff --git a/builtin/audit/file/backend.go b/builtin/audit/file/backend.go
@@ -16,6 +16,7 @@ import (
 	"sync/atomic"
 
 	"github.com/hashicorp/eventlogger"
+	"github.com/hashicorp/go-secure-stdlib/parseutil"
 	"github.com/hashicorp/vault/audit"
 	"github.com/hashicorp/vault/internal/observability/event"
 	"github.com/hashicorp/vault/sdk/helper/salt"
@@ -36,6 +37,7 @@ var _ audit.Backend = (*Backend)(nil)
 // or reset the write cursor, this should be done in the future.
 type Backend struct {
 	f            *os.File
+	fallback     bool
 	fileLock     sync.RWMutex
 	formatter    *audit.EntryFormatterWriter
 	formatConfig audit.FormatterConfig
@@ -60,6 +62,21 @@ func Factory(_ context.Context, conf *audit.BackendConfig, useEventLogger bool,
 		return nil, fmt.Errorf("%s: nil salt view", op)
 	}
 
+	// The config options 'fallback' and 'filter' are mutually exclusive, a fallback
+	// device catches everything, so it cannot be allowed to filter.
+	var fallback bool
+	var err error
+	if fallbackRaw, ok := conf.Config["fallback"]; ok {
+		fallback, err = parseutil.ParseBool(fallbackRaw)
+		if err != nil {
+			return nil, fmt.Errorf("%s: unable to parse 'fallback': %w", op, err)
+		}
+	}
+
+	if _, ok := conf.Config["filter"]; ok && fallback {
+		return nil, fmt.Errorf("%s: cannot configure a fallback device with a filter: %w", op, event.ErrInvalidParameter)
+	}
+
 	// Get file path from config or fall back to the old option name ('path') for compatibility
 	// (see commit bac4fe0799a372ba1245db642f3f6cd1f1d02669).
 	var filePath string
@@ -106,6 +123,7 @@ func Factory(_ context.Context, conf *audit.BackendConfig, useEventLogger bool,
 	}
 
 	b := &Backend{
+		fallback:     fallback,
 		filePath:     filePath,
 		formatConfig: cfg,
 		mode:         mode,
@@ -550,3 +568,10 @@ func (b *Backend) EventType() eventlogger.EventType {
 func (b *Backend) HasFiltering() bool {
 	return len(b.nodeIDList) > 0 && b.nodeMap[b.nodeIDList[0]].Type() == eventlogger.NodeTypeFilter
 }
+
+// IsFallback can be used to determine if this audit backend device is intended to
+// be used as a fallback to catch all events that are not written when only using
+// filtered pipelines.
+func (b *Backend) IsFallback() bool {
+	return b.fallback
+}
diff --git a/builtin/audit/file/backend_test.go b/builtin/audit/file/backend_test.go
@@ -576,3 +576,129 @@ func TestBackend_configureFilterFormatterSink(t *testing.T) {
 	node = b.nodeMap[id]
 	require.Equal(t, eventlogger.NodeTypeSink, node.Type())
 }
+
+// TestBackend_Factory_Conf is used to ensure that any configuration which is
+// supplied, is validated and tested.
+func TestBackend_Factory_Conf(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+
+	tests := map[string]struct {
+		backendConfig        *audit.BackendConfig
+		isErrorExpected      bool
+		expectedErrorMessage string
+	}{
+		"nil-salt-config": {
+			backendConfig: &audit.BackendConfig{
+				SaltConfig: nil,
+			},
+			isErrorExpected:      true,
+			expectedErrorMessage: "file.Factory: nil salt config",
+		},
+		"nil-salt-view": {
+			backendConfig: &audit.BackendConfig{
+				SaltConfig: &salt.Config{},
+			},
+			isErrorExpected:      true,
+			expectedErrorMessage: "file.Factory: nil salt view",
+		},
+		"fallback-device-with-filter": {
+			backendConfig: &audit.BackendConfig{
+				MountPath:  "discard",
+				SaltConfig: &salt.Config{},
+				SaltView:   &logical.InmemStorage{},
+				Config: map[string]string{
+					"fallback":  "true",
+					"file_path": discard,
+					"filter":    "mount_type == kv",
+				},
+			},
+			isErrorExpected:      true,
+			expectedErrorMessage: "file.Factory: cannot configure a fallback device with a filter: invalid parameter",
+		},
+		"non-fallback-device-with-filter": {
+			backendConfig: &audit.BackendConfig{
+				MountPath:  "discard",
+				SaltConfig: &salt.Config{},
+				SaltView:   &logical.InmemStorage{},
+				Config: map[string]string{
+					"fallback":  "false",
+					"file_path": discard,
+					"filter":    "mount_type == kv",
+				},
+			},
+			isErrorExpected: false,
+		},
+	}
+
+	for name, tc := range tests {
+		name := name
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			be, err := Factory(ctx, tc.backendConfig, true, nil)
+
+			switch {
+			case tc.isErrorExpected:
+				require.Error(t, err)
+				require.EqualError(t, err, tc.expectedErrorMessage)
+			default:
+				require.NoError(t, err)
+				require.NotNil(t, be)
+			}
+		})
+	}
+}
+
+// TestBackend_IsFallback ensures that the 'fallback' config setting is parsed
+// and set correctly, then exposed via the interface method IsFallback().
+func TestBackend_IsFallback(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+
+	tests := map[string]struct {
+		backendConfig      *audit.BackendConfig
+		isFallbackExpected bool
+	}{
+		"fallback": {
+			backendConfig: &audit.BackendConfig{
+				MountPath:  "discard",
+				SaltConfig: &salt.Config{},
+				SaltView:   &logical.InmemStorage{},
+				Config: map[string]string{
+					"fallback":  "true",
+					"file_path": discard,
+				},
+			},
+			isFallbackExpected: true,
+		},
+		"no-fallback": {
+			backendConfig: &audit.BackendConfig{
+				MountPath:  "discard",
+				SaltConfig: &salt.Config{},
+				SaltView:   &logical.InmemStorage{},
+				Config: map[string]string{
+					"fallback":  "false",
+					"file_path": discard,
+				},
+			},
+			isFallbackExpected: false,
+		},
+	}
+
+	for name, tc := range tests {
+		name := name
+		tc := tc
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			be, err := Factory(ctx, tc.backendConfig, true, nil)
+			require.NoError(t, err)
+			require.NotNil(t, be)
+			require.Equal(t, tc.isFallbackExpected, be.IsFallback())
+		})
+	}
+}
diff --git a/builtin/audit/socket/backend.go b/builtin/audit/socket/backend.go
@@ -29,6 +29,7 @@ type Backend struct {
 	sync.Mutex
 	address       string
 	connection    net.Conn
+	fallback      bool
 	formatter     *audit.EntryFormatterWriter
 	formatConfig  audit.FormatterConfig
 	name          string
@@ -73,12 +74,27 @@ func Factory(_ context.Context, conf *audit.BackendConfig, useEventLogger bool,
 		return nil, fmt.Errorf("%s: failed to parse 'write_timeout': %w", op, err)
 	}
 
+	// The config options 'fallback' and 'filter' are mutually exclusive, a fallback
+	// device catches everything, so it cannot be allowed to filter.
+	var fallback bool
+	if fallbackRaw, ok := conf.Config["fallback"]; ok {
+		fallback, err = parseutil.ParseBool(fallbackRaw)
+		if err != nil {
+			return nil, fmt.Errorf("%s: unable to parse 'fallback': %w", op, err)
+		}
+	}
+
+	if _, ok := conf.Config["filter"]; ok && fallback {
+		return nil, fmt.Errorf("%s: cannot configure a fallback device with a filter: %w", op, event.ErrInvalidParameter)
+	}
+
 	cfg, err := formatterConfig(conf.Config)
 	if err != nil {
 		return nil, fmt.Errorf("%s: failed to create formatter config: %w", op, err)
 	}
 
 	b := &Backend{
+		fallback:      fallback,
 		address:       address,
 		formatConfig:  cfg,
 		name:          conf.MountPath,
@@ -443,3 +459,10 @@ func (b *Backend) EventType() eventlogger.EventType {
 func (b *Backend) HasFiltering() bool {
 	return len(b.nodeIDList) > 0 && b.nodeMap[b.nodeIDList[0]].Type() == eventlogger.NodeTypeFilter
 }
+
+// IsFallback can be used to determine if this audit backend device is intended to
+// be used as a fallback to catch all events that are not written when only using
+// filtered pipelines.
+func (b *Backend) IsFallback() bool {
+	return b.fallback
+}