Don't panic in audit logs when reading transit keys.

Fixes #2958
hashicorp · Jul 4, 2017 · dddabad · dddabad
1 parent ffa76e3
commit dddabad
Show file tree

Hide file tree

Showing 2 changed files with 85 additions and 5 deletions.
diff --git a/builtin/logical/transit/path_keys.go b/builtin/logical/transit/path_keys.go
@@ -9,6 +9,7 @@ import (
 
 	"golang.org/x/crypto/ed25519"
 
+	"github.com/fatih/structs"
 	"github.com/hashicorp/vault/helper/keysutil"
 	"github.com/hashicorp/vault/logical"
 	"github.com/hashicorp/vault/logical/framework"
@@ -155,9 +156,9 @@ func (b *backend) pathPolicyWrite(
 
 // Built-in helper type for returning asymmetric keys
 type asymKey struct {
-	Name         string    `json:"name"`
-	PublicKey    string    `json:"public_key"`
-	CreationTime time.Time `json:"creation_time"`
+	Name         string    `json:"name" structs:"name"`
+	PublicKey    string    `json:"public_key" structs:"public_key"`
+	CreationTime time.Time `json:"creation_time" structs:"creation_time"`
 }
 
 func (b *backend) pathPolicyRead(
@@ -225,7 +226,7 @@ func (b *backend) pathPolicyRead(
 		resp.Data["keys"] = retKeys
 
 	case keysutil.KeyType_ECDSA_P256, keysutil.KeyType_ED25519:
-		retKeys := map[string]asymKey{}
+		retKeys := map[string]map[string]interface{}{}
 		for k, v := range p.Keys {
 			key := asymKey{
 				PublicKey:    v.FormattedPublicKey,
@@ -254,7 +255,7 @@ func (b *backend) pathPolicyRead(
 				key.Name = "ed25519"
 			}
 
-			retKeys[strconv.Itoa(k)] = key
+			retKeys[strconv.Itoa(k)] = structs.New(key).Map()
 		}
 		resp.Data["keys"] = retKeys
 	}

diff --git a/builtin/logical/transit/path_keys_test.go b/builtin/logical/transit/path_keys_test.go
@@ -0,0 +1,79 @@
+package transit_test
+
+import (
+	"testing"
+
+	"github.com/hashicorp/vault/api"
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/builtin/audit/file"
+	"github.com/hashicorp/vault/builtin/logical/transit"
+	vaulthttp "github.com/hashicorp/vault/http"
+	"github.com/hashicorp/vault/logical"
+	"github.com/hashicorp/vault/vault"
+)
+
+func TestTransit_Issue_2958(t *testing.T) {
+	coreConfig := &vault.CoreConfig{
+		LogicalBackends: map[string]logical.Factory{
+			"transit": transit.Factory,
+		},
+		AuditBackends: map[string]audit.Factory{
+			"file": file.Factory,
+		},
+	}
+
+	cluster := vault.NewTestCluster(t, coreConfig, true)
+	cluster.StartListeners()
+	defer cluster.CloseListeners()
+
+	cores := cluster.Cores
+
+	cores[0].Handler.Handle("/", vaulthttp.Handler(cores[0].Core))
+	cores[1].Handler.Handle("/", vaulthttp.Handler(cores[1].Core))
+	cores[2].Handler.Handle("/", vaulthttp.Handler(cores[2].Core))
+
+	vault.TestWaitActive(t, cores[0].Core)
+
+	client := cores[0].Client
+
+	err := client.Sys().EnableAuditWithOptions("file", &api.EnableAuditOptions{
+		Type: "file",
+		Options: map[string]string{
+			"file_path": "/dev/null",
+		},
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = client.Sys().Mount("transit", &api.MountInput{
+		Type: "transit",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("transit/keys/foo", map[string]interface{}{
+		"type": "ecdsa-p256",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Write("transit/keys/bar", map[string]interface{}{
+		"type": "ed25519",
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Read("transit/keys/foo")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, err = client.Logical().Read("transit/keys/bar")
+	if err != nil {
+		t.Fatal(err)
+	}
+}