Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT-21710 - prevent duplicate audit file_path targets #28751

Merged
merged 9 commits into from
Oct 24, 2024
Merged

VAULT-21710 - prevent duplicate audit file_path targets #28751

merged 9 commits into from
Oct 24, 2024

Conversation

tvo0813
Copy link
Collaborator

@tvo0813 tvo0813 commented Oct 22, 2024
edited
Loading

Description

Prevent the audit process from allowing duplicate file path targets

TODO only if you're a HashiCorp employee

  • Backport Labels: If this PR is in the ENT repo and needs to be backported, backport
    to N, N-1, and N-2, using the backport/ent/x.x.x+ent labels. If this PR is in the CE repo, you should only backport to N, using the backport/x.x.x label, not the enterprise labels.
    • If this fixes a critical security vulnerability or severity 1 bug, it will also need to be backported to the current LTS versions of Vault. To ensure this, use all available enterprise labels.
  • ENT Breakage: If this PR either 1) removes a public function OR 2) changes the signature
    of a public function, even if that change is in a CE file, double check that
    applying the patch for this PR to the ENT repo and running tests doesn't
    break any tests. Sometimes ENT only tests rely on public functions in CE
    files.
  • Jira: If this change has an associated Jira, it's referenced either
    in the PR description, commit message, or branch name.
  • RFC: If this change has an associated RFC, please link it in the description.
  • ENT PR: If this change has an associated ENT PR, please link it in the
    description. Also, make sure the changelog is in this PR, not in your ENT PR.

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Oct 22, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 22, 2024
edited
Loading

CI Results:
All Go tests succeeded! ✅

@github-actions GitHub Actions
Copy link

github-actions bot commented Oct 22, 2024
edited
Loading

Build Results:
All builds succeeded! ✅

@tvo0813 tvo0813 force-pushed the bug/VAULT-21710_prevent_duplicate_targets branch from e20767d to a1f951b Compare October 22, 2024 21:09
@ltcarbonell ltcarbonell self-requested a review October 23, 2024 13:51
ltcarbonell
ltcarbonell requested changes Oct 23, 2024
View reviewed changes
Copy link
Contributor

@ltcarbonell ltcarbonell left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a sample of the new error response from Vault to the description? This will help us see how Vault responds without needing to run it manually.

@tvo0813
Copy link
Collaborator Author

tvo0813 commented Oct 23, 2024
edited
Loading

Tested locally and is working as it should (failed when enabling same file_path)

tin.vo@tin command % vault audit enable -path=file1 file file_path=${APATH};             
Success! Enabled the file audit device at: file1/
tin.vo@tin command % vault audit enable -path=file2 file log_raw=true file_path=${APATH};
Error enabling audit device: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/audit/file2
Code: 400. Errors:

* file_path already in use: invalid configuration

2024-10-23T09:25:10.924-0700 [INFO]  core: enabled audit backend: path=file1/ type=file
2024-10-23T09:25:15.533-0700 [ERROR] core: enable audit mount failed: path=file2/ error="file_path already in use: invalid configuration"```

@kubawi kubawi changed the title VAULT: 21710 - prevent duplicate audit file_path targets VAULT-21710 - prevent duplicate audit file_path targets Oct 24, 2024
kubawi
kubawi approved these changes Oct 24, 2024
View reviewed changes
Copy link
Contributor

@kubawi kubawi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks Tin!

I am leaving an approval and some suggestions to make comments clearer.

vault/audit.go Outdated Show resolved Hide resolved
changelog/28751.txt Outdated Show resolved Hide resolved
vault/audit_test.go Outdated Show resolved Hide resolved
@tvo0813 tvo0813 added backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent backport/1.18.x backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent labels Oct 24, 2024
@tvo0813 tvo0813 merged commit 48cf1a1 into main Oct 24, 2024
106 checks passed
@tvo0813 tvo0813 deleted the bug/VAULT-21710_prevent_duplicate_targets branch October 24, 2024 17:54
Merged
6 tasks
@tvo0813 tvo0813 added backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent and removed backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent labels Oct 24, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kubawi kubawi kubawi approved these changes

@ltcarbonell ltcarbonell ltcarbonell approved these changes

Assignees
No one assigned
Labels
backport/ent/1.16.x+ent Changes are backported to 1.16.x+ent backport/ent/1.17.x+ent Changes are backported to 1.17.x+ent backport/1.18.x hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed pr/no-milestone
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tvo0813 @ltcarbonell @kubawi