Review feedback

hashicorp · Jul 5, 2019 · b327f24 · b327f24
1 parent d7df2b2
commit b327f24
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 37 deletions.
diff --git a/http/http_test.go b/http/http_test.go
@@ -22,32 +22,36 @@ func testHttpGet(t *testing.T, token string, addr string) *http.Response {
 		loggedToken = "<empty>"
 	}
 	t.Logf("Token is %s", loggedToken)
-	return testHttpData(t, "GET", token, addr, nil, false)
+	return testHttpData(t, "GET", token, addr, nil, false, 0)
 }
 
 func testHttpDelete(t *testing.T, token string, addr string) *http.Response {
-	return testHttpData(t, "DELETE", token, addr, nil, false)
+	return testHttpData(t, "DELETE", token, addr, nil, false, 0)
 }
 
 // Go 1.8+ clients redirect automatically which breaks our 307 standby testing
 func testHttpDeleteDisableRedirect(t *testing.T, token string, addr string) *http.Response {
-	return testHttpData(t, "DELETE", token, addr, nil, true)
+	return testHttpData(t, "DELETE", token, addr, nil, true, 0)
+}
+
+func testHttpPostWrapped(t *testing.T, token string, addr string, body interface{}, wrapTTL time.Duration) *http.Response {
+	return testHttpData(t, "POST", token, addr, body, false, wrapTTL)
 }
 
 func testHttpPost(t *testing.T, token string, addr string, body interface{}) *http.Response {
-	return testHttpData(t, "POST", token, addr, body, false)
+	return testHttpData(t, "POST", token, addr, body, false, 0)
 }
 
 func testHttpPut(t *testing.T, token string, addr string, body interface{}) *http.Response {
-	return testHttpData(t, "PUT", token, addr, body, false)
+	return testHttpData(t, "PUT", token, addr, body, false, 0)
 }
 
 // Go 1.8+ clients redirect automatically which breaks our 307 standby testing
 func testHttpPutDisableRedirect(t *testing.T, token string, addr string, body interface{}) *http.Response {
-	return testHttpData(t, "PUT", token, addr, body, true)
+	return testHttpData(t, "PUT", token, addr, body, true, 0)
 }
 
-func testHttpData(t *testing.T, method string, token string, addr string, body interface{}, disableRedirect bool) *http.Response {
+func testHttpData(t *testing.T, method string, token string, addr string, body interface{}, disableRedirect bool, wrapTTL time.Duration) *http.Response {
 	bodyReader := new(bytes.Buffer)
 	if body != nil {
 		enc := json.NewEncoder(bodyReader)
@@ -68,6 +72,10 @@ func testHttpData(t *testing.T, method string, token string, addr string, body i
 
 	req.Header.Set("Content-Type", "application/json")
 
+	if wrapTTL > 0 {
+		req.Header.Set("X-Vault-Wrap-TTL", wrapTTL.String())
+	}
+
 	if len(token) != 0 {
 		req.Header.Set(consts.AuthHeaderName, token)
 	}

diff --git a/http/logical_test.go b/http/logical_test.go
@@ -406,34 +406,34 @@ func TestLogical_Audit_invalidWrappingToken(t *testing.T) {
 	}
 
 	{
+		resp := testHttpPostWrapped(t, root, addr+"/v1/auth/token/create", nil, 10*time.Second)
+		testResponseStatus(t, resp, 200)
+		body := map[string]interface{}{}
+		testResponseBody(t, resp, &body)
+
+		wrapToken := body["wrap_info"].(map[string]interface{})["token"].(string)
+
 		// Make a wrapping/unwrap request with an invalid token
-		resp := testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
-			"token": "foo",
+		resp = testHttpPost(t, root, addr+"/v1/sys/wrapping/unwrap", map[string]interface{}{
+			"token": wrapToken,
 		})
-		testResponseStatus(t, resp, 400)
-		body := map[string][]string{}
-		testResponseBody(t, resp, &body)
-		if body["errors"][0] != "wrapping token is not valid or does not exist" {
-			t.Fatal(body)
-		}
+		testResponseStatus(t, resp, 200)
 
 		// Check the audit trail on request and response
-		if len(noop.ReqAuth) != 2 {
+		if len(noop.ReqAuth) != 3 {
 			t.Fatalf("bad: %#v", noop)
 		}
-		auth := noop.ReqAuth[1]
+		auth := noop.ReqAuth[2]
 		if auth.ClientToken != root {
 			t.Fatalf("bad client token: %#v", auth)
 		}
-		if len(noop.Req) != 2 || noop.Req[1].Path != "sys/wrapping/unwrap" {
-			t.Fatalf("bad:\ngot:\n%#v", noop.Req[1])
+		if len(noop.Req) != 3 || noop.Req[2].Path != "sys/wrapping/unwrap" {
+			t.Fatalf("bad:\ngot:\n%#v", noop.Req[2])
 		}
 
-		if len(noop.ReqErrs) != 2 {
+		// Make sure there is only one error in the logs
+		if noop.ReqErrs[1] != nil || noop.ReqErrs[2] != nil {
 			t.Fatalf("bad: %#v", noop.RespErrs)
 		}
-		if noop.ReqErrs[1] != consts.ErrInvalidWrappingToken {
-			t.Fatalf("bad: %#v", noop.ReqErrs)
-		}
 	}
 }
diff --git a/vault/wrapping.go b/vault/wrapping.go
@@ -317,16 +317,6 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request)
 		// Perform audit logging before returning if there's an issue with checking
 		// the wrapping token
 		if err != nil || !valid {
-			// Get non-HMAC'ed request data keys
-			var nonHMACReqDataKeys []string
-			entry := c.router.MatchingMountEntry(ctx, req.Path)
-			if entry != nil {
-				// Get and set ignored HMAC'd value.
-				if rawVals, ok := entry.synthesizedConfigCache.Load("audit_non_hmac_request_keys"); ok {
-					nonHMACReqDataKeys = rawVals.([]string)
-				}
-			}
-
 			// We log the Auth object like so here since the wrapping token can
 			// come from the header, which gets set as the ClientToken
 			auth := &logical.Auth{
@@ -335,12 +325,11 @@ func (c *Core) ValidateWrappingToken(ctx context.Context, req *logical.Request)
 			}
 
 			logInput := &logical.LogInput{
-				Auth:               auth,
-				Request:            req,
-				NonHMACReqDataKeys: nonHMACReqDataKeys,
+				Auth:    auth,
+				Request: req,
 			}
 			if err != nil {
-				logInput.OuterErr = errwrap.Wrapf("error validating wrapping token: {{err}}", err)
+				logInput.OuterErr = errors.New("error validating wrapping token")
 			}
 			if !valid {
 				logInput.OuterErr = consts.ErrInvalidWrappingToken