| // Copyright (c) HashiCorp, Inc. |
| // SPDX-License-Identifier: MPL-2.0 |
| |
| package audit |
| |
| import ( |
| "context" |
| |
| "github.com/hashicorp/vault/sdk/helper/salt" |
| "github.com/hashicorp/vault/sdk/logical" |
| ) |
| |
// Backend is the contract an audit mechanism must satisfy before it can be
// enabled. An enabled audit backend sinks request/response records to a
// destination such as a log, a file, a database, or another external service.
type Backend interface {
	// LogRequest synchronously logs a request. It is invoked after the
	// request has been authorized but before it is executed. The backend
	// MUST NOT mutate in; deep-copy it first if mutation is unavoidable.
	LogRequest(ctx context.Context, in *logical.LogInput) error

	// LogResponse synchronously logs a response. It is invoked after the
	// request has been processed but before the response is sent. The same
	// rule applies: the backend MUST NOT mutate in, and should deep-copy it
	// if there is any possibility of modification.
	LogResponse(ctx context.Context, in *logical.LogInput) error

	// LogTestMessage is used to validate a backend before it is added
	// permanently. It should synchronously log the given test message
	// WITHOUT the normal salt, because obtaining the salt would require a
	// storage operation at creation time, which is currently disallowed.
	// NOTE(review): the map argument is not described here; presumably it is
	// the mount's user configuration (cf. BackendConfig.Config) — confirm
	// against the callers and the concrete backends.
	LogTestMessage(ctx context.Context, in *logical.LogInput, config map[string]string) error

	// GetHash returns data hashed the way this backend obfuscates values, so
	// a caller can determine whether a value appearing in the audit log
	// corresponds to an expected plaintext. Because this lets a caller
	// confirm plaintext guesses against the log, access to the operation
	// exposing it should be treated as sensitive.
	GetHash(ctx context.Context, data string) (string, error)

	// Reload is called on SIGHUP for backends that support reloading.
	Reload(ctx context.Context) error

	// Invalidate is called on path invalidation.
	Invalidate(ctx context.Context)
}
| |
// BackendConfig contains configuration parameters used in the factory func to
// instantiate audit backends.
type BackendConfig struct {
	// SaltView is the storage view in which the backend's salt is kept.
	SaltView logical.Storage

	// SaltConfig is the salt configuration to use for any secret
	// obfuscation. NOTE(review): expected to drive the same hashing that
	// Backend.GetHash exposes — confirm in the concrete backends.
	SaltConfig *salt.Config

	// Config is the opaque, user-supplied configuration given when the
	// backend is mounted. Treat its values as untrusted operator input; each
	// backend is responsible for validating what it reads from here.
	Config map[string]string
}
| |
// Factory is the signature of the constructor used to create an audit
// backend from its BackendConfig. A non-nil error means no usable Backend
// was produced.
type Factory func(ctx context.Context, conf *BackendConfig) (Backend, error)