
'Read Single Audit Request Header Api' is case sensitive and works for lowercase header values only #3701

Closed
rajanadar opened this issue Dec 17, 2017 · 0 comments
rajanadar commented Dec 17, 2017

Environment:

  • Vault Version: 0.9.0
  • Operating System/Architecture: Windows 10/64 bit

Vault Config File:

backend "file" {
  path = "d:\vault\file_backend"
}

listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = 1
}

Startup Log Output:
==> WARNING: mlock not supported on this system!

An mlockall(2)-like syscall to prevent memory from being
swapped to disk is not supported on this system. Running
Vault on an mlockall(2) enabled system is much more secure.

==> Vault server configuration:

                 Cgo: disabled
          Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", tls: "disabled")
           Log Level: info
               Mlock: supported: false, enabled: false
             Storage: file
             Version: Vault v0.9.0
         Version Sha: bdac1854478538052ba5b7ec9a9ec688d35a3335

==> Vault server started! Log data will stream in below:

Expected Behavior:
Http 200 Ok from the API with the response payload containing the single audit header details (name and hmac, wrapped in a secret).

Http Header names are case insensitive as per https://tools.ietf.org/html/rfc7230#section-3.2 and https://tools.ietf.org/html/rfc7540#section-8.1.2

Actual Behavior:
Http 400:
{
  "errors": [
    "Could not find header in config"
  ]
}

Steps to Reproduce:

  • Startup Vault server.
  • Create an audit header named "X-Forwarded-For" (PUT on /sys/config/auditing/request-headers/X-Forwarded-For)
  • Retrieve the header using a Http GET on /sys/config/auditing/request-headers/X-Forwarded-For
  • You'll see the Http 400 error.
  • If you now try, /sys/config/auditing/request-headers/x-forwarded-for (all lower case header name) then the response is successful and you see the header details.
  • The response should be successful agnostic of the case. Right now, it is not even the case we used to create the header.

Important Factoids:
Nothing special. Just the normal PUT and GET Apis.

References:

@jefferai jefferai added this to the 0.9.1 milestone Dec 17, 2017
jefferai added a commit that referenced this issue Dec 18, 2017
The headers are stored lowercased but the lookup function wasn't
properly lowercasing when indexing in the header map.

Fixes #3701
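The mismatch the commit message describes, as an added Go example that is not Vault's own code: the write path lowercases the map key, but the reported read path indexed the map with the caller's spelling. The type and function names here are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// headerSettings is a stand-in for the per-header audit settings
// (whether the value is HMAC'd in audit logs); constructed for this example.
type headerSettings struct {
	HMAC bool
}

// auditedHeadersConfig keys its map by lowercased header name, which is
// how the commit message says the headers are stored.
type auditedHeadersConfig struct {
	headers map[string]*headerSettings
}

func newAuditedHeadersConfig() *auditedHeadersConfig {
	return &auditedHeadersConfig{headers: make(map[string]*headerSettings)}
}

// add normalises the name on the write path.
func (c *auditedHeadersConfig) add(name string, hmac bool) {
	c.headers[strings.ToLower(name)] = &headerSettings{HMAC: hmac}
}

// lookupBuggy reproduces the reported defect: the key was lowercased when
// stored, but the read path uses the caller's spelling, so only an
// all-lowercase name is found.
func (c *auditedHeadersConfig) lookupBuggy(name string) (*headerSettings, bool) {
	s, ok := c.headers[name]
	return s, ok
}

// lookup is the corrected read path: normalise exactly as the write path does.
func (c *auditedHeadersConfig) lookup(name string) (*headerSettings, bool) {
	s, ok := c.headers[strings.ToLower(name)]
	return s, ok
}

func main() {
	c := newAuditedHeadersConfig()
	c.add("X-Forwarded-For", true)
	for _, name := range []string{"X-Forwarded-For", "x-forwarded-for"} {
		_, buggyOK := c.lookupBuggy(name)
		s, fixedOK := c.lookup(name)
		fmt.Printf("%-16s buggy=%-5v fixed=%-5v hmac=%v\n", name, buggyOK, fixedOK, fixedOK && s.HMAC)
	}
}
```

A regression test that exercises the read path with a differently cased name than the write path is what catches this class of bug; a test that only round-trips the lowercase form passes on both versions.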