Merge pull request #1980 from hashicorp/audit-update

Audit file update
hashicorp · Oct 10, 2016 · 8d42361 · 8d42361
2 parents 601b1b6 + 6770545
commit 8d42361
Show file tree

Hide file tree

Showing 3 changed files with 112 additions and 2 deletions.
diff --git a/builtin/audit/file/backend.go b/builtin/audit/file/backend.go
@@ -54,8 +54,19 @@ func Factory(conf *audit.BackendConfig) (audit.Backend, error) {
 		logRaw = b
 	}
 
+	// Check if mode is provided
+	mode := os.FileMode(0600)
+	if modeRaw, ok := conf.Config["mode"]; ok {
+		m, err := strconv.ParseUint(modeRaw, 8, 32)
+		if err != nil {
+			return nil, err
+		}
+		mode = os.FileMode(m)
+	}
+
 	b := &Backend{
 		path: path,
+		mode: mode,
 		formatConfig: audit.FormatterConfig{
 			Raw:          logRaw,
 			Salt:         conf.Salt,
@@ -93,6 +104,7 @@ type Backend struct {
 
 	fileLock sync.RWMutex
 	f        *os.File
+	mode     os.FileMode
 }
 
 func (b *Backend) GetHash(data string) string {
@@ -131,12 +143,18 @@ func (b *Backend) open() error {
 	if b.f != nil {
 		return nil
 	}
-	if err := os.MkdirAll(filepath.Dir(b.path), 0600); err != nil {
+	if err := os.MkdirAll(filepath.Dir(b.path), b.mode); err != nil {
 		return err
 	}
 
 	var err error
-	b.f, err = os.OpenFile(b.path, os.O_APPEND|os.O_WRONLY|os.O_CREATE, 0600)
+	b.f, err = os.OpenFile(b.path, os.O_APPEND|os.O_WRONLY|os.O_CREATE, b.mode)
+	if err != nil {
+		return err
+	}
+
+	// Change the file mode in case the log file already existed
+	err = os.Chmod(b.path, b.mode)
 	if err != nil {
 		return err
 	}

diff --git a/builtin/audit/file/backend_test.go b/builtin/audit/file/backend_test.go
@@ -0,0 +1,85 @@
+package file
+
+import (
+	"io/ioutil"
+	"os"
+	"path/filepath"
+	"strconv"
+	"testing"
+
+	"github.com/hashicorp/vault/audit"
+	"github.com/hashicorp/vault/helper/salt"
+)
+
+func TestAuditFile_fileModeNew(t *testing.T) {
+	salter, _ := salt.NewSalt(nil, nil)
+
+	modeStr := "0777"
+	mode, err := strconv.ParseUint(modeStr, 8, 32)
+
+	path, err := ioutil.TempDir("", "vault-test_audit_file-file_mode_new")
+	defer os.RemoveAll(path)
+
+	file := filepath.Join(path, "auditTest.txt")
+
+	config := map[string]string{
+		"path": file,
+		"mode": modeStr,
+	}
+
+	_, err = Factory(&audit.BackendConfig{
+		Salt:   salter,
+		Config: config,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := os.Stat(file)
+	if err != nil {
+		t.Fatalf("Cannot retrieve file mode from `Stat`")
+	}
+	if info.Mode() != os.FileMode(mode) {
+		t.Fatalf("File mode does not match.")
+	}
+}
+
+func TestAuditFile_fileModeExisting(t *testing.T) {
+	salter, _ := salt.NewSalt(nil, nil)
+
+	f, err := ioutil.TempFile("", "test")
+	if err != nil {
+		t.Fatalf("Failure to create test file.")
+	}
+	defer os.Remove(f.Name())
+
+	err = os.Chmod(f.Name(), 0777)
+	if err != nil {
+		t.Fatalf("Failure to chmod temp file for testing.")
+	}
+
+	err = f.Close()
+	if err != nil {
+		t.Fatalf("Failure to close temp file for test.")
+	}
+
+	config := map[string]string{
+		"path": f.Name(),
+	}
+
+	_, err = Factory(&audit.BackendConfig{
+		Salt:   salter,
+		Config: config,
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	info, err := os.Stat(f.Name())
+	if err != nil {
+		t.Fatalf("cannot retrieve file mode from `Stat`")
+	}
+	if info.Mode() != os.FileMode(0600) {
+		t.Fatalf("File mode does not match.")
+	}
+}
diff --git a/website/source/docs/audit/file.html.md b/website/source/docs/audit/file.html.md
@@ -69,6 +69,13 @@ Following are the configuration options available for the backend.
         <span class="param-flags">optional</span>
             A boolean, if set, enables the hashing of token accessor. Defaults
             to `true`. This option is useful only when `log_raw` is `false`.
+      </li>
+	  <li>
+        <span class="param">mode</span>
+        <span class="param-flags">optional</span>
+            A string containing an octal number representing the bit pattern
+            for the file mode, similar to `chmod`. This option defaults to
+            `0600`.
       </li>
       <li>
         <span class="param">format</span>