Merge remote-tracking branch 'remotes/from/ce/release/1.21.x' into release/1.21.x

hc-github-team-secure-vault-core · hc-github-team-secure-vault-core · commit 1ca13a04fbd0 · 2026-01-15T20:02:54.000Z
diff --git a/builtin/logical/nomad/backend_test.go b/builtin/logical/nomad/backend_test.go
@@ -16,8 +16,10 @@ import (
 	nomadapi "github.com/hashicorp/nomad/api"
 	"github.com/hashicorp/vault/helper/testhelpers"
 	"github.com/hashicorp/vault/sdk/helper/docker"
+	"github.com/hashicorp/vault/sdk/helper/testhelpers/observations"
 	"github.com/hashicorp/vault/sdk/logical"
 	"github.com/mitchellh/mapstructure"
+	"github.com/stretchr/testify/require"
 )
 
 type Config struct {
@@ -159,6 +161,8 @@ func preprePolicies(nomadClient *nomadapi.Client) error {
 func TestBackend_config_Bootstrap(t *testing.T) {
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
+	or := observations.NewTestObservationRecorder()
+	config.ObservationRecorder = or
 	b, err := Factory(context.Background(), config)
 	if err != nil {
 		t.Fatal(err)
@@ -184,12 +188,16 @@ func TestBackend_config_Bootstrap(t *testing.T) {
 		t.Fatalf("failed to write configuration: resp:%#v err:%s", resp, err)
 	}
 
+	require.Equal(t, 1, or.NumObservationsByType(ObservationTypeNomadConfigAccessWrite))
+
 	confReq.Operation = logical.ReadOperation
 	resp, err = b.HandleRequest(context.Background(), confReq)
 	if err != nil || (resp != nil && resp.IsError()) {
 		t.Fatalf("failed to write configuration: resp:%#v err:%s", resp, err)
 	}
 
+	require.Equal(t, 1, or.NumObservationsByType(ObservationTypeNomadConfigAccessRead))
+
 	expected := map[string]interface{}{
 		"address":               connData["address"].(string),
 		"max_token_name_length": 0,
@@ -318,6 +326,8 @@ func TestBackend_config_access_with_certs(t *testing.T) {
 func TestBackend_renew_revoke(t *testing.T) {
 	config := logical.TestBackendConfig()
 	config.StorageView = &logical.InmemStorage{}
+	or := observations.NewTestObservationRecorder()
+	config.ObservationRecorder = or
 	b, err := Factory(context.Background(), config)
 	if err != nil {
 		t.Fatal(err)
@@ -341,6 +351,7 @@ func TestBackend_renew_revoke(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	require.Equal(t, 1, or.NumObservationsByType(ObservationTypeNomadConfigAccessWrite))
 
 	req.Path = "role/test"
 	req.Data = map[string]interface{}{
@@ -351,6 +362,12 @@ func TestBackend_renew_revoke(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
+	require.Equal(t, 1, or.NumObservationsByType(ObservationTypeNomadRoleWrite))
+	roleObs := or.ObservationsByType(ObservationTypeNomadRoleWrite)
+	require.Len(t, roleObs, 1)
+	require.Equal(t, "test", roleObs[0].Data["role_name"])
+	require.Equal(t, "client", roleObs[0].Data["token_type"])
+	require.Equal(t, false, roleObs[0].Data["global"])
 
 	req.Operation = logical.ReadOperation
 	req.Path = "creds/test"
@@ -364,6 +381,15 @@ func TestBackend_renew_revoke(t *testing.T) {
 	if resp.IsError() {
 		t.Fatalf("resp is error: %v", resp.Error())
 	}
+	require.Equal(t, 1, or.NumObservationsByType(ObservationTypeNomadCredentialCreateSuccess))
+	credObs := or.ObservationsByType(ObservationTypeNomadCredentialCreateSuccess)
+	require.Len(t, credObs, 1)
+	require.Equal(t, "test", credObs[0].Data["role_name"])
+	require.Equal(t, "client", credObs[0].Data["token_type"])
+	require.Equal(t, false, credObs[0].Data["global"])
+	require.Equal(t, "0s", credObs[0].Data["ttl"])
+	require.Equal(t, "0s", credObs[0].Data["max_ttl"])
+	require.NotEmpty(t, credObs[0].Data["accessor_id"])
 
 	generatedSecret := resp.Secret
 	generatedSecret.TTL = 6 * time.Hour
@@ -402,12 +428,24 @@ func TestBackend_renew_revoke(t *testing.T) {
 		t.Fatal("got nil response from renew")
 	}
 
+	require.Equal(t, 1, or.NumObservationsByType(ObservationTypeNomadCredentialRenew))
+	renewObs := or.ObservationsByType(ObservationTypeNomadCredentialRenew)
+	require.Len(t, renewObs, 1)
+	require.Equal(t, d.Accessor, renewObs[0].Data["accessor_id"])
+	require.Equal(t, "0s", renewObs[0].Data["ttl"])
+	require.Equal(t, "0s", renewObs[0].Data["max_ttl"])
+
 	req.Operation = logical.RevokeOperation
 	resp, err = b.HandleRequest(context.Background(), req)
 	if err != nil {
 		t.Fatal(err)
 	}
 
+	require.Equal(t, 1, or.NumObservationsByType(ObservationTypeNomadCredentialRevoke))
+	revokeObs := or.ObservationsByType(ObservationTypeNomadCredentialRevoke)
+	require.Len(t, revokeObs, 1)
+	require.Equal(t, d.Accessor, revokeObs[0].Data["accessor_id"])
+
 	// Build a management client and verify that the token does not exist anymore
 	nomadmgmtConfig := nomadapi.DefaultConfig()
 	nomadmgmtConfig.Address = connData["address"].(string)
diff --git a/builtin/logical/nomad/observation_consts.go b/builtin/logical/nomad/observation_consts.go
@@ -0,0 +1,51 @@
+// Copyright IBM Corp. 2016, 2025
+// SPDX-License-Identifier: BUSL-1.1
+
+package nomad
+
+const (
+	// Role observation types
+	// These contain role_name, token_type, global as metadata
+
+	ObservationTypeNomadRoleWrite = "nomad/role/write"
+	ObservationTypeNomadRoleRead  = "nomad/role/read"
+
+	// Role delete observation type
+	// This contains role_name as metadata
+
+	ObservationTypeNomadRoleDelete = "nomad/role/delete"
+
+	// Config observation types
+	// These contain no metadata
+
+	ObservationTypeNomadConfigAccessRead   = "nomad/config/access/read"
+	ObservationTypeNomadConfigAccessWrite  = "nomad/config/access/write"
+	ObservationTypeNomadConfigAccessDelete = "nomad/config/access/delete"
+
+	// Lease config observation types
+	// These contain ttl and max_ttl as metadata
+
+	ObservationTypeNomadConfigLeaseRead   = "nomad/config/lease/read"
+	ObservationTypeNomadConfigLeaseWrite  = "nomad/config/lease/write"
+	ObservationTypeNomadConfigLeaseDelete = "nomad/config/lease/delete"
+
+	// Credential success observation type
+	// This contains role_name, token_type, global, ttl, max_ttl, accessor_id as metadata
+
+	ObservationTypeNomadCredentialCreateSuccess = "nomad/credential/create/success"
+
+	// Credential fail observation type
+	// This contains role_name, token_type, global, ttl, max_ttl as metadata
+
+	ObservationTypeNomadCredentialCreateFail = "nomad/credential/create/fail"
+
+	// Credential revoke observation type
+	// This contains accessor_id as metadata
+
+	ObservationTypeNomadCredentialRevoke = "nomad/credential/revoke"
+
+	// Credential renew observation type
+	// This contains ttl, max_ttl, accessor_id as metadata
+
+	ObservationTypeNomadCredentialRenew = "nomad/credential/renew"
+)
diff --git a/builtin/logical/nomad/path_config_access.go b/builtin/logical/nomad/path_config_access.go
@@ -123,6 +123,7 @@ func (b *backend) pathConfigAccessRead(ctx context.Context, req *logical.Request
 		return nil, nil
 	}
 
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigAccessRead, nil)
 	return &logical.Response{
 		Data: map[string]interface{}{
 			"address":               conf.Address,
@@ -177,6 +178,7 @@ func (b *backend) pathConfigAccessWrite(ctx context.Context, req *logical.Reques
 
 	conf.MaxTokenNameLength = data.Get("max_token_name_length").(int)
 
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigAccessWrite, nil)
 	entry, err := logical.StorageEntryJSON("config/access", conf)
 	if err != nil {
 		return nil, err
@@ -192,6 +194,7 @@ func (b *backend) pathConfigAccessDelete(ctx context.Context, req *logical.Reque
 	if err := req.Storage.Delete(ctx, configAccessKey); err != nil {
 		return nil, err
 	}
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigAccessDelete, nil)
 	return nil, nil
 }
 
diff --git a/builtin/logical/nomad/path_config_lease.go b/builtin/logical/nomad/path_config_lease.go
@@ -63,16 +63,22 @@ func pathConfigLease(b *backend) *framework.Path {
 
 // Sets the lease configuration parameters
 func (b *backend) pathLeaseUpdate(ctx context.Context, req *logical.Request, d *framework.FieldData) (*logical.Response, error) {
+	ttl := time.Second * time.Duration(d.Get("ttl").(int))
+	maxTTL := time.Second * time.Duration(d.Get("max_ttl").(int))
 	entry, err := logical.StorageEntryJSON("config/lease", &configLease{
-		TTL:    time.Second * time.Duration(d.Get("ttl").(int)),
-		MaxTTL: time.Second * time.Duration(d.Get("max_ttl").(int)),
+		TTL:    ttl,
+		MaxTTL: maxTTL,
 	})
 	if err != nil {
 		return nil, err
 	}
 	if err := req.Storage.Put(ctx, entry); err != nil {
 		return nil, err
 	}
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigLeaseWrite, map[string]interface{}{
+		"ttl":     ttl.String(),
+		"max_ttl": maxTTL.String(),
+	})
 
 	return nil, nil
 }
@@ -82,6 +88,7 @@ func (b *backend) pathLeaseDelete(ctx context.Context, req *logical.Request, d *
 		return nil, err
 	}
 
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigLeaseDelete, nil)
 	return nil, nil
 }
 
@@ -95,6 +102,10 @@ func (b *backend) pathLeaseRead(ctx context.Context, req *logical.Request, data
 		return nil, nil
 	}
 
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigLeaseRead, map[string]interface{}{
+		"ttl":     lease.TTL.String(),
+		"max_ttl": lease.MaxTTL.String(),
+	})
 	return &logical.Response{
 		Data: map[string]interface{}{
 			"ttl":     int64(lease.TTL.Seconds()),
diff --git a/builtin/logical/nomad/path_creds_create.go b/builtin/logical/nomad/path_creds_create.go
@@ -82,6 +82,14 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
 		tokenName = tokenName[:tokenNameLength]
 	}
 
+	metadata := map[string]interface{}{
+		"role_name":  name,
+		"token_type": role.TokenType,
+		"global":     role.Global,
+		"ttl":        leaseConfig.TTL.String(),
+		"max_ttl":    leaseConfig.MaxTTL.String(),
+	}
+
 	// Create it
 	token, _, err := c.ACLTokens().Create(&api.ACLToken{
 		Name:     tokenName,
@@ -90,6 +98,7 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
 		Global:   role.Global,
 	}, nil)
 	if err != nil {
+		b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadCredentialCreateFail, metadata)
 		return nil, err
 	}
 
@@ -103,5 +112,7 @@ func (b *backend) pathTokenRead(ctx context.Context, req *logical.Request, d *fr
 	resp.Secret.TTL = leaseConfig.TTL
 	resp.Secret.MaxTTL = leaseConfig.MaxTTL
 
+	metadata["accessor_id"] = token.AccessorID
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadCredentialCreateSuccess, metadata)
 	return resp, nil
 }
diff --git a/builtin/logical/nomad/path_roles.go b/builtin/logical/nomad/path_roles.go
@@ -132,6 +132,11 @@ func (b *backend) pathRolesRead(ctx context.Context, req *logical.Request, d *fr
 			"policies": role.Policies,
 		},
 	}
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadRoleRead, map[string]interface{}{
+		"role_name":  name,
+		"token_type": role.TokenType,
+		"global":     role.Global,
+	})
 	return resp, nil
 }
 
@@ -182,6 +187,12 @@ func (b *backend) pathRolesWrite(ctx context.Context, req *logical.Request, d *f
 		return nil, err
 	}
 
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadRoleWrite, map[string]interface{}{
+		"role_name":  name,
+		"token_type": role.TokenType,
+		"global":     role.Global,
+	})
+
 	return nil, nil
 }
 
@@ -190,6 +201,9 @@ func (b *backend) pathRolesDelete(ctx context.Context, req *logical.Request, d *
 	if err := req.Storage.Delete(ctx, "role/"+name); err != nil {
 		return nil, err
 	}
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadRoleDelete, map[string]interface{}{
+		"role_name": name,
+	})
 	return nil, nil
 }
 
diff --git a/builtin/logical/nomad/secret_token.go b/builtin/logical/nomad/secret_token.go
@@ -42,6 +42,18 @@ func (b *backend) secretTokenRenew(ctx context.Context, req *logical.Request, d
 	resp := &logical.Response{Secret: req.Secret}
 	resp.Secret.TTL = lease.TTL
 	resp.Secret.MaxTTL = lease.MaxTTL
+	accessorID := ""
+	if req.Secret.InternalData != nil {
+		accessorIDRaw, ok := req.Secret.InternalData["accessor_id"]
+		if ok {
+			accessorID, _ = accessorIDRaw.(string)
+		}
+	}
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadCredentialRenew, map[string]interface{}{
+		"ttl":         lease.TTL.String(),
+		"max_ttl":     lease.MaxTTL.String(),
+		"accessor_id": accessorID,
+	})
 	return resp, nil
 }
 
@@ -68,5 +80,9 @@ func (b *backend) secretTokenRevoke(ctx context.Context, req *logical.Request, d
 		return nil, err
 	}
 
+	b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadCredentialRevoke, map[string]interface{}{
+		"accessor_id": accessorID,
+	})
+
 	return nil, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -123,6 +123,7 @@ func (b backend) pathConfigAccessRead(ctx context.Context, req logical.Request`
`123`	`123`	`return nil, nil`
`124`	`124`	`}`
`125`	`125`
	`126`	`+ b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigAccessRead, nil)`
`126`	`127`	`return &logical.Response{`
`127`	`128`	`Data: map[string]interface{}{`
`128`	`129`	`"address": conf.Address,`
`@@ -177,6 +178,7 @@ func (b backend) pathConfigAccessWrite(ctx context.Context, req logical.Reques`
`177`	`178`
`178`	`179`	`conf.MaxTokenNameLength = data.Get("max_token_name_length").(int)`
`179`	`180`
	`181`	`+ b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigAccessWrite, nil)`
`180`	`182`	`entry, err := logical.StorageEntryJSON("config/access", conf)`
`181`	`183`	`if err != nil {`
`182`	`184`	`return nil, err`
`@@ -192,6 +194,7 @@ func (b backend) pathConfigAccessDelete(ctx context.Context, req logical.Reque`
`192`	`194`	`if err := req.Storage.Delete(ctx, configAccessKey); err != nil {`
`193`	`195`	`return nil, err`
`194`	`196`	`}`
	`197`	`+ b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadConfigAccessDelete, nil)`
`195`	`198`	`return nil, nil`
`196`	`199`	`}`
`197`	`200`
Original file line number	Diff line number	Diff line change
`@@ -132,6 +132,11 @@ func (b backend) pathRolesRead(ctx context.Context, req logical.Request, d *fr`
`132`	`132`	`"policies": role.Policies,`
`133`	`133`	`},`
`134`	`134`	`}`
	`135`	`+ b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadRoleRead, map[string]interface{}{`
	`136`	`+ "role_name": name,`
	`137`	`+ "token_type": role.TokenType,`
	`138`	`+ "global": role.Global,`
	`139`	`+ })`
`135`	`140`	`return resp, nil`
`136`	`141`	`}`
`137`	`142`
`@@ -182,6 +187,12 @@ func (b backend) pathRolesWrite(ctx context.Context, req logical.Request, d *f`
`182`	`187`	`return nil, err`
`183`	`188`	`}`
`184`	`189`
	`190`	`+ b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadRoleWrite, map[string]interface{}{`
	`191`	`+ "role_name": name,`
	`192`	`+ "token_type": role.TokenType,`
	`193`	`+ "global": role.Global,`
	`194`	`+ })`
	`195`	`+`
`185`	`196`	`return nil, nil`
`186`	`197`	`}`
`187`	`198`
`@@ -190,6 +201,9 @@ func (b backend) pathRolesDelete(ctx context.Context, req logical.Request, d *`
`190`	`201`	`if err := req.Storage.Delete(ctx, "role/"+name); err != nil {`
`191`	`202`	`return nil, err`
`192`	`203`	`}`
	`204`	`+ b.TryRecordObservationWithRequest(ctx, req, ObservationTypeNomadRoleDelete, map[string]interface{}{`
	`205`	`+ "role_name": name,`
	`206`	`+ })`
`193`	`207`	`return nil, nil`
`194`	`208`	`}`
`195`	`209`