yhsm: Add command for dealing with the audit log.

YubiCo docs state that only 1-60 are valid index values. I've set this
value to well beyond 60 in testing. These docs don't say what happens
when the index (u16) rolls over.

https://docs.yubico.com/hardware/yubihsm-2/hsm-2-user-guide/hsm2-cmd-reference.html#set-log-index-command

Author: flihp

src/bin/yhsm.rs

@@ -9,7 +9,7 @@ use log::LevelFilter;
 use std::{path::PathBuf, str::FromStr};
 use yubihsm::{
     object::{Id, Type},
-    Client, Connector, Credentials, UsbConfig,
+    AuditOption, Client, Connector, Credentials, UsbConfig,
 };
 
 #[derive(Parser, Debug)]
@@ -29,8 +29,48 @@ struct Args {
     verbose: bool,
 }
 
+#[derive(Subcommand, Clone, Debug, PartialEq)]
+enum LogCommand {
+    /// dump log serialized to JSON
+    Json,
+
+    /// Set the index of the last entry consumed from the HSM audit log.
+    /// This causes entries with a lower index to be deleted.
+    SetIndex {
+        /// Last entry consumed.
+        index: u16,
+    },
+}
+
+#[derive(Subcommand, Clone, Debug, PartialEq)]
+enum AuditCommand {
+    /// Set the `force-audit` option to the disabled state.
+    Disable,
+
+    /// Set the `force-audit` option to the enabled state.
+    Enable,
+
+    /// Set the `force-audit` option to the locked state.
+    Lock,
+
+    /// Query the state of the `force-audit` option.
+    Query,
+
+    /// Manage the audit log.
+    Log {
+        #[command(subcommand)]
+        command: Option<LogCommand>,
+    },
+}
+
 #[derive(Subcommand, Debug, PartialEq)]
 enum Command {
+    /// Get / Set the state of the `force-audit` option.
+    Audit {
+        #[command(subcommand)]
+        command: AuditCommand,
+    },
+
     /// Export an object identified under wrap.
     Backup {
         /// Object ID: https://developers.yubico.com/YubiHSM2/Concepts/Object_ID.html
@@ -98,6 +138,34 @@ fn main() -> Result<()> {
     let client = Client::open(connector, credentials, true)?;
 
     match args.command {
+        Command::Audit { command } => match command {
+            AuditCommand::Disable => {
+                Ok(client.set_force_audit_option(AuditOption::Off)?)
+            }
+            AuditCommand::Enable => {
+                Ok(client.set_force_audit_option(AuditOption::On)?)
+            }
+            AuditCommand::Lock => Ok(oks::hsm::audit_lock(&client)?),
+            AuditCommand::Query => {
+                let state = client.get_force_audit_option()?;
+                println!("{:?}", state);
+                Ok(())
+            }
+            AuditCommand::Log { command } => match command {
+                None | Some(LogCommand::Json) => {
+                    let entries = client.get_log_entries()?;
+                    if entries.entries.last().is_some() {
+                        println!("{}", serde_json::to_string_pretty(&entries)?);
+                        Ok(())
+                    } else {
+                        Err(anyhow::anyhow!("audit log contains no entries"))
+                    }
+                }
+                Some(LogCommand::SetIndex { index }) => {
+                    Ok(client.set_log_index(index)?)
+                }
+            },
+        },
         Command::Backup { id, kind, file } => {
             // this is a bit weird but necessary because the Type type
             // returns () on error, not a type implementing std::Error

src/hsm.rs

@@ -24,7 +24,8 @@ use yubihsm::{
     authentication::{self, Key, DEFAULT_AUTHENTICATION_KEY_ID},
     object::{Id, Label, Type},
     wrap::{self, Message},
-    Capability, Client, Connector, Credentials, Domain, HttpConfig, UsbConfig,
+    AuditOption, Capability, Client, Connector, Credentials, Domain,
+    HttpConfig, UsbConfig,
 };
 use zeroize::Zeroizing;
 
@@ -699,6 +700,14 @@ pub fn reset(client: &Client) -> Result<()> {
     Ok(())
 }
 
+pub fn audit_lock(client: &Client) -> Result<()> {
+    if are_you_sure()? {
+        Ok(client.set_force_audit_option(AuditOption::Fix)?)
+    } else {
+        Err(anyhow::anyhow!("command aborted"))
+    }
+}
+
 // consts for our authentication credential
 const AUTH_DOMAINS: Domain = Domain::all();
 const AUTH_CAPS: Capability = Capability::all();