Fix accidental debug logging in the OCSP helper client (#28450)

sgmiller · web-flow · commit 4515a016f733 · 2024-09-23T18:17:11.000Z
* Fix accidental debug logging in the OCSP helper client

* changelog
diff --git a/changelog/28450.txt b/changelog/28450.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/cert: During certificate validation, OCSP requests are debug logged even if Vault's log level is above DEBUG.
+```
diff --git a/sdk/helper/ocsp/client.go b/sdk/helper/ocsp/client.go
@@ -612,6 +612,7 @@ func (c *Client) GetRevocationStatus(ctx context.Context, subject, issuer *x509.
 		timeout := defaultOCSPResponderTimeout
 
 		ocspClient := retryablehttp.NewClient()
+		ocspClient.Logger = c.Logger()
 		ocspClient.RetryMax = conf.OcspMaxRetries
 		ocspClient.HTTPClient.Timeout = timeout
 		ocspClient.HTTPClient.Transport = newInsecureOcspTransport(conf.ExtraCas)
diff --git a/sdk/helper/ocsp/ocsp_test.go b/sdk/helper/ocsp/ocsp_test.go
@@ -50,15 +50,16 @@ func TestOCSP(t *testing.T) {
 	for _, tgt := range targetURL {
 		c.ocspResponseCache, _ = lru.New2Q(10)
 		for _, tr := range transports {
-			c := &http.Client{
-				Transport: tr,
-				Timeout:   30 * time.Second,
-			}
-			req, err := http.NewRequest("GET", tgt, bytes.NewReader(nil))
+			ocspClient := retryablehttp.NewClient()
+			ocspClient.Logger = c.Logger()
+			ocspClient.RetryMax = conf.OcspMaxRetries
+			ocspClient.HTTPClient.Timeout = 30 * time.Second
+			ocspClient.HTTPClient.Transport = tr
+			req, err := retryablehttp.NewRequest("GET", tgt, bytes.NewReader(nil))
 			if err != nil {
 				t.Fatalf("fail to create a request. err: %v", err)
 			}
-			res, err := c.Do(req)
+			res, err := ocspClient.Do(req)
 			if err != nil {
 				t.Fatalf("failed to GET contents. err: %v", err)
 			}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	+```release-note:bug
	`2`	`+auth/cert: During certificate validation, OCSP requests are debug logged even if Vault's log level is above DEBUG.`
	`3`	+```