authorize: log JWT groups filtering

Add a new Authorize Log Fields option for logging the number of groups removed during JWT groups filtering. This will be enabled by default. Additionally, when the log level is Debug (or more verbose), store and log the IDs of any groups removed during JWT groups filtering.
2025-07-30 15:00:51 +02:00 · 2025-01-08 13:33:21 -08:00 · 2025-01-08 13:33:21 -08:00 · 2bde1daab5
commit 2bde1daab5
parent e9786f9719
7 changed files with 84 additions and 29 deletions
--- a/authorize/log.go
+++ b/authorize/log.go
@ -33,7 +33,7 @@ func (a *Authorize) logAuthorizeCheck(
 	evt := log.Ctx(ctx).Info().Str("service", "authorize")
 	fields := a.currentOptions.Load().GetAuthorizeLogFields()
 	for _, field := range fields {
-		evt = populateLogEvent(ctx, field, evt, in, s, u, hdrs, impersonateDetails)
+		evt = populateLogEvent(ctx, field, evt, in, s, u, hdrs, impersonateDetails, res)
 	}
 	evt = log.HTTPHeaders(evt, fields, hdrs)

@ -139,6 +139,7 @@ func populateLogEvent(
 	u *user.User,
 	hdrs map[string]string,
 	impersonateDetails *impersonateDetails,
+	res *evaluator.Result,
 ) *zerolog.Event {
 	path, query, _ := strings.Cut(in.GetAttributes().GetRequest().GetHttp().GetPath(), "?")

@ -205,6 +206,11 @@ func populateLogEvent(
 		}
 		return evt.Str(string(field), userID)
 	default:
+		if res != nil {
+			if v, ok := res.AdditionalLogFields[field]; ok {
+				evt = evt.Interface(string(field), v)
+			}
+		}
 		return evt
 	}
 }