proxy: add support for logging http request headers (#4388)

* config: add customization options for logging * config: validate log fields * proxy: add support for logging http request headers * log subset of headers * fix test name * dont use log.HTTPHeaders for access logs * canonicalize http/2 headers
2025-08-02 16:30:17 +02:00 · 2023-07-25 09:46:42 -06:00 · 2023-07-25 09:46:42 -06:00 · 638d9f3d6c
commit 638d9f3d6c
parent 4698e4661a
11 changed files with 172 additions and 13 deletions
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -311,13 +311,13 @@ func safeEval(ctx context.Context, q rego.PreparedEvalQuery, options ...rego.Eva
 // carryOverJWTAssertion copies assertion JWT from request to response
 // note that src keys are expected to be http.CanonicalHeaderKey
 func carryOverJWTAssertion(dst http.Header, src map[string]string) {
-	jwtForKey := http.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertionFor)
+	jwtForKey := httputil.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertionFor)
 	jwtFor, ok := src[jwtForKey]
 	if ok && jwtFor != "" {
 		dst.Add(jwtForKey, jwtFor)
 		return
 	}
-	jwtFor, ok = src[http.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertion)]
+	jwtFor, ok = src[httputil.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertion)]
 	if ok && jwtFor != "" {
 		dst.Add(jwtForKey, jwtFor)
 	}
--- a/authorize/evaluator/evaluator_test.go
+++ b/authorize/evaluator/evaluator_test.go
@ -422,11 +422,11 @@ func TestEvaluator(t *testing.T) {
 		}{
 			{map[string]string{}, ""},
 			{map[string]string{
-				http.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertion): "identity-a",
+				httputil.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertion): "identity-a",
 			}, "identity-a"},
 			{map[string]string{
-				http.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertionFor): "identity-a",
-				http.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertion):    "identity-b",
+				httputil.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertionFor): "identity-a",
+				httputil.CanonicalHeaderKey(httputil.HeaderPomeriumJWTAssertion):    "identity-b",
 			}, "identity-a"},
 		}
 		for _, tc := range tcs {
--- a/authorize/grpc.go
+++ b/authorize/grpc.go
@ -14,6 +14,7 @@ import (
 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/config/envoyconfig"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/telemetry/requestid"
@ -97,8 +98,7 @@ func (a *Authorize) getEvaluatorRequestFromCheckRequest(
 ) (*evaluator.Request, error) {
 	requestURL := getCheckRequestURL(in)
 	attrs := in.GetAttributes()
-	clientCertMetadata :=
-		attrs.GetMetadataContext().GetFilterMetadata()["com.pomerium.client-certificate-info"]
+	clientCertMetadata := attrs.GetMetadataContext().GetFilterMetadata()["com.pomerium.client-certificate-info"]
 	req := &evaluator.Request{
 		IsInternal: envoyconfig.ExtAuthzContextExtensionsIsInternal(attrs.GetContextExtensions()),
 		HTTP: evaluator.NewRequestHTTP(
@ -152,7 +152,7 @@ func getCheckRequestHeaders(req *envoy_service_auth_v3.CheckRequest) map[string]
 	hdrs := make(map[string]string)
 	ch := req.GetAttributes().GetRequest().GetHttp().GetHeaders()
 	for k, v := range ch {
-		hdrs[http.CanonicalHeaderKey(k)] = v
+		hdrs[httputil.CanonicalHeaderKey(k)] = v
 	}
 	return hdrs
 }
--- a/authorize/log.go
+++ b/authorize/log.go
@ -31,9 +31,11 @@ func (a *Authorize) logAuthorizeCheck(
 	impersonateDetails := a.getImpersonateDetails(ctx, s)

 	evt := log.Info(ctx).Str("service", "authorize")
-	for _, field := range a.currentOptions.Load().GetAuthorizeLogFields() {
+	fields := a.currentOptions.Load().GetAuthorizeLogFields()
+	for _, field := range fields {
 		evt = populateLogEvent(ctx, field, evt, in, s, u, hdrs, impersonateDetails)
 	}
+	evt = log.HTTPHeaders(evt, fields, hdrs)

 	// result
 	if res != nil {
@ -155,8 +157,6 @@ func populateLogEvent(
 		return evt.Str(string(field), hdrs["X-Request-Id"])
 	case log.AuthorizeLogFieldEmail:
 		return evt.Str(string(field), u.GetEmail())
-	case log.AuthorizeLogFieldHeaders:
-		return evt.Interface(string(field), hdrs)
 	case log.AuthorizeLogFieldHost:
 		return evt.Str(string(field), in.GetAttributes().GetRequest().GetHttp().GetHost())
 	case log.AuthorizeLogFieldImpersonateEmail: