authorize: log service account and impersonation details (#2354)

authorize/grpc.go

@@ -43,7 +43,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 	rawJWT, _ := loadRawSession(hreq, a.currentOptions.Load(), state.encoder)
 	sessionState, _ := loadSession(state.encoder, rawJWT)
 
-	u, err := a.forceSync(ctx, sessionState)
+	s, u, err := a.forceSync(ctx, sessionState)
 	if err != nil {
 		log.Warn(ctx).Err(err).Msg("clearing session due to force sync failed")
 		sessionState = nil
@@ -64,7 +64,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe
 		return nil, err
 	}
 	defer func() {
-		a.logAuthorizeCheck(ctx, in, out, res, u)
+		a.logAuthorizeCheck(ctx, in, out, res, s, u)
 	}()
 
 	if res.Deny != nil {

authorize/log.go

@@ -12,13 +12,14 @@ import (
 	"github.com/pomerium/pomerium/internal/telemetry/requestid"
 	"github.com/pomerium/pomerium/internal/telemetry/trace"
 	"github.com/pomerium/pomerium/pkg/grpc/audit"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
 	"github.com/pomerium/pomerium/pkg/grpc/user"
 )
 
 func (a *Authorize) logAuthorizeCheck(
 	ctx context.Context,
 	in *envoy_service_auth_v3.CheckRequest, out *envoy_service_auth_v3.CheckResponse,
-	res *evaluator.Result, u *user.User,
+	res *evaluator.Result, s sessionOrServiceAccount, u *user.User,
 ) {
 	ctx, span := trace.StartSpan(ctx, "authorize.grpc.LogAuthorizeCheck")
 	defer span.End()
@@ -33,6 +34,33 @@ func (a *Authorize) logAuthorizeCheck(
 	evt = evt.Str("path", stripQueryString(hattrs.GetPath()))
 	evt = evt.Str("host", hattrs.GetHost())
 	evt = evt.Str("query", hattrs.GetQuery())
+
+	// session information
+	if s, ok := s.(*session.Session); ok {
+		evt = evt.Str("session-id", s.GetId())
+		if s.GetImpersonateEmail() != "" {
+			evt = evt.Str("impersonate-email", s.GetImpersonateEmail())
+		}
+		if len(s.GetImpersonateGroups()) > 0 {
+			evt = evt.Strs("impersonate-groups", s.GetImpersonateGroups())
+		}
+		if s.GetImpersonateUserId() != "" {
+			evt = evt.Str("impersonate-user-id", s.GetImpersonateUserId())
+		}
+	}
+	if sa, ok := s.(*user.ServiceAccount); ok {
+		evt = evt.Str("service-account-id", sa.GetId())
+		if sa.GetImpersonateEmail() != "" {
+			evt = evt.Str("impersonate-email", sa.GetImpersonateEmail())
+		}
+		if len(sa.GetImpersonateGroups()) > 0 {
+			evt = evt.Strs("impersonate-groups", sa.GetImpersonateGroups())
+		}
+		if sa.GetImpersonateUserId() != "" {
+			evt = evt.Str("impersonate-user-id", sa.GetImpersonateUserId())
+		}
+	}
+
 	// result
 	if res != nil {
 		evt = evt.Bool("allow", res.Allow)

authorize/sync.go

@@ -65,18 +65,18 @@ func (syncer *dataBrokerSyncer) UpdateRecords(ctx context.Context, serverVersion
 	})
 }
 
-func (a *Authorize) forceSync(ctx context.Context, ss *sessions.State) (*user.User, error) {
+func (a *Authorize) forceSync(ctx context.Context, ss *sessions.State) (sessionOrServiceAccount, *user.User, error) {
 	ctx, span := trace.StartSpan(ctx, "authorize.forceSync")
 	defer span.End()
 	if ss == nil {
-		return nil, nil
+		return nil, nil, nil
 	}
 	s := a.forceSyncSession(ctx, ss.ID)
 	if s == nil {
-		return nil, errors.New("session not found")
+		return nil, nil, errors.New("session not found")
 	}
 	u := a.forceSyncUser(ctx, s.GetUserId())
-	return u, nil
+	return s, u, nil
 }
 
 func (a *Authorize) forceSyncSession(ctx context.Context, sessionID string) sessionOrServiceAccount {