From b182ef350efb81d917d30fede17d23d77a491b0d Mon Sep 17 00:00:00 2001
From: Kenneth Jenkins <51246568+kenjenkins@users.noreply.github.com>
Date: Tue, 27 Feb 2024 14:01:19 -0800
Subject: [PATCH] authorize: log service account user ID (#4964)

Currently the 'user-id' field of the authorize logs is empty for requests authenticated via a service account, as there is no associated User object. Instead, populate this log field directly from the the sessionOrServiceAccount value, to handle both types of user.
---
 authorize/log.go | 6 +++++-
 authorize/log_test.go | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/authorize/log.go b/authorize/log.go
index 8e220ce96..d6a069009 100644
--- a/authorize/log.go
+++ b/authorize/log.go
@@ -212,7 +212,11 @@ func populateLogEvent(
 		}
 		return evt
 	case log.AuthorizeLogFieldUser:
-		return evt.Str(string(field), u.GetId())
+		var userID string
+		if s != nil {
+			userID = s.GetUserId()
+		}
+		return evt.Str(string(field), userID)
 	default:
 		return evt
 	}
diff --git a/authorize/log_test.go b/authorize/log_test.go
index a9cbd98f5..e03c1da70 100644
--- a/authorize/log_test.go
+++ b/authorize/log_test.go
@@ -49,9 +49,11 @@ func Test_populateLogEvent(t *testing.T) {
 			IdToken: &session.IDToken{
 				Raw: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2OTAzMTU4NjIsImV4cCI6MTcyMTg1MTg2MiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.AAojgaG0fjMFwMCAC6YALHHMFIZEedFSP_vMGhiHhso",
 			},
+			UserId: "USER-ID",
 		}
 		sa := &user.ServiceAccount{
-			Id: "SERVICE-ACCOUNT-ID",
+			Id:     "SERVICE-ACCOUNT-ID",
+			UserId: "SERVICE-ACCOUNT-USER-ID",
 		}
 		u := &user.User{
 			Id: "USER-ID",
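Review bot: The `if s != nil` guard in the new `case log.AuthorizeLogFieldUser` branch only rejects a nil interface value; if `s` is an interface (its type is declared outside the hunk), a typed-nil `*session.Session` or `*user.ServiceAccount` stored in it passes the check and `s.GetUserId()` runs on a nil receiver, which is only safe if these are protobuf-generated getters. Worth confirming those getters are nil-safe, or adding a test row that passes a typed-nil pointer alongside the `nil` row added in log_test.go. The branch also deserves a why-comment now that `u` is no longer consulted here: `// Take the user ID from the session or service account rather than u, which is absent for service-account requests.` populateLogEvent's signature and the rest of its body lie outside the hunk.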
@@ -84,6 +86,8 @@ func Test_populateLogEvent(t *testing.T) {
 		{log.AuthorizeLogFieldServiceAccountID, sa, `{"service-account-id":"SERVICE-ACCOUNT-ID"}`},
 		{log.AuthorizeLogFieldSessionID, s, `{"session-id":"SESSION-ID"}`},
 		{log.AuthorizeLogFieldUser, s, `{"user":"USER-ID"}`},
+		{log.AuthorizeLogFieldUser, sa, `{"user":"SERVICE-ACCOUNT-USER-ID"}`},
+		{log.AuthorizeLogFieldUser, nil, `{"user":""}`},
 	} {
 		tc := tc