authorize: log service account user ID (#4964)

Currently the 'user-id' field of the authorize logs is empty for requests authenticated via a service account, as there is no associated User object. Instead, populate this log field directly from the the sessionOrServiceAccount value, to handle both types of user.
2025-04-29 10:26:29 +02:00 · 2024-02-27 14:01:19 -08:00 · 2024-02-27 14:01:19 -08:00 · b182ef350e
commit b182ef350e
parent b6c100d880
2 changed files with 10 additions and 2 deletions
--- a/authorize/log.go
+++ b/authorize/log.go
@ -212,7 +212,11 @@ func populateLogEvent(
 		}
 		return evt
 	case log.AuthorizeLogFieldUser:
-		return evt.Str(string(field), u.GetId())
+		var userID string
+		if s != nil {
+			userID = s.GetUserId()
+		}
+		return evt.Str(string(field), userID)
 	default:
 		return evt
 	}
--- a/authorize/log_test.go
+++ b/authorize/log_test.go
@ -49,9 +49,11 @@ func Test_populateLogEvent(t *testing.T) {
 		IdToken: &session.IDToken{
 			Raw: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJPbmxpbmUgSldUIEJ1aWxkZXIiLCJpYXQiOjE2OTAzMTU4NjIsImV4cCI6MTcyMTg1MTg2MiwiYXVkIjoid3d3LmV4YW1wbGUuY29tIiwic3ViIjoianJvY2tldEBleGFtcGxlLmNvbSIsIkdpdmVuTmFtZSI6IkpvaG5ueSIsIlN1cm5hbWUiOiJSb2NrZXQiLCJFbWFpbCI6Impyb2NrZXRAZXhhbXBsZS5jb20iLCJSb2xlIjpbIk1hbmFnZXIiLCJQcm9qZWN0IEFkbWluaXN0cmF0b3IiXX0.AAojgaG0fjMFwMCAC6YALHHMFIZEedFSP_vMGhiHhso",
 		},
+		UserId: "USER-ID",
 	}
 	sa := &user.ServiceAccount{
 		Id:     "SERVICE-ACCOUNT-ID",
+		UserId: "SERVICE-ACCOUNT-USER-ID",
 	}
 	u := &user.User{
 		Id:    "USER-ID",
@ -84,6 +86,8 @@ func Test_populateLogEvent(t *testing.T) {
 		{log.AuthorizeLogFieldServiceAccountID, sa, `{"service-account-id":"SERVICE-ACCOUNT-ID"}`},
 		{log.AuthorizeLogFieldSessionID, s, `{"session-id":"SESSION-ID"}`},
 		{log.AuthorizeLogFieldUser, s, `{"user":"USER-ID"}`},
+		{log.AuthorizeLogFieldUser, sa, `{"user":"SERVICE-ACCOUNT-USER-ID"}`},
+		{log.AuthorizeLogFieldUser, nil, `{"user":""}`},
 	} {

 		tc := tc