add authenticate events

authenticate/middleware.go

@@ -2,10 +2,14 @@ package authenticate
 
 import (
 	"net/http"
+	"net/url"
 
 	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/middleware"
 	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc/identity"
+	"github.com/pomerium/pomerium/pkg/hpke"
 )
 
 // requireValidSignatureOnRedirect validates the pomerium_signature if a redirect_uri or pomerium_signature
@@ -48,3 +52,40 @@ func (a *Authenticate) getExternalRequest(r *http.Request) *http.Request {
 
 	return urlutil.GetExternalRequest(internalURL, externalURL, r)
 }
+
+func (a *Authenticate) logAuthenticateEvent(r *http.Request, profile *identity.Profile) {
+	state := a.state.Load()
+	ctx := r.Context()
+	pub, params, err := hpke.DecryptURLValues(state.hpkePrivateKey, r.Form)
+	if err != nil {
+		log.Warn(ctx).Err(err).Msg("log authenticate event: failed to decrypt request params")
+	}
+
+	evt := log.Info(ctx).
+		Str("pomerium_version", params.Get(urlutil.QueryVersion)).
+		Str("pomerium_request_uuid", params.Get(urlutil.QueryRequestUUID)).
+		Str("pomerium_pub", pub.String())
+
+	if uid := getUserID(profile); uid != "" {
+		evt = evt.Str("authenticate_event", "sign_in_completed").
+			Str("pomerium_idp_user", getUserID(profile))
+	} else {
+		evt = evt.Str("authenticate_event", "sign_in")
+	}
+
+	if redirectURL, err := url.Parse(params.Get(urlutil.QueryRedirectURI)); err == nil {
+		evt = evt.Str("domain", redirectURL.Hostname())
+	}
+
+	evt.Msg("authenticate: event")
+}
+
+func getUserID(profile *identity.Profile) string {
+	if profile == nil {
+		return ""
+	}
+	if profile.Claims == nil {
+		return ""
+	}
+	return profile.Claims.Fields["sub"].GetStringValue()
+}