diff --git a/authenticate/config.go b/authenticate/config.go
index b0ed926f8..7a6f571ea 100644
--- a/authenticate/config.go
+++ b/authenticate/config.go
@@ -1,6 +1,8 @@
 package authenticate
 
 import (
+	"context"
+
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/identity"
 	identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
@@ -9,6 +11,7 @@ import (
 type authenticateConfig struct {
 	getIdentityProvider func(options *config.Options, idpID string) (identity.Authenticator, error)
 	profileTrimFn       func(*identitypb.Profile)
+	authEventFn         AuthEventFn
 }
 
 // An Option customizes the Authenticate config.
@@ -17,6 +20,8 @@ type Option func(*authenticateConfig)
 func getAuthenticateConfig(options ...Option) *authenticateConfig {
 	cfg := new(authenticateConfig)
 	WithGetIdentityProvider(defaultGetIdentityProvider)(cfg)
+	WithOnAuthenticationEventHook(func(_ context.Context, _ AuthEvent) {})(cfg)
+
 	for _, option := range options {
 		option(cfg)
 	}
@@ -36,3 +41,10 @@ func WithProfileTrimFn(profileTrimFn func(*identitypb.Profile)) Option {
 		cfg.profileTrimFn = profileTrimFn
 	}
 }
+
+// WithOnAuthenticationEventHook sets the authEventFn function in the config
+func WithOnAuthenticationEventHook(fn AuthEventFn) Option {
+	return func(cfg *authenticateConfig) {
+		cfg.authEventFn = fn
+	}
+}
diff --git a/authenticate/middleware.go b/authenticate/middleware.go
index 77328ebb0..86cc3cbdb 100644
--- a/authenticate/middleware.go
+++ b/authenticate/middleware.go
@@ -1,16 +1,11 @@
 package authenticate
 
 import (
-	"context"
 	"net/http"
-	"net/url"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/middleware"
 	"github.com/pomerium/pomerium/internal/urlutil"
-	"github.com/pomerium/pomerium/pkg/grpc/identity"
-	"github.com/pomerium/pomerium/pkg/hpke"
 )
 
 // requireValidSignatureOnRedirect validates the pomerium_signature if a redirect_uri or pomerium_signature 
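Review bot: WithOnAuthenticationEventHook in the last config.go hunk stores fn unconditionally, so an explicit `WithOnAuthenticationEventHook(nil)` overwrites the no-op default installed in getAuthenticateConfig and leaves cfg.authEventFn nil for whatever later invokes the hook (the call site is not in this diff). Guard the option so nil keeps the default instead of replacing it: `if fn == nil { return }` as the first statement of the returned closure, before `cfg.authEventFn = fn`. The doc comment names the field rather than the contract; suggest `// WithOnAuthenticationEventHook sets the function invoked on authentication events; a nil fn keeps the default no-op hook.` Since the default hook discards events and the unconditional sign_in/sign_in_completed log lines from logAuthenticateEvent are removed in middleware.go, a deployment that never registers a hook loses that sign-in audit trail — presumably the wiring is elsewhere in this change, but it is worth confirming.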
@@ -53,41 +48,3 @@ func (a *Authenticate) getExternalRequest(r *http.Request) *http.Request {
 
 	return urlutil.GetExternalRequest(internalURL, externalURL, r)
 }
-
-func (a *Authenticate) logAuthenticateEvent(r *http.Request, profile *identity.Profile) {
-	state := a.state.Load()
-	ctx := r.Context()
-	pub, params, err := hpke.DecryptURLValues(state.hpkePrivateKey, r.Form)
-	if err != nil {
-		log.Warn(ctx).Err(err).Msg("log authenticate event: failed to decrypt request params")
-	}
-
-	evt := log.Info(context.Background()).
-		Str("ip", httputil.GetClientIP(r)).
-		Str("pomerium_version", params.Get(urlutil.QueryVersion)).
-		Str("pomerium_request_uuid", params.Get(urlutil.QueryRequestUUID)).
-		Str("pomerium_pub", pub.String())
-
-	if uid := getUserID(profile); uid != "" {
-		evt = evt.Str("authenticate_event", "sign_in_completed").
-			Str("pomerium_idp_user", getUserID(profile))
-	} else {
-		evt = evt.Str("authenticate_event", "sign_in")
-	}
-
-	if redirectURL, err := url.Parse(params.Get(urlutil.QueryRedirectURI)); err == nil {
-		evt = evt.Str("domain", redirectURL.Hostname())
-	}
-
-	evt.Msg("authenticate: event")
-}
-
-func getUserID(profile *identity.Profile) string {
-	if profile == nil {
-		return ""
-	}
-	if profile.Claims == nil {
-		return ""
-	}
-	return profile.Claims.Fields["sub"].GetStringValue()
-}