generalize events

This commit is contained in:
Denis Mishin 2023-04-25 22:54:49 -04:00
parent 9ba7ead459
commit f1ac2540fd
2 changed files with 12 additions and 43 deletions


@ -1,6 +1,8 @@
package authenticate package authenticate
import ( import (
"context"
"github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/identity" "github.com/pomerium/pomerium/internal/identity"
identitypb "github.com/pomerium/pomerium/pkg/grpc/identity" identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
@ -9,6 +11,7 @@ import (
type authenticateConfig struct { type authenticateConfig struct {
getIdentityProvider func(options *config.Options, idpID string) (identity.Authenticator, error) getIdentityProvider func(options *config.Options, idpID string) (identity.Authenticator, error)
profileTrimFn func(*identitypb.Profile) profileTrimFn func(*identitypb.Profile)
authEventFn AuthEventFn
} }
// An Option customizes the Authenticate config. // An Option customizes the Authenticate config.
@ -17,6 +20,8 @@ type Option func(*authenticateConfig)
func getAuthenticateConfig(options ...Option) *authenticateConfig { func getAuthenticateConfig(options ...Option) *authenticateConfig {
cfg := new(authenticateConfig) cfg := new(authenticateConfig)
WithGetIdentityProvider(defaultGetIdentityProvider)(cfg) WithGetIdentityProvider(defaultGetIdentityProvider)(cfg)
WithOnAuthenticationEventHook(func(_ context.Context, _ AuthEvent) {})(cfg)
for _, option := range options { for _, option := range options {
option(cfg) option(cfg)
} }
@ -36,3 +41,10 @@ func WithProfileTrimFn(profileTrimFn func(*identitypb.Profile)) Option {
cfg.profileTrimFn = profileTrimFn cfg.profileTrimFn = profileTrimFn
} }
} }
// WithOnAuthenticationEventHook sets the authEventFn function in the config
func WithOnAuthenticationEventHook(fn AuthEventFn) Option {
return func(cfg *authenticateConfig) {
cfg.authEventFn = fn
}
}
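Review bot: The default hook registered in getAuthenticateConfig discards every event, so the sign-in log record that the deleted logAuthenticateEvent in the second file used to emit (client IP, idp user, redirect domain) now appears only when a caller passes `WithOnAuthenticationEventHook`; unless a logging default is wired elsewhere (not visible on this page), a plain `getAuthenticateConfig()` silently loses that audit trail, which should be confirmed or stated in the doc comment. Separately, `WithOnAuthenticationEventHook(nil)` overwrites the no-op with a nil func, and the eventual call of `cfg.authEventFn` would panic; guarding the setter keeps the invariant the default establishes: `if fn != nil { cfg.authEventFn = fn }`. The doc comment could spell out that contract, e.g. `// WithOnAuthenticationEventHook sets the hook invoked for each authentication event; the default discards events.` The `AuthEvent` and `AuthEventFn` types are defined outside this hunk, so what the hook actually receives cannot be checked here.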


@ -1,16 +1,11 @@
package authenticate package authenticate
import ( import (
"context"
"net/http" "net/http"
"net/url"
"github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/middleware" "github.com/pomerium/pomerium/internal/middleware"
"github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/grpc/identity"
"github.com/pomerium/pomerium/pkg/hpke"
) )
// requireValidSignatureOnRedirect validates the pomerium_signature if a redirect_uri or pomerium_signature // requireValidSignatureOnRedirect validates the pomerium_signature if a redirect_uri or pomerium_signature
@ -53,41 +48,3 @@ func (a *Authenticate) getExternalRequest(r *http.Request) *http.Request {
return urlutil.GetExternalRequest(internalURL, externalURL, r) return urlutil.GetExternalRequest(internalURL, externalURL, r)
} }
func (a *Authenticate) logAuthenticateEvent(r *http.Request, profile *identity.Profile) {
state := a.state.Load()
ctx := r.Context()
pub, params, err := hpke.DecryptURLValues(state.hpkePrivateKey, r.Form)
if err != nil {
log.Warn(ctx).Err(err).Msg("log authenticate event: failed to decrypt request params")
}
evt := log.Info(context.Background()).
Str("ip", httputil.GetClientIP(r)).
Str("pomerium_version", params.Get(urlutil.QueryVersion)).
Str("pomerium_request_uuid", params.Get(urlutil.QueryRequestUUID)).
Str("pomerium_pub", pub.String())
if uid := getUserID(profile); uid != "" {
evt = evt.Str("authenticate_event", "sign_in_completed").
Str("pomerium_idp_user", getUserID(profile))
} else {
evt = evt.Str("authenticate_event", "sign_in")
}
if redirectURL, err := url.Parse(params.Get(urlutil.QueryRedirectURI)); err == nil {
evt = evt.Str("domain", redirectURL.Hostname())
}
evt.Msg("authenticate: event")
}
func getUserID(profile *identity.Profile) string {
if profile == nil {
return ""
}
if profile.Claims == nil {
return ""
}
return profile.Claims.Fields["sub"].GetStringValue()
}