generalize events

authenticate/config.go

@@ -1,6 +1,8 @@
 package authenticate
 
 import (
+	"context"
+
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/identity"
 	identitypb "github.com/pomerium/pomerium/pkg/grpc/identity"
@@ -9,6 +11,7 @@ import (
 type authenticateConfig struct {
 	getIdentityProvider func(options *config.Options, idpID string) (identity.Authenticator, error)
 	profileTrimFn       func(*identitypb.Profile)
+	authEventFn         AuthEventFn
 }
 
 // An Option customizes the Authenticate config.
@@ -17,6 +20,8 @@ type Option func(*authenticateConfig)
 func getAuthenticateConfig(options ...Option) *authenticateConfig {
 	cfg := new(authenticateConfig)
 	WithGetIdentityProvider(defaultGetIdentityProvider)(cfg)
+	WithOnAuthenticationEventHook(func(_ context.Context, _ AuthEvent) {})(cfg)
+
 	for _, option := range options {
 		option(cfg)
 	}
@@ -36,3 +41,10 @@ func WithProfileTrimFn(profileTrimFn func(*identitypb.Profile)) Option {
 		cfg.profileTrimFn = profileTrimFn
 	}
 }
+
+// WithOnAuthenticationEventHook sets the authEventFn function in the config
+func WithOnAuthenticationEventHook(fn AuthEventFn) Option {
+	return func(cfg *authenticateConfig) {
+		cfg.authEventFn = fn
+	}
+}

authenticate/middleware.go

@@ -1,16 +1,11 @@
 package authenticate
 
 import (
-	"context"
 	"net/http"
-	"net/url"
 
 	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/middleware"
 	"github.com/pomerium/pomerium/internal/urlutil"
-	"github.com/pomerium/pomerium/pkg/grpc/identity"
-	"github.com/pomerium/pomerium/pkg/hpke"
 )
 
 // requireValidSignatureOnRedirect validates the pomerium_signature if a redirect_uri or pomerium_signature
@@ -53,41 +48,3 @@ func (a *Authenticate) getExternalRequest(r *http.Request) *http.Request {
 
 	return urlutil.GetExternalRequest(internalURL, externalURL, r)
 }
-
-func (a *Authenticate) logAuthenticateEvent(r *http.Request, profile *identity.Profile) {
-	state := a.state.Load()
-	ctx := r.Context()
-	pub, params, err := hpke.DecryptURLValues(state.hpkePrivateKey, r.Form)
-	if err != nil {
-		log.Warn(ctx).Err(err).Msg("log authenticate event: failed to decrypt request params")
-	}
-
-	evt := log.Info(context.Background()).
-		Str("ip", httputil.GetClientIP(r)).
-		Str("pomerium_version", params.Get(urlutil.QueryVersion)).
-		Str("pomerium_request_uuid", params.Get(urlutil.QueryRequestUUID)).
-		Str("pomerium_pub", pub.String())
-
-	if uid := getUserID(profile); uid != "" {
-		evt = evt.Str("authenticate_event", "sign_in_completed").
-			Str("pomerium_idp_user", getUserID(profile))
-	} else {
-		evt = evt.Str("authenticate_event", "sign_in")
-	}
-
-	if redirectURL, err := url.Parse(params.Get(urlutil.QueryRedirectURI)); err == nil {
-		evt = evt.Str("domain", redirectURL.Hostname())
-	}
-
-	evt.Msg("authenticate: event")
-}
-
-func getUserID(profile *identity.Profile) string {
-	if profile == nil {
-		return ""
-	}
-	if profile.Claims == nil {
-		return ""
-	}
-	return profile.Claims.Fields["sub"].GetStringValue()
-}