authorize: audit logging (#2050)

* authorize: add databroker server and record version to result, force sync via polling

* authorize: audit logging

config/crypt.go

@@ -0,0 +1,26 @@
+package config
+
+import (
+	"encoding/base64"
+
+	"github.com/pomerium/pomerium/pkg/cryptutil"
+)
+
+// A PublicKeyEncryptionKeyOptions represents options for a public key encryption key.
+type PublicKeyEncryptionKeyOptions struct {
+	ID   string `mapstructure:"id" yaml:"id"`
+	Data string `mapstructure:"data" yaml:"data"` // base64-encoded
+}
+
+// GetAuditKey gets the audit key from the options. If no audit key is provided it will return (nil, nil).
+func (o *Options) GetAuditKey() (*cryptutil.PublicKeyEncryptionKey, error) {
+	if o.AuditKey == nil {
+		return nil, nil
+	}
+
+	raw, err := base64.StdEncoding.DecodeString(o.AuditKey.Data)
+	if err != nil {
+		return nil, err
+	}
+	return cryptutil.NewPublicKeyEncryptionKey(o.AuditKey.ID, raw)
+}

config/options.go

@@ -285,6 +285,8 @@ type Options struct {
 
 	// ProgrammaticRedirectDomainWhitelist restricts the allowed redirect URLs when using programmatic login.
 	ProgrammaticRedirectDomainWhitelist []string `mapstructure:"programmatic_redirect_domain_whitelist" yaml:"programmatic_redirect_domain_whitelist,omitempty" json:"programmatic_redirect_domain_whitelist,omitempty"` //nolint
+
+	AuditKey *PublicKeyEncryptionKeyOptions `mapstructure:"audit_key"`
 }
 
 type certificateFilePair struct {
@@ -1130,6 +1132,12 @@ func (o *Options) ApplySettings(settings *config.Settings) {
 	if len(settings.ProgrammaticRedirectDomainWhitelist) > 0 {
 		o.ProgrammaticRedirectDomainWhitelist = settings.GetProgrammaticRedirectDomainWhitelist()
 	}
+	if settings.AuditKey != nil {
+		o.AuditKey = &PublicKeyEncryptionKeyOptions{
+			ID:   settings.AuditKey.GetId(),
+			Data: base64.StdEncoding.EncodeToString(settings.AuditKey.GetData()),
+		}
+	}
 }
 
 func dataDir() string {