mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-30 15:00:51 +02:00
624622f236
## Summary Adds an option to log request body for protocols that perform request inspection, such as MCP. ## Related issues Fix https://linear.app/pomerium/issue/ENG-2544/authorize-request-body-logging ## User Explanation <!-- How would you explain this change to the user? If this change doesn't create any user-facing changes, you can leave this blank. If filled out, add the `docs` label --> ## Checklist - [ ] reference any related issues - [ ] updated unit tests - [ ] add appropriate label (`enhancement`, `bug`, `breaking`, `dependencies`, `ci`) - [ ] ready for review
107 lines
4.3 KiB
Go
107 lines
4.3 KiB
Go
package log
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
)
|
|
|
|
// An AuthorizeLogField is a field in the authorize logs.
|
|
type AuthorizeLogField string
|
|
|
|
// known authorize log fields
|
|
const (
|
|
AuthorizeLogFieldCheckRequestID AuthorizeLogField = "check-request-id"
|
|
AuthorizeLogFieldBody AuthorizeLogField = "body"
|
|
AuthorizeLogFieldEmail AuthorizeLogField = "email"
|
|
AuthorizeLogFieldEnvoyRouteChecksum AuthorizeLogField = "envoy-route-checksum"
|
|
AuthorizeLogFieldEnvoyRouteID AuthorizeLogField = "envoy-route-id"
|
|
AuthorizeLogFieldHeaders = AuthorizeLogField(headersFieldName)
|
|
AuthorizeLogFieldHost AuthorizeLogField = "host"
|
|
AuthorizeLogFieldIDToken AuthorizeLogField = "id-token"
|
|
AuthorizeLogFieldIDTokenClaims AuthorizeLogField = "id-token-claims"
|
|
AuthorizeLogFieldImpersonateEmail AuthorizeLogField = "impersonate-email"
|
|
AuthorizeLogFieldImpersonateSessionID AuthorizeLogField = "impersonate-session-id"
|
|
AuthorizeLogFieldImpersonateUserID AuthorizeLogField = "impersonate-user-id"
|
|
AuthorizeLogFieldIP AuthorizeLogField = "ip"
|
|
AuthorizeLogFieldMCPMethod AuthorizeLogField = "mcp-method"
|
|
AuthorizeLogFieldMCPTool AuthorizeLogField = "mcp-tool"
|
|
AuthorizeLogFieldMCPToolParameters AuthorizeLogField = "mcp-tool-parameters"
|
|
AuthorizeLogFieldMethod AuthorizeLogField = "method"
|
|
AuthorizeLogFieldPath AuthorizeLogField = "path"
|
|
AuthorizeLogFieldQuery AuthorizeLogField = "query"
|
|
AuthorizeLogFieldRemovedGroupsCount AuthorizeLogField = "removed-groups-count"
|
|
AuthorizeLogFieldRequestID AuthorizeLogField = "request-id"
|
|
AuthorizeLogFieldRouteChecksum AuthorizeLogField = "route-checksum"
|
|
AuthorizeLogFieldRouteID AuthorizeLogField = "route-id"
|
|
AuthorizeLogFieldServiceAccountID AuthorizeLogField = "service-account-id"
|
|
AuthorizeLogFieldSessionID AuthorizeLogField = "session-id"
|
|
AuthorizeLogFieldUser AuthorizeLogField = "user"
|
|
)
|
|
|
|
// DefaultAuthorizeLogFields are the fields to log by default.
|
|
var DefaultAuthorizeLogFields = []AuthorizeLogField{
|
|
AuthorizeLogFieldRequestID,
|
|
AuthorizeLogFieldCheckRequestID,
|
|
AuthorizeLogFieldMethod,
|
|
AuthorizeLogFieldPath,
|
|
AuthorizeLogFieldHost,
|
|
AuthorizeLogFieldIP,
|
|
AuthorizeLogFieldSessionID,
|
|
AuthorizeLogFieldImpersonateSessionID,
|
|
AuthorizeLogFieldImpersonateUserID,
|
|
AuthorizeLogFieldImpersonateEmail,
|
|
AuthorizeLogFieldRemovedGroupsCount,
|
|
AuthorizeLogFieldServiceAccountID,
|
|
AuthorizeLogFieldUser,
|
|
AuthorizeLogFieldEmail,
|
|
AuthorizeLogFieldEnvoyRouteChecksum,
|
|
AuthorizeLogFieldEnvoyRouteID,
|
|
AuthorizeLogFieldRouteChecksum,
|
|
AuthorizeLogFieldRouteID,
|
|
}
|
|
|
|
// ErrUnknownAuthorizeLogField indicates that an authorize log field is unknown.
|
|
var ErrUnknownAuthorizeLogField = errors.New("unknown authorize log field")
|
|
|
|
var authorizeLogFieldLookup = map[AuthorizeLogField]struct{}{
|
|
AuthorizeLogFieldCheckRequestID: {},
|
|
AuthorizeLogFieldBody: {},
|
|
AuthorizeLogFieldEmail: {},
|
|
AuthorizeLogFieldEnvoyRouteChecksum: {},
|
|
AuthorizeLogFieldEnvoyRouteID: {},
|
|
AuthorizeLogFieldHeaders: {},
|
|
AuthorizeLogFieldHost: {},
|
|
AuthorizeLogFieldIDToken: {},
|
|
AuthorizeLogFieldIDTokenClaims: {},
|
|
AuthorizeLogFieldImpersonateEmail: {},
|
|
AuthorizeLogFieldImpersonateSessionID: {},
|
|
AuthorizeLogFieldImpersonateUserID: {},
|
|
AuthorizeLogFieldIP: {},
|
|
AuthorizeLogFieldMCPMethod: {},
|
|
AuthorizeLogFieldMCPTool: {},
|
|
AuthorizeLogFieldMCPToolParameters: {},
|
|
AuthorizeLogFieldMethod: {},
|
|
AuthorizeLogFieldPath: {},
|
|
AuthorizeLogFieldQuery: {},
|
|
AuthorizeLogFieldRemovedGroupsCount: {},
|
|
AuthorizeLogFieldRequestID: {},
|
|
AuthorizeLogFieldRouteChecksum: {},
|
|
AuthorizeLogFieldRouteID: {},
|
|
AuthorizeLogFieldServiceAccountID: {},
|
|
AuthorizeLogFieldSessionID: {},
|
|
AuthorizeLogFieldUser: {},
|
|
}
|
|
|
|
// Validate returns an error if the authorize log field is invalid.
|
|
func (field AuthorizeLogField) Validate() error {
|
|
if _, ok := GetHeaderField(field); ok {
|
|
return nil
|
|
}
|
|
|
|
_, ok := authorizeLogFieldLookup[field]
|
|
if !ok {
|
|
return fmt.Errorf("%w: %s", ErrUnknownAuthorizeLogField, field)
|
|
}
|
|
|
|
return nil
|
|
}
|