
Commit d8e7554

committed
Add logging of client-id and service account username
Perform a userinfo request on the Authorization header bearer token to identify the service account and client of each query to the prom-keycloak-proxy.
1 parent 4f32036 commit d8e7554


1 file changed

+32
-6
lines changed

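--- a/services/authService.go
+++ b/services/authService.go
@@ -67,6 +67,27 @@ func Protect(gocloakClient *gocloak.GoCloak, authRealm string, authClientId stri
 return
 }
 
+userInfo, err := gocloakClient.GetUserInfo(context.Background(), accessToken, authRealm)
+if err != nil {
+log.Warn().
+Int("status", 401).
+Str("method", r.Method).
+Str("path", r.RequestURI).
+Str("ip", r.RemoteAddr).
+Str("client-id", authClientId).
+Str("query", query).
+Msg("Unauthorized")
+
+w.WriteHeader(401)
+json.NewEncoder(w).Encode(errors.BadRequestError(err.Error()))
+return
+}
+username := *userInfo.PreferredUsername
+var userClientId string = ""
+if strings.Contains(username, "service-account-") {
+userClientId = strings.ReplaceAll(username, "service-account-", "")
+}
+
 isTokenValid := *rptResult.Active
 
 if !isTokenValid {
@@ -75,7 +96,8 @@ func Protect(gocloakClient *gocloak.GoCloak, authRealm string, authClientId stri
 Str("method", r.Method).
 Str("path", r.RequestURI).
 Str("ip", r.RemoteAddr).
-Str("client-id", authClientId).
+Str("username", username).
+Str("client-id", userClientId).
 Str("query", query).
 Msg("Unauthorized")
 
@@ -114,9 +136,10 @@ func Protect(gocloakClient *gocloak.GoCloak, authRealm string, authClientId stri
 Str("method", r.Method).
 Str("path", r.RequestURI).
 Str("ip", r.RemoteAddr).
-Str("client-id", authClientId).
+Str("username", username).
+Str("client-id", userClientId).
 Str("query", query).
-Msg("Forbidden")
+Msg(err.Error())
 
 w.WriteHeader(403)
 json.NewEncoder(w).Encode(errors.UnauthorizedError())
@@ -130,7 +153,8 @@ func Protect(gocloakClient *gocloak.GoCloak, authRealm string, authClientId stri
 Str("method", r.Method).
 Str("path", r.RequestURI).
 Str("ip", r.RemoteAddr).
-Str("client-id", authClientId).
+Str("username", username).
+Str("client-id", userClientId).
 Str("query", query).
 Msg("Bad Request")
 
@@ -165,7 +189,8 @@ func Protect(gocloakClient *gocloak.GoCloak, authRealm string, authClientId stri
 Str("method", r.Method).
 Str("path", r.RequestURI).
 Str("ip", r.RemoteAddr).
-Str("client-id", authClientId).
+Str("username", username).
+Str("client-id", userClientId).
 Str("query", query).
 RawJSON("permissions", out).
 Msg("OK")
@@ -176,7 +201,8 @@ func Protect(gocloakClient *gocloak.GoCloak, authRealm string, authClientId stri
 Str("method", r.Method).
 Str("path", r.RequestURI).
 Str("ip", r.RemoteAddr).
-Str("client-id", authClientId).
+Str("username", username).
+Str("client-id", userClientId).
 Str("query", query).
 Msg(message)
 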
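Review bot: `username := *userInfo.PreferredUsername` in the first hunk dereferences a pointer with no nil check, so a userinfo response that omits preferred_username panics the handler instead of yielding the 401 the branch above it produces; guard the pointer and only then derive the client id. In the same hunk, `strings.Contains` followed by `strings.ReplaceAll` matches the marker anywhere in the name and strips every occurrence, whereas `strings.HasPrefix`/`strings.TrimPrefix` expresses the intended `service-account-<client>` form exactly and leaves other usernames untouched. The `GetUserInfo` call uses `context.Background()`, which detaches the upstream round trip from the incoming request; `r.Context()` lets it be cancelled when the client goes away. The new 401 branch also echoes the upstream error text to the caller through `errors.BadRequestError(err.Error())` under a 401 status; logging the error and returning a fixed message keeps Keycloak details out of the response, and the later hunks that now log `Msg(err.Error())` at 403 would benefit from the same split. Protect begins and ends outside these hunks, so where `accessToken` and `rptResult` come from is not visible here.
```go
userInfo, err := gocloakClient.GetUserInfo(r.Context(), accessToken, authRealm)
if err != nil {
	// … unchanged: 401 log and response …
	return
}
var username string
if userInfo.PreferredUsername != nil {
	username = *userInfo.PreferredUsername
}
var userClientId string
if strings.HasPrefix(username, "service-account-") {
	userClientId = strings.TrimPrefix(username, "service-account-")
}
```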
