added access log support to authenticator

snapp-incubator · Mar 1, 2024 · abd2e48 · abd2e48
1 parent cfb7be1
commit abd2e48
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 0 deletions.
diff --git a/internal/settings/consts.go b/internal/settings/consts.go
@@ -0,0 +1,6 @@
+package settings
+
+const (
+	LogLevelDebug = "debug"
+	LogLevelInfo  = "info"
+)
diff --git a/internal/settings/flags.go b/internal/settings/flags.go
@@ -6,6 +6,7 @@ func (s Settings) BindFlags(fs *flag.FlagSet) {
 	flag.StringVar(&s.MetricsAddress, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&s.ProbeAddress, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.StringVar(&s.AuthServerAddress, "address", ":8082", "The address the authorization service binds to.")
+	flag.StringVar(&s.AccessLogLevel, "access-log-level", "info", "The Cerberus access log level (debug will print all requests and headers)")
 
 	flag.StringVar(&s.TLS.CertPath, "tls-cert-path", "", "grpc Authentication server TLS certificate")
 	flag.StringVar(&s.TLS.KeyPath, "tls-key-path", "", "grpc Authentication server TLS key")

diff --git a/internal/settings/settings.go b/internal/settings/settings.go
@@ -6,6 +6,7 @@ type Settings struct {
 	AuthServerAddress string `yaml:"bindAddress" env:"BIND_ADDRESS" env-default:":8082" env-description:"The address the authorization service binds to."`
 	MetricsAddress    string `yaml:"metricsBindAddress" env:"METRICS_BIND_ADDRESS" env-default:":8080" env-description:"The address the metric endpoint binds to."`
 	ProbeAddress      string `yaml:"healthProbeBindAddress" env:"PROBE_BIND_ADDRESS" env-default:":8081" env-description:"The address the probe endpoint binds to."`
+	AccessLogLevel    string `yaml:"accessLogLevel" env:"ACCESS_LOG_LEVEL" env-default:"info" env-description:"The Cerberus access log level (debug will print all requests and headers)"`
 
 	TLS struct {
 		CertPath string `yaml:"certPath" env:"AUTH_SERVER_TLS_CERT_PATH" env-default:"" env-description:"grpc Authentication server TLS certificate file path"`

diff --git a/pkg/auth/authenticator.go b/pkg/auth/authenticator.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
@@ -11,6 +12,7 @@ import (
 	"github.com/asaskevich/govalidator"
 	"github.com/go-logr/logr"
 	"github.com/snapp-incubator/Cerberus/api/v1alpha1"
+	"github.com/snapp-incubator/Cerberus/internal/settings"
 	"github.com/snapp-incubator/Cerberus/internal/tracing"
 	"go.opentelemetry.io/otel/attribute"
 	otelcodes "go.opentelemetry.io/otel/codes"
@@ -25,6 +27,7 @@ const downstreamDeadlineOffset = 50 * time.Microsecond
 // Authenticator can generate cache from Kubernetes API server
 // and it implements envoy.CheckRequest interface
 type Authenticator struct {
+	settings   settings.Settings
 	logger     logr.Logger
 	httpClient *http.Client
 
@@ -145,6 +148,15 @@ func (a *Authenticator) Check(ctx context.Context, request *Request) (finalRespo
 	start_time := time.Now()
 	wsvc, ns, reason := readRequestContext(request)
 
+	// access logs
+	defer func() {
+		if a.settings.AccessLogLevel == settings.LogLevelDebug {
+			a.logger.Info("check request result",
+				"request", fmt.Sprintf("%#v", *request),
+				"response", fmt.Sprintf("%#v", *finalResponse))
+		}
+	}()
+
 	// generate opentelemetry span with given parameters
 	parentCtx := tracing.ReadParentSpanFromRequest(ctx, request.Request)
 	ctx, span := tracing.StartSpan(parentCtx, "CheckFunction",