From c905df3be68a459c71c44acb54cce6a15b2b0f0d Mon Sep 17 00:00:00 2001
From: ben-toogood
Date: Thu, 26 Mar 2020 17:35:28 +0000
Subject: [PATCH] Log auth verify requests (#1422)

* More auth debugging

* More auth debugging

Co-authored-by: Ben Toogood
---
 auth/service/service.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/auth/service/service.go b/auth/service/service.go
index 7e9e77c9..af121998 100644
--- a/auth/service/service.go
+++ b/auth/service/service.go
@@ -124,6 +124,8 @@ func (s *svc) Revoke(role string, res *auth.Resource) error {
 
 // Verify an account has access to a resource
 func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
+	log.Infof("%v requesting access to %v:%v:%v", acc.ID, res.Type, res.Name, res.Endpoint)
+
 	queries := [][]string{
 		{res.Type, res.Name, res.Endpoint}, // check for specific role, e.g. service.foo.ListFoo:admin (role is checked in accessForRule)
 		{res.Type, res.Name, "*"},          // check for wildcard endpoint, e.g. service.foo*
@@ -146,14 +148,17 @@ func (s *svc) Verify(acc *auth.Account, res *auth.Resource) error {
 			case rulePb.Access_UNKNOWN:
 				continue // rule did not specify access, check the next rule
 			case rulePb.Access_GRANTED:
+				log.Infof("%v granted access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
 				return nil // rule grants the account access to the resource
 			case rulePb.Access_DENIED:
-				return auth.ErrForbidden // reule denies access to the resource
+				log.Infof("%v denied access to %v:%v:%v by rule %v", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)
+				return auth.ErrForbidden // rule denies access to the resource
 			}
 		}
 	}
 
 	// no rules were found for the resource, default to denying access
+	log.Infof("%v denied access to %v:%v:%v by lack of rule", acc.ID, res.Type, res.Name, res.Endpoint)
 	return auth.ErrForbidden
 }
 
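Review bot: The added `log.Infof` on the first new line dereferences `acc.ID` before any rule is consulted, so if callers can hand Verify a nil `*auth.Account` for an unauthenticated request (the calling wrapper is not visible here — confirm), this turns a would-be deny into a panic inside the auth path. Derive the identity once behind a guard, `var id string; if acc != nil { id = acc.ID }`, and log `id` instead. The logged account ID and resource type/name/endpoint originate from the token and the request, so format them with `%q` rather than `%v` so an embedded newline cannot forge a separate "granted access" entry, and consider emitting this per-request line at Debug rather than Info, since it fires on every call.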
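Review bot: The new "granted access" line runs on the hot path of every permitted call at Info level, which at volume will bury the two denial lines that are the actual audit signal. Keep `denied access ... by rule` and `denied access ... by lack of rule` at Info (or Warn) and drop the grant line to Debug if the logger in scope offers it, e.g. `log.Debugf("%q granted access to %q:%q:%q by rule %q", acc.ID, res.Type, res.Name, res.Endpoint, rule.Id)`. Quoting with `%q` belongs on all three added lines, since `res.*` and `acc.ID` are caller-supplied. Returning the opaque `auth.ErrForbidden` while the matching `rule.Id` goes only to the log is the right split — the caller should not learn which rule denied it. The switch and both enclosing for loops open before this hunk; only the function's closing brace is inside it.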
@@ -241,7 +246,7 @@ func (s *svc) listRules(filters ...string) []*rulePb.Rule {
 
 // loadRules retrieves the rules from the auth service
 func (s *svc) loadRules() {
-	log.Infof("Loading rules from auth service\n")
+	log.Infof("Loading rules from auth service")
 	rsp, err := s.rule.List(context.TODO(), &rulePb.ListRequest{})
 	s.Lock()
 	defer s.Unlock()
@@ -251,7 +256,7 @@ func (s *svc) loadRules() {
 		return
 	}
 
-	log.Infof("Loaded %v rules from the auth service\n", len(rsp.Rules))
+	log.Infof("Loaded %v rules from the auth service", len(rsp.Rules))
 	s.rules = rsp.Rules
 }
 