Merge pull request #424 from MadAppGang/featue/log-tokens

Log tokens for audit records

Author: hummerdmag

model/server_settings.go

@@ -27,6 +27,7 @@ type ServerSettings struct {
 	KeyStorage     FileStorageSettings    `yaml:"keyStorage" json:"key_storage"`
 	Config         FileStorageSettings    `yaml:"-" json:"config"`
 	Logger         LoggerSettings         `yaml:"logger" json:"logger"`
+	Audit          AuditSettings          `yaml:"audit" json:"audit"`
 	AdminPanel     AdminPanelSettings     `yaml:"adminPanel" json:"admin_panel"`
 	LoginWebApp    FileStorageSettings    `yaml:"loginWebApp" json:"login_web_app"`
 	EmailTemplates FileStorageSettings    `yaml:"emailTemplates" json:"email_templates"`
@@ -368,6 +369,7 @@ type LoggerSettings struct {
 	// Deprecated: User HTTPDetailing on module level.
 	DumpRequest      bool         `yaml:"dumpRequest" json:"dumpRequest"`
 	Format           string       `yaml:"format" json:"format"`
+	MaxBodySize      int          `yaml:"maxBodySize" json:"maxBodySize"`
 	LogSensitiveData bool         `yaml:"logSensitiveData" json:"logSensitiveData"`
 	Common           LoggerParams `yaml:"common" json:"common"`
 	API              LoggerParams `yaml:"api" json:"api"`
@@ -388,6 +390,18 @@ func HTTPLogDetailing(dumpRequest bool, logType HTTPDetailing) HTTPDetailing {
 	return logType
 }
 
+type TokenRecording string
+
+const (
+	TokenRecordingNone       TokenRecording = "none"
+	TokenRecordingObfuscated TokenRecording = "obfuscated"
+	TokenRecordingFull       TokenRecording = "full"
+)
+
+type AuditSettings struct {
+	TokenRecording TokenRecording `yaml:"tokenRecording" json:"tokenRecording"`
+}
+
 type AdminPanelSettings struct {
 	Enabled bool `json:"enabled" yaml:"enabled"`
 }

model/server_settings_validation.go

@@ -1,6 +1,7 @@
 package model
 
 import (
+	"errors"
 	"fmt"
 	"net/url"
 	"os"
@@ -146,7 +147,7 @@ func (sss *SessionStorageSettings) Validate() []error {
 	result := []error{}
 
 	if len(sss.Type) == 0 {
-		result = append(result, fmt.Errorf("Empty session storage type"))
+		result = append(result, errors.New("empty session storage type"))
 	}
 	if sss.SessionDuration.Duration == 0 {
 		result = append(result, fmt.Errorf("%s. Session duration is 0 seconds", subject))
@@ -226,7 +227,7 @@ func (sss *SMSServiceSettings) Validate() []error {
 	subject := "SMSServiceSettings"
 	result := []error{}
 	if len(sss.Type) == 0 {
-		return []error{fmt.Errorf("Empty SMS service type")}
+		return []error{errors.New("empty SMS service type")}
 	}
 
 	switch sss.Type {

web/admin/router.go

@@ -57,6 +57,7 @@ func NewRouter(settings RouterSettings) (model.Router, error) {
 	ar.middleware = buildMiddleware(
 		settings.LoggerSettings.DumpRequest,
 		settings.LoggerSettings.Format,
+		settings.LoggerSettings.MaxBodySize,
 		settings.LoggerSettings.Admin,
 		settings.LoggerSettings.LogSensitiveData,
 		settings.Cors)
@@ -70,6 +71,7 @@ func NewRouter(settings RouterSettings) (model.Router, error) {
 func buildMiddleware(
 	dumpRequest bool,
 	format string,
+	maxBodySize int,
 	logParams model.LoggerParams,
 	logSensitiveData bool,
 	corsHandler *cors.Cors,
@@ -79,6 +81,7 @@ func buildMiddleware(
 	lm := middleware.NegroniHTTPLogger(
 		logging.ComponentAdmin,
 		format,
+		maxBodySize,
 		logParams,
 		model.HTTPLogDetailing(dumpRequest, logParams.HTTPDetailing),
 		!logSensitiveData,

web/api/2fa.go

@@ -306,8 +306,9 @@ func (ar *Router) FinalizeTFA() http.HandlerFunc {
 			}
 		}
 
-		ar.journal(JournalOperationLoginWith2FA,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, scopes.Scopes())
+		ar.audit(AuditOperationLoginWith2FA,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, scopes.Scopes(),
+			result.AccessToken, result.RefreshToken)
 
 		ar.server.Storages().User.UpdateLoginMetadata(user.ID)
 		ar.ServeJSON(w, locale, http.StatusOK, result)

web/api/federated_login.go

@@ -212,8 +212,9 @@ func (ar *Router) FederatedLoginComplete() http.HandlerFunc {
 		authResult.CallbackUrl = fsess.CallbackUrl
 		authResult.Scopes = fsess.Scopes
 
-		ar.journal(JournalOperationFederatedLogin,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationFederatedLogin,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/federated_oidc_login.go

@@ -249,8 +249,9 @@ func (ar *Router) OIDCLoginComplete(useSession bool) http.HandlerFunc {
 		authResult.Scopes = resultScopes.Scopes()
 		authResult.ProviderData = *providerData
 
-		ar.journal(JournalOperationOIDCLogin,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationOIDCLogin,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/impersonate_as.go

@@ -77,8 +77,9 @@ func (ar *Router) ImpersonateAs() http.HandlerFunc {
 		// do not allow refresh for impersonated user
 		authResult.RefreshToken = ""
 
-		ar.journal(JournalOperationImpersonatedAs,
-			userID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationImpersonatedAs,
+			userID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/journal.go

@@ -2,29 +2,36 @@ package api
 
 import (
 	"github.com/madappgang/identifo/v2/logging"
+	"github.com/madappgang/identifo/v2/model"
 )
 
-type JournalOperation string
+type AuditOperation string
 
 const (
-	JournalOperationLoginWithPassword JournalOperation = "login_with_password"
-	JournalOperationLoginWithPhone    JournalOperation = "login_with_phone"
-	JournalOperationLoginWith2FA      JournalOperation = "login_with_2fa"
-	JournalOperationRefreshToken      JournalOperation = "refresh_token"
-	JournalOperationOIDCLogin         JournalOperation = "oidc_login"
-	JournalOperationFederatedLogin    JournalOperation = "federated_login"
-	JournalOperationRegistration      JournalOperation = "registration"
-	JournalOperationLogout            JournalOperation = "logout"
-	JournalOperationImpersonatedAs    JournalOperation = "impersonated_as"
+	AuditOperationLoginWithPassword AuditOperation = "login_with_password"
+	AuditOperationLoginWithPhone    AuditOperation = "login_with_phone"
+	AuditOperationLoginWith2FA      AuditOperation = "login_with_2fa"
+	AuditOperationRefreshToken      AuditOperation = "refresh_token"
+	AuditOperationOIDCLogin         AuditOperation = "oidc_login"
+	AuditOperationFederatedLogin    AuditOperation = "federated_login"
+	AuditOperationRegistration      AuditOperation = "registration"
+	AuditOperationLogout            AuditOperation = "logout"
+	AuditOperationImpersonatedAs    AuditOperation = "impersonated_as"
 )
 
-func (ar *Router) journal(
-	op JournalOperation,
+func (ar *Router) audit(
+	op AuditOperation,
 	userID, appID, device, accessRole string,
 	scopes []string,
+	accessToken, refreshToken string,
 ) {
 	iss := ar.server.Services().Token.Issuer()
 
+	auditSettings := ar.server.Settings().Audit
+
+	accessToken = maskToken(accessToken, auditSettings.TokenRecording)
+	refreshToken = maskToken(refreshToken, auditSettings.TokenRecording)
+
 	// TODO: Create an interface for the audit log
 	// Implement it for logging to stdout, a database, or a remote service
 	ar.logger.Info("audit_record",
@@ -35,5 +42,24 @@ func (ar *Router) journal(
 		"issuer", iss,
 		"accessRole", accessRole,
 		"scopes", scopes,
+		"accessToken", accessToken,
+		"refreshToken", refreshToken,
 	)
 }
+
+func maskToken(token string, tokenRecording model.TokenRecording) string {
+	switch tokenRecording {
+	case model.TokenRecordingNone:
+		return "<redacted>"
+	case model.TokenRecordingObfuscated:
+		if len(token) < 32 {
+			return "<short>"
+		}
+
+		return token[:6] + "..." + token[len(token)-6:]
+	case model.TokenRecordingFull:
+		return token
+	default:
+		return "<redacted>"
+	}
+}

web/api/login.go

@@ -189,8 +189,9 @@ func (ar *Router) LoginWithPassword() http.HandlerFunc {
 			return
 		}
 
-		ar.journal(JournalOperationLoginWithPassword,
-			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes())
+		ar.audit(AuditOperationLoginWithPassword,
+			user.ID, app.ID, r.UserAgent(), user.AccessRole, resultScopes.Scopes(),
+			authResult.AccessToken, authResult.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, authResult)
 	}

web/api/logout.go

@@ -64,8 +64,9 @@ func (ar *Router) Logout() http.HandlerFunc {
 			}
 		}
 
-		ar.journal(JournalOperationLogout,
-			accessToken.Subject(), accessToken.Audience(), r.UserAgent(), "", nil)
+		ar.audit(AuditOperationLogout,
+			accessToken.Subject(), accessToken.Audience(), r.UserAgent(), "", nil,
+			accessTokenString, d.RefreshToken)
 
 		ar.ServeJSON(w, locale, http.StatusOK, result)
 	}