[NRL-1700] Log info about which clientcert is being used for each request

mattdean3-nhs · mattdean3-nhs · commit 34f6509f0650 · 2025-10-21T12:51:54.000+01:00
diff --git a/layer/nrlf/core/decorators.py b/layer/nrlf/core/decorators.py
@@ -236,15 +236,23 @@ def request_handler(
     """
 
     def wrapped_func(func: RequestHandler):
-        def wrapper(*args, **kwargs):
-            event: APIGatewayProxyEvent = args[0]
-            context: LambdaContext = args[1]
+        def wrapper(event: APIGatewayProxyEvent, context: LambdaContext, **kwargs):
+            client_cert = event.request_context.identity.client_cert
+            if client_cert:
+                client_cert_info = {
+                    "subject_dn": client_cert.subject_dn,
+                    "issuer_dn": client_cert.issuer_dn,
+                    "serial_number": client_cert.serial_number,
+                }
+            else:
+                client_cert_info = "No client certificate provided"
 
             logger.log(
                 code=LogReference.HANDLER000,
                 method=event.http_method,
                 path=event.path,
                 headers=event.headers,
+                client_cert_info=client_cert_info,
             )
 
             if skip_request_verification:
diff --git a/layer/nrlf/tests/events.py b/layer/nrlf/tests/events.py
@@ -55,6 +55,13 @@ def create_test_api_gateway_event(
             "resourcePath": "/",
             "httpMethod": "GET",
             "path": "/Prod/",
+            "identity": {
+                "client_cert": {
+                    "subject_dn": "CN=TEST SUBJECT",
+                    "issuer_dn": "CN=TEST ISSUER",
+                    "serial_number": "0000001",
+                }
+            },
         },
         "headers": headers or create_headers(),
         "multiValueHeaders": {},
