nathan/vctp2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more ldap logging
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Nathan Coad
2026-04-21 13:21:32 +10:00
parent d2a7145a4c
commit a8e38784d9
3 changed files with 183 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/handler/auth.go
+17
View File
@@ -109,7 +109,9 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
ctx, cancel := withRequestTimeout(r, authLoginRequestTimeout)
defer cancel()
ldapAuthStartedAt := time.Now()
identity, err := ldapAuth.AuthenticateAndFetchGroups(ctx, username, password)
ldapAuthDuration := time.Since(ldapAuthStartedAt)
if err != nil {
if errors.Is(err, auth.ErrLDAPInvalidCredentials) {
audit.LogAuthEvent(h.Logger, r, "login", "deny",
@@ -117,6 +119,7 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
"username", username,
"ldap_bind_address", cfg.LDAPBindAddress,
"ldap_base_dn", cfg.LDAPBaseDN,
"ldap_auth_total_duration_ms", ldapAuthDuration.Milliseconds(),
"error", err,
)
writeJSONError(w, http.StatusUnauthorized, authLoginFailureMessage)
@@ -129,6 +132,7 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
"ldap_bind_address", cfg.LDAPBindAddress,
"ldap_base_dn", cfg.LDAPBaseDN,
"timeout_seconds", authLoginRequestTimeout.Seconds(),
"ldap_auth_total_duration_ms", ldapAuthDuration.Milliseconds(),
"error", err,
)
writeJSONError(w, http.StatusUnauthorized, authLoginFailureMessage)
@@ -139,6 +143,7 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
"username", username,
"ldap_bind_address", cfg.LDAPBindAddress,
"ldap_base_dn", cfg.LDAPBaseDN,
"ldap_auth_total_duration_ms", ldapAuthDuration.Milliseconds(),
"error", err,
)
writeJSONError(w, http.StatusUnauthorized, authLoginFailureMessage)
@@ -151,6 +156,10 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
"ldap_user_dn", identity.UserDN,
"ldap_group_count", len(identity.Groups),
"ldap_groups", limitStrings(identity.Groups, maxDebugLogListItems),
"ldap_auth_total_duration_ms", ldapAuthDuration.Milliseconds(),
"ldap_bind_duration_ms", identity.BindDuration.Milliseconds(),
"ldap_user_lookup_duration_ms", identity.UserLookupDuration.Milliseconds(),
"ldap_group_lookup_duration_ms", identity.GroupMembershipLookupDuration.Milliseconds(),
"ldap_diagnostics", limitStrings(identity.Diagnostics, maxDebugLogListItems),
)
@@ -163,6 +172,10 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
"required_groups", limitStrings(cfg.LDAPGroups, maxDebugLogListItems),
"user_groups", limitStrings(identity.Groups, maxDebugLogListItems),
"resolved_roles", roles,
"ldap_auth_total_duration_ms", ldapAuthDuration.Milliseconds(),
"ldap_bind_duration_ms", identity.BindDuration.Milliseconds(),
"ldap_user_lookup_duration_ms", identity.UserLookupDuration.Milliseconds(),
"ldap_group_lookup_duration_ms", identity.GroupMembershipLookupDuration.Milliseconds(),
"auth_group_role_mapping_keys", limitStrings(sortedStringMapKeys(cfg.AuthGroupRoleMappings), maxDebugLogListItems),
)
if !hasRequiredGroup || len(roles) == 0 {
@@ -174,6 +187,10 @@ func (h *Handler) AuthLogin(w http.ResponseWriter, r *http.Request) {
"required_groups", limitStrings(cfg.LDAPGroups, maxDebugLogListItems),
"user_groups", limitStrings(identity.Groups, maxDebugLogListItems),
"resolved_roles", roles,
"ldap_auth_total_duration_ms", ldapAuthDuration.Milliseconds(),
"ldap_bind_duration_ms", identity.BindDuration.Milliseconds(),
"ldap_user_lookup_duration_ms", identity.UserLookupDuration.Milliseconds(),
"ldap_group_lookup_duration_ms", identity.GroupMembershipLookupDuration.Milliseconds(),
"ldap_diagnostics", limitStrings(identity.Diagnostics, maxDebugLogListItems),
)
writeJSONError(w, http.StatusUnauthorized, authLoginFailureMessage)