moved zap-x509 integration to its own package; log individual certificate verification errors
johnabass committed Nov 22, 2024
1 parent a7d30e0 commit c3ad63e
Showing 4 changed files with 30 additions and 3 deletions.
9 changes: 9 additions & 0 deletions token/claimBuilder.go
Expand Up @@ -14,6 +14,8 @@ import (
"github.com/xmidt-org/themis/random"
"github.com/xmidt-org/themis/xhttp/xhttpclient"
"github.com/xmidt-org/themis/xhttp/xhttpserver"
"github.com/xmidt-org/themis/xzap"
"go.uber.org/zap"

"github.com/go-kit/kit/endpoint"
kithttp "github.com/go-kit/kit/transport/http"
Expand Down Expand Up @@ -238,6 +240,13 @@ func (cb *clientCertificateClaimBuilder) AddClaims(_ context.Context, r *Request
}

_, verifyErr := pc.Verify(vo)
if verifyErr != nil {
r.Logger.Warn(
"certificate verification failed",
xzap.Certificate("cert", pc),
zap.Error(verifyErr),
)
}

switch {
case expired && verifyErr != nil:
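Review bot: The Warn added before the switch fires for every peer whose client certificate fails pc.Verify, and everything it logs (the marshaled certificate via xzap.Certificate and the x509 error text, which embeds subject and issuer names) is peer-supplied, so an unauthenticated client can write arbitrary strings into the log at Warn level and at request rate. The switch immediately below starts with `case expired && verifyErr != nil:`, which suggests some verification failures are tolerated by this builder; if so they are now reported as warnings as well, which will bury the genuinely rejected ones. Add `zap.Bool("expired", expired)` to the fields so the tolerated case can be filtered, and either log at Debug or rate-limit this statement (a sampling zapcore is enough), or move the log into the switch branches that actually reject the request. AddClaims starts and ends outside the hunk, so which branches reject cannot be confirmed from here.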
3 changes: 2 additions & 1 deletion xhttp/xhttpserver/server.go
Expand Up @@ -10,6 +10,7 @@ import (

"github.com/xmidt-org/sallust"
"github.com/xmidt-org/sallust/sallusthttp"
"github.com/xmidt-org/themis/xzap"
"go.uber.org/zap"

"github.com/justinas/alice"
Expand Down Expand Up @@ -59,7 +60,7 @@ func NewServerChain(o Options, l *zap.Logger, fbs ...sallusthttp.FieldBuilder) a
return l.With(zap.String("userAgent", r.UserAgent()))
})
bs.Add(func(r *http.Request, l *zap.Logger) *zap.Logger {
return l.With(connectionStateField("state", r.TLS))
return l.With(xzap.ConnectionState("state", r.TLS))
})

chain := alice.New(
7 changes: 7 additions & 0 deletions xzap/doc.go
@@ -0,0 +1,7 @@
// SPDX-FileCopyrightText: 2019 Comcast Cable Communications Management, LLC
// SPDX-License-Identifier: Apache-2.0

/*
Package xzap provides some zap logging integrations.
*/
package xzap
14 changes: 12 additions & 2 deletions xhttp/xhttpserver/zap.go → xzap/zap.go
@@ -1,6 +1,6 @@
// SPDX-FileCopyrightText: 2017 Comcast Cable Communications Management, LLC
// SPDX-License-Identifier: Apache-2.0
package xhttpserver
package xzap

import (
"crypto/tls"
Expand Down Expand Up @@ -53,6 +53,14 @@ func (c certificate) MarshalLogObject(enc zapcore.ObjectEncoder) error {
return nil
}

func Certificate(field string, cert *x509.Certificate) zap.Field {
if cert != nil {
return zap.Object(field, certificate(*cert))
} else {
return zap.Skip()
}
}

type certificates []*x509.Certificate

func (cs certificates) MarshalLogArray(enc zapcore.ArrayEncoder) error {
Expand Down Expand Up @@ -96,7 +104,9 @@ func (cstate connectionState) MarshalLogObject(enc zapcore.ObjectEncoder) error
return nil
}

func connectionStateField(field string, v *tls.ConnectionState) zap.Field {
// ConnectionState produces a zap logging Field that produces an object representation
// of a TLS connection state.
func ConnectionState(field string, v *tls.ConnectionState) zap.Field {
if v != nil {
return zap.Object(field, connectionState(*v))
} else {
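Review bot: The new exported `Certificate` has no doc comment, while `ConnectionState` in the third hunk of this file gained one in the same commit; add `// Certificate produces a zap logging Field that produces an object representation of an x509 certificate, or a no-op field when cert is nil.` above it. The `else` after a terminating return is also unidiomatic; `if cert == nil { return zap.Skip() }` followed by `return zap.Object(field, certificate(*cert))` keeps the happy path left-aligned, and the same shape applies to ConnectionState, whose body runs past the end of the hunk. Since this field is now attached to warnings about peer-supplied certificates in token/claimBuilder.go, it is worth confirming that the certificate encoder defined above the hunk emits only bounded identifying fields (subject, issuer, serial, validity) and not raw DER, public key or extension bytes; that cannot be verified from what is shown here.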
