From bae0c0ab2157b9fe89ddb80d66af18a5ea8df1ea Mon Sep 17 00:00:00 2001
From: Cyril Cressent
Date: Fri, 30 Sep 2022 12:15:55 -0700
Subject: [PATCH] Enhance logging for authentication providers (#4880)
An INFO level message is emitted upon successful login, with details about the user and provider used. An ERROR level message is emitted upon authentication failure, with the username that was tried. (cherry-picked from a994851d6cd82ab31747ecc6b48f7184c3dc95f7)
Signed-off-by: Cyril Cressent
---
 CHANGELOG-7.md | 5 +++--
 backend/authentication/authenticator.go | 11 +++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG-7.md b/CHANGELOG-7.md
index 287d0d603d..dc2603ee94 100644
--- a/CHANGELOG-7.md
+++ b/CHANGELOG-7.md
@@ -6,7 +6,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
-
 ### Breaking
 - Embedded etcd is no longer supported, all related configuration has been removed.
@@ -26,7 +25,9 @@ migrated from Etcd.
 - Added configuration store selector to sensu-backend.
 - Added postgresql state store.
 - GlobalResource interface in core/v3 allows core/v3 resources to
-be marked as global resources.
+ be marked as global resources.
+- The authentication module now logs successful (INFO) and unsuccessful (ERROR)
+ login attempts.
 ### Fixed
 - Fixed an issue where multi-expression exclusive "Deny" filters were not
diff --git a/backend/authentication/authenticator.go b/backend/authentication/authenticator.go
index 775c7c81c5..218f1048a4 100644
--- a/backend/authentication/authenticator.go
+++ b/backend/authentication/authenticator.go
@@ -6,6 +6,8 @@ import (
 "fmt"
 "sync"
+ "github.com/sirupsen/logrus"
+
 corev2 "github.com/sensu/sensu-go/api/core/v2"
 )
@@ -33,11 +35,20 @@ func (a *Authenticator) Authenticate(ctx context.Context, username, password str
 continue
 }
+ logger.WithFields(logrus.Fields{
+ "subject": claims.Subject,
+ "groups": claims.Groups,
+ "provider_id": claims.Provider.ProviderID,
+ "provider_type": claims.Provider.ProviderType,
+ "provider_userid": claims.Provider.UserID,
+ }).Info("login successful")
 return claims, nil
 }
 // TODO(palourde): We might want to return a more meaningful and actionnable
 // error message, but we don't want to leak sensitive information.
+
+ logger.WithField("username", username).Error("authentication failed")
 return nil, errors.New("authentication failed")
 }
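Review bot: The failure path writes the caller-supplied `username` to the log verbatim in `logger.WithField("username", username).Error("authentication failed")`, and nothing visible in this hunk bounds or validates that value first. Users regularly type a password into the username field, so this entry can carry a credential into the logs, and an unauthenticated client controls both its length and how often it is emitted. I would cap what is logged, e.g. `if len(username) > 256 { username = username[:256] }` just before the log call (256 is a constructed limit), and extend the TODO above it with `// username is untrusted input and may contain a mistyped password; treat these log entries as sensitive.` The success entry also records `claims.Groups`, which is worth confirming against who can read INFO logs. Authenticate's body starts outside the hunk, so the provider loop and the nil check on `claims` are not visible here.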