Log user claims

Signed-off-by: Victor Chang <vicchang@nvidia.com>

Author: mocsharp

src/Authentication/Extensions/HttpContextExtension.cs

@@ -16,6 +16,9 @@
 
 using Ardalis.GuardClauses;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
+using Monai.Deploy.Security.Authentication.Middleware;
+using Monai.Deploy.WorkflowManager.Logging;
 
 namespace Monai.Deploy.Security.Authentication.Extensions
 {
@@ -27,7 +30,7 @@ public static class HttpContextExtension
         /// <param name="httpcontext"></param>
         /// <param name="requiredClaims"></param>
         /// <returns></returns>
-        public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)
+        public static List<string> GetValidEndpoints(this HttpContext httpcontext, ILogger<EndpointAuthorizationMiddleware> logger, List<Configurations.ClaimMapping> adminClaims, List<Configurations.ClaimMapping> userClaims)
         {
             Guard.Against.Null(adminClaims);
             Guard.Against.Null(userClaims);
@@ -36,6 +39,7 @@ public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<
             {
                 if (httpcontext.User.HasClaim(claim.Claim, claim.Role))
                 {
+                    logger.UserClaimFound(claim.Claim, claim.Role);
                     return new List<string> { "all" };
                 }
             }
@@ -44,6 +48,7 @@ public static List<string> GetValidEndpoints(this HttpContext httpcontext, List<
             {
                 if (httpcontext.User.HasClaim(claim.Claim, claim.Role))
                 {
+                    logger.UserClaimFound(claim.Claim, claim.Role);
                     return claim.Endpoints!;
                 }
             }

src/Authentication/Logging.cs

@@ -26,7 +26,10 @@ public static partial class Log
         [LoggerMessage(EventId = 500001, Level = LogLevel.Debug, Message = "User '{user}' attempting to access controller '{controller}'.")]
         public static partial void UserAccessingController(this ILogger logger, string? user, string controller);
 
-        [LoggerMessage(EventId = 500002, Level = LogLevel.Debug, Message = "User '{user}' access denied due to allowed permissions: '{permissions}'.")]
+        [LoggerMessage(EventId = 500002, Level = LogLevel.Debug, Message = "User '{user}' access denied due to limited permissions: '{permissions}'.")]
         public static partial void UserAccessDenied(this ILogger logger, string? user, string? permissions);
+
+        [LoggerMessage(EventId = 500003, Level = LogLevel.Debug, Message = "User claim {claim}={value}.")]
+        public static partial void UserClaimFound(this ILogger logger, string? claim, string? value);
     }
 }

src/Authentication/Middleware/EndpointAuthorizationMiddleware.cs

@@ -41,39 +41,39 @@ public EndpointAuthorizationMiddleware(RequestDelegate next, IOptions<Authentica
             _logger = logger;
         }
 
-        public async Task InvokeAsync(HttpContext httpcontext)
+        public async Task InvokeAsync(HttpContext httpContext)
         {
             if (_options.Value.BypassAuth(_logger))
             {
-                await _next(httpcontext).ConfigureAwait(false);
+                await _next(httpContext).ConfigureAwait(false);
                 return;
             }
 
-            if (httpcontext.User is not null
-                && httpcontext.User.Identity is not null
-                && httpcontext.User.Identity.IsAuthenticated)
+            if (httpContext.User is not null
+                && httpContext.User.Identity is not null
+                && httpContext.User.Identity.IsAuthenticated)
             {
-                if (httpcontext.GetRouteValue("controller") is string controller)
+                if (httpContext.GetRouteValue("controller") is string controller)
                 {
-                    _logger.UserAccessingController(httpcontext.User.Identity.Name, controller);
-                    var validEndpoints = httpcontext.GetValidEndpoints(_options.Value.OpenId!.Claims!.AdminClaims!, _options.Value.OpenId!.Claims!.UserClaims!);
+                    _logger.UserAccessingController(httpContext.User.Identity.Name, controller);
+                    var validEndpoints = httpContext.GetValidEndpoints(_logger, _options.Value.OpenId!.Claims!.AdminClaims!, _options.Value.OpenId!.Claims!.UserClaims!);
                     var result = validEndpoints.Any(e => e.Equals(controller, StringComparison.InvariantCultureIgnoreCase)) || validEndpoints.Contains("all");
 
                     if (result is false)
                     {
-                        _logger.UserAccessDenied(httpcontext.User.Identity.Name, string.Join(',', validEndpoints));
-                        httpcontext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
+                        _logger.UserAccessDenied(httpContext.User.Identity.Name, string.Join(',', validEndpoints));
+                        httpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
 
-                        await httpcontext.Response.CompleteAsync().ConfigureAwait(false);
+                        await httpContext.Response.CompleteAsync().ConfigureAwait(false);
 
                         return;
                     }
                 }
-                await _next(httpcontext).ConfigureAwait(false);
+                await _next(httpContext).ConfigureAwait(false);
             }
             else
             {
-                httpcontext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+                httpContext.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
             }
         }
     }

src/Authentication/example.json

@@ -27,4 +27,4 @@
       }
     }
   }
-}
+}