author | tjpcc <tjp@ctrl-c.club> | 2023-05-03 19:37:26 -0600 |
---|---|---|
committer | tjpcc <tjp@ctrl-c.club> | 2023-05-03 19:50:56 -0600 |
commit | 91218665d27e39ccf799fdd4c6f7c8bb8e4ca4cf (patch) | |
tree | 9e2fdbd7c7a48041411d8f229513e92bee9039b9 /logging | |
parent | 5c9655a1bb2af0f23ca6d9daf96aed44cd01c3c8 (diff) |
use sha256 for client cert fingerprints, and log them when available
Diffstat (limited to 'logging')
-rw-r--r-- | logging/middleware.go | 28 |
1 files changed, 24 insertions, 4 deletions
diff --git a/logging/middleware.go b/logging/middleware.go
index 750f987..693cb2f 100644
--- a/logging/middleware.go
+++ b/logging/middleware.go
@@ -2,6 +2,8 @@ package logging
 
 import (
 "context"
+ "crypto/sha256"
+ "encoding/hex"
 "errors"
 "io"
 "time"
@@ -18,13 +20,17 @@ func LogRequests(logger Logger) sr.Middleware {
 response.Body = loggingBody(logger, request, response, start)
 } else {
 end := time.Now()
- _ = logger.Log(
+ params := []any{
 "msg", "request",
 "ts", end.UTC(),
 "dur", end.Sub(start),
 "url", request.URL,
 "status", "(not found)",
- )
+ }
+ if fingerprint, ok := clientFingerprint(request); ok {
+ params = append(params, "client_ident", fingerprint)
+ }
+ _ = logger.Log(params...)
 }
 
 return response
@@ -32,6 +38,15 @@ func LogRequests(logger Logger) sr.Middleware {
 }
 }
 
+func clientFingerprint(request *sr.Request) (string, bool) {
+ if request.TLSState == nil || len(request.TLSState.PeerCertificates) == 0 {
+ return "", false
+ }
+
+ digest := sha256.Sum256(request.TLSState.PeerCertificates[0].Raw)
+ return hex.EncodeToString(digest[:]), true
+}
+
 type loggedResponseBody struct {
 request *sr.Request
 response *sr.Response
@@ -45,14 +60,19 @@ type loggedResponseBody struct {
 
 func (lr *loggedResponseBody) log() {
 end := time.Now()
- _ = lr.logger.Log(
+ params := []any{
 "msg", "request",
 "ts", end.UTC(),
 "dur", end.Sub(lr.start),
 "url", lr.request.URL,
 "status", lr.response.Status,
 "bodylen", lr.written,
- )
+ }
+ if fingerprint, ok := clientFingerprint(lr.request); ok {
+ params = append(params, "client_ident", fingerprint)
+ }
+
+ _ = lr.logger.Log(params...)
 }
 
 func (lr *loggedResponseBody) Read(b []byte) (int, error) { |
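Review bot: The `client_ident` field added in the not-found branch of LogRequests (and again in `loggedResponseBody.log` in the last hunk) puts a stable per-client identifier on the same log line as the full `url`, so anyone with read access to the logs can link all requests made with one certificate. If request URLs can carry user-supplied input in the query, that input becomes attributable to a specific certificate holder. I would record this at the `params` literal, for example `// client_ident is a persistent client identifier; restrict access to and retention of these logs.` LogRequests begins above this hunk, so where `logger` writes is not visible from here.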
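Review bot: `clientFingerprint` has no doc comment, and two properties of its result are easy to misread. The digest covers the whole DER of `PeerCertificates[0]`, so a reissued certificate with the same key yields a different value, and a populated `PeerCertificates` does not by itself show the certificate was validated; that depends on the server's TLS client-auth configuration, which is outside this diff. Suggested comment: `// clientFingerprint returns the hex-encoded SHA-256 of the client's leaf certificate (DER), or false if none was presented; it labels the certificate for logging and is not proof of verification.` The diffstat is limited to `logging`, so the fingerprint code changed elsewhere in this commit is not visible; both places should hash the same bytes with the same encoding so logged values can be matched.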
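Review bot: The `if fingerprint, ok := clientFingerprint(lr.request); ok { ... }` block in `log()` is a copy of the one added to LogRequests in the second hunk, so the `client_ident` key name and the append logic now live in two places. A small unexported helper that takes the params slice and the request and returns the slice with the field appended when a fingerprint exists would reduce each call site to one line, e.g. `params = appendClientIdent(params, lr.request)` (helper name is a suggestion). That keeps the two log paths from drifting if the field is later renamed or redacted.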