From 91218665d27e39ccf799fdd4c6f7c8bb8e4ca4cf Mon Sep 17 00:00:00 2001
From: tjpcc
Date: Wed, 3 May 2023 19:37:26 -0600
Subject: use sha256 for client cert fingerprints, and log them when available

---
 logging/middleware.go | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)
(limited to 'logging/middleware.go')

diff --git a/logging/middleware.go b/logging/middleware.go
index 750f987..693cb2f 100644
--- a/logging/middleware.go
+++ b/logging/middleware.go
@@ -2,6 +2,8 @@ package logging
 
 import (
 "context"
+ "crypto/sha256"
+ "encoding/hex"
 "errors"
 "io"
 "time"
@@ -18,13 +20,17 @@ func LogRequests(logger Logger) sr.Middleware {
 response.Body = loggingBody(logger, request, response, start)
 } else {
 end := time.Now()
- _ = logger.Log(
+ params := []any{
 "msg", "request",
 "ts", end.UTC(),
 "dur", end.Sub(start),
 "url", request.URL,
 "status", "(not found)",
- )
+ }
+ if fingerprint, ok := clientFingerprint(request); ok {
+ params = append(params, "client_ident", fingerprint)
+ }
+ _ = logger.Log(params...)
 }
 
 return response
@@ -32,6 +38,15 @@ func LogRequests(logger Logger) sr.Middleware {
 }
 }
 
+func clientFingerprint(request *sr.Request) (string, bool) {
+ if request.TLSState == nil || len(request.TLSState.PeerCertificates) == 0 {
+ return "", false
+ }
+ digest := sha256.Sum256(request.TLSState.PeerCertificates[0].Raw)
+ return hex.EncodeToString(digest[:]), true
+}
+
 type loggedResponseBody struct {
 request *sr.Request
 response *sr.Response
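Review bot: The build-params-then-append-fingerprint sequence added in the `(not found)` branch is duplicated line for line in log() in the last hunk (`@@ -45,14 +60,19 @@`), so the two log sites will drift apart the next time a field is added or the key name changes. A small helper keeps them in step, e.g. `func withClientIdent(params []any, r *sr.Request) []any { if fp, ok := clientFingerprint(r); ok { return append(params, "client_ident", fp) }; return params }`, after which each site reads `_ = logger.Log(withClientIdent(params, request)...)`. The middleware closure this branch belongs to starts and ends outside the hunk.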
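Review bot: clientFingerprint is new and has no doc comment, and since its result is what operators will read as `client_ident` in the logs, the comment should pin down exactly what is hashed: `// clientFingerprint returns the lowercase hex SHA-256 digest of the DER encoding of the client's leaf certificate (PeerCertificates[0]), or false when the request carried no client certificate.` A second sentence is worth adding to say that PeerCertificates is the chain the client presented, so whether the fingerprint is an authenticated identity or merely a self-asserted one depends on the server's ClientAuth and verification settings, which this diff does not show. Hashing Raw also ties the identifier to the certificate rather than the key, so it changes on every renewal; if a per-client identifier that survives renewal is the goal, hashing RawSubjectPublicKeyInfo is the usual alternative, though that is a design choice rather than a defect.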
@@ -45,14 +60,19 @@ type loggedResponseBody struct {
 
 func (lr *loggedResponseBody) log() {
 end := time.Now()
- _ = lr.logger.Log(
+ params := []any{
 "msg", "request",
 "ts", end.UTC(),
 "dur", end.Sub(lr.start),
 "url", lr.request.URL,
 "status", lr.response.Status,
 "bodylen", lr.written,
- )
+ }
+ if fingerprint, ok := clientFingerprint(lr.request); ok {
+ params = append(params, "client_ident", fingerprint)
+ }
+
+ _ = lr.logger.Log(params...)
 }
 
 func (lr *loggedResponseBody) Read(b []byte) (int, error) {
-- 
cgit v1.2.3