Logg milliseconds, add method and path to output

README.md

@@ -2,6 +2,16 @@
 
 The Guard is a HTTP Server that responds to requests on http://localhost:8000/auth and authenticates the header `Authorization: Bearer JWT` against the configured ISSUER, AUDIENCE and authorizes the request agains a comma separated list of subjects.
 
+
+## How to use
+
+This application is designed to use with Forward Auth, specifically for ingress-nginx, enable with this annotation:
+```yaml
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-url: "http://oauth-guard.monitor.svc.cluster.local:8000/auth"
+```
+
 ## Configuration
 
  - `ISSUER` - Required. A issuer to verify JWT against. Must support the `${ISSUER}.well-known/openid-configuration` endpoint.

auth.go

@@ -25,12 +25,14 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t := time.Now()
 
+		event := log.Info().Str("method", r.Method).Str("path", r.URL.Path)
+
 		auth := r.Header.Get("Authorization")
 		jwt, err := parseAuthHeader(auth)
 		if err != nil {
 			w.WriteHeader(http.StatusUnauthorized)
 			_, _ = w.Write([]byte("Forbidden"))
-			log.Info().Err(err).Dur("latency", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
+			event.Err(err).Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
 			return
 		}
 
@@ -39,7 +41,7 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 		if err != nil {
 			w.WriteHeader(http.StatusUnauthorized)
 			_, _ = w.Write([]byte("Forbidden"))
-			log.Info().Err(err).Dur("latency", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
+			event.Err(err).Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusUnauthorized).Msg("Unauthorized")
 			return
 		}
 
@@ -48,13 +50,13 @@ func AuthHandler(subjects []string, verifier Verifier) http.Handler {
 		if !found {
 			w.WriteHeader(http.StatusForbidden)
 			_, _ = w.Write([]byte("Forbidden"))
-			log.Info().Err(err).Dur("latency", time.Since(t)).Int("status", http.StatusForbidden).Str("sub", subject).Msg("Forbidden")
+			event.Err(err).Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusForbidden).Str("sub", subject).Msg("Forbidden")
 			return
 		}
 
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte("OK"))
-		log.Info().Dur("latency", time.Since(t)).Int("status", http.StatusOK).Str("sub", subject).Msg("Authorized")
+		event.Dur("elappsed_ms", time.Since(t)).Int("status", http.StatusOK).Str("sub", subject).Msg("Authorized")
 	})
 }
 

deploymet.yaml

@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth-guard
+  namespace: monitor
+spec:
+  selector:
+    matchLabels:
+      app: radix-oauth-guard
+  template:
+    metadata:
+      labels:
+        app: radix-oauth-guard
+    spec:
+      containers:
+        - name: guard
+          image: ghcr.io/equinor/radix-oauth-guard:v0.2.1
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+              name: http
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            capabilities:
+              drop:
+                - ALL
+          env:
+            - name: LOG_PRETTY
+              value: "True"
+            - name: LOG_LEVEL
+              value: debug
+            - name: ISSUER
+              value: https://northeurope.oic.prod-aks.azure.com/3aa4a235-b6e2-48d5-9195-7fcf05b459b0/a2d93ba1-cbde-4408-8979-c100cce7b448/
+            - name: AUDIENCE
+              value: extmonprom
+            - name: SUBJECTS
+              value: system:serviceaccount:monitor:prometheus-operator-prometheus
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth-guard
+  namespace: monitor
+spec:
+  selector:
+    app: radix-oauth-guard
+  ports:
+    - name: http
+      port: 8000

main.go

@@ -61,6 +61,7 @@ func initLogger(opts Options) {
 		logWriter = &zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.TimeOnly}
 	}
 
+	zerolog.DurationFieldUnit = time.Millisecond
 	logger := zerolog.New(logWriter).Level(logLevel).With().Timestamp().Logger()
 
 	log.Logger = logger