Add logging of hashed authorization information (#12255)

... for cross-checking usage of compromised keys.

Specifically, adds a `custom_metadata.auth_type` value, specifying the authentication type used for actions. Additionally, adds `http.request.headers.hashed_authorization` and `http.request.headers.hashed_cookie` for logging SHA256 hashed copies of the authorization and/or cookie headers used in the request.

Author: walterhpearce

src/auth.rs

@@ -288,13 +288,19 @@ async fn authenticate(parts: &Parts, conn: &mut AsyncPgConnection) -> AppResult<
 
     match authenticate_via_cookie(parts, conn).await {
         Ok(None) => {}
-        Ok(Some(auth)) => return Ok(Authentication::Cookie(auth)),
+        Ok(Some(auth)) => {
+            parts.request_log().add("auth_type", "cookie");
+            return Ok(Authentication::Cookie(auth));
+        }
         Err(err) => return Err(err),
     }
 
     match authenticate_via_token(parts, conn).await {
         Ok(None) => {}
-        Ok(Some(auth)) => return Ok(Authentication::Token(auth)),
+        Ok(Some(auth)) => {
+            parts.request_log().add("auth_type", "token");
+            return Ok(Authentication::Token(auth));
+        }
         Err(err) => return Err(err),
     }
 

src/controllers/krate/publish.rs

@@ -172,6 +172,8 @@ pub async fn publish(app: AppState, req: Parts, body: Body) -> AppResult<Json<Go
         .transpose()?;
 
     let auth = if let Some(trustpub_token) = trustpub_token {
+        request_log.add("auth_type", "trustpub");
+
         let Some(existing_crate) = &existing_crate else {
             let error = forbidden(
                 "Trusted Publishing tokens do not support creating new crates. Publish the crate manually, first",

src/middleware/log_request.rs

@@ -12,8 +12,9 @@ use axum::response::IntoResponse;
 use axum_extra::TypedHeader;
 use axum_extra::headers::UserAgent;
 use derive_more::Deref;
-use http::{Method, Uri};
+use http::{Method, Uri, header};
 use parking_lot::Mutex;
+use sha2::{Digest, Sha256};
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::fmt::Display;
@@ -48,6 +49,16 @@ pub async fn log_requests(
     let custom_metadata = RequestLog::default();
     req.extensions_mut().insert(custom_metadata.clone());
 
+    // Log all authorization headers via hashed mask
+    let hashed_auth_header = req
+        .headers()
+        .get(header::AUTHORIZATION)
+        .map(|header| hex::encode(Sha256::digest(header.as_bytes())));
+    let hashed_cookie_header = req
+        .headers()
+        .get(header::COOKIE)
+        .map(|header| hex::encode(Sha256::digest(header.as_bytes())));
+
     let response = next.run(req).await;
 
     let duration = start_instant.elapsed();
@@ -83,6 +94,8 @@ pub async fn log_requests(
         http.matched_path = %matched_path,
         http.request_id = %request_metadata.request_id.as_ref().map(|h| h.as_str()).unwrap_or_default(),
         http.useragent = %request_metadata.user_agent.as_ref().map(|h| h.as_str()).unwrap_or_default(),
+        http.request.headers.hashed_authorization = hashed_auth_header.unwrap_or_default(),
+        http.request.headers.hashed_cookie = hashed_cookie_header.unwrap_or_default(),
         http.status_code = status.as_u16(),
         cause = response.extensions().get::<CauseField>().map(|e| e.0.as_str()).unwrap_or_default(),
         error.message = response.extensions().get::<ErrorField>().map(|e| e.0.as_str()).unwrap_or_default(),