Log failed Vault authentication attempts

minio · Jan 13, 2025 · 9f2be64 · 9f2be64
1 parent 2599d7e
commit 9f2be64
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go
@@ -17,6 +17,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"os"
 	"path"
@@ -139,6 +140,30 @@ func Connect(ctx context.Context, c *Config) (*Store, error) {
 		authenticate = client.AuthenticateWithK8S(c.K8S)
 	}
 
+	// log authentication events
+	lastAuthSuccess := false
+	authenticate = func(ctx context.Context) (*vaultapi.Secret, error) {
+		secret, err := authenticate(ctx)
+		if err != nil {
+			if lastAuthSuccess {
+				slog.Info("Authentication failed (not logged anymore until next successful authentication)", slog.String("error", err.Error()))
+				lastAuthSuccess = false
+			}
+		} else {
+			if c.Verbose {
+				obfuscatedToken := secret.Auth.ClientToken
+				if len(obfuscatedToken) > 10 {
+					obfuscatedToken = obfuscatedToken[:2] + "***" + obfuscatedToken[len(obfuscatedToken)-4:]
+				} else {
+					obfuscatedToken = "***"
+				}
+				slog.Info("Authentication successful", slog.String("token", obfuscatedToken))
+			}
+			lastAuthSuccess = true
+		}
+		return secret, err
+	}
+
 	auth, err := authenticate(ctx)
 	if err != nil {
 		return nil, err

diff --git a/kesconf/config.go b/kesconf/config.go
@@ -122,7 +122,7 @@ type ymlFile struct {
 				Ping env[time.Duration] `yaml:"ping"`
 			} `yaml:"status"`
 
-			Verbose bool `yaml:"verbose"`
+			Verbose env[bool] `yaml:"verbose"`
 		} `yaml:"vault"`
 
 		Fortanix *struct {