From 9f2be64cc31d0a391c2e268c25c33fab7f67575d Mon Sep 17 00:00:00 2001
From: Ramon de Klein
Date: Mon, 13 Jan 2025 15:10:44 +0100
Subject: [PATCH] Log failed Vault authentication attempts

---
 internal/keystore/vault/vault.go | 25 +++++++++++++++++++++++++
 kesconf/config.go                |  2 +-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/internal/keystore/vault/vault.go b/internal/keystore/vault/vault.go
index 1f226189..3e438182 100644
--- a/internal/keystore/vault/vault.go
+++ b/internal/keystore/vault/vault.go
@@ -17,6 +17,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"log/slog"
 	"net/http"
 	"os"
 	"path"
@@ -139,6 +140,30 @@ func Connect(ctx context.Context, c *Config) (*Store, error) {
 		authenticate = client.AuthenticateWithK8S(c.K8S)
 	}
 
+	// log authentication events
+	lastAuthSuccess := false
+	authenticate = func(ctx context.Context) (*vaultapi.Secret, error) {
+		secret, err := authenticate(ctx)
+		if err != nil {
+			if lastAuthSuccess {
+				slog.Info("Authentication failed (not logged anymore until next successful authentication)", slog.String("error", err.Error()))
+				lastAuthSuccess = false
+			}
+		} else {
+			if c.Verbose {
+				obfuscatedToken := secret.Auth.ClientToken
+				if len(obfuscatedToken) > 10 {
+					obfuscatedToken = obfuscatedToken[:2] + "***" + obfuscatedToken[len(obfuscatedToken)-4:]
+				} else {
+					obfuscatedToken = "***"
+				}
+				slog.Info("Authentication successful", slog.String("token", obfuscatedToken))
+			}
+			lastAuthSuccess = true
+		}
+		return secret, err
+	}
+
 	auth, err := authenticate(ctx)
 	if err != nil {
 		return nil, err
diff --git a/kesconf/config.go b/kesconf/config.go
index 3234c0b9..eb4603d8 100644
--- a/kesconf/config.go
+++ b/kesconf/config.go
@@ -122,7 +122,7 @@ type ymlFile struct {
 			Ping env[time.Duration] `yaml:"ping"`
 		} `yaml:"status"`
 
-		Verbose bool `yaml:"verbose"`
+		Verbose env[bool] `yaml:"verbose"`
 	} `yaml:"vault"`
 
 	Fortanix *struct {
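Review bot: The wrapper assigned at `authenticate = func(ctx context.Context) (*vaultapi.Secret, error) {` calls `authenticate(ctx)` on its first line, but a Go closure captures the variable rather than its value, so after the assignment that call reaches the wrapper itself and the first invocation at `auth, err := authenticate(ctx)` recurses until the stack overflows. Capture the original before wrapping, `inner := authenticate`, and call `secret, err := inner(ctx)` inside the closure. A failed authentication is a security-relevant event that operators filter for, so it belongs at `slog.Warn` rather than `slog.Info`, and `obfuscatedToken := secret.Auth.ClientToken` dereferences `secret.Auth` without a nil check, while whether the wrapped authenticators guarantee a non-nil Auth on success cannot be seen from the hunk. `lastAuthSuccess` is also read and written without synchronization; if the closure is later invoked from a token-renewal goroutine as well as from Connect, that is a data race. Connect's body continues outside the hunk.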