Merge pull request 'log access keys' (#1122) from 1686a/log-access-key into main-v1

Reviewed-on: https://git.deuxfleurs.fr/Deuxfleurs/garage/pulls/1122
2026-05-05 19:36:10 +02:00 · 2025-08-27 16:18:16 +00:00 · 2025-08-27 16:18:16 +00:00 · d64498c3d3
commit d64498c3d3
parent 5448012b27 b340599e68
4 changed files with 32 additions and 12 deletions
--- a/src/api/common/generic_server.rs
+++ b/src/api/common/generic_server.rs
@ -33,6 +33,7 @@ use garage_util::metrics::{gen_trace_id, RecordDuration};
 use garage_util::socket_address::UnixOrTCPSocketAddress;

 use crate::helpers::{BoxBody, ErrorBody};
+use crate::signature::payload::Authorization;

 pub trait ApiEndpoint: Send + Sync + 'static {
 	fn name(&self) -> &'static str;
@ -58,6 +59,12 @@ pub trait ApiHandler: Send + Sync + 'static {
 		req: Request<IncomingBody>,
 		endpoint: Self::Endpoint,
 	) -> impl Future<Output = Result<Response<BoxBody<Self::Error>>, Self::Error>> + Send;
+
+	/// Returns the key id used to authenticate this request. The ID returned must be safe to
+	/// log.
+	fn key_id_from_request(&self, req: &Request<IncomingBody>) -> Option<String> {
+		None
+	}
 }

 pub struct ApiServer<A: ApiHandler> {
@ -142,19 +149,20 @@ impl<A: ApiHandler> ApiServer<A> {
 	) -> Result<Response<BoxBody<A::Error>>, http::Error> {
 		let uri = req.uri().clone();

-		if let Ok(forwarded_for_ip_addr) =
+		let source = if let Ok(forwarded_for_ip_addr) =
 			forwarded_headers::handle_forwarded_for_headers(req.headers())
 		{
-			info!(
-				"{} (via {}) {} {}",
-				forwarded_for_ip_addr,
-				addr,
-				req.method(),
-				uri
-			);
+			format!("{forwarded_for_ip_addr} (via {addr})")
 		} else {
-			info!("{} {} {}", addr, req.method(), uri);
-		}
+			format!("{addr}")
+		};
+		// we only do this to log the access key, so we can discard any error
+		let key = self
+			.api_handler
+			.key_id_from_request(&req)
+			.map(|k| format!("(key {k}) "))
+			.unwrap_or_default();
+		info!("{source} {key}{} {uri}", req.method());
 		debug!("{:?}", req);

 		let tracer = opentelemetry::global::tracer("garage");
--- a/src/api/common/signature/payload.rs
+++ b/src/api/common/signature/payload.rs
@ -417,7 +417,7 @@ pub async fn verify_v4(
 // ============ Authorization header, or X-Amz-* query params =========

 pub struct Authorization {
-	key_id: String,
+	pub key_id: String,
 	scope: String,
 	signed_headers: String,
 	signature: String,
@ -426,7 +426,7 @@ pub struct Authorization {
 }

 impl Authorization {
-	fn parse_header(headers: &HeaderMap) -> Result<Self, Error> {
+	pub fn parse_header(headers: &HeaderMap) -> Result<Self, Error> {
 		let authorization = headers
 			.get(AUTHORIZATION)
 			.ok_or_bad_request("Missing authorization header")?
--- a/src/api/k2v/api_server.rs
+++ b/src/api/k2v/api_server.rs
@ -176,6 +176,12 @@ impl ApiHandler for K2VApiServer {

 		Ok(resp_ok)
 	}
+
+	fn key_id_from_request(&self, req: &Request<IncomingBody>) -> Option<String> {
+		garage_api_common::signature::payload::Authorization::parse_header(req.headers())
+			.map(|auth| auth.key_id)
+			.ok()
+	}
 }

 impl ApiEndpoint for K2VApiEndpoint {
--- a/src/api/s3/api_server.rs
+++ b/src/api/s3/api_server.rs
@ -343,6 +343,12 @@ impl ApiHandler for S3ApiServer {

 		Ok(resp_ok)
 	}
+
+	fn key_id_from_request(&self, req: &Request<IncomingBody>) -> Option<String> {
+		garage_api_common::signature::payload::Authorization::parse_header(req.headers())
+			.map(|auth| auth.key_id)
+			.ok()
+	}
 }

 impl ApiEndpoint for S3ApiEndpoint {