feat(jans-cedarling): add to decision log diagnostic info

docs/cedarling/cedarling-logs.md

@@ -95,6 +95,15 @@ Example of decision log.
     "Workload": {
         "org_id": "some_long_id"
     },
+    "diagnostics": {
+        "reason": [
+            {
+                "id": "840da5d85403f35ea76519ed1a18a33989f855bf1cf8",
+                "description": "policy for user"
+            }
+        ],
+        "errors": []
+    },
     "lock_client_id": null,
     "action": "Jans::Action::\"Update\"",
     "resource": "Jans::Issue::\"random_id\"",

jans-cedarling/cedarling/src/authz/mod.rs

@@ -21,8 +21,9 @@ use crate::jwt::{self, TokenStr};
 
 use crate::log::interface::LogWriter;
 use crate::log::{
-    AuthorizationLogInfo, BaseLogEntry, DecisionLogEntry, Diagnostics, LogEntry, LogLevel,
-    LogTokensInfo, LogType, Logger, PrincipalLogEntry, UserAuthorizeInfo, WorkloadAuthorizeInfo,
+    AuthorizationLogInfo, BaseLogEntry, DecisionLogEntry, Diagnostics, DiagnosticsRefs, LogEntry,
+    LogLevel, LogTokensInfo, LogType, Logger, PrincipalLogEntry, UserAuthorizeInfo,
+    WorkloadAuthorizeInfo,
 };
 
 mod authorize_result;
@@ -266,27 +267,13 @@ impl Authz {
         let entities_json: serde_json::Value = serde_json::from_slice(entities_raw_json.as_slice())
             .map_err(AuthorizeError::EntitiesToJson)?;
 
-        // DEBUG LOG
-        // Log all result information about both authorize checks.
-        // Where principal is `"Jans::Workload"` and where principal is `"Jans::User"`.
-        self.config.log_service.as_ref().log(
-            LogEntry::new_with_data(
-                self.config.pdp_id,
-                Some(self.config.application_name.clone()),
-                LogType::System,
-            )
-            .set_level(LogLevel::DEBUG)
-            .set_auth_info(AuthorizationLogInfo {
-                action: request.action.clone(),
-                context: request.context.clone(),
-                resource: resource_uid.to_string(),
-                entities: entities_json,
-                person_authorize_info: user_authz_info,
-                workload_authorize_info: workload_authz_info,
-                authorized: result.decision,
-            })
-            .set_message("Result of authorize.".to_string()),
-        );
+        let user_authz_diagnostic = user_authz_info
+            .as_ref()
+            .map(|auth_info| &auth_info.diagnostics);
+
+        let workload_authz_diagnostic = user_authz_info
+            .as_ref()
+            .map(|auth_info| &auth_info.diagnostics);
 
         let tokens_logging_info = LogTokensInfo {
             access: tokens.access_token.as_ref().map(|tkn| {
@@ -316,6 +303,7 @@ impl Authz {
         };
 
         // Decision log
+        // we log decision log before debug log, to avoid cloning diagnostic info
         self.config.log_service.as_ref().log_any(&DecisionLogEntry {
             base: BaseLogEntry::new(self.config.pdp_id, LogType::Decision),
             policystore_id: self.config.policy_store.id.as_str(),
@@ -329,8 +317,34 @@ impl Authz {
             decision: result.decision.into(),
             tokens: tokens_logging_info,
             decision_time_ms: elapsed_ms,
+            diagnostics: DiagnosticsRefs::new(&[
+                &user_authz_diagnostic,
+                &workload_authz_diagnostic,
+            ]),
         });
 
+        // DEBUG LOG
+        // Log all result information about both authorize checks.
+        // Where principal is `"Jans::Workload"` and where principal is `"Jans::User"`.
+        self.config.log_service.as_ref().log(
+            LogEntry::new_with_data(
+                self.config.pdp_id,
+                Some(self.config.application_name.clone()),
+                LogType::System,
+            )
+            .set_level(LogLevel::DEBUG)
+            .set_auth_info(AuthorizationLogInfo {
+                action: request.action.clone(),
+                context: request.context.clone(),
+                resource: resource_uid.to_string(),
+                entities: entities_json,
+                person_authorize_info: user_authz_info,
+                workload_authorize_info: workload_authz_info,
+                authorized: result.decision,
+            })
+            .set_message("Result of authorize.".to_string()),
+        );
+
         Ok(result)
     }
 

jans-cedarling/cedarling/src/log/log_entry.rs

@@ -236,6 +236,37 @@ pub struct Diagnostics {
     pub errors: Vec<PolicyEvaluationError>,
 }
 
+/// DiagnosticsRefs structure actually same as Diagnostics but hold reference on data
+/// And allows to not clone data.
+/// Usefull for logging.
+#[derive(Debug, Default, Clone, PartialEq, serde::Serialize)]
+pub struct DiagnosticsRefs<'a> {
+    /// `PolicyId`s of the policies that contributed to the decision.
+    /// If no policies applied to the request, this set will be empty.
+    pub reason: HashSet<&'a PolicyInfo>,
+    /// Errors that occurred during authorization. The errors should be
+    /// treated as unordered, since policies may be evaluated in any order.
+    pub errors: Vec<&'a PolicyEvaluationError>,
+}
+
+impl DiagnosticsRefs<'_> {
+    pub fn new<'a>(diagnostics: &[&'a Option<&Diagnostics>]) -> DiagnosticsRefs<'a> {
+        let policy_info_iter = diagnostics
+            .iter()
+            .filter_map(|diagnostic_opt| diagnostic_opt.map(|diagnostic| &diagnostic.reason))
+            .flatten();
+        let diagnostic_err_iter = diagnostics
+            .iter()
+            .filter_map(|diagnostic_opt| diagnostic_opt.map(|diagnostic| &diagnostic.errors))
+            .flatten();
+
+        DiagnosticsRefs {
+            reason: HashSet::from_iter(policy_info_iter),
+            errors: diagnostic_err_iter.collect(),
+        }
+    }
+}
+
 /// Policy diagnostic info
 #[derive(Debug, Default, Clone, Eq, PartialEq, serde::Serialize, serde::Deserialize)]
 pub struct PolicyInfo {
@@ -296,6 +327,8 @@ pub struct DecisionLogEntry<'a> {
     /// If this Cedarling has registered with a Lock Server, what is the client_id it received
     #[serde(skip_serializing_if = "Option::is_none")]
     pub lock_client_id: Option<String>,
+    /// diagnostic info about policy and errors as result of cedarling
+    pub diagnostics: DiagnosticsRefs<'a>,
     /// action UID for request
     pub action: String,
     /// resource UID for request