adding logs whenever client uses token which is security best practice

Author: mbpavan

pkg/provider/bitbucketcloud/bitbucket.go

@@ -203,12 +203,16 @@ func (v *Provider) SetClient(_ context.Context, run *params.Run, event *info.Eve
 		return fmt.Errorf("no git_provider.user has been in repo crd")
 	}
 	v.bbClient = bitbucket.NewBasicAuth(event.Provider.User, event.Provider.Token)
+	// Added log for security audit purposes to log client access when a token is used
+	v.Logger.Infof("bitbucket-cloud: initialized client with provided token for user=%s", event.Provider.User)
+
 	v.Token = &event.Provider.Token
 	v.Username = &event.Provider.User
 	v.run = run
 	v.eventEmitter = eventEmitter
 	v.repo = repo
 	v.triggerEvent = event.EventType
+
 	return nil
 }
 

pkg/provider/bitbucketcloud/bitbucket_test.go

@@ -137,7 +137,9 @@ func TestSetClient(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx, _ := rtesting.SetupFakeContext(t)
-			v := Provider{}
+			observer, _ := zapobserver.New(zap.InfoLevel)
+			logger := zap.New(observer).Sugar()
+			v := Provider{Logger: logger}
 			err := v.SetClient(ctx, nil, tt.event, nil, nil)
 			if tt.wantErrSubstr != "" {
 				assert.ErrorContains(t, err, tt.wantErrSubstr)

pkg/provider/bitbucketdatacenter/bitbucketdatacenter.go

@@ -307,6 +307,9 @@ func (v *Provider) SetClient(ctx context.Context, run *params.Run, event *info.E
 			},
 		}
 		v.client = client
+
+		// Added for security audit purposes to log client access when a token is used
+		v.Logger.Infof("bitbucket-datacenter: initialized client with provided token for user=%s providerURL=%s", event.Provider.User, event.Provider.URL)
 	}
 	v.run = run
 	v.repo = repo

pkg/provider/bitbucketdatacenter/bitbucketdatacenter_test.go

@@ -362,13 +362,15 @@ func TestSetClient(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
+			observer, _ := zapobserver.New(zap.InfoLevel)
+			logger := zap.New(observer).Sugar()
 			ctx, _ := rtesting.SetupFakeContext(t)
 			client, mux, tearDown, tURL := bbtest.SetupBBDataCenterClient()
 			defer tearDown()
 			if tt.muxUser != nil {
 				mux.HandleFunc("/users/foo", tt.muxUser)
 			}
-			v := &Provider{client: client, baseURL: tURL}
+			v := &Provider{client: client, baseURL: tURL, Logger: logger}
 			err := v.SetClient(ctx, nil, tt.opts, nil, nil)
 			if tt.wantErrSubstr != "" {
 				assert.ErrorContains(t, err, tt.wantErrSubstr)

pkg/provider/gitea/gitea.go

@@ -159,6 +159,10 @@ func (v *Provider) SetClient(_ context.Context, run *params.Run, runevent *info.
 	if err != nil {
 		return err
 	}
+
+	// Added log for security audit purposes to log client access when a token is used
+	v.Logger.Infof("gitea: initialized API client with provided credentials user=%s providerURL=%s", runevent.Provider.User, apiURL)
+
 	v.giteaInstanceURL = runevent.Provider.URL
 	v.eventEmitter = emitter
 	v.repo = repo

pkg/provider/github/github.go

@@ -301,6 +301,13 @@ func (v *Provider) SetClient(ctx context.Context, run *params.Run, event *info.E
 		return fmt.Errorf("no github client has been initialized")
 	}
 
+	// Added log for security audit purposes to log client access when a token is used
+	integration := "github-webhook"
+	if event.InstallationID != 0 {
+		integration = "github-app"
+	}
+	v.Logger.Infof(integration+": initialized OAuth2 client for providerName=%s providerURL=%s", v.providerName, event.Provider.URL)
+
 	v.APIURL = apiURL
 
 	if event.Provider.WebhookSecretFromRepo {

pkg/provider/github/github_test.go

@@ -663,7 +663,9 @@ func TestGithubSetClient(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			ctx, _ := rtesting.SetupFakeContext(t)
-			v := Provider{}
+			observer, _ := zapobserver.New(zap.InfoLevel)
+			logger := zap.New(observer).Sugar()
+			v := Provider{Logger: logger}
 			err := v.SetClient(ctx, nil, tt.event, nil, nil)
 			assert.NilError(t, err)
 			assert.Equal(t, tt.expectedURL, *v.APIURL)

pkg/provider/gitlab/gitlab.go

@@ -201,6 +201,7 @@ func (v *Provider) SetClient(_ context.Context, run *params.Run, runevent *info.
 	}
 	v.Token = &runevent.Provider.Token
 
+	v.Logger.Infof("gitlab: initialized for client with token for apiURL=%s, org=%s, repo=%s)", apiURL, runevent.Organization, runevent.Repository)
 	// In a scenario where the source repository is forked and a merge request (MR) is created on the upstream
 	// repository, runevent.SourceProjectID will not be 0 when SetClient is called from the pac-watcher code.
 	// This is because, in the controller, SourceProjectID is set in the annotation of the pull request,

pkg/provider/gitlab/gitlab_test.go

@@ -260,12 +260,14 @@ func TestGetConfig(t *testing.T) {
 
 func TestSetClient(t *testing.T) {
 	ctx, _ := rtesting.SetupFakeContext(t)
+	observer, _ := zapobserver.New(zap.InfoLevel)
+	fakelogger := zap.New(observer).Sugar()
 	v := &Provider{}
 	assert.Assert(t, v.SetClient(ctx, nil, info.NewEvent(), nil, nil) != nil)
 
 	client, _, tearDown := thelp.Setup(t)
 	defer tearDown()
-	vv := &Provider{gitlabClient: client}
+	vv := &Provider{gitlabClient: client, Logger: fakelogger}
 	err := vv.SetClient(ctx, nil, &info.Event{
 		Provider: &info.Provider{
 			Token: "hello",
@@ -277,6 +279,8 @@ func TestSetClient(t *testing.T) {
 
 func TestSetClientDetectAPIURL(t *testing.T) {
 	ctx, _ := rtesting.SetupFakeContext(t)
+	observer, _ := zapobserver.New(zap.InfoLevel)
+	fakelogger := zap.New(observer).Sugar()
 	mockClient, _, tearDown := thelp.Setup(t)
 	defer tearDown()
 
@@ -381,6 +385,7 @@ func TestSetClientDetectAPIURL(t *testing.T) {
 				gitlabClient:      mockClient, // Use the shared mock client
 				repoURL:           tc.repoURL,
 				pathWithNamespace: tc.pathWithNamespace,
+				Logger:            fakelogger,
 			}
 			event := info.NewEvent()
 			event.Provider.Token = tc.providerToken

pkg/reconciler/reconciler_test.go

@@ -66,7 +66,8 @@ func TestReconciler_ReconcileKind(t *testing.T) {
 	defer teardown()
 
 	vcx := &ghprovider.Provider{
-		Token: github.Ptr("None"),
+		Token:  github.Ptr("None"),
+		Logger: fakelogger,
 	}
 
 	vcx.SetGithubClient(fakeclient)