Log always the token, even on errors.

5 years ago · 1c7155298b
parent adbc496b40
commit 1c7155298b
1 changed files with 13 additions and 6 deletions
--- a/api/api.go
+++ b/api/api.go
@ -259,6 +259,8 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
 		WriteError(w, BadRequest(errors.Wrap(err, "error reading request body")))
 		return
 	}
+
+	logOtt(w, body.OTT)
 	if err := body.Validate(); err != nil {
 		WriteError(w, err)
 		return
@ -282,7 +284,7 @@ func (h *caHandler) Sign(w http.ResponseWriter, r *http.Request) {
 	}

 	w.WriteHeader(http.StatusCreated)
-	logCertificate(w, cert, body.OTT)
+	logCertificate(w, cert)
 	JSON(w, &SignResponse{
 		ServerPEM:  Certificate{cert},
 		CaPEM:      Certificate{root},
@ -305,7 +307,7 @@ func (h *caHandler) Renew(w http.ResponseWriter, r *http.Request) {
 	}

 	w.WriteHeader(http.StatusCreated)
-	logCertificate(w, cert, "")
+	logCertificate(w, cert)
 	JSON(w, &SignResponse{
 		ServerPEM:  Certificate{cert},
 		CaPEM:      Certificate{root},
@ -389,7 +391,15 @@ type stepProvisioner struct {
 	CredentialID []byte
 }

-func logCertificate(w http.ResponseWriter, cert *x509.Certificate, token string) {
+func logOtt(w http.ResponseWriter, token string) {
+	if rl, ok := w.(logging.ResponseLogger); ok {
+		rl.WithFields(map[string]interface{}{
+			"ott": token,
+		})
+	}
+}
+
+func logCertificate(w http.ResponseWriter, cert *x509.Certificate) {
 	if rl, ok := w.(logging.ResponseLogger); ok {
 		m := map[string]interface{}{
 			"serial":      cert.SerialNumber,
@ -400,9 +410,6 @@ func logCertificate(w http.ResponseWriter, cert *x509.Certificate, token string)
 			"public-key":  fmtPublicKey(cert),
 			"certificate": base64.StdEncoding.EncodeToString(cert.Raw),
 		}
-		if len(token) > 0 {
-			m["ott"] = token
-		}
 		for _, ext := range cert.Extensions {
 			if ext.Id.Equal(oidStepProvisioner) {
 				val := &stepProvisioner{}