dadrus · dadrus · Apr 4, 2024 · Apr 5, 2024 · Apr 5, 2024 · Apr 9, 2024
diff --git a/internal/accesscontext/access_context.go b/internal/accesscontext/access_context.go
@@ -18,13 +18,15 @@ package accesscontext
 
 import (
 	"context"
+
+	"github.com/dadrus/heimdall/internal/subject"
 )
 
 type ctxKey struct{}
 
 type accessContext struct {
 	err     error
-	subject string
+	subject subject.Subject
 }
 
 func New(ctx context.Context) context.Context {
@@ -45,16 +47,16 @@ func SetError(ctx context.Context, err error) {
 	}
 }
 
-func Subject(ctx context.Context) string {
+func Subject(ctx context.Context) subject.Subject {
 	if c, ok := ctx.Value(ctxKey{}).(*accessContext); ok {
 		return c.subject
 	}
 
-	return ""
+	return subject.Subject{}
 }
 
-func SetSubject(ctx context.Context, subject string) {
+func SetSubject(ctx context.Context, sub subject.Subject) {
 	if c, ok := ctx.Value(ctxKey{}).(*accessContext); ok {
-		c.subject = subject
+		c.subject = sub
 	}
 }
diff --git a/internal/handler/middleware/grpc/accesslog/interceptor.go b/internal/handler/middleware/grpc/accesslog/interceptor.go
@@ -110,22 +110,29 @@ func (i *accessLogInterceptor) finalizeTransaction(
 func logAccessStatus(ctx context.Context, event *zerolog.Event, err error) *zerolog.Event {
 	subject := accesscontext.Subject(ctx)
 	accessErr := accesscontext.Error(ctx)
+	dict := zerolog.Dict()
+
+	if len(subject) != 0 {
+		for _, v := range subject {
+			dict = dict.Str("id", v.ID)
+		}
+	}
 
 	switch {
 	case err != nil:
 		if len(subject) != 0 {
-			event.Str("_subject", subject)
+			event.Dict("_subject", dict)
 		}
 
 		event.Err(err).Bool("_access_granted", false)
 	case accessErr != nil:
 		if len(subject) != 0 {
-			event.Str("_subject", subject)
+			event.Dict("_subject", dict)
 		}
 
 		event.Err(accessErr).Bool("_access_granted", false)
 	default:
-		event.Str("_subject", subject).Bool("_access_granted", true)
+		event.Dict("_subject", dict).Bool("_access_granted", true)
 	}
 
 	return event

diff --git a/internal/handler/middleware/grpc/accesslog/interceptor_test.go b/internal/handler/middleware/grpc/accesslog/interceptor_test.go
@@ -46,6 +46,7 @@ import (
 
 	"github.com/dadrus/heimdall/internal/accesscontext"
 	mocks2 "github.com/dadrus/heimdall/internal/handler/middleware/grpc/mocks"
+	"github.com/dadrus/heimdall/internal/subject"
 	"github.com/dadrus/heimdall/internal/x/testsupport"
 )
 
@@ -76,7 +77,7 @@ func TestAccessLogInterceptorForKnownService(t *testing.T) {
 				m.On("Check",
 					mock.MatchedBy(
 						func(ctx context.Context) bool {
-							accesscontext.SetSubject(ctx, "foo")
+							accesscontext.SetSubject(ctx, subject.Subject{"Subject": &subject.Principal{ID: "foo"}})
 
 							return true
 						},
@@ -112,7 +113,7 @@ func TestAccessLogInterceptorForKnownService(t *testing.T) {
 				assert.Equal(t, logEvent1["_trace_id"], logEvent2["_trace_id"])
 				assert.Equal(t, logEvent1["_parent_id"], logEvent2["_parent_id"])
 				assert.Equal(t, true, logEvent2["_access_granted"]) //nolint:testifylint
-				assert.Equal(t, "foo", logEvent2["_subject"])
+				assert.Equal(t, map[string]any{"id": "foo"}, logEvent2["_subject"])
 				assert.InDelta(t, float64(codes.OK), logEvent2["_grpc_status_code"], 0.001)
 				assert.Equal(t, "TX finished", logEvent2["message"])
 			},
@@ -184,7 +185,7 @@ func TestAccessLogInterceptorForKnownService(t *testing.T) {
 				m.On("Check",
 					mock.MatchedBy(
 						func(ctx context.Context) bool {
-							accesscontext.SetSubject(ctx, "bar")
+							accesscontext.SetSubject(ctx, subject.Subject{"Subject": &subject.Principal{ID: "bar"}})
 							accesscontext.SetError(ctx, errors.New("test error"))
 
 							return true
@@ -221,7 +222,7 @@ func TestAccessLogInterceptorForKnownService(t *testing.T) {
 				assert.Equal(t, logEvent1["_trace_id"], logEvent2["_trace_id"])
 				assert.Equal(t, logEvent1["_parent_id"], logEvent2["_parent_id"])
 				assert.Equal(t, false, logEvent2["_access_granted"]) //nolint:testifylint
-				assert.Equal(t, "bar", logEvent2["_subject"])
+				assert.Equal(t, map[string]any{"id": "bar"}, logEvent2["_subject"])
 				assert.Equal(t, "test error", logEvent2["error"])
 				assert.InDelta(t, float64(codes.OK), logEvent2["_grpc_status_code"], 0.001)
 				assert.Equal(t, "TX finished", logEvent2["message"])
@@ -275,11 +276,11 @@ func TestAccessLogInterceptorForKnownService(t *testing.T) {
 			// THEN
 			srv.Stop()
 
-			events := strings.Split(tb.CollectedLog(), "}")
-			require.Len(t, events, 3)
+			events := strings.Split(tb.CollectedLog(), "}{")
+			require.Len(t, events, 2)
 
 			require.NoError(t, json.Unmarshal([]byte(events[0]+"}"), &logLine1))
-			require.NoError(t, json.Unmarshal([]byte(events[1]+"}"), &logLine2))
+			require.NoError(t, json.Unmarshal([]byte("{"+events[1]), &logLine2))
 
 			tc.assert(t, logLine1, logLine2)
 			handler.AssertExpectations(t)

diff --git a/internal/handler/middleware/http/accesslog/handler.go b/internal/handler/middleware/http/accesslog/handler.go
@@ -74,7 +74,12 @@ func logAccessStatus(ctx context.Context, event *zerolog.Event, statusCode int)
 	err := accesscontext.Error(ctx)
 
 	if len(subject) != 0 {
-		event.Str("_subject", subject)
+		dict := zerolog.Dict()
+		for _, v := range subject {
+			dict = dict.Str("id", v.ID)
+		}
+
+		event.Dict("_subject", dict)
 	}
 
 	if err != nil || statusCode >= 300 {

diff --git a/internal/handler/middleware/http/accesslog/handler_test.go b/internal/handler/middleware/http/accesslog/handler_test.go
@@ -37,6 +37,7 @@ import (
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/dadrus/heimdall/internal/accesscontext"
+	"github.com/dadrus/heimdall/internal/subject"
 	"github.com/dadrus/heimdall/internal/x/testsupport"
 )
 
@@ -63,7 +64,7 @@ func TestHandlerExecution(t *testing.T) {
 			handleRequest: func(t *testing.T, rw http.ResponseWriter, req *http.Request) {
 				t.Helper()
 
-				accesscontext.SetSubject(req.Context(), "foo")
+				accesscontext.SetSubject(req.Context(), subject.Subject{"Subject": &subject.Principal{ID: "foo"}})
 				rw.WriteHeader(http.StatusOK)
 			},
 			assert: func(t *testing.T, clientReq *http.Request, logEvent1, logEvent2 map[string]any) {
@@ -100,7 +101,7 @@ func TestHandlerExecution(t *testing.T) {
 				assert.Contains(t, logEvent2, "_body_bytes_sent")
 				assert.InDelta(t, float64(http.StatusOK), logEvent2["_http_status_code"], 0.001)
 				assert.Equal(t, true, logEvent2["_access_granted"]) //nolint:testifylint
-				assert.Equal(t, "foo", logEvent2["_subject"])
+				assert.Equal(t, map[string]any{"id": "foo"}, logEvent2["_subject"])
 				assert.Contains(t, logEvent2, "_http_user_agent")
 				assert.Equal(t, "TX finished", logEvent2["message"])
 			},
@@ -182,7 +183,7 @@ func TestHandlerExecution(t *testing.T) {
 			handleRequest: func(t *testing.T, rw http.ResponseWriter, req *http.Request) {
 				t.Helper()
 
-				accesscontext.SetSubject(req.Context(), "bar")
+				accesscontext.SetSubject(req.Context(), subject.Subject{"Subject": &subject.Principal{ID: "foo"}})
 				accesscontext.SetError(req.Context(), errors.New("test error"))
 				rw.WriteHeader(http.StatusUnauthorized)
 			},
@@ -220,7 +221,7 @@ func TestHandlerExecution(t *testing.T) {
 				assert.Contains(t, logEvent2, "_body_bytes_sent")
 				assert.InDelta(t, float64(http.StatusUnauthorized), logEvent2["_http_status_code"], 0.001)
 				assert.Equal(t, false, logEvent2["_access_granted"]) //nolint:testifylint
-				assert.Equal(t, "bar", logEvent2["_subject"])
+				assert.Equal(t, map[string]any{"id": "foo"}, logEvent2["_subject"])
 				assert.Equal(t, "test error", logEvent2["error"])
 				assert.Contains(t, logEvent2, "_http_user_agent")
 				assert.Equal(t, "TX finished", logEvent2["message"])
@@ -233,7 +234,7 @@ func TestHandlerExecution(t *testing.T) {
 			handleRequest: func(t *testing.T, rw http.ResponseWriter, req *http.Request) {
 				t.Helper()
 
-				accesscontext.SetSubject(req.Context(), "bar")
+				accesscontext.SetSubject(req.Context(), subject.Subject{"Subject": &subject.Principal{ID: "bar"}})
 				rw.WriteHeader(http.StatusSeeOther)
 			},
 			assert: func(t *testing.T, clientReq *http.Request, logEvent1, logEvent2 map[string]any) {
@@ -270,7 +271,7 @@ func TestHandlerExecution(t *testing.T) {
 				assert.Contains(t, logEvent2, "_body_bytes_sent")
 				assert.InDelta(t, float64(http.StatusSeeOther), logEvent2["_http_status_code"], 0.001)
 				assert.Equal(t, false, logEvent2["_access_granted"]) //nolint:testifylint
-				assert.Equal(t, "bar", logEvent2["_subject"])
+				assert.Equal(t, map[string]any{"id": "bar"}, logEvent2["_subject"])
 				assert.Contains(t, logEvent2, "_http_user_agent")
 				assert.Equal(t, "TX finished", logEvent2["message"])
 			},
@@ -320,16 +321,16 @@ func TestHandlerExecution(t *testing.T) {
 			require.NoError(t, err)
 			require.NoError(t, resp.Body.Close())
 
-			events := strings.Split(tb.CollectedLog(), "}")
-			require.Len(t, events, 3)
+			events := strings.Split(tb.CollectedLog(), "}{")
+			require.Len(t, events, 2)
 
 			var (
 				logLine1 map[string]any
 				logLine2 map[string]any
 			)
 
 			require.NoError(t, json.Unmarshal([]byte(events[0]+"}"), &logLine1))
-			require.NoError(t, json.Unmarshal([]byte(events[1]+"}"), &logLine2))
+			require.NoError(t, json.Unmarshal([]byte("{"+events[1]), &logLine2))
 
 			tc.assert(t, req, logLine1, logLine2)
 		})

diff --git a/internal/heimdall/mocks/context.go b/internal/heimdall/mocks/context.go
diff --git a/internal/heimdall/mocks/jwt_signer.go b/internal/heimdall/mocks/jwt_signer.go