log failed access

pkg/rbac/entities/entities.go

@@ -2,6 +2,7 @@ package entities
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 
 	"github.com/el-mike/restrict/v2"
@@ -39,6 +40,7 @@ func SubjectFrom(ctx context.Context) Subject {
 }
 
 type Subject interface {
+	fmt.Stringer
 	restrict.Subject
 	GetName() string
 }
@@ -63,6 +65,10 @@ func (s *PublicSubject) GetName() string {
 	return "PUBLIC:" + s.RemoteAddr
 }
 
+func (s *PublicSubject) String() string {
+	return s.GetName()
+}
+
 func (s *PublicSubject) GetRoles() []string {
 	return []string{RolePublic}
 }
@@ -79,6 +85,10 @@ func (s *SystemServiceSubject) GetName() string {
 	return "SYSTEM:" + s.Name
 }
 
+func (s *SystemServiceSubject) String() string {
+	return s.GetName()
+}
+
 func (s *SystemServiceSubject) GetRoles() []string {
 	return []string{RoleSystem}
 }

pkg/rbac/rbac.go

@@ -8,6 +8,7 @@ import (
 
 	"github.com/el-mike/restrict/v2"
 	"github.com/el-mike/restrict/v2/adapters"
+	"github.com/rs/zerolog/log"
 )
 
 var (
@@ -121,6 +122,18 @@ func (r *rbac) Check(ctx context.Context, res restrict.Resource, opts ...CheckOp
 	}
 
 	authRes := r.access.Authorize(req)
+	if IsErrAccessDenied(authRes) != nil {
+		subS := ""
+		resS := ""
+		if sub != nil {
+			subS = sub.String()
+		}
+
+		if res != nil {
+			resS = res.GetResourceName()
+		}
+		log.Error().Str("resource", resS).Strs("actions", req.Actions).Str("subject", subS).Msg("access denied")
+	}
 
 	return sub, authRes
 }

pkg/shares/share.go

@@ -57,6 +57,10 @@ func (s *Share) GetName() string {
 	return "SHARE:" + s.ID
 }
 
+func (s *Share) String() string {
+	return s.GetName()
+}
+
 func (s *Share) GetRoles() []string {
 	return []string{entities.RoleShareGuest}
 }

pkg/users/user.go

@@ -71,6 +71,10 @@ func (u *User) GetName() string {
 	return u.Username
 }
 
+func (u *User) String() string {
+	return "USER:"+u.GetName()
+}
+
 func (u *User) GetRoles() []string {
 	r := make([]string, 1, 2)