From dd2ee06f032cef21e4262db8f4df4dbba386cb97 Mon Sep 17 00:00:00 2001
From: Daniel Ponte
Date: Thu, 13 Feb 2025 20:37:38 -0500
Subject: [PATCH] log failed access

---
 pkg/rbac/entities/entities.go | 10 ++++++++++
 pkg/rbac/rbac.go | 13 +++++++++++++
 pkg/shares/share.go | 4 ++++
 pkg/users/user.go | 4 ++++
 4 files changed, 31 insertions(+)

diff --git a/pkg/rbac/entities/entities.go b/pkg/rbac/entities/entities.go
index 2885930..42e1548 100644
--- a/pkg/rbac/entities/entities.go
+++ b/pkg/rbac/entities/entities.go
@@ -2,6 +2,7 @@ package entities
 import (
 "context"
+ "fmt"
 "net/http"
 "github.com/el-mike/restrict/v2"
@@ -39,6 +40,7 @@ func SubjectFrom(ctx context.Context) Subject {
 }
 type Subject interface {
+ fmt.Stringer
 restrict.Subject
 GetName() string
 }
@@ -63,6 +65,10 @@ func (s *PublicSubject) GetName() string {
 return "PUBLIC:" + s.RemoteAddr
 }
+func (s *PublicSubject) String() string {
+ return s.GetName()
+}
+
 func (s *PublicSubject) GetRoles() []string {
 return []string{RolePublic}
 }
@@ -79,6 +85,10 @@ func (s *SystemServiceSubject) GetName() string {
 return "SYSTEM:" + s.Name
 }
+func (s *SystemServiceSubject) String() string {
+ return s.GetName()
+}
+
 func (s *SystemServiceSubject) GetRoles() []string {
 return []string{RoleSystem}
 }
diff --git a/pkg/rbac/rbac.go b/pkg/rbac/rbac.go
index 3d4cce6..b153885 100644
--- a/pkg/rbac/rbac.go
+++ b/pkg/rbac/rbac.go
@@ -8,6 +8,7 @@ import (
 "github.com/el-mike/restrict/v2"
 "github.com/el-mike/restrict/v2/adapters"
+ "github.com/rs/zerolog/log"
 )
 var (
@@ -121,6 +122,18 @@ func (r *rbac) Check(ctx context.Context, res restrict.Resource, opts ...CheckOp
 }
 authRes := r.access.Authorize(req)
+ if IsErrAccessDenied(authRes) != nil {
+ subS := ""
+ resS := ""
+ if sub != nil {
+ subS = sub.String()
+ }
+
+ if res != nil {
+ resS = res.GetResourceName()
+ }
+ log.Error().Str("resource", resS).Strs("actions", req.Actions).Str("subject", subS).Msg("access denied")
+ }
 return sub, authRes
 }
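Review bot: The new exported `String` methods in pkg/rbac/entities/entities.go (hunks at -63 and -79) have no doc comment, so nothing says what the string form is for. A line such as `// String implements fmt.Stringer; it returns GetName() and is the value written to the "subject" log field.` above each would cover it. The same applies to `Share.String` in pkg/shares/share.go and `User.String` in pkg/users/user.go. `User.String` prepends `"USER:"` itself, so for users `String()` and `GetName()` differ while the other three types return the same value from both; that difference is worth stating in its comment. `"USER:"+u.GetName()` is also not gofmt-spaced and should read `"USER:" + u.GetName()`.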
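Review bot: The denial record added to `Check` in pkg/rbac/rbac.go never attaches `authRes` to the event, so the log shows who was refused which actions but not whatever reason the error carries. A refusal is also an expected outcome that any caller can trigger repeatedly, including an unauthenticated one (the entities package defines a public subject), so `Warn` is probably a better level than `Error` if alerts key on error volume. Both changes fit in the one statement: `log.Warn().Err(authRes).Str("resource", resS).Strs("actions", req.Actions).Str("subject", subS).Msg("access denied")`. The subject string can contain a username or a remote address, so log consumers should treat that field as client-influenced data. `Check` begins above this hunk, so how `sub` and `req` are built is not visible here.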
diff --git a/pkg/shares/share.go b/pkg/shares/share.go
index 20a8a6e..3b75c50 100644
--- a/pkg/shares/share.go
+++ b/pkg/shares/share.go
@@ -57,6 +57,10 @@ func (s *Share) GetName() string {
 return "SHARE:" + s.ID
 }
+func (s *Share) String() string {
+ return s.GetName()
+}
+
 func (s *Share) GetRoles() []string {
 return []string{entities.RoleShareGuest}
 }
diff --git a/pkg/users/user.go b/pkg/users/user.go
index 9860be1..b5d5d27 100644
--- a/pkg/users/user.go
+++ b/pkg/users/user.go
@@ -71,6 +71,10 @@ func (u *User) GetName() string {
 return u.Username
 }
+func (u *User) String() string {
+ return "USER:"+u.GetName()
+}
+
 func (u *User) GetRoles() []string {
 r := make([]string, 1, 2)
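Review bot: `Share.String` in pkg/shares/share.go returns `"SHARE:" + s.ID`, and the logging added in pkg/rbac/rbac.go now writes that value to the `subject` field whenever a share subject is denied. If `s.ID` is the same identifier that appears in a share link (not visible in this hunk), then the logs hold values that work as access credentials for anyone who can read them. That is worth confirming; if it is the case, log a shortened or hashed form, or at least record the constraint in a comment such as `// String is written to access logs; s.ID must not be usable as a credential.`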