Add 'AuthorizeID From Parameters' audit logs to the /callback and /login endpoints

Co-authored-by: Ryan Richard <richardry@vmware.com>

internal/testutil/log_lines.go

@@ -27,9 +27,16 @@ type WantedAuditLog struct {
 	Params  map[string]any
 }
 
-//"message":"HTTP Request Custom Headers Used",
-//"auditID":"some-audit-id",
-//"Pinniped-Username":false,"Pinniped-Password":false}`,
+func WantAuditLog(message string, params map[string]any, auditID string) WantedAuditLog {
+	result := WantedAuditLog{
+		Message: message,
+		Params:  params,
+	}
+	if auditID != "" {
+		result.Params["auditID"] = auditID
+	}
+	return result
+}
 
 func CompareAuditLogs(t *testing.T, wantAuditLogs []WantedAuditLog, actualAuditLogsOneLiner string) {
 	t.Helper()
@@ -42,6 +49,7 @@ func CompareAuditLogs(t *testing.T, wantAuditLogs []WantedAuditLog, actualAuditL
 		wantJsonAuditLog["message"] = wantAuditLog.Message
 		wantMessages = append(wantMessages, wantAuditLog.Message)
 		wantJsonAuditLog["auditEvent"] = true
+		wantJsonAuditLog["timestamp"] = "2099-08-08T13:57:36.123456Z"
 		for k, v := range wantAuditLog.Params {
 			wantJsonAuditLog[k] = v
 		}
@@ -58,7 +66,10 @@ func CompareAuditLogs(t *testing.T, wantAuditLogs []WantedAuditLog, actualAuditL
 		err := json.Unmarshal([]byte(actualAuditLog), &actualJsonAuditLog)
 		require.NoError(t, err)
 
-		// we don't care to test the caller
+		// we don't care to test exact equality on the caller - just make sure it is a non-empty string
+		caller, ok := actualJsonAuditLog["caller"]
+		require.True(t, ok)
+		require.NotEmpty(t, caller, "caller for message %q must not be empty", actualJsonAuditLog["message"])
 		delete(actualJsonAuditLog, "caller")
 		actualJsonAuditLogs = append(actualJsonAuditLogs, actualJsonAuditLog)
 
@@ -67,6 +78,9 @@ func CompareAuditLogs(t *testing.T, wantAuditLogs []WantedAuditLog, actualAuditL
 		actualMessages = append(actualMessages, actualMessage)
 	}
 
+	// TODO: remove this
+	t.Logf("LAST AUDIT EVENT: %s", actualAuditLogs[len(actualAuditLogs)-1])
+
 	// We should check array indices first so that we don't exceed any boundaries.
 	// But we also want to be sure to indicate to the caller what went wrong, so compare the messages.
 	require.Equal(t, wantMessages, actualMessages)
@@ -75,6 +89,6 @@ func CompareAuditLogs(t *testing.T, wantAuditLogs []WantedAuditLog, actualAuditL
 	for i := range len(wantJsonAuditLogs) {
 		// compare each item individually so we know which message it is
 		require.Equal(t, wantJsonAuditLogs[i], actualJsonAuditLogs[i],
-			"audit log for message %q does not match", wantJsonAuditLogs[i]["message"])
+			"audit event for message %q does not match", wantJsonAuditLogs[i]["message"])
 	}
 }

internal/testutil/oidctestutil/expected_upstream_state_param.go

@@ -10,6 +10,7 @@ import (
 	"github.com/stretchr/testify/require"
 
 	idpdiscoveryv1alpha1 "go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
+	"go.pinniped.dev/internal/federationdomain/stateparam"
 )
 
 // ExpectedUpstreamStateParamFormat is a separate type from the production code to ensure that the state
@@ -28,10 +29,10 @@ type ExpectedUpstreamStateParamFormat struct {
 
 type UpstreamStateParamBuilder ExpectedUpstreamStateParamFormat
 
-func (b *UpstreamStateParamBuilder) Build(t *testing.T, stateEncoder *securecookie.SecureCookie) string {
+func (b *UpstreamStateParamBuilder) Build(t *testing.T, stateEncoder *securecookie.SecureCookie) stateparam.Encoded {
 	state, err := stateEncoder.Encode("s", b)
 	require.NoError(t, err)
-	return state
+	return stateparam.Encoded(state)
 }
 
 func (b *UpstreamStateParamBuilder) WithAuthorizeRequestParams(params string) *UpstreamStateParamBuilder {