add config for audit logging, remove Audit() from Logger interface

Co-authored-by: Joshua Casey <joshuatcasey@gmail.com>

internal/config/supervisor/config.go

@@ -100,6 +100,10 @@ func FromPath(ctx context.Context, path string, setAllowedCiphers ptls.SetAllowe
 		return nil, fmt.Errorf("validate tls: %w", err)
 	}
 
+	if err := validateAudit(&config.Audit); err != nil {
+		return nil, fmt.Errorf("validate audit: %w", err)
+	}
+
 	return &config, nil
 }
 
@@ -214,3 +218,23 @@ func validateServerPort(port *int64) error {
 	}
 	return nil
 }
+
+func validateAudit(auditConfig *AuditSpec) error {
+	const errFmt = "invalid %s format, valid choices are 'enabled', 'disabled', or empty string (equivalent to 'disabled')"
+
+	switch auditConfig.LogUsernamesAndGroups {
+	case Enabled, Disabled, "":
+		// no-op
+	default:
+		return fmt.Errorf(errFmt, "logUsernamesAndGroups")
+	}
+
+	switch auditConfig.LogInternalPaths {
+	case Enabled, Disabled, "":
+		// no-op
+	default:
+		return fmt.Errorf(errFmt, "logInternalPaths")
+	}
+
+	return nil
+}

internal/config/supervisor/config_test.go

@@ -52,6 +52,9 @@ func TestFromPath(t *testing.T) {
 				    - foo
 				    - bar
 				    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
+				audit:
+				  logUsernamesAndGroups: enabled
+				  logInternalPaths: enabled
 			`),
 			wantConfig: &Config{
 				APIGroupSuffix: ptr.To("some.suffix.com"),
@@ -86,6 +89,10 @@ func TestFromPath(t *testing.T) {
 						},
 					},
 				},
+				Audit: AuditSpec{
+					LogUsernamesAndGroups: "enabled",
+					LogInternalPaths:      "enabled",
+				},
 			},
 		},
 		{
@@ -123,6 +130,42 @@ func TestFromPath(t *testing.T) {
 					},
 				},
 				AggregatedAPIServerPort: ptr.To[int64](10250),
+				Audit: AuditSpec{
+					LogInternalPaths:      "",
+					LogUsernamesAndGroups: "",
+				},
+			},
+		},
+		{
+			name: "audit settings can be disabled explicitly",
+			yaml: here.Doc(`
+				---
+				names:
+				  defaultTLSCertificateSecret: my-secret-name
+				audit:
+				  logInternalPaths: disabled
+				  logUsernamesAndGroups: disabled
+			`),
+			wantConfig: &Config{
+				APIGroupSuffix: ptr.To("pinniped.dev"),
+				Labels:         map[string]string{},
+				NamesConfig: NamesConfigSpec{
+					DefaultTLSCertificateSecret: "my-secret-name",
+				},
+				Endpoints: &Endpoints{
+					HTTPS: &Endpoint{
+						Network: "tcp",
+						Address: ":8443",
+					},
+					HTTP: &Endpoint{
+						Network: "disabled",
+					},
+				},
+				AggregatedAPIServerPort: ptr.To[int64](10250),
+				Audit: AuditSpec{
+					LogInternalPaths:      "disabled",
+					LogUsernamesAndGroups: "disabled",
+				},
 			},
 		},
 		{
@@ -267,6 +310,28 @@ func TestFromPath(t *testing.T) {
 			`),
 			wantError: "validate aggregatedAPIServerPort: must be within range 1024 to 65535",
 		},
+		{
+			name: "invalid audit.logUsernamesAndGroups format",
+			yaml: here.Doc(`
+				---
+				names:
+				  defaultTLSCertificateSecret: my-secret-name
+				audit:
+				  logUsernamesAndGroups: this-is-not-a-valid-value
+			`),
+			wantError: "validate audit: invalid logUsernamesAndGroups format, valid choices are 'enabled', 'disabled', or empty string (equivalent to 'disabled')",
+		},
+		{
+			name: "invalid audit.logInternalPaths format",
+			yaml: here.Doc(`
+				---
+				names:
+				  defaultTLSCertificateSecret: my-secret-name
+				audit:
+				  logInternalPaths: this-is-not-a-valid-value
+			`),
+			wantError: "validate audit: invalid logInternalPaths format, valid choices are 'enabled', 'disabled', or empty string (equivalent to 'disabled')",
+		},
 		{
 			name: "returns setAllowedCiphers errors",
 			yaml: here.Doc(`

internal/config/supervisor/types.go

@@ -7,6 +7,11 @@ import (
 	"go.pinniped.dev/internal/plog"
 )
 
+const (
+	Enabled  = "enabled"
+	Disabled = "disabled"
+)
+
 // Config contains knobs to set up an instance of the Pinniped Supervisor.
 type Config struct {
 	APIGroupSuffix          *string           `json:"apiGroupSuffix,omitempty"`
@@ -20,11 +25,18 @@ type Config struct {
 }
 
 type AuditInternalPaths string
+type AuditUsernamesAndGroups string
 
-const AuditInternalPathsEnabled = "Enabled"
+func (l AuditInternalPaths) Enabled() bool {
+	return l == Enabled
+}
+func (l AuditUsernamesAndGroups) Enabled() bool {
+	return l == Enabled
+}
 
 type AuditSpec struct {
-	InternalPaths AuditInternalPaths `json:"internalPaths"`
+	LogInternalPaths      AuditInternalPaths      `json:"logInternalPaths"`
+	LogUsernamesAndGroups AuditUsernamesAndGroups `json:"logUsernamesAndGroups"`
 }
 
 type TLSSpec struct {