fix(cost-management): add structured audit logging with user identity (#2619)

* fix(cost-management): add structured audit logging with user identity

- New auditLog utility resolves user identity via UserInfoService and emits
  structured JSON audit entries with actor, action, resource, decision, and filters
- All endpoints now produce audit logs: secureProxy, /access, /access/cost-management,
  and /apply-recommendation
- Inject coreServices.userInfo into the backend plugin

Fixes: FLPATH-3490
Made-with: Cursor

* fix(cost-management): log warning when actor identity resolution fails

Add logger.warn in resolveActor catch block so operators can detect and
diagnose identity resolution failures instead of silently falling back
to 'unknown' actor.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: hardengl

workspaces/cost-management/plugins/cost-management-backend/src/models/RouterOptions.ts

@@ -26,6 +26,7 @@ import type {
   CacheService,
   DiscoveryService,
   AuthService,
+  UserInfoService,
 } from '@backstage/backend-plugin-api';
 
 /** @public */
@@ -37,6 +38,7 @@ export interface RouterOptions {
   cache: CacheService;
   discovery: DiscoveryService;
   auth: AuthService;
+  userInfo: UserInfoService;
   optimizationApi: OptimizationsApi;
   costManagementApi: CostManagementSlimApi;
 }

workspaces/cost-management/plugins/cost-management-backend/src/plugin.ts

@@ -40,6 +40,7 @@ export const costManagementPlugin = createBackendPlugin({
         cache: coreServices.cache,
         discovery: coreServices.discovery,
         auth: coreServices.auth,
+        userInfo: coreServices.userInfo,
         optimizationApi: optimizationServiceRef,
         costManagementApi: costManagementServiceRef,
       },
@@ -52,6 +53,7 @@ export const costManagementPlugin = createBackendPlugin({
         cache,
         discovery,
         auth,
+        userInfo,
         optimizationApi,
         costManagementApi,
       }) {
@@ -63,6 +65,7 @@ export const costManagementPlugin = createBackendPlugin({
           cache,
           discovery,
           auth,
+          userInfo,
           optimizationApi,
           costManagementApi,
         });

workspaces/cost-management/plugins/cost-management-backend/src/routes/access.ts

@@ -23,6 +23,7 @@ import {
 import { rosPluginPermissions } from '@red-hat-developer-hub/plugin-cost-management-common/permissions';
 import { getTokenFromApi } from '../util/tokenUtil';
 import { AuthorizeResult } from '@backstage/plugin-permission-common';
+import { resolveActor, emitAuditLog } from '../util/auditLog';
 
 export const getAccess: (options: RouterOptions) => RequestHandler =
   options => async (_, response) => {
@@ -43,6 +44,14 @@ export const getAccess: (options: RouterOptions) => RequestHandler =
     if (rosPluginDecision.result === AuthorizeResult.ALLOW) {
       finalDecision = AuthorizeResult.ALLOW;
 
+      const actor = await resolveActor(_, options);
+      emitAuditLog(options, {
+        actor,
+        action: 'access_check',
+        resource: '/access',
+        decision: 'ALLOW',
+      });
+
       const body = {
         decision: finalDecision,
         authorizeClusterIds: [],
@@ -186,6 +195,18 @@ export const getAccess: (options: RouterOptions) => RequestHandler =
       finalDecision = AuthorizeResult.DENY;
     }
 
+    const actor = await resolveActor(_, options);
+    emitAuditLog(options, {
+      actor,
+      action: 'access_check',
+      resource: '/access',
+      decision: finalDecision === AuthorizeResult.ALLOW ? 'ALLOW' : 'DENY',
+      filters: {
+        clusters: finalAuthorizedClusterIds,
+        projects: authorizeProjects,
+      },
+    });
+
     const body = {
       decision: finalDecision,
       authorizeClusterIds: finalAuthorizedClusterIds,

workspaces/cost-management/plugins/cost-management-backend/src/routes/applyRecommendation.test.ts

@@ -53,6 +53,7 @@ describe('applyRecommendation', () => {
       cache: mockServices.cache.mock(),
       discovery: mockDiscovery,
       auth: mockServices.auth(),
+      userInfo: mockServices.userInfo(),
       optimizationApi: {
         getRecommendationList: jest.fn(),
         getRecommendationById: jest.fn(),

workspaces/cost-management/plugins/cost-management-backend/src/routes/applyRecommendation.ts

@@ -19,6 +19,7 @@ import type { RouterOptions } from '../models/RouterOptions';
 import { authorize } from '../util/checkPermissions';
 import { rosApplyPermissions } from '@red-hat-developer-hub/plugin-cost-management-common/permissions';
 import { AuthorizeResult } from '@backstage/plugin-permission-common';
+import { resolveActor, emitAuditLog } from '../util/auditLog';
 
 const ALLOWED_RESOURCE_TYPES = new Set([
   'deployment',
@@ -104,21 +105,27 @@ export const applyRecommendation: (options: RouterOptions) => RequestHandler =
     }
     const { workflowId, inputData } = validation.data;
 
+    const actor = await resolveActor(req, options);
+
     const decision = await authorize(
       req,
       rosApplyPermissions,
       permissions,
       httpAuth,
     );
     if (decision.result !== AuthorizeResult.ALLOW) {
-      logger.info('audit:apply-recommendation:denied', {
+      emitAuditLog(options, {
+        actor,
         action: 'apply_recommendation',
+        resource: `/apply-recommendation/${workflowId}`,
         decision: 'DENY',
-        workflowId,
-        cluster: inputData.clusterName,
-        namespace: inputData.resourceNamespace,
-        workload: inputData.resourceName,
-        resourceType: inputData.resourceType,
+        meta: {
+          workflowId,
+          cluster: inputData.clusterName,
+          namespace: inputData.resourceNamespace,
+          workload: inputData.resourceName,
+          resourceType: inputData.resourceType,
+        },
       });
       return res
         .status(403)
@@ -165,28 +172,38 @@ export const applyRecommendation: (options: RouterOptions) => RequestHandler =
       }
 
       if (!upstreamResponse.ok) {
-        logger.warn('audit:apply-recommendation:upstream-error', {
+        emitAuditLog(options, {
+          actor,
           action: 'apply_recommendation',
+          resource: `/apply-recommendation/${workflowId}`,
           decision: 'ALLOW',
-          workflowId,
-          cluster: inputData.clusterName,
-          namespace: inputData.resourceNamespace,
-          workload: inputData.resourceName,
-          resourceType: inputData.resourceType,
-          upstreamStatus: upstreamResponse.status,
+          meta: {
+            workflowId,
+            cluster: inputData.clusterName,
+            namespace: inputData.resourceNamespace,
+            workload: inputData.resourceName,
+            resourceType: inputData.resourceType,
+            upstreamStatus: upstreamResponse.status,
+            outcome: 'upstream_error',
+          },
         });
         return res.status(upstreamResponse.status).json(payload);
       }
 
-      logger.info('audit:apply-recommendation:success', {
+      emitAuditLog(options, {
+        actor,
         action: 'apply_recommendation',
+        resource: `/apply-recommendation/${workflowId}`,
         decision: 'ALLOW',
-        workflowId,
-        instanceId: (payload as { id?: string }).id,
-        cluster: inputData.clusterName,
-        namespace: inputData.resourceNamespace,
-        workload: inputData.resourceName,
-        resourceType: inputData.resourceType,
+        meta: {
+          workflowId,
+          instanceId: (payload as { id?: string }).id,
+          cluster: inputData.clusterName,
+          namespace: inputData.resourceNamespace,
+          workload: inputData.resourceName,
+          resourceType: inputData.resourceType,
+          outcome: 'success',
+        },
       });
 
       return res.status(200).json(payload);

workspaces/cost-management/plugins/cost-management-backend/src/routes/costManagementAccess.ts

@@ -23,6 +23,7 @@ import {
 import { costPluginPermissions } from '@red-hat-developer-hub/plugin-cost-management-common/permissions';
 import { AuthorizeResult } from '@backstage/plugin-permission-common';
 import { getTokenFromApi } from '../util/tokenUtil';
+import { resolveActor, emitAuditLog } from '../util/auditLog';
 
 // Cache keys for cost management clusters and projects
 const COST_CLUSTERS_CACHE_KEY = 'cost_clusters';
@@ -49,6 +50,14 @@ export const getCostManagementAccess: (
   if (costPluginDecision.result === AuthorizeResult.ALLOW) {
     finalDecision = AuthorizeResult.ALLOW;
 
+    const actor = await resolveActor(_, options);
+    emitAuditLog(options, {
+      actor,
+      action: 'access_check',
+      resource: '/access/cost-management',
+      decision: 'ALLOW',
+    });
+
     const body = {
       decision: finalDecision,
       authorizedClusterNames: [],
@@ -164,6 +173,18 @@ export const getCostManagementAccess: (
     finalDecision = AuthorizeResult.ALLOW;
   }
 
+  const actor = await resolveActor(_, options);
+  emitAuditLog(options, {
+    actor,
+    action: 'access_check',
+    resource: '/access/cost-management',
+    decision: finalDecision === AuthorizeResult.ALLOW ? 'ALLOW' : 'DENY',
+    filters: {
+      clusters: finalAuthorizedClusterNames,
+      projects: authorizeProjects,
+    },
+  });
+
   const body = {
     decision: finalDecision,
     authorizedClusterNames: finalAuthorizedClusterNames,

workspaces/cost-management/plugins/cost-management-backend/src/routes/secureProxy.ts

@@ -27,6 +27,7 @@ import {
 import { AuthorizeResult } from '@backstage/plugin-permission-common';
 import { getTokenFromApi } from '../util/tokenUtil';
 import { DEFAULT_COST_MANAGEMENT_PROXY_BASE_URL } from '../util/constant';
+import { resolveActor, emitAuditLog } from '../util/auditLog';
 
 const CACHE_TTL = 15 * 60 * 1000;
 
@@ -290,7 +291,7 @@ function injectRbacFilters(targetUrl: URL, access: AccessResult): void {
  */
 export const secureProxy: (options: RouterOptions) => RequestHandler =
   options => async (req, res) => {
-    const { logger, config } = options;
+    const { config } = options;
     const proxyPath = req.params[0];
 
     if (!proxyPath) {
@@ -305,8 +306,19 @@ export const secureProxy: (options: RouterOptions) => RequestHandler =
 
     try {
       const access = await resolveAccess(req, proxyPath, options);
+      const actor = await resolveActor(req, options);
 
       if (access.decision !== 'ALLOW') {
+        emitAuditLog(options, {
+          actor,
+          action: 'data_access',
+          resource: proxyPath,
+          decision: 'DENY',
+          filters: {
+            clusters: access.clusterFilters,
+            projects: access.projectFilters,
+          },
+        });
         return res.status(403).json({ error: 'Access denied by RBAC policy' });
       }
 
@@ -348,9 +360,16 @@ export const secureProxy: (options: RouterOptions) => RequestHandler =
 
       injectRbacFilters(targetUrl, access);
 
-      logger.info(
-        `Proxying ${req.method} to ${targetUrl.pathname}${targetUrl.search}`,
-      );
+      emitAuditLog(options, {
+        actor,
+        action: 'data_access',
+        resource: proxyPath,
+        decision: 'ALLOW',
+        filters: {
+          clusters: access.clusterFilters,
+          projects: access.projectFilters,
+        },
+      });
 
       const upstreamResponse = await fetch(targetUrl.toString(), {
         headers: {
@@ -371,7 +390,7 @@ export const secureProxy: (options: RouterOptions) => RequestHandler =
       res.set('Content-Type', contentType);
       return res.send(await upstreamResponse.text());
     } catch (error) {
-      logger.error('Secure proxy error', error);
+      options.logger.error('Secure proxy error', error);
       return res.status(500).json({ error: 'Internal proxy error' });
     }
   };

workspaces/cost-management/plugins/cost-management-backend/src/service/router.test.ts

@@ -31,6 +31,7 @@ describe('createRouter', () => {
       cache: mockServices.cache.mock(),
       discovery: mockServices.discovery(),
       auth: mockServices.auth(),
+      userInfo: mockServices.userInfo(),
       optimizationApi: {
         getRecommendationList: jest.fn(),
         getRecommendationById: jest.fn(),