Merge 983e5fad95 into e0e827dab0

2026-04-21 17:07:16 +00:00 · 2026-04-21 01:28:11 +00:00 · 2026-04-21 01:28:11 +00:00 · 498436c366
commit 498436c366
parent e0e827dab0 983e5fad95
2 changed files with 40 additions and 0 deletions
--- a/server/server.go
+++ b/server/server.go
@ -57,6 +57,7 @@ import (
 	"google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/keepalive"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/peer"
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/grpc/status"
 	"gopkg.in/yaml.v2"
@ -1506,6 +1507,14 @@ func replaceBaseHRef(data string, replaceWith string) string {
 	return baseHRefRegex.ReplaceAllString(data, replaceWith)
 }

+// clientAddress returns the client IP address from the gRPC peer info, or "unknown" if unavailable.
+func clientAddress(ctx context.Context) string {
+	if p, ok := peer.FromContext(ctx); ok && p.Addr != nil {
+		return p.Addr.String()
+	}
+	return "unknown"
+}
+
 // Authenticate checks for the presence of a valid token when accessing server-side resources.
 func (server *ArgoCDServer) Authenticate(ctx context.Context) (context.Context, error) {
 	var span trace.Span
@ -1534,6 +1543,10 @@ func (server *ArgoCDServer) Authenticate(ctx context.Context) (context.Context,
 	}

 	if claimsErr != nil {
+		log.WithFields(log.Fields{
+			"client": clientAddress(ctx),
+		}).Warnf("authentication failed: %v", claimsErr)
+
 		argoCDSettings, err := server.settingsMgr.GetSettings()
 		if err != nil {
 			return ctx, status.Errorf(codes.Internal, "unable to load settings: %v", err)
--- a/server/server_test.go
+++ b/server/server_test.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@ -21,6 +22,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/peer"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/fake"
@ -1839,3 +1841,28 @@ func Test_StaticAssetsDir_no_symlink_traversal(t *testing.T) {
 	resp = w.Result()
 	assert.Equal(t, http.StatusOK, resp.StatusCode, "should have been able to access the normal file")
 }
+
+func TestClientAddress(t *testing.T) {
+	t.Run("returns peer address when available", func(t *testing.T) {
+		ctx := peer.NewContext(context.Background(), &peer.Peer{
+			Addr: &net.TCPAddr{IP: net.ParseIP("192.168.1.1"), Port: 12345},
+		})
+		assert.Equal(t, "192.168.1.1:12345", clientAddress(ctx))
+	})
+
+	t.Run("returns unknown when no peer", func(t *testing.T) {
+		assert.Equal(t, "unknown", clientAddress(context.Background()))
+	})
+
+	t.Run("returns unknown when peer has nil Addr", func(t *testing.T) {
+		ctx := peer.NewContext(context.Background(), &peer.Peer{Addr: nil})
+		assert.Equal(t, "unknown", clientAddress(ctx))
+	})
+
+	t.Run("returns IPv6 address", func(t *testing.T) {
+		ctx := peer.NewContext(context.Background(), &peer.Peer{
+			Addr: &net.TCPAddr{IP: net.ParseIP("::1"), Port: 443},
+		})
+		assert.Equal(t, "[::1]:443", clientAddress(ctx))
+	})
+}