CLDSRV-893: return ARN for assumed-role requesters in access logs

The getRequester() function fell through to the canonical ID for
assumed-role sessions, producing a space-containing string that
broke space-delimited log parsers.

Author: dvasilas

lib/utilities/serverAccessLogger.js

@@ -323,11 +323,15 @@ function getOperation(req) {
     return `REST.${req.method}.${resourceType}`;
 }
 
+const assumedRoleArnRegex = /^arn:aws:sts::[0-9]{12}:assumed-role\/.*$/;
+
 function getRequester(authInfo) {
     const requester = null;
     if (authInfo) {
         if (authInfo.isRequesterPublicUser && authInfo.isRequesterPublicUser()) {
             return requester; // Unauthenticated requests
+        } else if (authInfo.getArn && assumedRoleArnRegex.test(authInfo.getArn())) {
+            return authInfo.getArn();
         } else if (authInfo.isRequesterAnIAMUser && authInfo.isRequesterAnIAMUser()) {
             // IAM user: include IAM user name and account
             const iamUserName = authInfo.getIAMdisplayName ? authInfo.getIAMdisplayName() : '';

tests/unit/utils/serverAccessLogger.js

@@ -311,6 +311,18 @@ describe('serverAccessLogger utility functions', () => {
             assert.strictEqual(result, 'canonicalID123');
         });
 
+        it('should return ARN for assumed-role session user', () => {
+            const arn = 'arn:aws:sts::123456789012:assumed-role/lifecycle-role/backbeat-lifecycle';
+            const authInfo = {
+                isRequesterPublicUser: () => false,
+                isRequesterAnIAMUser: () => false,
+                getArn: () => arn,
+                getCanonicalID: () => 'canonicalID789',
+            };
+            const result = getRequester(authInfo);
+            assert.strictEqual(result, arn);
+        });
+
         it('should return canonical ID for regular user', () => {
             const authInfo = {
                 isRequesterPublicUser: () => false,