From ea524012ba56da94c31f5ff3d70927c9837b100c Mon Sep 17 00:00:00 2001
From: user <u@example.com>
Date: Fri, 24 Apr 2026 19:20:47 -0400
Subject: [PATCH] debug(api-server): add V(4) logging to pre-auth stream
 interceptor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Temporary diagnostic logging to trace why CallerTypeService is not being
set despite GRPC_SERVICE_ACCOUNT being configured. Will be removed once
the root cause is identified.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .../pkg/middleware/bearer_token_grpc.go            | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/components/ambient-api-server/pkg/middleware/bearer_token_grpc.go b/components/ambient-api-server/pkg/middleware/bearer_token_grpc.go
index 7902784ca..90e6320be 100644
--- a/components/ambient-api-server/pkg/middleware/bearer_token_grpc.go
+++ b/components/ambient-api-server/pkg/middleware/bearer_token_grpc.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang/glog"
 	"github.com/openshift-online/rh-trex-ai/pkg/auth"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/metadata"
@@ -52,19 +53,32 @@ func bearerTokenGRPCStreamInterceptor(expectedToken, serviceAccountUsername stri
 			if authHeader := md.Get("authorization"); len(authHeader) > 0 {
 				if token, err := extractBearerToken(authHeader[0]); err == nil {
 					if subtle.ConstantTimeCompare([]byte(token), []byte(expectedToken)) == 1 {
+						glog.V(4).Infof("[pre-auth] stream %s: static token match, setting CallerTypeService", info.FullMethod)
 						return handler(srv, &serviceCallerStream{ServerStream: ss, ctx: withCallerType(ss.Context(), CallerTypeService)})
 					}
 					if username := usernameFromJWT(token); username != "" {
 						ctx := auth.SetUsernameContext(ss.Context(), username)
 						if serviceAccountUsername != "" && username == serviceAccountUsername {
+							glog.V(4).Infof("[pre-auth] stream %s: OIDC username %q matches service account, setting CallerTypeService", info.FullMethod, username)
 							ctx = withCallerType(ctx, CallerTypeService)
+						} else {
+							glog.V(4).Infof("[pre-auth] stream %s: OIDC username %q (service account %q, match=%v)", info.FullMethod, username, serviceAccountUsername, username == serviceAccountUsername)
 						}
 						return handler(srv, &serviceCallerStream{ServerStream: ss, ctx: ctx})
+					} else {
+						glog.V(4).Infof("[pre-auth] stream %s: usernameFromJWT returned empty, token length=%d", info.FullMethod, len(token))
 					}
+				} else {
+					glog.V(4).Infof("[pre-auth] stream %s: extractBearerToken error: %v", info.FullMethod, err)
 				}
+			} else {
+				glog.V(4).Infof("[pre-auth] stream %s: no authorization header in metadata", info.FullMethod)
 			}
+		} else {
+			glog.V(4).Infof("[pre-auth] stream %s: no incoming metadata", info.FullMethod)
 		}
 
+		glog.V(4).Infof("[pre-auth] stream %s: falling through without CallerType", info.FullMethod)
 		return handler(srv, ss)
 	}
 }