diff --git a/lib/auth/auth.go b/lib/auth/auth.go
index 8205a7d829142..39f77738aa4e2 100644
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@@ -1106,6 +1106,13 @@ func (a *Server) SetEmitter(emitter apievents.Emitter) {
 a.emitter = emitter
 }
 
+// EmitAuditEvent implements [apievents.Emitter] by delegating to its dedicated
+// emitter rather than falling back to the implementation from [Services] (using
+// the audit log directly, which is almost never what you want).
+func (a *Server) EmitAuditEvent(ctx context.Context, e apievents.AuditEvent) error {
+ return trace.Wrap(a.emitter.EmitAuditEvent(ctx, e))
+}
+
 // SetUsageReporter sets the server's usage reporter. Note that this is only
 // safe to use before server start.
 func (a *Server) SetUsageReporter(reporter usagereporter.UsageReporter) {
diff --git a/lib/auth/helpers.go b/lib/auth/helpers.go
index 2da5bd20f3a23..f4ade55ccf6d6 100644
--- a/lib/auth/helpers.go
+++ b/lib/auth/helpers.go
@@ -141,7 +141,7 @@ func NewTestServer(cfg TestServerConfig) (*TestServer, error) {
 tlsCfg.APIConfig.AuditLog = authServer.AuditLog
 }
 if tlsCfg.APIConfig.Emitter == nil {
- tlsCfg.APIConfig.Emitter = authServer.AuthServer.emitter
+ tlsCfg.APIConfig.Emitter = authServer.AuthServer
 }
 if tlsCfg.AcceptedUsage == nil {
 tlsCfg.AcceptedUsage = authServer.AcceptedUsage
@@ -582,7 +582,7 @@ func (a *TestAuthServer) NewTestTLSServer() (*TestTLSServer, error) {
 AuthServer: a.AuthServer,
 Authorizer: a.Authorizer,
 AuditLog: a.AuditLog,
- Emitter: a.AuthServer.emitter,
+ Emitter: a.AuthServer,
 }
 srv, err := NewTestTLSServer(TestTLSServerConfig{
 APIConfig: apiConfig,
diff --git a/lib/service/service.go b/lib/service/service.go
index 2e1420fd83937..2de0ca0564586 100644
--- a/lib/service/service.go
+++ b/lib/service/service.go
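Review bot: In lib/auth/auth.go the new `EmitAuditEvent` dereferences `a.emitter` without a nil check, so a `Server` whose emitter was never set would panic in the audit path instead of returning an error; whether the constructor always sets the field is not visible in this hunk. Because the later hunks hand the `Server` itself to the API layer as its emitter, I would fail closed before delegating, for example `if a.emitter == nil { return trace.BadParameter("auth server has no audit emitter configured") }`. As far as the hunk shows, `SetEmitter` assigns the field without synchronization (its body starts outside the hunk), so the doc comment should also state, as the one on `SetUsageReporter` does, that replacing the emitter is only safe before server start.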
@@ -1666,7 +1666,7 @@ func (process *TeleportProcess) initAuthService() error {
 Authorizer: authorizer,
 AuditLog: process.auditLog,
 PluginRegistry: process.PluginRegistry,
- Emitter: checkingEmitter,
+ Emitter: authServer,
 MetadataGetter: uploadHandler,
 }
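Review bot: Replacing `checkingEmitter` with `authServer` in this `APIConfig` literal means audit events raised by API handlers now go through whatever `authServer`'s own emitter field holds, and the hunk does not show that this is still the checking emitter. If the auth server was built with a different or unwrapped emitter, the checks that `checkingEmitter` applied to API-originated events (field validation, judging by its name) would be dropped without any error. Please confirm that the emitter passed to the auth server earlier in `initAuthService` is `checkingEmitter` or wraps it, and record that on the field with a comment such as `// authServer delegates to its own emitter, which must wrap checkingEmitter`. The enclosing function starts and ends outside the hunk.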