From 12467e95a81caf29f9e4fbf8a1d155ebd3a540f6 Mon Sep 17 00:00:00 2001 From: Lukas Holecek Date: Tue, 7 Jan 2025 11:23:04 +0100 Subject: [PATCH] Print errors for all authentication methods --- tests/test_auth.py | 16 +++++++++++++++- waiverdb/auth.py | 24 ++++++++++++++++-------- 2 files changed, 31 insertions(+), 9 deletions(-) diff --git a/tests/test_auth.py b/tests/test_auth.py index a32634c..1534b57 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -50,6 +50,8 @@ def permissions(): @pytest.mark.usefixtures('enable_kerberos') class TestGSSAPIAuthentication(object): + invalid_token_error = "" + def test_unauthorized(self, client, monkeypatch): monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab') r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA), @@ -80,7 +82,14 @@ def test_invalid_token(self, client, monkeypatch): r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA), content_type='application/json', headers=headers) assert r.status_code == 401 - assert r.json == {"message": "Invalid authentication token"} + assert r.json == { + "message": ( + "Authentication failed:" + "\n- Authentication method Kerberos failed:" + " 401 Unauthorized: Invalid authentication token" + f"{self.invalid_token_error}" + ) + } class TestOIDCAuthentication(object): @@ -161,6 +170,11 @@ def test_good_ssl_cert(self): @pytest.mark.usefixtures('enable_kerberos_oidc_fallback') class TestKerberosWithFallbackAuthentication(TestGSSAPIAuthentication): + invalid_token_error = ( + "\n- Authentication method OIDC failed:" + " 401 Unauthorized: OIDC authentication failed: unsupported_token_type: " + ) + def test_unauthorized(self, client, monkeypatch): monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab') r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA), diff --git a/waiverdb/auth.py b/waiverdb/auth.py index 40a4912..f47bf89 100644 --- a/waiverdb/auth.py +++ b/waiverdb/auth.py @@ -5,7 +5,7 @@ import binascii import gssapi from flask import current_app, Request, Response, session -from werkzeug.exceptions import Unauthorized, Forbidden +from werkzeug.exceptions import Unauthorized from authlib.oauth2.base import OAuth2Error from waiverdb.utils import auth_methods @@ -29,7 +29,7 @@ def process_gssapi_request(token): if not sc.complete: current_app.logger.error( 'Multiple GSSAPI round trips not supported') - raise Forbidden("Attempted multiple GSSAPI round trips") + raise Unauthorized("Attempted multiple GSSAPI round trips") current_app.logger.debug('Completed GSSAPI negotiation') @@ -40,23 +40,31 @@ def process_gssapi_request(token): current_app.logger.exception( 'Unable to authenticate: failed to %s: %s' % (stage, e.gen_message())) - raise Forbidden("Authentication failed") + raise Unauthorized("Authentication failed") def get_user(request: Request) -> tuple[str, dict[str, str]]: methods = auth_methods(current_app) - exceptions = [] + response = None + error = "" for method in methods: try: return get_user_by_method(request, method) except Unauthorized as e: - exceptions.append(e) - continue + message = f"Authentication method {method} failed: {e}" + current_app.logger.info(message) + error += f"\n- {message}" + if response is None and e.response is not None: + response = e + + if response is not None: + raise response + + if error: + raise Unauthorized(f"Authentication failed:{error}") - if exceptions: - raise exceptions[0] raise Unauthorized("Authenticated user required. No methods specified.")