Print errors for all authentication methods

release-engineering · Jan 7, 2025 · 7dbdd66 · 7dbdd66
1 parent 5463a0d
commit 7dbdd66
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -50,6 +50,8 @@ def permissions():
 
 @pytest.mark.usefixtures('enable_kerberos')
 class TestGSSAPIAuthentication(object):
+    invalid_token_error = ""
+
     def test_unauthorized(self, client, monkeypatch):
         monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab')
         r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA),
@@ -80,7 +82,14 @@ def test_invalid_token(self, client, monkeypatch):
         r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA),
                         content_type='application/json', headers=headers)
         assert r.status_code == 401
-        assert r.json == {"message": "Invalid authentication token"}
+        assert r.json == {
+            "message": (
+                "Authentication failed:"
+                "\n- Authentication method Kerberos failed:"
+                " 401 Unauthorized: Invalid authentication token"
+                f"{self.invalid_token_error}"
+            )
+        }
 
 
 class TestOIDCAuthentication(object):
@@ -161,6 +170,11 @@ def test_good_ssl_cert(self):
 
 @pytest.mark.usefixtures('enable_kerberos_oidc_fallback')
 class TestKerberosWithFallbackAuthentication(TestGSSAPIAuthentication):
+    invalid_token_error = (
+        "\n- Authentication method OIDC failed:"
+        " 401 Unauthorized: OIDC authentication failed: unsupported_token_type: "
+    )
+
     def test_unauthorized(self, client, monkeypatch):
         monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab')
         r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA),

diff --git a/waiverdb/auth.py b/waiverdb/auth.py
@@ -46,17 +46,25 @@ def process_gssapi_request(token):
 def get_user(request: Request) -> tuple[str, dict[str, str]]:
     methods = auth_methods(current_app)
 
-    exceptions = []
+    response = None
+    error = ""
 
     for method in methods:
         try:
             return get_user_by_method(request, method)
         except Unauthorized as e:
-            exceptions.append(e)
-            continue
+            message = f"Authentication method {method} failed: {e}"
+            current_app.logger.info(message)
+            error += f"\n- {message}"
+            if response is None and e.response is not None:
+                response = e
+
+    if response is not None:
+        raise response
+
+    if error:
+        raise Unauthorized(f"Authentication failed:{error}")
 
-    if exceptions:
-        raise exceptions[0]
     raise Unauthorized("Authenticated user required. No methods specified.")