From 7dbdd66277661b96787369c51e152f2240efc3aa Mon Sep 17 00:00:00 2001 From: Lukas Holecek Date: Tue, 7 Jan 2025 11:23:04 +0100 Subject: [PATCH] Print errors for all authentication methods --- tests/test_auth.py | 16 +++++++++++++++- waiverdb/auth.py | 18 +++++++++++++----- 2 files changed, 28 insertions(+), 6 deletions(-) diff --git a/tests/test_auth.py b/tests/test_auth.py index a32634c..1534b57 100644 --- a/tests/test_auth.py +++ b/tests/test_auth.py @@ -50,6 +50,8 @@ def permissions(): @pytest.mark.usefixtures('enable_kerberos') class TestGSSAPIAuthentication(object): + invalid_token_error = "" + def test_unauthorized(self, client, monkeypatch): monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab') r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA), @@ -80,7 +82,14 @@ def test_invalid_token(self, client, monkeypatch): r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA), content_type='application/json', headers=headers) assert r.status_code == 401 - assert r.json == {"message": "Invalid authentication token"} + assert r.json == { + "message": ( + "Authentication failed:" + "\n- Authentication method Kerberos failed:" + " 401 Unauthorized: Invalid authentication token" + f"{self.invalid_token_error}" + ) + } class TestOIDCAuthentication(object): @@ -161,6 +170,11 @@ def test_good_ssl_cert(self): @pytest.mark.usefixtures('enable_kerberos_oidc_fallback') class TestKerberosWithFallbackAuthentication(TestGSSAPIAuthentication): + invalid_token_error = ( + "\n- Authentication method OIDC failed:" + " 401 Unauthorized: OIDC authentication failed: unsupported_token_type: " + ) + def test_unauthorized(self, client, monkeypatch): monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab') r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA), diff --git a/waiverdb/auth.py b/waiverdb/auth.py index 40a4912..d366ee4 100644 --- a/waiverdb/auth.py +++ b/waiverdb/auth.py @@ -46,17 +46,25 @@ def process_gssapi_request(token): def get_user(request: Request) -> tuple[str, dict[str, str]]: methods = auth_methods(current_app) - exceptions = [] + response = None + error = "" for method in methods: try: return get_user_by_method(request, method) except Unauthorized as e: - exceptions.append(e) - continue + message = f"Authentication method {method} failed: {e}" + current_app.logger.info(message) + error += f"\n- {message}" + if response is None and e.response is not None: + response = e + + if response is not None: + raise response + + if error: + raise Unauthorized(f"Authentication failed:{error}") - if exceptions: - raise exceptions[0] raise Unauthorized("Authenticated user required. No methods specified.")