release-engineering · hluk · Jan 7, 2025 · Jan 7, 2025
diff --git a/tests/test_auth.py b/tests/test_auth.py
@@ -50,6 +50,8 @@ def permissions():
 
 @pytest.mark.usefixtures('enable_kerberos')
 class TestGSSAPIAuthentication(object):
+    invalid_token_error = ""
+
     def test_unauthorized(self, client, monkeypatch):
         monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab')
         r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA),
@@ -80,7 +82,14 @@ def test_invalid_token(self, client, monkeypatch):
         r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA),
                         content_type='application/json', headers=headers)
         assert r.status_code == 401
-        assert r.json == {"message": "Invalid authentication token"}
+        assert r.json == {
+            "message": (
+                "Authentication failed:"
+                "\n- Authentication method Kerberos failed:"
+                " 401 Unauthorized: Invalid authentication token"
+                f"{self.invalid_token_error}"
+            )
+        }
 
 
 class TestOIDCAuthentication(object):
@@ -161,6 +170,11 @@ def test_good_ssl_cert(self):
 
 @pytest.mark.usefixtures('enable_kerberos_oidc_fallback')
 class TestKerberosWithFallbackAuthentication(TestGSSAPIAuthentication):
+    invalid_token_error = (
+        "\n- Authentication method OIDC failed:"
+        " 401 Unauthorized: OIDC authentication failed: unsupported_token_type: "
+    )
+
     def test_unauthorized(self, client, monkeypatch):
         monkeypatch.setenv('KRB5_KTNAME', '/etc/foo.keytab')
         r = client.post('/api/v1.0/waivers/', data=json.dumps(WAIVER_DATA),

diff --git a/waiverdb/auth.py b/waiverdb/auth.py
@@ -5,7 +5,7 @@
 import binascii
 import gssapi
 from flask import current_app, Request, Response, session
-from werkzeug.exceptions import Unauthorized, Forbidden
+from werkzeug.exceptions import Unauthorized
 from authlib.oauth2.base import OAuth2Error
 
 from waiverdb.utils import auth_methods
@@ -29,7 +29,7 @@ def process_gssapi_request(token):
         if not sc.complete:
             current_app.logger.error(
                 'Multiple GSSAPI round trips not supported')
-            raise Forbidden("Attempted multiple GSSAPI round trips")
+            raise Unauthorized("Attempted multiple GSSAPI round trips")
 
         current_app.logger.debug('Completed GSSAPI negotiation')
 
@@ -40,23 +40,31 @@ def process_gssapi_request(token):
         current_app.logger.exception(
             'Unable to authenticate: failed to %s: %s' %
             (stage, e.gen_message()))
-        raise Forbidden("Authentication failed")
+        raise Unauthorized("Authentication failed")
 
 
 def get_user(request: Request) -> tuple[str, dict[str, str]]:
     methods = auth_methods(current_app)
 
-    exceptions = []
+    response = None
+    error = ""
 
     for method in methods:
         try:
             return get_user_by_method(request, method)
         except Unauthorized as e:
-            exceptions.append(e)
-            continue
+            message = f"Authentication method {method} failed: {e}"
+            current_app.logger.info(message)
+            error += f"\n- {message}"
+            if response is None and e.response is not None:
+                response = e
+
+    if response is not None:
+        raise response
+
+    if error:
+        raise Unauthorized(f"Authentication failed:{error}")
 
-    if exceptions:
-        raise exceptions[0]
     raise Unauthorized("Authenticated user required. No methods specified.")