authorBjørn Christian Seime <bjorncs@oath.com>2018-02-16 11:12:08 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-02-16 11:12:08 +0100
commit14bb5d56b35080a7372976a4b98e48a0e8ee9d37 (patch)
treeb2e4ec156be6423544a3093951c5d195cf5fa871 /controller-server/src
parent0d1afa9450280ed26b28d3e17469bd703dc8ca2e (diff)
Log path and identity for all authz failures
Diffstat (limited to 'controller-server/src')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java31
1 files changed, 21 insertions, 10 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
index 2f1f59b90d9..3d0a50d71dc 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/ControllerAuthorizationFilter.java
@@ -53,7 +53,7 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
private final AuthorizationResponseHandler authorizationResponseHandler;
public interface AuthorizationResponseHandler {
- void handle(ResponseHandler responseHandler, WebApplicationException verificationException);
+ void handle(ResponseHandler responseHandler, DiscFilterRequest request, WebApplicationException verificationException);
}
@Inject
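Review bot: The widened `AuthorizationResponseHandler.handle` signature carries no Javadoc, so an implementer cannot tell from the interface whether `request` is meant for logging context only or whether the handler is expected to write a response to `responseHandler`; the two implementations later in this file differ on exactly that point. A short doc on the interface would settle it: `/** Invoked when a request fails authentication or authorization; {@code request} is provided for diagnostics and implementations decide whether to write an error response via {@code responseHandler}. */`. The enclosing class continues outside this hunk.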
@@ -85,7 +85,7 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
try {
Path path = new Path(request.getRequestURI());
- AthenzPrincipal principal = getPrincipal(request);
+ AthenzPrincipal principal = getPrincipalOrThrow(request);
if (isWhiteListedOperation(path, method)) {
// no authz check
} else if (isHostedOperatorOperation(path, method)) {
@@ -98,7 +98,7 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
throw new ForbiddenException("No access control is explicitly declared for this api.");
}
} catch (WebApplicationException e) {
- authorizationResponseHandler.handle(handler, e);
+ authorizationResponseHandler.handle(handler, request, e);
}
}
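Review bot: The `catch (WebApplicationException e)` block now hands the request to the injected handler, but whether the denied request is actually stopped depends on which implementation is wired in: the logging handler later in this file only writes a log record, while the HTTP-responding one calls `sendErrorResponse`. If the log-only handler is the one injected (the constructor is outside this hunk), an unauthenticated or unauthorized request proceeds past this filter after being logged; if that is an intentional audit/dry-run mode it deserves a comment here, e.g. `// The handler decides whether the request is rejected; the logging handler only records the denial.`. The enclosing `filter` method starts before this hunk.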
@@ -186,22 +186,31 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
return Method.valueOf(request.getMethod().toUpperCase());
}
- private static AthenzPrincipal getPrincipal(DiscFilterRequest request) {
- return Optional.ofNullable(request.getUserPrincipal())
- .map(AthenzPrincipal.class::cast)
+ private static AthenzPrincipal getPrincipalOrThrow(DiscFilterRequest request) {
+ return getPrincipal(request)
.orElseThrow(() -> new NotAuthorizedException("User not authenticated"));
}
+ private static Optional<AthenzPrincipal> getPrincipal(DiscFilterRequest request) {
+ return Optional.ofNullable(request.getUserPrincipal())
+ .map(AthenzPrincipal.class::cast);
+ }
+
private static class LoggingAuthorizationResponseHandler implements AuthorizationResponseHandler {
@SuppressWarnings("LoggerInitializedWithForeignClass")
private static final Logger log = Logger.getLogger(ControllerAuthorizationFilter.class.getName());
@Override
- public void handle(ResponseHandler responseHandler, WebApplicationException exception) {
+ public void handle(ResponseHandler responseHandler,
+ DiscFilterRequest request,
+ WebApplicationException exception) {
log.log(LogLevel.WARNING,
- String.format("Access denied (%d): %s",
- exception.getResponse().getStatus(), exception.getMessage()));
+ String.format("Access denied (%d): '%s'\nPath: %s\nIdentity: %s",
+ exception.getResponse().getStatus(),
+ exception.getMessage(),
+ request.getRequestURI(),
+ getPrincipal(request).map(p -> p.getIdentity().getFullName()).orElse("[none]")));
}
}
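Review bot: The new `String.format` in `LoggingAuthorizationResponseHandler.handle` interpolates `request.getRequestURI()`, a client-controlled value, into a record that already uses `\n` as its field separator, so a URI carrying raw or encoded CR/LF (whether `getRequestURI` returns it decoded is not visible here) could forge extra `Path:`/`Identity:` lines in the warning log. Keep the record on a single line and strip control characters from the untrusted field, e.g. `String.format("Access denied (%d): '%s' path='%s' identity='%s'", ...)` with `request.getRequestURI().replaceAll("[\\r\\n\\t]", "")` as the path argument. If `getRequestURI` includes the query string, consider logging only the path component so query-borne tokens are not persisted at WARNING level; the identity full name is fine to log as-is.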
@@ -209,7 +218,9 @@ public class ControllerAuthorizationFilter implements SecurityRequestFilter {
@SuppressWarnings("unused")
static class HttpRespondingAuthorizationResponseHandler implements AuthorizationResponseHandler {
@Override
- public void handle(ResponseHandler responseHandler, WebApplicationException exception) {
+ public void handle(ResponseHandler responseHandler,
+ DiscFilterRequest request,
+ WebApplicationException exception) {
sendErrorResponse(responseHandler, exception.getResponse().getStatus(), exception.getMessage());
}
}