Improve error message when user authentication fails

author: Bjørn Christian Seime <bjorncs@oath.com> 2017-11-22 16:44:31 +0100
committer: Bjørn Christian Seime <bjorncs@oath.com> 2017-11-22 16:44:31 +0100
commit: efa28693c9e9aa0d599f610836d035cd38aa949d (patch)
tree: b685c9a9b9dae851cbda97602ef3c81d60f72ef3 /controller-server
parent: 47a72fee625e178d82b494a1f172e9f4b0745fa4 (diff)
3 files changed, 26 insertions, 17 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
index f5e2020d3e3..51865be04fa 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/AthenzPrincipalFilter.java
@@ -2,6 +2,7 @@
 package com.yahoo.vespa.hosted.controller.athenz.filter;
 
 import com.google.inject.Inject;
+import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.SecurityRequestFilter;
@@ -13,7 +14,7 @@ import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
 
 import java.util.concurrent.Executor;
 
-import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendUnauthorized;
+import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendErrorResponse;
 
 /**
  * Performs authentication by validating the principal token (NToken) header.
@@ -44,7 +45,7 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter {
     public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
         String rawToken = request.getHeader(principalTokenHeader);
         if (rawToken == null || rawToken.isEmpty()) {
-            sendUnauthorized(responseHandler, "NToken is missing");
+            sendErrorResponse(responseHandler, Response.Status.UNAUTHORIZED, "NToken is missing");
             return;
         }
         try {
@@ -52,7 +53,7 @@ public class AthenzPrincipalFilter implements SecurityRequestFilter {
             request.setUserPrincipal(principal);
             request.setRemoteUser(principal.getName());
         } catch (InvalidTokenException e) {
-            sendUnauthorized(responseHandler, e.getMessage());
+            sendErrorResponse(responseHandler,Response.Status.UNAUTHORIZED, e.getMessage());
         }
     }
 
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java
index 075e5e76acd..8e193d3848f 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/SecurityFilterUtils.java
@@ -17,8 +17,8 @@ class SecurityFilterUtils {
 
     private SecurityFilterUtils() {}
 
-    static void sendUnauthorized(ResponseHandler responseHandler, String message) {
-        Response response = new Response(Response.Status.UNAUTHORIZED);
+    static void sendErrorResponse(ResponseHandler responseHandler, int statusCode, String message) {
+        Response response = new Response(statusCode);
         response.headers().put("Content-Type", "application/json");
         ObjectNode errorMessage = mapper.createObjectNode();
         errorMessage.put("message", message);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
index 62c54b10a00..44ca7895a33 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/filter/UserAuthWithAthenzPrincipalFilter.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.athenz.filter;
 
 import com.google.inject.Inject;
 import com.yahoo.container.jdisc.HttpRequest;
+import com.yahoo.jdisc.Response;
 import com.yahoo.jdisc.handler.ResponseHandler;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.log.LogLevel;
@@ -19,7 +20,7 @@ import java.util.concurrent.Executor;
 import java.util.logging.Logger;
 import java.util.stream.Stream;
 
-import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendUnauthorized;
+import static com.yahoo.vespa.hosted.controller.athenz.filter.SecurityFilterUtils.sendErrorResponse;
 
 /**
  * A variant of the {@link AthenzPrincipalFilter} to be used in combination with a cookie-based
@@ -46,17 +47,24 @@ public class UserAuthWithAthenzPrincipalFilter extends AthenzPrincipalFilter {
     public void filter(DiscFilterRequest request, ResponseHandler responseHandler) {
         if (request.getMethod().equals("OPTIONS")) return; // Skip authentication on OPTIONS - required for Javascript CORS
 
-        switch (getUserAuthenticationResult(request)) {
-            case USER_COOKIE_MISSING:
-            case USER_COOKIE_ALTERNATIVE_MISSING:
-                super.filter(request, responseHandler); // Cookie-based authentication failed, delegate to Athenz
-                break;
-            case USER_COOKIE_OK:
-                rewriteUserPrincipalToAthenz(request);
-                return; // Authenticated using user cookie
-            case USER_COOKIE_INVALID:
-                sendUnauthorized(responseHandler, "Your user cookie is invalid (either expired, tampered or invalid ip)");
-                break;
+        try {
+            switch (getUserAuthenticationResult(request)) {
+                case USER_COOKIE_MISSING:
+                case USER_COOKIE_ALTERNATIVE_MISSING:
+                    super.filter(request, responseHandler); // Cookie-based authentication failed, delegate to Athenz
+                    break;
+                case USER_COOKIE_OK:
+                    rewriteUserPrincipalToAthenz(request);
+                    return; // Authenticated using user cookie
+                case USER_COOKIE_INVALID:
+                    sendErrorResponse(responseHandler,
+                                      Response.Status.UNAUTHORIZED,
+                                      "Your user cookie is invalid (either expired, tampered or invalid ip)");
+                    break;
+            }
+        } catch (Exception e) {
+            log.log(LogLevel.WARNING, "Authentication failed: " + e.getMessage(), e);
+            sendErrorResponse(responseHandler, Response.Status.INTERNAL_SERVER_ERROR, e.getMessage());
         }
     }
author	Bjørn Christian Seime <bjorncs@oath.com>	2017-11-22 16:44:31 +0100
committer	Bjørn Christian Seime <bjorncs@oath.com>	2017-11-22 16:44:31 +0100
commit	efa28693c9e9aa0d599f610836d035cd38aa949d (patch)
tree	b685c9a9b9dae851cbda97602ef3c81d60f72ef3 /controller-server
parent	47a72fee625e178d82b494a1f172e9f4b0745fa4 (diff)