Diffstat (limited to 'fnet')
-rw-r--r-- | fnet/src/vespa/fnet/frt/require_capabilities.cpp | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/fnet/src/vespa/fnet/frt/require_capabilities.cpp b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
index c74e9ad648a..fc64621717f 100644
--- a/fnet/src/vespa/fnet/frt/require_capabilities.cpp
+++ b/fnet/src/vespa/fnet/frt/require_capabilities.cpp
@@ -5,9 +5,25 @@
 #include <vespa/fnet/connection.h>
 #include <vespa/vespalib/net/connection_auth_context.h>
+#include <vespa/log/bufferedlogger.h>
+LOG_SETUP(".fnet.frt.require_capabilities");
+
+using namespace vespalib::net::tls;
+
 bool FRT_RequireCapabilities::allow(FRT_RPCRequest& req) const noexcept {
 const auto& auth_ctx = req.GetConnection()->auth_context();
-return auth_ctx.capabilities().contains_all(_required_capabilities);
+const bool is_authorized = auth_ctx.capabilities().contains_all(_required_capabilities);
+if (!is_authorized) {
+auto peer_spec = req.GetConnection()->GetPeerSpec();
+std::string method_name(req.GetMethodName(), req.GetMethodNameLen());
+LOGBT(warning, peer_spec, "Permission denied for RPC method '%s'. "
+ "Peer at %s with %s. Call requires %s, but peer has %s",
+ method_name.c_str(), peer_spec.c_str(),
+ to_string(auth_ctx.peer_credentials()).c_str(),
+ _required_capabilities.to_string().c_str(),
+ auth_ctx.capabilities().to_string().c_str());
+}
+return is_authorized;
 }
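Review bot: The denial message logs `method_name` verbatim, and that string is built from peer-supplied bytes (`req.GetMethodName()`, `req.GetMethodNameLen()`), so unless the log layer escapes them an unauthorized client can place line breaks or terminal escape sequences into a security-relevant log entry; also, since it is passed through `.c_str()`, an embedded NUL would silently truncate the name that gets recorded. Replacing control characters before the `LOGBT` call keeps the audit line intact, as in the excerpt below. Separately, `allow()` remains `noexcept` while the new denial path now allocates (`std::string`, the `to_string` calls, `GetPeerSpec()`), so an allocation failure there terminates the process instead of propagating; that may be the intended policy, but it is worth a comment. Keying `LOGBT` on `peer_spec` presumably throttles repeated denials from the same peer so a client cannot flood the log; a one-line comment such as `// keyed on peer_spec so repeated denials from one peer are rate-limited` would make that intent explicit for the next reader.
```cpp
// … unchanged: is_authorized check, peer_spec …
std::string method_name(req.GetMethodName(), req.GetMethodNameLen());
// Method name is peer-supplied: neutralize control characters so a client
// cannot inject line breaks or escape sequences into the denial log entry.
for (char& c : method_name) {
    if (static_cast<unsigned char>(c) < 0x20 || c == 0x7f) {
        c = '?';
    }
}
// … unchanged: LOGBT call …
```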