From c285be743f0bb43b1b05fe503bdf25d7a5f5d43a Mon Sep 17 00:00:00 2001
From: Bjørn Christian Seime
Date: Thu, 5 Mar 2020 16:27:18 +0100
Subject: Improve error message on when all allowed credentials are missing

---
 .../security/athenz/AthenzAuthorizationFilter.java | 22 +++++++++++++++++++++-
 .../athenz/AthenzAuthorizationFilterTest.java | 10 ++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

(limited to 'jdisc-security-filters')

diff --git a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
index f3d9fa9583c..81ccef651e9 100644
--- a/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
+++ b/jdisc-security-filters/src/main/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilter.java
@@ -21,6 +21,7 @@ import java.util.EnumSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.logging.Logger;
+import java.util.stream.Collectors;
 
 import static com.yahoo.jdisc.Response.Status.FORBIDDEN;
 import static com.yahoo.jdisc.Response.Status.UNAUTHORIZED;
@@ -104,7 +105,7 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 return checkAccessWithRoleToken(request, resourceAndAction);
 } else {
 throw new IllegalArgumentException(
-"Not authorized - request did not contain any of the allowed credentials: " + enabledCredentials);
+"Not authorized - request did not contain any of the allowed credentials: " + toPrettyString(enabledCredentials));
 }
 }
 
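Review bot: The message built in the `throw` on the new line of the `@@ -104` hunk still opens with "Not authorized" although the condition is a missing credential, which the test added in this commit expects to surface as a 401 — an authentication failure — while the filter also imports FORBIDDEN for its separate authorization outcome. Since the commit's purpose is to make this message clearer, consider `"Unauthenticated - request did not contain any of the allowed credentials: " + toPrettyString(enabledCredentials)` so an operator reading the body can tell the two failure modes apart; the verbatim assertion added in AthenzAuthorizationFilterTest would need the same wording. The enclosing method starts before this hunk, and how the IllegalArgumentException is translated into the 401 status is not visible here, so that mapping is inferred from the test.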
@@ -153,6 +154,25 @@ public class AthenzAuthorizationFilter extends JsonSecurityRequestFilterBase {
 return new ZToken(request.getHeader(roleTokenHeaderName));
 }
 
+private static String toPrettyString(EnumSet enabledCredentialSet) {
+return enabledCredentialSet.stream()
+.map(AthenzAuthorizationFilter::toPrettyString)
+.collect(Collectors.joining(", ", "[", "]"));
+}
+
+private static String toPrettyString(EnabledCredentials.Enum enabledCredential) {
+switch (enabledCredential) {
+case ACCESS_TOKEN:
+return "Athenz access token with X.509 identity certificate";
+case ROLE_TOKEN:
+return "Athenz role token (ZToken)";
+case ROLE_CERTIFICATE:
+return "Athenz X.509 role certificate";
+default:
+throw new IllegalArgumentException("Unknown credential type: " + enabledCredential);
+}
+}
+
 private static void populateRequestWithResult(DiscFilterRequest request, Result result) {
 request.setUserPrincipal(
 new AthenzPrincipal(result.identity, result.zpeResult.matchedRole().map(List::of).orElse(List.of())));
diff --git a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
index 1fe8d73eb44..530e0447619 100644
--- a/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
+++ b/jdisc-security-filters/src/test/java/com/yahoo/jdisc/http/filter/security/athenz/AthenzAuthorizationFilterTest.java
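Review bot: The three literals returned by the enum-valued `toPrettyString` are surfaced verbatim in the 401 response body, and the test added in this commit asserts them — and their EnumSet iteration order — character for character, but nothing at the definition says so; a comment such as `// User-facing names for the 401 body; AthenzAuthorizationFilterTest asserts these verbatim` above the switch would stop a later rewording from silently breaking the test. The two overloads sharing the name `toPrettyString` resolve only through the method reference's argument type; naming the per-constant one `describeCredential` would read more clearly and remove the overload resolution from the reader's path. As rendered here the first overload takes a raw `EnumSet`; if that is not a markup artifact, declare it `EnumSet<EnabledCredentials.Enum>` so the stream element type is known to the compiler. The `default` branch is the only guard against a new enum constant, and a switch that returns from every case leaves that branch unreachable by the compiler's own check, so adding a constant without a description will only be caught at runtime in the error path.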
@@ -34,6 +34,7 @@ import static com.yahoo.jdisc.http.filter.security.athenz.AthenzAuthorizationFil
 import static com.yahoo.security.SignatureAlgorithm.SHA256_WITH_ECDSA;
 import static com.yahoo.security.SubjectAlternativeName.Type.RFC822_NAME;
 import static com.yahoo.vespa.athenz.zpe.AuthorizationResult.Type;
+import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.notNullValue;
 import static org.hamcrest.CoreMatchers.nullValue;
@@ -108,6 +109,8 @@ public class AthenzAuthorizationFilterTest {
 filter.filter(request, responseHandler);
 
 assertStatusCode(responseHandler, 401);
+assertErrorMessage(responseHandler, "Not authorized - request did not contain any of the allowed credentials: " +
+"[Athenz X.509 role certificate, Athenz access token with X.509 identity certificate]");
 }
 
 @Test
@@ -184,6 +187,13 @@ public class AthenzAuthorizationFilterTest {
 verify(request).setAttribute(MATCHED_ROLE_ATTRIBUTE, role.roleName());
 }
 
+private static void assertErrorMessage(MockResponseHandler responseHandler, String errorMessage) {
+Response response = responseHandler.getResponse();
+assertThat(response, notNullValue());
+String content = responseHandler.readAll();
+assertThat(content, containsString(errorMessage));
+}
+
 private static class AllowingZpe implements Zpe {
 
 @Override
-- 
cgit v1.2.3
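Review bot: The expected string passed to `assertErrorMessage` in the `@@ -108` hunk pins the order `[Athenz X.509 role certificate, Athenz access token with X.509 identity certificate]`, which is the EnumSet's iteration order and therefore the declaration order of `EnabledCredentials.Enum`; reordering or extending that enum would fail this test without any change in filter behavior. Either assert each description with its own `containsString` call, or put a comment on the assertion such as `// order follows EnabledCredentials.Enum declaration order (EnumSet iteration)` so the coupling is deliberate rather than accidental. The test method containing this call begins before the hunk, so which credentials the filter was configured with is not visible here.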