openstack/ironic-lib
Code Issues Proposed changes

Add logging to the HTTP basic auth code

Browse Source 
It's tricky to debug authentication when we leave no traces in the
logs and the client only receives a generic error.

Change-Id: I2c248b94938ec37f4b28e0fda4eded51ee48cdc6
This commit is contained in:
Dmitry Tantsur 2020-08-05 14:47:59 +02:00
parent 28b64d27c0
commit 4e0846d208
2 changed files with 14 additions and 6 deletions

18
ironic_lib/auth_basic.py

@ -81,10 +81,13 @@ def authenticate(auth_file, username, password):
entry = line.strip() entry = line.strip()
if entry and entry.startswith(line_prefix): if entry and entry.startswith(line_prefix):
return auth_entry(entry, password) return auth_entry(entry, password)
except OSError: except OSError as exc:
LOG.error('Problem reading auth user file: %s', exc)
raise exception.ConfigInvalid( raise exception.ConfigInvalid(
error_msg=_('Problem reading auth user file')) error_msg=_('Problem reading auth user file'))
# reached end of file with no matches # reached end of file with no matches
LOG.info('User %s not found', username)
unauthorized() unauthorized()
@ -100,6 +103,7 @@ def auth_entry(entry, password):
username, crypted = parse_entry(entry) username, crypted = parse_entry(entry)
if not bcrypt.checkpw(password, crypted): if not bcrypt.checkpw(password, crypted):
LOG.info('Password for %s does not match', username)
unauthorized() unauthorized()
return { return {
@ -158,7 +162,8 @@ def parse_token(token):
(username, password) = auth_pair.split(b':', maxsplit=1) (username, password) = auth_pair.split(b':', maxsplit=1)
return (username.decode('utf-8'), password) return (username.decode('utf-8'), password)
except (TypeError, binascii.Error, ValueError): except (TypeError, binascii.Error, ValueError) as exc:
LOG.info('Could not decode authorization token: %s', exc)
raise exception.BadRequest(_('Could not decode authorization token')) raise exception.BadRequest(_('Could not decode authorization token'))
@ -172,15 +177,18 @@ def parse_header(env):
try: try:
auth_header = env.pop('HTTP_AUTHORIZATION') auth_header = env.pop('HTTP_AUTHORIZATION')
except KeyError: except KeyError:
LOG.info('No authorization token received')
unauthorized(_('Authorization required')) unauthorized(_('Authorization required'))
try: try:
auth_type, token = auth_header.strip().split(maxsplit=1) auth_type, token = auth_header.strip().split(maxsplit=1)
except (ValueError, AttributeError): except (ValueError, AttributeError) as exc:
LOG.info('Could not parse Authorization header: %s', exc)
raise exception.BadRequest(_('Could not parse Authorization header')) raise exception.BadRequest(_('Could not parse Authorization header'))
if auth_type.lower() != 'basic': if auth_type.lower() != 'basic':
raise exception.BadRequest(_('Unsupported authorization type: ' msg = _('Unsupported authorization type "%s"') % auth_type
'%(auth_type)s') % {'auth_type': auth_type}) LOG.info(msg)
raise exception.BadRequest(msg)
return token return token

2
ironic_lib/tests/test_basic_auth.py

@ -212,7 +212,7 @@ class TestAuthBasic(base.IronicLibTestCase):
e = self.assertRaises(exception.BadRequest, e = self.assertRaises(exception.BadRequest,
auth_basic.parse_header, auth_basic.parse_header,
{'HTTP_AUTHORIZATION': digest_value}) {'HTTP_AUTHORIZATION': digest_value})
self.assertEqual('Unsupported authorization type: Digest', str(e)) self.assertEqual('Unsupported authorization type "Digest"', str(e))
def test_unauthorized(self): def test_unauthorized(self):
e = self.assertRaises(exception.Unauthorized, e = self.assertRaises(exception.Unauthorized,