Add logging to OAuth authentication mechanism

-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=150194950
mountford 2017-03-15 08:37:53 -07:00 committed by Ben McIlwain
parent e6a5083b55
commit 852f1afb6c


@ -25,6 +25,7 @@ import com.google.appengine.api.users.User;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableSet; import com.google.common.collect.ImmutableSet;
import google.registry.config.RegistryConfig.Config; import google.registry.config.RegistryConfig.Config;
import google.registry.util.FormattingLogger;
import javax.inject.Inject; import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
@ -37,6 +38,8 @@ public class OAuthAuthenticationMechanism implements AuthenticationMechanism {
private static final String BEARER_PREFIX = "Bearer "; private static final String BEARER_PREFIX = "Bearer ";
private static final FormattingLogger logger = FormattingLogger.getLoggerForCallerClass();
private final OAuthService oauthService; private final OAuthService oauthService;
/** The available OAuth scopes for which {@link OAuthService} should check. */ /** The available OAuth scopes for which {@link OAuthService} should check. */
@ -72,6 +75,7 @@ public class OAuthAuthenticationMechanism implements AuthenticationMechanism {
// OAuthService itself only looks at the first one anyway. // OAuthService itself only looks at the first one anyway.
String header = request.getHeader(AUTHORIZATION); String header = request.getHeader(AUTHORIZATION);
if ((header == null) || !header.startsWith(BEARER_PREFIX)) { if ((header == null) || !header.startsWith(BEARER_PREFIX)) {
logger.infofmt("missing or invalid authorization header");
return AuthResult.create(NONE); return AuthResult.create(NONE);
} }
// Assume that, if a bearer token is found, it's what OAuthService will use to attempt // Assume that, if a bearer token is found, it's what OAuthService will use to attempt
@ -90,10 +94,14 @@ public class OAuthAuthenticationMechanism implements AuthenticationMechanism {
try { try {
currentUser = oauthService.getCurrentUser(availableOauthScopes.toArray(new String[0])); currentUser = oauthService.getCurrentUser(availableOauthScopes.toArray(new String[0]));
isUserAdmin = oauthService.isUserAdmin(availableOauthScopes.toArray(new String[0])); isUserAdmin = oauthService.isUserAdmin(availableOauthScopes.toArray(new String[0]));
logger.infofmt("current user: %s (%s)", currentUser, isUserAdmin ? "admin" : "not admin");
clientId = oauthService.getClientId(availableOauthScopes.toArray(new String[0])); clientId = oauthService.getClientId(availableOauthScopes.toArray(new String[0]));
logger.infofmt("client ID: %s", clientId);
authorizedScopes = ImmutableSet authorizedScopes = ImmutableSet
.copyOf(oauthService.getAuthorizedScopes(availableOauthScopes.toArray(new String[0]))); .copyOf(oauthService.getAuthorizedScopes(availableOauthScopes.toArray(new String[0])));
logger.infofmt("authorized scope(s): %s", authorizedScopes);
} catch (OAuthRequestException | OAuthServiceFailureException e) { } catch (OAuthRequestException | OAuthServiceFailureException e) {
logger.infofmt(e, "unable to get OAuth information");
return AuthResult.create(NONE); return AuthResult.create(NONE);
} }
if ((currentUser == null) || (clientId == null) || (authorizedScopes == null)) { if ((currentUser == null) || (clientId == null) || (authorizedScopes == null)) {
@ -103,11 +111,13 @@ public class OAuthAuthenticationMechanism implements AuthenticationMechanism {
// Make sure that the client ID matches, to avoid a confused deputy attack; see: // Make sure that the client ID matches, to avoid a confused deputy attack; see:
// http://stackoverflow.com/a/17439317/1179226 // http://stackoverflow.com/a/17439317/1179226
if (!allowedOauthClientIds.contains(clientId)) { if (!allowedOauthClientIds.contains(clientId)) {
logger.info("client ID is not allowed");
return AuthResult.create(NONE); return AuthResult.create(NONE);
} }
// Make sure that all required scopes are present. // Make sure that all required scopes are present.
if (!authorizedScopes.containsAll(requiredOauthScopes)) { if (!authorizedScopes.containsAll(requiredOauthScopes)) {
logger.info("required scope(s) missing");
return AuthResult.create(NONE); return AuthResult.create(NONE);
} }
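Review bot: The `logger.infofmt("current user: %s (%s)", currentUser, ...)` line in the try block writes the App Engine User's string form, which carries the account email, into the request log at INFO for every bearer-token request, so an identity that was previously only in the auth result now lands in log storage and whoever can read logs. Consider logging at the fine level, if FormattingLogger provides one, or logging only the admin flag there and keeping the identity out of the per-request message; the same applies to the client ID line two lines below, which is less sensitive but still not needed at INFO on the success path. The catch block logs the OAuth failure with the exception attached, which is good for diagnosis, but the null-result branch that begins on the last context line is the one rejection path in this section I cannot see a log statement for, as its body is outside the hunk. Separately, the two new statements in the final hunk use `logger.info(...)` while the rest of the change uses `logger.infofmt(...)`; picking one form keeps the rejection messages searchable in the same way. The enclosing method continues outside these hunks.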