From ee2bd594c831351e2ba93a163a304a8cf1ddcd96 Mon Sep 17 00:00:00 2001
From: mountford
Date: Thu, 2 Mar 2017 14:53:03 -0800
Subject: [PATCH] Change new authorization logic to log a warning rather than rejecting the request
This is the first step in rolling out the changes so that we can check via logging whether turning on the logic would reject anything it should not.
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=149050878
---
 java/google/registry/request/RequestHandler.java | 4 ++--
 .../google/registry/request/RequestHandlerTest.java | 9 +++++++++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/java/google/registry/request/RequestHandler.java b/java/google/registry/request/RequestHandler.java
index e671ae9f2..5ed57bb95 100644
--- a/java/google/registry/request/RequestHandler.java
+++ b/java/google/registry/request/RequestHandler.java
@@ -171,8 +171,8 @@ public class RequestHandler {
 Optional authResult = requestAuthenticator.authorize(route.get().action().auth(), req);
 if (!authResult.isPresent()) {
- rsp.sendError(SC_FORBIDDEN);
- return;
+ logger.warning("Request would not have been authorized");
+ // TODO(b/28219927): Change this to call rsp.sendError(SC_FORBIDDEN) and return
 }
 // Build a new request component using any modules we've constructed by this point.
diff --git a/javatests/google/registry/request/RequestHandlerTest.java b/javatests/google/registry/request/RequestHandlerTest.java
index 5520b3103..63fd8c8c9 100644
--- a/javatests/google/registry/request/RequestHandlerTest.java
+++ b/javatests/google/registry/request/RequestHandlerTest.java
@@ -48,6 +48,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.junit.After;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.runner.RunWith;
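Review bot: The warning added in the `if (!authResult.isPresent())` branch of RequestHandler.java carries no request detail, so the log cannot show which action or caller would have been rejected, which is the stated purpose of this rollout step. Including the method and path would make the entries usable, e.g. `logger.warning("Request would not have been authorized: " + req.getMethod() + " " + req.getRequestURI());` (assuming `req` is the `HttpServletRequest`; the path is caller-controlled, so treat it as untrusted when reading the log). With the `return` gone, execution continues with an absent `authResult`, so the component-building code after the hunk, which is not visible here, has to tolerate that. Until the TODO is resolved this check enforces nothing, so any action that relies on it alone stays reachable by callers it would have rejected.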
@@ -426,6 +427,8 @@ public final class RequestHandlerTest {
 verify(usersOnlyAction).run();
 }
+ // TODO(b/28219927): turn this on once we actually do authorization
+ @Ignore
 @Test
 public void testNoAuthNeeded_success() throws Exception {
 when(req.getMethod()).thenReturn("GET");
@@ -436,6 +439,8 @@ public final class RequestHandlerTest {
 assertThat(providedAuthResult.userAuthInfo()).isAbsent();
 }
+ // TODO(b/28219927): turn this on once we actually do authorization
+ @Ignore
 @Test
 public void testAuthNeeded_notLoggedIn() throws Exception {
 when(req.getMethod()).thenReturn("GET");
@@ -445,6 +450,8 @@ public final class RequestHandlerTest {
 assertThat(providedAuthResult).isNull();
 }
+ // TODO(b/28219927): turn this on once we actually do authorization
+ @Ignore
 @Test
 public void testAuthNeeded_notAuthorized() throws Exception {
 userService.setUser(testUser, false);
@@ -455,6 +462,8 @@ public final class RequestHandlerTest {
 assertThat(providedAuthResult).isNull();
 }
+ // TODO(b/28219927): turn this on once we actually do authorization
+ @Ignore
 @Test
 public void testAuthNeeded_success() throws Exception {
 userService.setUser(testUser, true);
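Review bot: The four `@Ignore` annotations (on `testNoAuthNeeded_success`, `testAuthNeeded_notLoggedIn`, `testAuthNeeded_notAuthorized` and `testAuthNeeded_success`) remove all coverage of the authorization branch, and nothing is added to pin the interim log-only behaviour. A test asserting that an unauthorized request is still dispatched during the rollout would catch an accidental early switch to enforcement or a failure on the absent result. It is also not evident from the hunks why the two `_success` cases have to be disabled; if they still pass, they should stay on. Giving the annotation a reason, `@Ignore("b/28219927: re-enable once authorization is enforced")`, puts the explanation in the test report rather than only in a comment. Each test method's body continues outside its hunk.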