[arvados] created: 2.5.0-5-gade474262

git repository hosting git at public.arvados.org
Sun Jan 15 22:04:40 UTC 2023


        at  ade4742621d4041c13332d9a97a7b2ddf7f69a16 (commit)


commit ade4742621d4041c13332d9a97a7b2ddf7f69a16
Author: Tom Clegg <tom at curii.com>
Date:   Sun Jan 15 17:02:42 2023 -0500

    19907: Log when caching negative result for OIDC token check.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/controller/localdb/login_oidc.go b/lib/controller/localdb/login_oidc.go
index 05e5e243b..b56f67aa3 100644
--- a/lib/controller/localdb/login_oidc.go
+++ b/lib/controller/localdb/login_oidc.go
@@ -462,6 +462,7 @@ func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) er
 		return fmt.Errorf("error setting up OpenID Connect provider: %s", err)
 	}
 	if ok, err := ta.checkAccessTokenScope(ctx, tok); err != nil || !ok {
+		// Note checkAccessTokenScope logs any interesting errors
 		ta.cache.Add(tok, time.Now().Add(tokenCacheNegativeTTL))
 		return err
 	}
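Review bot: The added comment documents the logging but not the caching policy on the line below it: every non-nil error from checkAccessTokenScope, not only a scope mismatch, is cached as a negative result for tokenCacheNegativeTTL, so if that function can fail transiently (only its scope-rejection path is visible in the third hunk), a valid token would be refused until the entry expires. Either state that intent in the comment, e.g. `// Note checkAccessTokenScope logs any interesting errors; any failure (scope mismatch or otherwise) is cached as negative for tokenCacheNegativeTTL`, or move ta.cache.Add into the !ok case if transient errors are possible. registerToken starts before this hunk and its body continues after it.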
@@ -470,6 +471,7 @@ func (ta *oidcTokenAuthorizer) registerToken(ctx context.Context, tok string) er
 	}
 	userinfo, err := ta.ctrl.provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
 	if err != nil {
+		ctxlog.FromContext(ctx).WithError(err).WithField("HMAC", hmac).Info("UserInfo failed (not an OIDC token?), caching negative result")
 		ta.cache.Add(tok, time.Now().Add(tokenCacheNegativeTTL))
 		return nil
 	}
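Review bot: The new log line asserts the token is probably not an OIDC token, but a transient provider failure (timeout, 5xx) from UserInfo takes the same path and the next line caches it negatively, locking out a valid token for tokenCacheNegativeTTL; if the provider error can be classified, only an authentication rejection should be cached, otherwise the message should not imply the token is non-OIDC. Info is also a low level for a failure that changes an authorization outcome; the non-rejection case would warrant Warn. Logging the token via the `HMAC` field is appropriate as long as `hmac`, which is defined outside this hunk, is a keyed digest rather than anything reversible to the raw token, which is worth confirming. registerToken's body continues outside the hunk.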
@@ -563,6 +565,6 @@ func (ta *oidcTokenAuthorizer) checkAccessTokenScope(ctx context.Context, tok st
 			return true, nil
 		}
 	}
-	ctxlog.FromContext(ctx).WithFields(logrus.Fields{"have": claims.Scope, "need": ta.ctrl.AcceptAccessTokenScope}).Infof("unacceptable access token scope")
+	ctxlog.FromContext(ctx).WithFields(logrus.Fields{"have": claims.Scope, "need": ta.ctrl.AcceptAccessTokenScope}).Info("unacceptable access token scope")
 	return false, httpserver.ErrorWithStatus(errors.New("unacceptable access token scope"), http.StatusUnauthorized)
 }
