Added more information when permission is denied

sbuliarca · sbuliarca · commit 98210dadc263 · 2024-09-23T10:12:24.000+03:00
diff --git a/backend/acl/config.go b/backend/acl/config.go
@@ -16,11 +16,6 @@ import (
 	"gopkg.in/yaml.v2"
 )
 
-var (
-	// ErrUnauthorized indicates that a client doesn't have access to a resource
-	ErrUnauthorized = status.Errorf(codes.PermissionDenied, "unauthorised")
-)
-
 // Config allows retrieve of access scope for the current client
 type Config interface {
 	GetClientScope(ctx context.Context) (*Scope, error)
@@ -103,29 +98,29 @@ func (s *config) GetClientScope(ctx context.Context) (*Scope, error) {
 
 	basicAuth, err := grpc_auth.AuthFromMD(ctx, "Bearer")
 	if err != nil {
-		return nil, ErrUnauthorized
+		return nil, status.Errorf(codes.PermissionDenied, "failed getting Bearrer auth, %v", err)
 	}
 
 	payload, err := base64.StdEncoding.DecodeString(basicAuth)
 	if err != nil {
-		return nil, ErrUnauthorized
+		return nil, status.Errorf(codes.PermissionDenied, "failed getting payload: %v", err)
 	}
 
 	pair := strings.SplitN(string(payload), ":", 2)
 
 	if len(pair) != 2 {
-		return nil, ErrUnauthorized
+		return nil, status.Errorf(codes.PermissionDenied, "malformed payload: should contain 2 pairs, but got %d", len(pair))
 	}
 
 	id, secret := pair[0], pair[1]
 
 	hashPass, ok := s.auth[id]
 	if !ok {
-		return nil, ErrUnauthorized
+		return nil, status.Errorf(codes.PermissionDenied, "no password configured for id %v", id)
 	}
 
 	if err := bcrypt.CompareHashAndPassword(hashPass, []byte(secret)); err != nil {
-		return nil, ErrUnauthorized
+		return nil, status.Errorf(codes.PermissionDenied, "passwords do not match for id %v", id)
 	}
 
 	return s.scopes[id], nil
diff --git a/backend/acl/config_test.go b/backend/acl/config_test.go
@@ -7,7 +7,9 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/require"
+	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
 )
 
 var (
@@ -85,7 +87,14 @@ clients:
 	ctx := createCtx("dog-consumer", "123")
 	_, err = c.GetClientScope(ctx)
 
-	assert.Equal(err, ErrUnauthorized)
+	assertPermissionDenied(t, err, "passwords do not match")
+}
+
+func assertPermissionDenied(t *testing.T, err error, expString string) {
+	s, ok := status.FromError(err)
+	require.True(t, ok)
+	require.Equal(t, codes.PermissionDenied, s.Code())
+	require.ErrorContains(t, err, expString)
 }
 
 func Test_ClientWithNoAuthHasDefaultAccess(t *testing.T) {
diff --git a/backend/acl/sink.go b/backend/acl/sink.go
@@ -6,6 +6,8 @@ import (
 	"github.com/uw-labs/proximo"
 	"github.com/uw-labs/proximo/proto"
 	"github.com/uw-labs/substrate"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
 type AsyncSinkFactory struct {
@@ -20,7 +22,7 @@ func (s AsyncSinkFactory) NewAsyncSink(ctx context.Context, req *proto.StartPubl
 	}
 
 	if !containsRegex(scope.Publish, req.Topic) {
-		return nil, ErrUnauthorized
+		return nil, status.Errorf(codes.PermissionDenied, "no publish permissions for topic %v", req.Topic)
 	}
 
 	return s.Next.NewAsyncSink(ctx, req)
diff --git a/backend/acl/sink_test.go b/backend/acl/sink_test.go
@@ -11,7 +11,6 @@ import (
 )
 
 func Test_FactoryConsumeOnlyClientCannotPublish(t *testing.T) {
-	assert := require.New(t)
 
 	c, err := ConfigFromString(fmt.Sprintf(`
 default:
@@ -37,7 +36,7 @@ clients:
 		Topic: "dogs",
 	})
 
-	assert.Equal(err, ErrUnauthorized)
+	assertPermissionDenied(t, err, "no publish permissions for topic dogs")
 }
 
 func Test_FactoryPublishOnlyClientCanPublish(t *testing.T) {
diff --git a/backend/acl/source.go b/backend/acl/source.go
@@ -6,6 +6,8 @@ import (
 	"github.com/uw-labs/proximo"
 	"github.com/uw-labs/proximo/proto"
 	"github.com/uw-labs/substrate"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
 type AsyncSourceFactory struct {
@@ -20,7 +22,7 @@ func (s AsyncSourceFactory) NewAsyncSource(ctx context.Context, req *proto.Start
 	}
 
 	if !containsRegex(scope.Consume, req.Topic) {
-		return nil, ErrUnauthorized
+		return nil, status.Errorf(codes.PermissionDenied, "no consume permissions for topic %v", req.Topic)
 	}
 
 	return s.Next.NewAsyncSource(ctx, req)
diff --git a/backend/acl/source_test.go b/backend/acl/source_test.go
@@ -9,7 +9,6 @@ import (
 )
 
 func Test_FactoryPublishOnlyClientCannotConsume(t *testing.T) {
-	assert := require.New(t)
 
 	c, err := ConfigFromString(fmt.Sprintf(`
 default:
@@ -35,7 +34,7 @@ clients:
 		Topic: "dogs",
 	})
 
-	assert.Equal(err, ErrUnauthorized)
+	assertPermissionDenied(t, err, "no consume permissions for topic dogs")
 }
 
 func Test_FactoryConsumeOnlyClientCanConsume(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,8 @@ import (`
`6`	`6`	`"github.com/uw-labs/proximo"`
`7`	`7`	`"github.com/uw-labs/proximo/proto"`
`8`	`8`	`"github.com/uw-labs/substrate"`
	`9`	`+ "google.golang.org/grpc/codes"`
	`10`	`+ "google.golang.org/grpc/status"`
`9`	`11`	`)`
`10`	`12`
`11`	`13`	`type AsyncSinkFactory struct {`
`@@ -20,7 +22,7 @@ func (s AsyncSinkFactory) NewAsyncSink(ctx context.Context, req *proto.StartPubl`
`20`	`22`	`}`
`21`	`23`
`22`	`24`	`if !containsRegex(scope.Publish, req.Topic) {`
`23`		`- return nil, ErrUnauthorized`
	`25`	`+ return nil, status.Errorf(codes.PermissionDenied, "no publish permissions for topic %v", req.Topic)`
`24`	`26`	`}`
`25`	`27`
`26`	`28`	`return s.Next.NewAsyncSink(ctx, req)`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,6 @@ import (`
`11`	`11`	`)`
`12`	`12`
`13`	`13`	`func Test_FactoryConsumeOnlyClientCannotPublish(t *testing.T) {`
`14`		`- assert := require.New(t)`
`15`	`14`
`16`	`15`	c, err := ConfigFromString(fmt.Sprintf(`
`17`	`16`	`default:`
`@@ -37,7 +36,7 @@ clients:`
`37`	`36`	`Topic: "dogs",`
`38`	`37`	`})`
`39`	`38`
`40`		`- assert.Equal(err, ErrUnauthorized)`
	`39`	`+ assertPermissionDenied(t, err, "no publish permissions for topic dogs")`
`41`	`40`	`}`
`42`	`41`
`43`	`42`	`func Test_FactoryPublishOnlyClientCanPublish(t *testing.T) {`
Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,6 @@ import (`
`9`	`9`	`)`
`10`	`10`
`11`	`11`	`func Test_FactoryPublishOnlyClientCannotConsume(t *testing.T) {`
`12`		`- assert := require.New(t)`
`13`	`12`
`14`	`13`	c, err := ConfigFromString(fmt.Sprintf(`
`15`	`14`	`default:`
`@@ -35,7 +34,7 @@ clients:`
`35`	`34`	`Topic: "dogs",`
`36`	`35`	`})`
`37`	`36`
`38`		`- assert.Equal(err, ErrUnauthorized)`
	`37`	`+ assertPermissionDenied(t, err, "no consume permissions for topic dogs")`
`39`	`38`	`}`
`40`	`39`
`41`	`40`	`func Test_FactoryConsumeOnlyClientCanConsume(t *testing.T) {`