Fixups for error messages from ACL Errors (#12620)

Fixups for error messages from ACL Errors

Alter error messages to be more verbose and explanatory, something like:

Permission denied: token with AccessorID '8a2d52a0-6b41-7077-8374-09d4fafa2d30 ' lacks permission 'service:read' on "foobar" on "foobar" in partition "foo" in namespace "bar"

Signed-off-by: Mark Anderson <manderson@hashicorp.com>
This commit is contained in:
Mark Anderson 2022-03-25 12:34:59 -07:00 committed by GitHub
parent fb7462c8dd
commit 667fac8db1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 12 additions and 7 deletions

View File

@ -98,9 +98,9 @@ func (e PermissionDeniedError) Error() string {
} }
if e.Accessor == "" { if e.Accessor == "" {
message.WriteString(": provided accessor") message.WriteString(": provided token")
} else { } else {
fmt.Fprintf(&message, ": accessor '%s'", e.Accessor) fmt.Fprintf(&message, ": token with AccessorID '%s'", e.Accessor)
} }
fmt.Fprintf(&message, " lacks permission '%s:%s'", e.Resource, e.AccessLevel.String()) fmt.Fprintf(&message, " lacks permission '%s:%s'", e.Resource, e.AccessLevel.String())

View File

@ -14,5 +14,5 @@ func NewResourceDescriptor(name string, _ *AuthorizerContext) ResourceDescriptor
} }
func (od *ResourceDescriptor) ToString() string { func (od *ResourceDescriptor) ToString() string {
return od.Name return "\"" + od.Name + "\""
} }

View File

@ -29,11 +29,11 @@ func TestPermissionDeniedError(t *testing.T) {
}, },
{ {
err: PermissionDeniedByACL(&auth1, nil, ResourceService, AccessRead, "foobar"), err: PermissionDeniedByACL(&auth1, nil, ResourceService, AccessRead, "foobar"),
expected: "Permission denied: provided accessor lacks permission 'service:read' on foobar", expected: "Permission denied: provided token lacks permission 'service:read' on \"foobar\"",
}, },
{ {
err: PermissionDeniedByACLUnnamed(&auth1, nil, ResourceService, AccessRead), err: PermissionDeniedByACLUnnamed(&auth1, nil, ResourceService, AccessRead),
expected: "Permission denied: provided accessor lacks permission 'service:read'", expected: "Permission denied: provided token lacks permission 'service:read'",
}, },
} }

View File

@ -1,6 +1,7 @@
package acl package acl
import ( import (
"fmt"
"github.com/stretchr/testify/require" "github.com/stretchr/testify/require"
"regexp" "regexp"
"testing" "testing"
@ -23,20 +24,24 @@ func RequirePermissionDeniedError(t testing.TB, err error, authz Authorizer, _ *
func RequirePermissionDeniedMessage(t testing.TB, msg string, authz interface{}, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string) { func RequirePermissionDeniedMessage(t testing.TB, msg string, authz interface{}, _ *AuthorizerContext, resource Resource, accessLevel AccessLevel, resourceID string) {
require.NotEmpty(t, msg, "expected non-empty error message") require.NotEmpty(t, msg, "expected non-empty error message")
baseRegex := ` lacks permission '(\S*):(\S*)' on \"([^\"]*)\"(?: in partition \"([^\"]*)\" in namespace \"([^\"]*)\")?\s*$`
var resourceIDFound string var resourceIDFound string
if authz == nil { if authz == nil {
expr := "^Permission denied" + `: provided accessor lacks permission '(\S*):(\S*)' on (.*)\s*$` expr := "^Permission denied" + `: provided token` + baseRegex
re, _ := regexp.Compile(expr) re, _ := regexp.Compile(expr)
matched := re.FindStringSubmatch(msg) matched := re.FindStringSubmatch(msg)
require.NotNil(t, matched, fmt.Sprintf("RE %q didn't match %q", expr, msg))
require.Equal(t, string(resource), matched[1], "resource") require.Equal(t, string(resource), matched[1], "resource")
require.Equal(t, accessLevel.String(), matched[2], "access level") require.Equal(t, accessLevel.String(), matched[2], "access level")
resourceIDFound = matched[3] resourceIDFound = matched[3]
} else { } else {
expr := "^Permission denied" + `: accessor '(\S*)' lacks permission '(\S*):(\S*)' on (.*)\s*$` expr := "^Permission denied" + `: token with AccessorID '(\S*)'` + baseRegex
re, _ := regexp.Compile(expr) re, _ := regexp.Compile(expr)
matched := re.FindStringSubmatch(msg) matched := re.FindStringSubmatch(msg)
require.NotNil(t, matched, fmt.Sprintf("RE %q didn't match %q", expr, msg))
require.Equal(t, extractAccessorID(authz), matched[1], "auth") require.Equal(t, extractAccessorID(authz), matched[1], "auth")
require.Equal(t, string(resource), matched[2], "resource") require.Equal(t, string(resource), matched[2], "resource")
require.Equal(t, accessLevel.String(), matched[3], "access level") require.Equal(t, accessLevel.String(), matched[3], "access level")