zalando-stups / kio

The application registry in the STUPS ecosystem
http://docs.stups.io/en/latest/components/kio.html

Improve logging #67

Open harti2006 opened 8 years ago

harti2006 commented 8 years ago

...especially for the authorization logic, which is really complex:

(defn require-write-authorization
  "If user is employee, check that it is in the correct team.
   If user is service, check that it has application_write.all scope OR has application.write and is in the correct team"
  [request team]
  (require-uid request)
  (let [has-auth? (auth/get-auth request team)            ; does the caller belong to the team?
        realm (from-token request "realm")
        is-robot? (= "/services" realm)                   ; service (robot) token
        is-human? (= "/employees" realm)                  ; employee token
        has-scope? (set (from-token request "scope"))]    ; granted scopes as a set, usable as a predicate
    ;; employees: team membership is the only requirement
    (if is-human?
      (when-not has-auth?
        (api/throw-error 403 "Unauthorized")))
    ;; services: write_all scope (plus special uid), or plain write scope together with team membership
    (if is-robot?
      (if-not (has-scope? "application.write_all")
        (when-not (and
                    (has-scope? "application.write")
                    has-auth?)
          (api/throw-error 403 "Unauthorized"))
        (require-special-uid request)))))
maxim-tschumak commented 5 years ago

In case of an error, the application also logs the database password:

 {"log":"ERROR [main] o.z.s.k.core - Could not start system because of [\"clojure.lang.ExceptionInfo: Error in component :api in system com.stuartsierra.component.SystemMap calling #'com.stuartsierra.component/start {:reason :com.stuartsierra.component/component-function-threw-exception, :function #'com.stuartsierra.component/start, :system-key :api, :component #org.zalando.stups.kio.api.API{:configuration {:kio-url \\\"http://localhost:8080\\\", :admin-users \\\"...o\\\", :magnificent-policy \\\"..\\\", :team-service-url \\\"...\\\", :port 8080, :username-prefix \\\"stups_\\\", :magnificent-url \\\"...\\\"}, :httpd nil, :metrics #org.zalando.stups.friboo.system.metrics.Metrics{:configuration {}, :metrics-registry #object[com.codahale.metrics.MetricRegistry 0xe822394 \\\"com.codahale.metrics.MetricRegistry@e822394\\\"]}, :audit-log #org.zalando.stups.friboo.system.audit_log.AuditLog{:configuration {}}, :db #org.zalando.stups.kio.sql.DB{:configuration {:init-sql \\\"SET search_path TO zk_data, public\\\", :subprotocol \\\"postgresql\\\", :subname \\\"//kio-db.stups.zalan.do:5432/kio?ssl=true\\\", :user \\\"kio_service\\\", :password \\\"${HERE_WAS_THE_PASSWORD}\\\", :classname \\\"org.postgresql.Driver\\\"}, :datasource #object[com.jolbox.bonecp.BoneCPDataSource 0x3ef97efc \\\"JDBC URL = jdbc:postgresql://...?ssl=true, Username = kio_service, partitions = 3, max (per partition) = 7, min (per partition) = 2, idle max age = 10 min, idle test period = 2 min, strategy = DEFAULT\\\"]}, :http-audit-logger #org.zalando.stups.friboo.system.audit_logger.http.HTTP{:configuration {:api-url \\\"...\\\", :token-name \\\"...\\\"}, :tokens #org.zalando.stups.friboo.system.oauth2.OAuth2TokenRefresher{:configuration {:access-token-url \\\"...\\\", :credentials-dir \\\"/meta/credentials\\\", :tokeninfo-uri \\\"...\\\"}, :tokens {\\\"http-audit-logger\\\" [\\\"uid\\\"]}, :token-storage #object[org.zalando.stups.tokens.fs.FilesystemSecretRefresher 0x67add4c9 
\\\"org.zalando.stups.tokens.fs.FilesystemSecretRefresher@67add4c9\\\"], :static-tokens nil}, :log-fn #object[clojure.core$partial$fn__4759 0x147a8d7c \\\"clojure.core$partial$fn__4759@147a8d7c\\\"]}, :app-metrics #org.zalando.stups.kio.metrics.DeprecationMetrics{:metrics #org.zalando.stups.friboo.system.metrics.Metrics{:configuration {}, :metrics-registry #object[com.codahale.metrics.MetricRegistry 0xe822394 \\\"com.codahale.metrics.MetricRegistry@e822394\\\"]}, :deprecation-versions-get #object[com.codahale.metrics.Meter 0x373e09c7 \\\"com.codahale.metrics.Meter@373e09c7\\\"], :deprecation-version-get #object[com.codahale.metrics.Meter 0x3f04847e \\\"com.codahale.metrics.Meter@3f04847e\\\"], :deprecation-version-put #object[com.codahale.metrics.Meter 0x2a7b4b19 \\\"com.codahale.metrics.Meter@2a7b4b19\\\"], :deprecation-application-approvals-get #object[com.codahale.metrics.Meter 0x26415b5e \\\"com.codahale.metrics.Meter@26415b5e\\\"], :deprecation-version-approvals-get #object[com.codahale.metrics.Meter 0x61761e60 \\\"com.codahale.metrics.Meter@61761e60\\\"], :deprecation-version-approvals-put #object[com.codahale.metrics.Meter 0x7aca4144 \\\"com.codahale.metrics.Meter@7aca4144\\\"]}}, :system #<SystemMap>}\"].
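Added example, not code from the kio project: one way to keep a component configuration out of a start-up error log is to redact values under secret-like keys before the ex-data of the failure is printed. The key pattern, the namespace and the sample map are assumptions shaped after the :db configuration in the log above.

```clojure
;; Added example (not kio's own code): redact secrets from nested data before logging.
(ns example.redact-log
  (:require [clojure.walk :as walk]))

;; Assumed set of key names whose values must never reach a log line.
(def sensitive-key-pattern #"(?i)password|secret|token|credential")

(defn sensitive-key? [k]
  (and (or (keyword? k) (string? k))
       (boolean (re-find sensitive-key-pattern (name k)))))

(defn redact
  "Walk any nested structure; replace values under sensitive keys with a marker.
   Records (such as the component records in the report above) are turned into
   plain maps, because (empty record) is not supported."
  [data]
  (walk/postwalk
    (fn [form]
      (if (map? form)
        (reduce-kv (fn [m k v] (assoc m k (if (sensitive-key? k) "[REDACTED]" v)))
                   (if (record? form) {} (empty form))
                   form)
        form))
    data))

(defn safe-error-message
  "Log text for a failed start: the exception message plus redacted ex-data,
   so a component map with its :configuration is safe to print."
  [^Throwable e]
  (str (.getMessage e) " " (pr-str (redact (ex-data e)))))

;; Constructed sample, shaped like the :api component in the report above.
(def sample-component
  {:configuration {:kio-url "http://localhost:8080" :port 8080}
   :db {:configuration {:subprotocol "postgresql"
                        :user "kio_service"
                        :password "constructed-sample-password"}}})

(comment
  (safe-error-message
    (ex-info "Error in component :api"
             {:reason :component-function-threw-exception
              :component sample-component})))
```

In the printed ex-data the :password entry carries the marker while :user and :subname stay visible, which is the information an operator needs to debug a connection failure.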