Merge pull request #22 from Comcast/error-response-reason

Added Error Response Reason, sent to new function on decorator error

bascule/basculehttp/constructor.go

@@ -2,6 +2,8 @@ package basculehttp
 
 import (
 	"context"
+	"errors"
+	"fmt"
 	"net/http"
 	"net/textproto"
 	"strings"
@@ -15,9 +17,10 @@ const (
 )
 
 type constructor struct {
-	headerName     string
-	authorizations map[bascule.Authorization]TokenFactory
-	getLogger      func(context.Context) bascule.Logger
+	headerName      string
+	authorizations  map[bascule.Authorization]TokenFactory
+	getLogger       func(context.Context) bascule.Logger
+	onErrorResponse OnErrorResponse
 }
 
 func (c *constructor) decorate(next http.Handler) http.Handler {
@@ -28,15 +31,16 @@ func (c *constructor) decorate(next http.Handler) http.Handler {
 		}
 		authorization := request.Header.Get(c.headerName)
 		if len(authorization) == 0 {
-			logger.Log(level.Key(), level.ErrorValue(), bascule.ErrorKey, "no authorization header")
+			err := errors.New("no authorization header")
+			c.error(logger, MissingHeader, "", err)
 			response.WriteHeader(http.StatusForbidden)
 			return
 		}
 
 		i := strings.IndexByte(authorization, ' ')
 		if i < 1 {
-			logger.Log(level.Key(), level.ErrorValue(), bascule.ErrorKey, "unexpected authorization header value",
-				"auth", authorization)
+			err := errors.New("unexpected authorization header value")
+			c.error(logger, InvalidHeader, authorization, err)
 			response.WriteHeader(http.StatusBadRequest)
 			return
 		}
@@ -47,17 +51,16 @@ func (c *constructor) decorate(next http.Handler) http.Handler {
 
 		tf, supported := c.authorizations[key]
 		if !supported {
-			logger.Log(level.Key(), level.ErrorValue(), bascule.ErrorKey, "key not supported", "key", key,
-				"auth", authorization[i+1:])
+			err := fmt.Errorf("key not supported: [%v]", key)
+			c.error(logger, KeyNotSupported, authorization, err)
 			response.WriteHeader(http.StatusForbidden)
 			return
 		}
 
 		ctx := request.Context()
 		token, err := tf.ParseAndValidate(ctx, request, key, authorization[i+1:])
 		if err != nil {
-			logger.Log(level.Key(), level.ErrorValue(), bascule.ErrorKey, err.Error(), "key", key,
-				"auth", authorization[i+1:])
+			c.error(logger, ParseFailed, authorization, err)
 			WriteResponse(response, http.StatusForbidden, err)
 			return
 		}
@@ -80,6 +83,11 @@ func (c *constructor) decorate(next http.Handler) http.Handler {
 	})
 }
 
+func (c *constructor) error(logger bascule.Logger, e ErrorResponseReason, auth string, err error) {
+	logger.Log(level.Key(), level.ErrorValue(), bascule.ErrorKey, err.Error(), "auth", auth)
+	c.onErrorResponse(e, err)
+}
+
 type COption func(*constructor)
 
 func WithHeaderName(headerName string) COption {
@@ -104,12 +112,19 @@ func WithCLogger(getLogger func(context.Context) bascule.Logger) COption {
 	}
 }
 
+func WithCErrorResponseFunc(f OnErrorResponse) COption {
+	return func(c *constructor) {
+		c.onErrorResponse = f
+	}
+}
+
 // New returns an Alice-style constructor which decorates HTTP handlers with security code
 func NewConstructor(options ...COption) func(http.Handler) http.Handler {
 	c := &constructor{
-		headerName:     DefaultHeaderName,
-		authorizations: make(map[bascule.Authorization]TokenFactory),
-		getLogger:      bascule.GetDefaultLoggerFunc,
+		headerName:      DefaultHeaderName,
+		authorizations:  make(map[bascule.Authorization]TokenFactory),
+		getLogger:       bascule.GetDefaultLoggerFunc,
+		onErrorResponse: DefaultOnErrorResponse,
 	}
 
 	for _, o := range options {

bascule/basculehttp/constructor_test.go

@@ -20,6 +20,7 @@ func TestConstructor(t *testing.T) {
 		WithCLogger(func(_ context.Context) bascule.Logger {
 			return bascule.Logger(log.NewJSONLogger(log.NewSyncWriter(os.Stdout)))
 		}),
+		WithCErrorResponseFunc(DefaultOnErrorResponse),
 	)
 	c2 := NewConstructor(
 		WithHeaderName(""),

bascule/basculehttp/enforcer.go

@@ -2,6 +2,7 @@ package basculehttp
 
 import (
 	"context"
+	"errors"
 	"net/http"
 
 	"github.com/goph/emperror"
@@ -24,6 +25,7 @@ type enforcer struct {
 	notFoundBehavior NotFoundBehavior
 	rules            map[bascule.Authorization]bascule.Validators
 	getLogger        func(context.Context) bascule.Logger
+	onErrorResponse  OnErrorResponse
 }
 
 func (e *enforcer) decorate(next http.Handler) http.Handler {
@@ -35,35 +37,35 @@ func (e *enforcer) decorate(next http.Handler) http.Handler {
 		}
 		auth, ok := bascule.FromContext(ctx)
 		if !ok {
-			logger.Log(level.Key(), level.ErrorValue(), bascule.ErrorKey, "no authentication found")
+			err := errors.New("no authentication found")
+			logger.Log(level.Key(), level.ErrorValue(), bascule.ErrorKey, err.Error())
+			e.onErrorResponse(MissingAuthentication, err)
 			response.WriteHeader(http.StatusForbidden)
 			return
 		}
 		rules, ok := e.rules[auth.Authorization]
 		if !ok {
+			err := errors.New("no rules found for authorization")
 			logger.Log(level.Key(), level.ErrorValue(),
-				bascule.ErrorKey, "no rules found for authorization", "rules", rules,
+				bascule.ErrorKey, err.Error(), "rules", rules,
 				"authorization", auth.Authorization, "behavior", e.notFoundBehavior)
 			switch e.notFoundBehavior {
 			case Forbid:
+				e.onErrorResponse(ChecksNotFound, err)
 				response.WriteHeader(http.StatusForbidden)
 				return
 			case Allow:
 				// continue
 			default:
+				e.onErrorResponse(ChecksNotFound, err)
 				response.WriteHeader(http.StatusForbidden)
 				return
 			}
 		} else {
 			err := rules.Check(ctx, auth.Token)
 			if err != nil {
-				errs := []string{err.Error()}
-				if es, ok := err.(bascule.Errors); ok {
-					for _, e := range es {
-						errs = append(errs, e.Error())
-					}
-				}
-				logger.Log(append(emperror.Context(err), level.Key(), level.ErrorValue(), bascule.ErrorKey, errs)...)
+				logger.Log(append(emperror.Context(err), level.Key(), level.ErrorValue(), bascule.ErrorKey, err)...)
+				e.onErrorResponse(ChecksFailed, err)
 				WriteResponse(response, http.StatusForbidden, err)
 				return
 			}
@@ -93,10 +95,17 @@ func WithELogger(getLogger func(context.Context) bascule.Logger) EOption {
 	}
 }
 
+func WithEErrorResponseFunc(f OnErrorResponse) EOption {
+	return func(e *enforcer) {
+		e.onErrorResponse = f
+	}
+}
+
 func NewEnforcer(options ...EOption) func(http.Handler) http.Handler {
 	e := &enforcer{
-		rules:     make(map[bascule.Authorization]bascule.Validators),
-		getLogger: bascule.GetDefaultLoggerFunc,
+		rules:           make(map[bascule.Authorization]bascule.Validators),
+		getLogger:       bascule.GetDefaultLoggerFunc,
+		onErrorResponse: DefaultOnErrorResponse,
 	}
 
 	for _, o := range options {

bascule/basculehttp/enforcer_test.go

@@ -22,6 +22,7 @@ func TestEnforcer(t *testing.T) {
 		WithELogger(func(_ context.Context) bascule.Logger {
 			return bascule.Logger(log.NewJSONLogger(log.NewSyncWriter(os.Stdout)))
 		}),
+		WithEErrorResponseFunc(DefaultOnErrorResponse),
 	)
 	tests := []struct {
 		description        string

bascule/basculehttp/errorResponseReason.go

@@ -0,0 +1,22 @@
+package basculehttp
+
+//go:generate stringer -type=ErrorResponseReason
+type ErrorResponseReason int
+
+// Behavior on not found
+const (
+	MissingHeader ErrorResponseReason = iota
+	InvalidHeader
+	KeyNotSupported
+	ParseFailed
+	MissingAuthentication
+	ChecksNotFound
+	ChecksFailed
+)
+
+type OnErrorResponse func(ErrorResponseReason, error)
+
+// default function does nothing
+func DefaultOnErrorResponse(_ ErrorResponseReason, _ error) {
+	return
+}

bascule/token.go

@@ -4,6 +4,9 @@ type Attributes map[string]interface{}
 
 // TODO: Add dotted path support and support for common concrete types, e.g. GetString
 func (a Attributes) Get(key string) (interface{}, bool) {
+	if a == nil {
+		return nil, false
+	}
 	v, ok := a[key]
 	return v, ok
 }

bascule/token_test.go

@@ -31,4 +31,9 @@ func TestGet(t *testing.T) {
 	val, ok = attributes.Get("noval")
 	assert.Empty(val)
 	assert.False(ok)
+
+	emptyAttributes := Attributes(nil)
+	val, ok = emptyAttributes.Get("test")
+	assert.Nil(val)
+	assert.False(ok)
 }