
DNM - debug live
evrardjp-cagip committed Jan 13, 2025
1 parent f327384 commit 181185b
Showing 3 changed files with 8 additions and 0 deletions.
2 changes: 2 additions & 0 deletions internal/ldap/client.go
Expand Up @@ -64,6 +64,8 @@ func (c *LDAPClient) AuthZ(user *types.User) (*types.User, error) {
return &types.User{}, fmt.Errorf("cannot get memberships for user %s in LDAP, %v", user.Username, err)
}

fmt.Print("user is member of the following groups:", ldapMemberships.toGroupNames())

// We now have all the user details (including special groups).
// we can check if the user has the basic right to get a token.
// If they do, it means we trust the user, and we'll rely on the authorization db of each asset
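Review bot: The `fmt.Print` added just before the `// We now have all the user details` comment writes the full group list of every authorized user to stdout on each `AuthZ` call, bypassing the `slog` logger the middleware in httpauth.go uses, and without a trailing newline, so consecutive calls run together on one line. Group names are directory-internal data and should not be emitted unconditionally; if the trace is needed beyond this debug session, `slog.Debug("user group memberships", "user", user.Username, "groups", ldapMemberships.toGroupNames())` keeps it structured and level-gated. The commit title marks this as not-to-merge, so the line is presumably meant to be dropped before the change lands. `AuthZ` begins and ends outside the hunk.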
5 changes: 5 additions & 0 deletions internal/ldap/membership.go
Expand Up @@ -116,12 +116,17 @@ func (m *LDAPMemberships) isUserAllowedOnCluster(regexpPatterns []string) (bool,
if len(m.AdminAccess) > 0 || len(m.AppOpsAccess) > 0 || len(m.CustomerOpsAccess) > 0 || len(m.ViewerAccess) > 0 || len(m.ServiceAccess) > 0 || len(m.CloudOpsAccess) > 0 || len(m.ClusterGroupsAccess) > 0 {
allowedInCluster = true
} else { // else is not mandatory it's just an optimisation: don't browse all groups if we already know the user has the rights to the cluster
fmt.Print("no specific or project acces? no worries, let us search")
for _, groupName := range m.NonSpecificGroups {
fmt.Print("printing non specific groups from user", m.NonSpecificGroups)
for _, pattern := range regexpPatterns {
fmt.Printf("DN: %v", groupName.DN)
fmt.Printf("pattern %v", pattern)
matched, err := regexp.MatchString(pattern, strings.ToUpper(groupName.DN)) // we match on full DN rather than CN because nobody prevents the ppl in the different entities to create a CN identical as the one used for adminGroup. This is purely out of precaution. In the future, we might want to change the regexp to match only the cn of the groups if we have the guarantee the users will not create groups that are duplicate.
if err != nil {
return false, fmt.Errorf("error matching pattern %v: %v", pattern, err)
}
fmt.Printf("matched: %v", matched)
if matched {
allowedInCluster = true
break
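Review bot: The five `fmt.Print`/`fmt.Printf` calls added inside the group-matching loops print every group DN and every pattern on each inner iteration, and since none of the formats end in `\n` the output runs together; `fmt.Print("printing non specific groups from user", m.NonSpecificGroups)` additionally re-prints the whole slice once per outer iteration. Per-pattern prints in a nested loop are noisy and expose directory DNs on stdout unconditionally, outside any log level. If some tracing should survive the debug session, a single level-gated call before the loops, e.g. `slog.Debug("matching non-specific groups", "groups", len(m.NonSpecificGroups), "patterns", len(regexpPatterns))` (assuming `log/slog` is, or can be, imported here), covers it. `isUserAllowedOnCluster` starts and ends outside the hunk.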
1 change: 1 addition & 0 deletions internal/middlewares/httpauth.go
Expand Up @@ -42,6 +42,7 @@ func WithBasicAuth(authenticator Authenticator, next http.HandlerFunc) http.Hand
// and only add the user and its group to the request context if successful.
user, err = authenticator.AuthZ(user)
if err != nil {
// todo, log context r.url.
slog.Warn(fmt.Sprintf("user %v failed authorization, logging for auditing purposes, reason: %v", username, err))
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
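Review bot: The added `// todo, log context r.url.` could be resolved in the same `slog.Warn` call rather than deferred: the message is built with `fmt.Sprintf`, which discards slog's key/value structure and interpolates `username`, a value taken from the client's Basic auth header, unquoted into the log line. `slog.Warn("user failed authorization", "user", username, "path", r.URL.Path, "reason", err)` (assuming `r` is the `*http.Request` in scope, as the todo implies) records the request context and keeps the client-supplied value as a separate attribute instead of free text. The handler returned by `WithBasicAuth` begins and ends outside the hunk.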
