Add debug logging

brandond · Sep 12, 2019 · 16c024b · 16c024b
1 parent 9c7a166
commit 16c024b
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 7 deletions.
diff --git a/.flake8 b/.flake8
@@ -0,0 +1,2 @@
+[flake8]
+max-line-length = 160
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
 dist
 docs
+build
 *.egg-info
diff --git a/.travis.yml b/.travis.yml
@@ -20,7 +20,7 @@ install:
   - pip install --upgrade flake8
 
 script:
-  - flake8 --max-line-length 160
+  - flake8
 
 notifications:
   email: false
diff --git a/flask_authnz_ldap_rbac/flask_authnz_ldap_rbac.py b/flask_authnz_ldap_rbac/flask_authnz_ldap_rbac.py
@@ -1,3 +1,4 @@
+import logging
 from flask import request, abort
 
 DEFAULT_GROUPS_VARIABLE = 'AUTHENTICATE_MEMBEROF'
@@ -6,6 +7,8 @@
 DEFAULT_WRITE_GROUPS = []
 DEFAULT_READ_GROUPS = ['ANY']
 
+logger = logging.getLogger(__name__)
+
 
 class GroupRBAC(object):
     """
@@ -35,29 +38,37 @@ def init_app(self, app):
         app.before_request(self._authorize)
 
     def _authorize(self):
-        if request.method in self.write_methods:
-            self._check_membership(self.write_groups)
-        elif request.method in self.read_methods:
+        if request.method in self.read_methods:
+            logging.debug('Checking auth for read')
             self._check_membership(self.read_groups)
+        elif request.method in self.write_methods:
+            logging.debug('Checking auth for write')
+            self._check_membership(self.write_groups)
         else:
+            logger.debug('Auth Failed: unhandled method')
             abort(403)
 
     def _check_membership(self, grouplist):
-        groups = request.environ.get(self.groups_var, None)
+        groups = set(g for g in request.environ.get(self.groups_var, '').split('; ') if g)
+        logger.debug('groups_variable {}={}'.format(self.groups_var, list(groups)))
 
         if groups:
             if 'ANY' in grouplist:
                 # Allow if method allows any authenticated user
+                logger.debug('Auth OK: ANY')
                 return
 
-            groups = set(groups.split('; '))
-            if len(groups.intersection(grouplist)):
+            found_groups = groups.intersection(grouplist)
+            if len(found_groups):
                 # Allow if member is in one or more required groups
+                logger.debug('Auth OK: {}'.format(list(found_groups)))
                 return
 
         if 'ANONYMOUS' in grouplist:
             # Allow if anonymous access is allowed
+            logger.debug('Auth OK: ANONYMOUS')
             return
 
         # Deny by default
+        logger.debug('Auth Failed: No matching groups')
         abort(403)