From 16c024b9a6794dd3dddc1130c0bafdc9f42d079d Mon Sep 17 00:00:00 2001
From: Brad Davidson
Date: Thu, 12 Sep 2019 09:50:57 +0000
Subject: [PATCH] Add debug logging

---
 .flake8 | 2 ++
 .gitignore | 1 +
 .travis.yml | 2 +-
 .../flask_authnz_ldap_rbac.py | 23 ++++++++++++++-----
 4 files changed, 21 insertions(+), 7 deletions(-)
 create mode 100644 .flake8

diff --git a/.flake8 b/.flake8
new file mode 100644
index 0000000..1fd4893
--- /dev/null
+++ b/.flake8
@@ -0,0 +1,2 @@
+[flake8]
+max-line-length = 160
diff --git a/.gitignore b/.gitignore
index e6e2746..8bea611 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 dist
 docs
+build
 *.egg-info
diff --git a/.travis.yml b/.travis.yml
index eb0c0c1..863c59b 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -20,7 +20,7 @@ install:
   - pip install --upgrade flake8
 
 script:
-  - flake8 --max-line-length 160
+  - flake8
 
 notifications:
   email: false
diff --git a/flask_authnz_ldap_rbac/flask_authnz_ldap_rbac.py b/flask_authnz_ldap_rbac/flask_authnz_ldap_rbac.py
index a9ef7a6..c862776 100644
--- a/flask_authnz_ldap_rbac/flask_authnz_ldap_rbac.py
+++ b/flask_authnz_ldap_rbac/flask_authnz_ldap_rbac.py
@@ -1,3 +1,4 @@
+import logging
 from flask import request, abort
 
 DEFAULT_GROUPS_VARIABLE = 'AUTHENTICATE_MEMBEROF'
@@ -6,6 +7,8 @@
 DEFAULT_WRITE_GROUPS = []
 DEFAULT_READ_GROUPS = ['ANY']
 
+logger = logging.getLogger(__name__)
+
 
 class GroupRBAC(object):
     """
@@ -35,29 +38,37 @@ def init_app(self, app):
         app.before_request(self._authorize)
 
     def _authorize(self):
-        if request.method in self.write_methods:
-            self._check_membership(self.write_groups)
-        elif request.method in self.read_methods:
+        if request.method in self.read_methods:
+            logging.debug('Checking auth for read')
             self._check_membership(self.read_groups)
+        elif request.method in self.write_methods:
+            logging.debug('Checking auth for write')
+            self._check_membership(self.write_groups)
         else:
+            logger.debug('Auth Failed: unhandled method')
             abort(403)
 
     def _check_membership(self, grouplist):
-        groups = request.environ.get(self.groups_var, None)
+        groups = set(g for g in request.environ.get(self.groups_var, '').split('; ') if g)
+        logger.debug('groups_variable {}={}'.format(self.groups_var, list(groups)))
         if groups:
             if 'ANY' in grouplist:
                 # Allow if method allows any authenticated user
+                logger.debug('Auth OK: ANY')
                 return
-            groups = set(groups.split('; '))
-            if len(groups.intersection(grouplist)):
+            found_groups = groups.intersection(grouplist)
+            if len(found_groups):
                 # Allow if member is in one or more required groups
+                logger.debug('Auth OK: {}'.format(list(found_groups)))
                 return
 
         if 'ANONYMOUS' in grouplist:
             # Allow if anonymous access is allowed
+            logger.debug('Auth OK: ANONYMOUS')
             return
 
         # Deny by default
+        logger.debug('Auth Failed: No matching groups')
         abort(403)
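Review bot: Reordering `_authorize` to test `self.read_methods` before `self.write_methods` changes the decision for any HTTP method that appears in both lists: the removed code applied the write-group check, the new code applies the read-group check, and the visible default `DEFAULT_READ_GROUPS = ['ANY']` admits every authenticated caller, so an overlapping configuration that used to fail closed now fails open. The commit message only mentions debug logging, so this looks accidental; keep the write branch first (`if request.method in self.write_methods:` … `elif request.method in self.read_methods:`), or deny outright when a method is in both lists. The two new `logging.debug('Checking auth for ...')` calls go to the root logger instead of the module-level `logger` this patch introduces, so they bypass whatever handlers and level the application configures for this module; use `logger.debug(...)` like the other new lines. The remaining debug lines build their strings with `.format` even when DEBUG is disabled and emit the caller's full LDAP group list on every request; `logger.debug('groups_variable %s=%s', self.groups_var, sorted(groups))` defers the formatting and gives deterministic output. The hunk header counts suggest a couple of trailing context lines after `abort(403)` are cut off here, but both `_authorize` and `_check_membership` are visible in full.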