-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Throwing ForbiddenException if OidcUtils.findRoles throws an exception #5815
Throwing ForbiddenException if OidcUtils.findRoles throws an exception #5815
Conversation
@gsmet Hi, if it is approved and looks good to you too then please consider it for 1.0.1.Final. |
} catch (Exception e) { | ||
result.completeExceptionally(e); | ||
} catch (OIDCException e) { | ||
result.completeExceptionally(new ForbiddenException()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What bugs me a bit is that we don't handle the other exceptions if they happen?
This probably needs to be discussed so will be a bit late for 1.0.1.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gsmet Hi Guillaume, yes, sure. FYI, inside OidcUtils.findRoles there is only unchecked exception which can happen which is OIDCException
when some paths can not be resolved (all that code does is it iterates over already prepared JSONObject). If something else escapes then I'd consider enhancing OidcUtils
further.
However I can also add a RuntimeException catch to catch everything else ? Let me know what you think please, but yes, it can wait
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would add the OIDCException
as the cause of the ForbuddenException
to not loose the exception context
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm OK with all other exceptions being not handled, they will all result to a ServerError.
We only want authentication exceptions being transformed to ForbiddenException.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we keep the previous branch too?
I mean having something like:
} catch (OIDCException e) {
result.completeExceptionally(new ForbiddenException());
} catch (Exception e) {
result.completeExceptionally(e);
}
That would have my preference.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gsmet sure
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gsmet done
} catch (Exception e) { | ||
result.completeExceptionally(e); | ||
} catch (OIDCException e) { | ||
result.completeExceptionally(new ForbiddenException()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would add the OIDCException
as the cause of the ForbuddenException
to not loose the exception context
} catch (Exception e) { | ||
result.completeExceptionally(e); | ||
} catch (OIDCException e) { | ||
result.completeExceptionally(new ForbiddenException()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm OK with all other exceptions being not handled, they will all result to a ServerError.
We only want authentication exceptions being transformed to ForbiddenException.
} | ||
} else if (step + 1 < pathArray.length) { | ||
if (claimValue instanceof JsonObject) { | ||
int nextStep = step + 1; | ||
return findClaimValue(claimPath, (JsonObject) claimValue, pathArray, nextStep, mustExist); | ||
} else { | ||
throw new OIDCException("Claim value at the path " + claimPath + " is not a json object"); | ||
LOG.warn("Claim value at the path " + claimPath + " is not a json object"); | ||
throw new OIDCException(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you explain why you chose to do that this way? I.e. going from an exception message to a warn?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@gsmet Please see my response to Loic, at the moment it is not possible to wrap the OIDC exception. I'll make it the error message again once ForbiddenException
/etc are updated, does it sound OK ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll open an issue to track it so as I don't forget
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm going to do a small PR to the quarkus-security and will follow up with the updates to this code but also to other Quarkus code where the causes are not included for those exceptions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI #5952
Not possible at the moment, since
Restoring that block would only make sure the future is cleanly completed exceptionally. |
@sberyozkin I tought it was the JAX-RS ForbiddenException ... |
@loicmathieu @gsmet FYI, #5826 |
@gsmet, @loicmathieu Hi, FYI, I've now updated this PR to have the cause exception included across the Quarkus code :-), after Stuart has released the latest |
Fixes #5750
Fixes #5826
This PR simply completes the future with
ForbiddenException
, instead of propagatingOIDCException
. NoteOidcUtils.findRoles
does not itself throwForbiddenException
because it is not guaranteed to be called during the authentication, but it logs a warning now.OidcUtilsTest
has a test confirmingOidcUtils.findRoles
throws an exception with the invalid path