Merge pull request ManageIQ#20315 from abellotti/auth_debugging

Added support for optional auth debugging
RedekG · Jul 8, 2020 · b6652de · b6652de
2 parents bc0b66a + 63ee9d5
commit b6652de
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/app/models/authenticator/base.rb b/app/models/authenticator/base.rb
@@ -52,6 +52,8 @@ def authorize_user_with_system_token(userid, user_metadata = {})
     end
 
     def authenticate(username, password, request = nil, options = {})
+      log_auth_debug("authenticate(username=#{username}, options=#{options})")
+
       options = options.dup
       options[:require_user] ||= false
       options[:authorize_only] ||= false
@@ -325,6 +327,14 @@ def normalize_username(username)
       username.downcase
     end
 
+    def debug_auth?
+      !!Settings.authentication.debug
+    end
+
+    def log_auth_debug(msgs)
+      Array(msgs).each { |msg| _log.info(msg) } if debug_auth?
+    end
+
     private def audit_success(options)
       AuditEvent.success(options)
     end

diff --git a/app/models/authenticator/httpd.rb b/app/models/authenticator/httpd.rb
@@ -5,6 +5,8 @@ def self.proper_name
     end
 
     def authorize_queue(username, request, options, *_args)
+      log_auth_debug("authorize_queue(username=#{username}, options=#{options})")
+
       user_attrs, membership_list =
         if options[:authorize_only]
           if options[:authorize_with_system_token].present?
@@ -16,6 +18,12 @@ def authorize_queue(username, request, options, *_args)
           user_details_from_headers(username, request)
         end
 
+      if debug_auth?
+        log_auth_debug("authorize_queue user details:")
+        user_attrs.each { |k, v| log_auth_debug("  %-12{key} = %{val}" % {:key => k, :val => v}) }
+        log_auth_debug("  %-12{key} = %{val}" % {:key => "groups", :val => membership_list.join(', ')})
+      end
+
       super(username, request, {}, user_attrs, membership_list)
     end
 
@@ -122,6 +130,15 @@ def user_details_from_external_directory(username)
     end
 
     def user_details_from_headers(username, request)
+      if debug_auth?
+        log_auth_debug("user_details_from_headers(username=#{username})")
+
+        remote_user_headers = %w[X-REMOTE-USER X-REMOTE-USER-FIRSTNAME X-REMOTE-USER-LASTNAME X-REMOTE-USER-FULLNAME X-REMOTE-USER-EMAIL X-REMOTE-USER-DOMAIN X-REMOTE-USER-GROUPS]
+        logged_headers = remote_user_headers.map { |rh| "  %-24{key} = \"%{val}\"" % {:key => rh, :val => request.headers[rh]} }
+
+        log_auth_debug("External-Auth remote user request.headers:")
+        log_auth_debug(logged_headers)
+      end
       user_attrs = {:username  => username,
                     :fullname  => request.headers['X-REMOTE-USER-FULLNAME'],
                     :firstname => request.headers['X-REMOTE-USER-FIRSTNAME'],

diff --git a/config/settings.yml b/config/settings.yml
@@ -4,6 +4,7 @@
   :bind_dn:
   :bind_pwd:
   :bind_timeout: 30
+  :debug: false
   :follow_referrals: false
   :get_direct_groups: true
   :group_memberships_max_depth: 2