fixup! errors: display more info about failed checks and policies

biscuit-auth · Nov 25, 2024 · c1eef6d · c1eef6d
1 parent 6ffe3ac
commit c1eef6d
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 5 deletions.
diff --git a/biscuit-auth/src/error.rs b/biscuit-auth/src/error.rs
@@ -173,7 +173,7 @@ pub enum Signature {
 pub enum Logic {
     #[error("a rule provided by a block is producing a fact with unbound variables")]
     InvalidBlockRule(u32, String),
-    #[error("{policy}, and the following checks failed: {checks:?}")]
+    #[error("{policy}, and the following checks failed: {}", display_failed_checks(.checks))]
     Unauthorized {
         /// the policy that matched
         policy: MatchedPolicy,
@@ -182,7 +182,7 @@ pub enum Logic {
     },
     #[error("the authorizer already contains a token")]
     AuthorizerNotEmpty,
-    #[error("no matching policy was found, and the following checks failed: {checks:?}")]
+    #[error("no matching policy was found, and the following checks failed: {}", display_failed_checks(.checks))]
     NoMatchingPolicy {
         /// list of checks that failed validation
         checks: Vec<FailedCheck>,
@@ -202,12 +202,19 @@ pub enum MatchedPolicy {
 #[derive(Error, Clone, Debug, PartialEq, Eq)]
 #[cfg_attr(feature = "serde-error", derive(serde::Serialize, serde::Deserialize))]
 pub enum FailedCheck {
-    #[error("a check failed in a block: {0}")]
+    #[error("{0}")]
     Block(FailedBlockCheck),
-    #[error("a check provided by the authorizer failed: {0}")]
+    #[error("{0}")]
     Authorizer(FailedAuthorizerCheck),
 }
 
+fn display_failed_checks(c: &[FailedCheck]) -> String {
+    c.iter()
+        .map(|c| c.to_string())
+        .collect::<Vec<_>>()
+        .join(", ")
+}
+
 #[derive(Clone, Debug, PartialEq, Eq)]
 #[cfg_attr(feature = "serde-error", derive(serde::Serialize, serde::Deserialize))]
 pub struct FailedBlockCheck {
@@ -302,5 +309,27 @@ mod tests {
             format!("{}", Token::Base64(Base64Error::InvalidLength)),
             "Cannot decode base64 token: Encoded text cannot have a 6-bit remainder."
         );
+
+        assert_eq!(
+            format!(
+                "{}",
+                Token::FailedLogic(Logic::Unauthorized {
+                    policy: MatchedPolicy::Allow(0),
+                    checks: vec![
+                        FailedCheck::Authorizer(FailedAuthorizerCheck {
+                            check_id: 0,
+                            rule: "check if false".to_string()
+                        }),
+                        FailedCheck::Block(FailedBlockCheck {
+                            block_id: 0,
+                            check_id: 0,
+                            rule: "check if false".to_string()
+                        })
+                    ]
+                })
+            )
+            .to_string(),
+            "authorization failed: an allow policy matched (policy index: 0), and the following checks failed: Check n°0 in authorizer: check if false, Check n°0 in block n°0: check if false"
+        );
     }
 }
diff --git a/biscuit-capi/tests/capi.rs b/biscuit-capi/tests/capi.rs
@@ -114,7 +114,7 @@ biscuit append error? (null)
 authorizer creation error? (null)
 authorizer add check error? (null)
 authorizer add policy error? (null)
-authorizer error(code = 21): authorization failed: an allow policy matched (policy index: 0), and the following checks failed: [Authorizer(FailedAuthorizerCheck { check_id: 0, rule: "check if right(\"efgh\")" }), Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if operation(\"read\")" })]
+authorizer error(code = 21): authorization failed: an allow policy matched (policy index: 0), and the following checks failed: Check n°0 in authorizer: check if right("efgh"), Check n°0 in block n°1: check if operation("read")
 failed checks (2):
   Authorizer check 0: check if right("efgh")
   Block 1, check 0: check if operation("read")