From c1eef6d0793defc2748913de92a6fbb3767dfa3b Mon Sep 17 00:00:00 2001
From: Clement Delafargue
Date: Mon, 25 Nov 2024 15:01:31 +0100
Subject: [PATCH] fixup! errors: display more info about failed checks and policies
---
 biscuit-auth/src/error.rs | 37 +++++++++++++++++++++++++++++++++----
 biscuit-capi/tests/capi.rs | 2 +-
 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/biscuit-auth/src/error.rs b/biscuit-auth/src/error.rs
index 295b2228..4e61adbe 100644
--- a/biscuit-auth/src/error.rs
+++ b/biscuit-auth/src/error.rs
@@ -173,7 +173,7 @@ pub enum Signature {
 pub enum Logic {
 #[error("a rule provided by a block is producing a fact with unbound variables")]
 InvalidBlockRule(u32, String),
- #[error("{policy}, and the following checks failed: {checks:?}")]
+ #[error("{policy}, and the following checks failed: {}", display_failed_checks(.checks))]
 Unauthorized {
 /// the policy that matched
 policy: MatchedPolicy,
@@ -182,7 +182,7 @@ pub enum Logic {
 },
 #[error("the authorizer already contains a token")]
 AuthorizerNotEmpty,
- #[error("no matching policy was found, and the following checks failed: {checks:?}")]
+ #[error("no matching policy was found, and the following checks failed: {}", display_failed_checks(.checks))]
 NoMatchingPolicy {
 /// list of checks that failed validation
 checks: Vec,
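Review bot: The `Unauthorized` message, and the `NoMatchingPolicy` message in the next hunk, now embed each failed check's rule text through `Display` rather than `{checks:?}`, so the rule source reaches the message unquoted and unescaped; the updated capi expectation shows this with `check if right("efgh")`. Checks carried in token blocks are presumably written by whoever created or attenuated the token, which would make part of this string externally controlled once it is logged or returned to a client. I would state that on both variants, for example `/// Display output embeds check source verbatim and is meant for humans; read the checks field for structured data and encode the message before writing it to logs`. The enum body continues outside both hunks.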
@@ -202,12 +202,19 @@ pub enum MatchedPolicy {
 #[derive(Error, Clone, Debug, PartialEq, Eq)]
 #[cfg_attr(feature = "serde-error", derive(serde::Serialize, serde::Deserialize))]
 pub enum FailedCheck {
- #[error("a check failed in a block: {0}")]
+ #[error("{0}")]
 Block(FailedBlockCheck),
- #[error("a check provided by the authorizer failed: {0}")]
+ #[error("{0}")]
 Authorizer(FailedAuthorizerCheck),
 }
 
+fn display_failed_checks(c: &[FailedCheck]) -> String {
+ c.iter()
+ .map(|c| c.to_string())
+ .collect::>()
+ .join(", ")
+}
+
 #[derive(Clone, Debug, PartialEq, Eq)]
 #[cfg_attr(feature = "serde-error", derive(serde::Serialize, serde::Deserialize))]
 pub struct FailedBlockCheck {
@@ -302,5 +309,27 @@ mod tests {
 format!("{}", Token::Base64(Base64Error::InvalidLength)),
 "Cannot decode base64 token: Encoded text cannot have a 6-bit remainder."
 );
+
+ assert_eq!(
+ format!(
+ "{}",
+ Token::FailedLogic(Logic::Unauthorized {
+ policy: MatchedPolicy::Allow(0),
+ checks: vec![
+ FailedCheck::Authorizer(FailedAuthorizerCheck {
+ check_id: 0,
+ rule: "check if false".to_string()
+ }),
+ FailedCheck::Block(FailedBlockCheck {
+ block_id: 0,
+ check_id: 0,
+ rule: "check if false".to_string()
+ })
+ ]
+ })
+ )
+ .to_string(),
+ "authorization failed: an allow policy matched (policy index: 0), and the following checks failed: Check n°0 in authorizer: check if false, Check n°0 in block n°0: check if false"
+ );
 }
 }
diff --git a/biscuit-capi/tests/capi.rs b/biscuit-capi/tests/capi.rs
index d6eefba0..a168f2e6 100644
--- a/biscuit-capi/tests/capi.rs
+++ b/biscuit-capi/tests/capi.rs
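Review bot: `display_failed_checks` returns an empty string for an empty slice, so a message built from an empty `checks` list would end in a dangling `the following checks failed: ` where the Debug form printed `[]`. Whether an empty list can reach these variants is not visible in this diff, though a matched deny policy with no failed checks looks like a plausible case. A guard such as `if c.is_empty() { return "none".to_string(); }` would keep the sentence readable. The closure parameter also shadows the function parameter `c`; renaming the parameter to `checks` and using `.map(ToString::to_string)` reads more clearly. A one-line `///` comment should say that the result is a human-readable list joined with `, ` and cannot be split back, because rule text may itself contain that separator.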
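Review bot: The new assertion in `mod tests` covers only `Logic::Unauthorized` with an allow policy, although the commit changes the `NoMatchingPolicy` format string as well. A second `assert_eq!` on `Token::FailedLogic(Logic::NoMatchingPolicy { .. })` and one with an empty `checks` vector would pin both messages. The trailing `.to_string()` on the `format!` result is redundant, since `format!` already returns a `String`. A fixture whose rule contains quotes or `, ` would also be worth adding, because that is where the Display output differs most from the old Debug output. The test function begins outside the hunk.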
@@ -114,7 +114,7 @@ biscuit append error? (null)
 authorizer creation error? (null)
 authorizer add check error? (null)
 authorizer add policy error? (null)
-authorizer error(code = 21): authorization failed: an allow policy matched (policy index: 0), and the following checks failed: [Authorizer(FailedAuthorizerCheck { check_id: 0, rule: "check if right(\"efgh\")" }), Block(FailedBlockCheck { block_id: 1, check_id: 0, rule: "check if operation(\"read\")" })]
+authorizer error(code = 21): authorization failed: an allow policy matched (policy index: 0), and the following checks failed: Check n°0 in authorizer: check if right("efgh"), Check n°0 in block n°1: check if operation("read")
 failed checks (2):
 Authorizer check 0: check if right("efgh")
 Block 1, check 0: check if operation("read")