diff --git a/internal/authn/oidc/oidc.go b/internal/authn/oidc/oidc.go
index c4be9922..c99639ff 100644
--- a/internal/authn/oidc/oidc.go
+++ b/internal/authn/oidc/oidc.go
@@ -62,11 +62,13 @@ func (o *OAuth2Authenticator) Authenticate(ctx context.Context, t transport.Tran
 u := &Claims{}
 err = tok.Claims(u)
 if err != nil {
+ log.Errorf("failed to extract claims: %v", err)
 return nil, api.Deny
 }
 if o.EnforceAudCheck {
 if u.Audience != o.CompletedConfig.ClientId {
+ log.Debugf("aud does not match the requesting client-id -- decision DENY")
 return nil, api.Deny
 }
 }
diff --git a/internal/authn/psk/config.go b/internal/authn/psk/config.go
index 121a4076..596a0ba6 100644
--- a/internal/authn/psk/config.go
+++ b/internal/authn/psk/config.go
@@ -2,10 +2,9 @@ package psk
 import (
 "fmt"
+ "gopkg.in/yaml.v3"
 "io"
 "os"
-
- "gopkg.in/yaml.v3"
 )
 type Config struct {
@@ -49,10 +48,10 @@ func (c *Config) loadPreSharedKeys() error {
 data, err := io.ReadAll(file)
 if err == nil {
 if err := yaml.Unmarshal(data, &c.Keys); err != nil {
- return err
+ return fmt.Errorf("failed to unmarshall preshared key: %v", err)
 }
 } else {
- return err
+ return fmt.Errorf("failed to read preshared key file: %v", err)
 }
 } else {
 return fmt.Errorf("Error opening preshared key file: %s [%s]", c.PreSharedKeyFile, err.Error())
diff --git a/internal/authz/kessel/kessel.go b/internal/authz/kessel/kessel.go
index e8fb4416..3d90ae43 100644
--- a/internal/authz/kessel/kessel.go
+++ b/internal/authz/kessel/kessel.go
@@ -105,7 +105,7 @@ func (a *KesselAuthz) getCallOptions() ([]grpc.CallOption, error) {
 if a.tokenClient.EnableOIDCAuth {
 token, err := a.tokenClient.getToken()
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to request token: %v", err)
 }
 if a.tokenClient.Insecure {
 opts = append(opts, WithInsecureBearerToken(token.AccessToken))
diff --git a/internal/authz/kessel/token.go b/internal/authz/kessel/token.go
index dea22964..fdb6f693 100644
--- a/internal/authz/kessel/token.go
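Review bot: The new `log.Errorf` on a claims-extraction failure fires for every malformed token a caller presents, so the volume of error-level log entries is driven by client input even though the request already ends in `api.Deny`; a warning or debug entry fits a per-request input rejection better, and it is worth checking whether the decoder's error text can echo token contents before that message is shipped to logs. The new `log.Debugf` below records only that `aud` mismatched; logging the two values makes the decision diagnosable, e.g. `log.Debugf("aud %q does not match client-id %q -- decision DENY", u.Audience, o.CompletedConfig.ClientId)`, assuming both are strings (their types are not visible here), with `%q` showing empty values and quoting client-supplied text. Which `log` package is in scope is not visible in this hunk. Authenticate begins before and continues after the hunk.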
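Review bot: The psk/config.go import hunk moves `gopkg.in/yaml.v3` into the standard-library import group, which is the opposite of the stdlib/third-party grouping `goimports` produces and the opposite of what the token.go hunk in this same commit does (it separates the third-party imports into their own group). Keep the previous layout, `"os"`, a blank line, then `"gopkg.in/yaml.v3"`, so the two files follow one convention. This is a style point only; no behaviour changes.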
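Review bot: Both new `fmt.Errorf` calls in loadPreSharedKeys use `%v`, which flattens the underlying error into text and breaks `errors.Is`/`errors.As` for every caller up the chain; use `%w`, e.g. `return fmt.Errorf("unmarshalling preshared keys: %w", err)`. The same `%v` wrapping is introduced in kessel.go getCallOptions, in all three token.go getToken hunks, in both getTSLConfig hunks of grpc/config.go and http/config.go, and in otel.go NewMeterProvider. "unmarshall" is also misspelled, and the new lowercase "failed to ..." messages now sit beside the unchanged capitalised `"Error opening preshared key file: ..."` on the hunk's last line, so one function carries three message styles. loadPreSharedKeys starts before and continues after this hunk.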
+++ b/internal/authz/kessel/token.go
@@ -5,13 +5,14 @@ import (
 "context"
 "encoding/json"
 "fmt"
- "github.com/golang-jwt/jwt/v5"
- "github.com/patrickmn/go-cache"
- "google.golang.org/grpc"
 "io"
 "net/http"
 "net/url"
 "time"
+
+ "github.com/golang-jwt/jwt/v5"
+ "github.com/patrickmn/go-cache"
+ "google.golang.org/grpc"
 )
 const (
@@ -111,7 +112,7 @@ func (a *tokenClient) getToken() (*TokenResponse, error) {
 data.Set("grant_type", client_credentials_granttype)
 req, err := http.NewRequest("POST", a.URL, bytes.NewBufferString(data.Encode()))
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to create token request: %v", err)
 }
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
@@ -119,13 +120,14 @@ func (a *tokenClient) getToken() (*TokenResponse, error) {
 resp, err := client.Do(req)
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("token request failed: %v", err)
 }
 defer resp.Body.Close()
 body, err := io.ReadAll(resp.Body)
 if err != nil {
- return nil, err
+
+ return nil, fmt.Errorf("failed to parse token response: %v", err)
 }
 if resp.StatusCode != http.StatusOK {
@@ -134,7 +136,7 @@ func (a *tokenClient) getToken() (*TokenResponse, error) {
 var tokenResponse TokenResponse
 if err := json.Unmarshal(body, &tokenResponse); err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to unmarshal token response: %v", err)
 }
 a.cache.Set(cachedTokenKey, tokenResponse.AccessToken, cacheCleanupInterval)
 return &tokenResponse, nil
diff --git a/internal/server/grpc/config.go b/internal/server/grpc/config.go
index 094d8780..b626f557 100644
--- a/internal/server/grpc/config.go
+++ b/internal/server/grpc/config.go
@@ -4,6 +4,7 @@ import (
 "context"
 "crypto/tls"
 "crypto/x509"
+ "fmt"
 "io"
 "os"
 "time"
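Review bot: The token request in the `@@ -111` hunk is built with `http.NewRequest` and no context, and the hunk header shows `getToken()` takes none, so a caller that gives up on an authorization decision cannot cancel an in-flight call to the token endpoint; whether `client` carries a `Timeout` is not visible in this hunk. If it does not, threading a `ctx` into getToken and switching to `http.NewRequestWithContext(ctx, "POST", a.URL, ...)` bounds how long a stalled token endpoint can hold a request. getToken starts before and continues after the hunk.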
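Review bot: The new error after `io.ReadAll` in the `@@ -119` hunk says "failed to parse token response", but nothing has been parsed at that point, the body read itself failed; `return nil, fmt.Errorf("reading token response body: %w", err)` describes the actual failure. The same hunk adds an empty line inside the `if err != nil {` block (the bare `+` line before the return), which gofmt will not remove and which reads as accidental. Separately, `io.ReadAll` reads an unbounded response body; if the token endpoint is not fully under the operator's control, reading through `io.LimitReader(resp.Body, limit)` with a constructed cap such as 1 MiB keeps a misbehaving endpoint from exhausting memory. getToken continues outside the hunk.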
@@ -45,7 +46,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 var err error
 config.Certificates = make([]tls.Certificate, 1)
 if config.Certificates[0], err = tls.LoadX509KeyPair(c.Options.ServingCertFile, c.Options.PrivateKeyFile); err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to load X509 key pair: %v", err)
 }
 if c.Options.CertOpt > int(tls.NoClientCert) && c.Options.ClientCAFile != "" {
@@ -55,7 +56,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 caCertPool = x509.NewCertPool()
 caCertPool.AppendCertsFromPEM(caCert)
 } else {
- return nil, err
+ return nil, fmt.Errorf("failed to load CA certificate: %v", err)
 }
 }
diff --git a/internal/server/http/config.go b/internal/server/http/config.go
index 36f9ac92..45e53c3a 100644
--- a/internal/server/http/config.go
+++ b/internal/server/http/config.go
@@ -4,6 +4,7 @@ import (
 "context"
 "crypto/tls"
 "crypto/x509"
+ "fmt"
 "io"
 "os"
 "time"
@@ -45,7 +46,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 var err error
 config.Certificates = make([]tls.Certificate, 1)
 if config.Certificates[0], err = tls.LoadX509KeyPair(c.Options.ServingCertFile, c.Options.PrivateKeyFile); err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to load X509 key pair: %v", err)
 }
 if c.Options.CertOpt > int(tls.NoClientCert) && c.Options.ClientCAFile != "" {
@@ -55,7 +56,7 @@ func (c *Config) getTSLConfig() (*tls.Config, error) {
 caCertPool = x509.NewCertPool()
 caCertPool.AppendCertsFromPEM(caCert)
 } else {
- return nil, err
+ return nil, fmt.Errorf("failed to load CA certificate: %v", err)
 }
 }
diff --git a/internal/server/otel.go b/internal/server/otel.go
index 1439f4bc..f23a2210 100644
--- a/internal/server/otel.go
+++ b/internal/server/otel.go
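Review bot: The new "failed to load CA certificate" error in the grpc/config.go `@@ -55` hunk only covers a failed read of the CA file, while the line just above it, `caCertPool.AppendCertsFromPEM(caCert)`, discards its boolean result, so a client CA file that reads fine but contains no parseable PEM certificate produces an empty pool with no error at startup; since that pool is what client certificates are checked against when `CertOpt` asks for them, the misconfiguration only shows up later as handshake failures instead of a clear startup error. Check the result: `if !caCertPool.AppendCertsFromPEM(caCert) { return nil, fmt.Errorf("no certificates found in client CA file %s", c.Options.ClientCAFile) }`. The identical code and gap appears in the http/config.go getTSLConfig `@@ -55` hunk. How `caCert` and `err` are set lies above this hunk, and getTSLConfig continues outside it.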
@@ -3,6 +3,8 @@ package server
 // Taken from Kratos examples: https://github.com/go-kratos/examples/blob/main/otel/internal/dep/otel.go
 import (
+ "fmt"
+
 "github.com/go-kratos/kratos/v2/middleware/metrics"
 "go.opentelemetry.io/otel"
 "go.opentelemetry.io/otel/exporters/prometheus"
@@ -19,7 +21,7 @@ func NewMeter(provider metric.MeterProvider) (metric.Meter, error) {
 func NewMeterProvider(s *Server) (metric.MeterProvider, error) {
 exporter, err := prometheus.New()
 if err != nil {
- return nil, err
+ return nil, fmt.Errorf("failed to setup exporter for meter provider: %v", err)
 }
 provider := sdkmetric.NewMeterProvider(