context for access controls errors

coupergateway · Mar 18, 2021 · 3396db5 · 3396db5
1 parent cf5fd7e
commit 3396db5
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 3 deletions.
diff --git a/config/request/context_key.go b/config/request/context_key.go
@@ -4,6 +4,7 @@ type ContextKey uint8
 
 const (
 	UID ContextKey = iota
+	AccessControl
 	AccessControls
 	BackendName
 	Endpoint

diff --git a/config/runtime/server.go b/config/runtime/server.go
@@ -27,6 +27,7 @@ import (
 	"github.com/avenga/couper/errors"
 	"github.com/avenga/couper/eval"
 	"github.com/avenga/couper/handler"
+	hac "github.com/avenga/couper/handler/ac"
 	"github.com/avenga/couper/handler/middleware"
 	"github.com/avenga/couper/handler/producer"
 	"github.com/avenga/couper/handler/transport"
@@ -550,7 +551,7 @@ func configureProtectedHandler(m ac.Map, errTpl *errors.Template, parentAC, hand
 		acList = append(acList, m[acName])
 	}
 	if len(acList) > 0 {
-		return handler.NewAccessControl(h, errTpl, acList...)
+		return hac.NewAccessControl(h, errTpl, acList...)
 	}
 	return h
 }

diff --git a/handler/access_control.go → handler/ac/access_control.go b/handler/access_control.go → handler/ac/access_control.go
@@ -1,9 +1,10 @@
-package handler
+package ac
 
 import (
 	"net/http"
 
 	ac "github.com/avenga/couper/accesscontrol"
+	"github.com/avenga/couper/config/request"
 	"github.com/avenga/couper/errors"
 )
 
@@ -47,6 +48,9 @@ func (a *AccessControl) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 				default:
 					code = errors.AuthorizationFailed
 				}
+				if ctx, ok := req.Context().Value(request.AccessControl).(*AccessControlContext); ok {
+					ctx.errors = append(ctx.errors, err)
+				}
 			}
 			a.errorTpl.ServeError(code).ServeHTTP(rw, req)
 			return

diff --git a/handler/ac/access_control_context.go b/handler/ac/access_control_context.go
@@ -0,0 +1,27 @@
+package ac
+
+import (
+	"context"
+
+	"github.com/avenga/couper/config/request"
+)
+
+type AccessControlContext struct {
+	errors []error
+}
+
+func NewWithContext(ctx context.Context) (context.Context, *AccessControlContext) {
+	octx := &AccessControlContext{}
+	return context.WithValue(ctx, request.AccessControl, octx), octx
+}
+
+func (o *AccessControlContext) Errors() []string {
+	if len(o.errors) == 0 {
+		return nil
+	}
+	var result []string
+	for _, e := range o.errors {
+		result = append(result, e.Error())
+	}
+	return result
+}
diff --git a/handler/access_control_test.go → handler/ac/access_control_test.go b/handler/access_control_test.go → handler/ac/access_control_test.go
@@ -1,4 +1,4 @@
-package handler
+package ac
 
 import (
 	"fmt"

diff --git a/logging/access_log.go b/logging/access_log.go
@@ -11,6 +11,7 @@ import (
 
 	"github.com/avenga/couper/config/request"
 	"github.com/avenga/couper/errors"
+	"github.com/avenga/couper/handler/ac"
 )
 
 type RoundtripHandlerFunc http.HandlerFunc
@@ -35,13 +36,20 @@ func (log *AccessLog) ServeHTTP(rw http.ResponseWriter, req *http.Request, nextH
 	statusRecorder := NewStatusRecorder(rw)
 	rw = statusRecorder
 
+	oCtx, acContext := ac.NewWithContext(req.Context())
+	*req = *req.WithContext(oCtx)
+
 	nextHandler.ServeHTTP(rw, req)
 	serveDone := time.Now()
 
 	fields := Fields{
 		"proto": req.Proto,
 	}
 
+	if acErrors := acContext.Errors(); len(acErrors) > 0 {
+		fields["access_control"] = acErrors
+	}
+
 	backendName, _ := req.Context().Value(request.BackendName).(string)
 	if backendName == "" {
 		endpointName, _ := req.Context().Value(request.Endpoint).(string)