From 0a8099d006404f8d2d93869dd0f4a0073201bb9d Mon Sep 17 00:00:00 2001
From: Johan Lundberg
Date: Tue, 24 Oct 2023 18:01:10 +0200
Subject: [PATCH] tidying and more debug logging

---
 src/auth_server/flows.py        |  3 +--
 src/auth_server/proof/mtls.py   | 11 +++++++----
 src/auth_server/routers/root.py |  7 +++++--
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/auth_server/flows.py b/src/auth_server/flows.py
index 9a39604..17ec0e3 100644
--- a/src/auth_server/flows.py
+++ b/src/auth_server/flows.py
@@ -120,7 +120,7 @@ async def _run_steps(self, steps: List[str]) -> Optional[GrantResponse]:
             logger.debug(f"step {flow_step} done, next step will be called")
         return None
 
-    async def continue_transaction(self, continue_request: ContinueRequest):
+    async def continue_transaction(self, continue_request: ContinueRequest) -> Optional[GrantResponse]:
         # check the client authentication for the continuation request against the same key used for the grant request
         self.state.proof_ok = await self.check_proof(
             gnap_key=self.state.grant_request.client.key, gnap_request=continue_request
@@ -326,7 +326,6 @@ async def handle_interaction(self) -> Optional[GrantResponse]:
             )
             wait = 30  # I guess it takes at least 30 seconds for a user to authenticate
 
-            # TODO: create jwt for continue access token?
             self.state.continue_access_token = get_hex_uuid4()
             continue_response = Continue(
                 uri=str(continue_url),
diff --git a/src/auth_server/proof/mtls.py b/src/auth_server/proof/mtls.py
index 02dabaf..af4f035 100644
--- a/src/auth_server/proof/mtls.py
+++ b/src/auth_server/proof/mtls.py
@@ -27,16 +27,19 @@ async def check_mtls_proof(gnap_key: Key, cert: str) -> bool:
     if gnap_key.cert_S256 is not None:
         logger.debug(f"cert#S256: {gnap_key.cert_S256}")
         if tls_fingerprint == gnap_key.cert_S256:
-            logger.info(f"TLS cert fingerprint matches grant request cert#S256")
+            logger.info("TLS cert fingerprint matches grant request cert#S256")
             return True
-        logger.info(f"TLS cert fingerprint does NOT match grant request cert#S256")
+        logger.info("TLS cert fingerprint does NOT match grant request cert#S256")
     elif gnap_key.cert is not None:
         grant_cert = load_cert_from_str(gnap_key.cert)
         grant_cert_fingerprint = b64encode(grant_cert.fingerprint(algorithm=SHA256())).decode("utf-8")
         logger.debug(f"grant cert fingerprint: {grant_cert_fingerprint}")
         if tls_fingerprint == grant_cert_fingerprint:
-            logger.info(f"TLS cert fingerprint matches grant request cert fingerprint")
+            logger.info("TLS cert fingerprint matches grant request cert fingerprint")
             return True
-        logger.info(f"TLS cert fingerprint does NOT match grant request cert fingerprint")
+        logger.info("TLS cert fingerprint does NOT match grant request cert fingerprint")
 
+    logger.info("TLS cert does NOT match grant request cert")
+    logger.debug(f"tried gnap_key.cert_S256: {bool(gnap_key.cert_S256)}")
+    logger.debug(f"tried gnap_key.cert: {bool(gnap_key.cert)}")
     return False
diff --git a/src/auth_server/routers/root.py b/src/auth_server/routers/root.py
index 4b7c911..eaed396 100644
--- a/src/auth_server/routers/root.py
+++ b/src/auth_server/routers/root.py
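Review bot: The new summary `logger.info("TLS cert does NOT match grant request cert")` before `return False` is also reached when the key carries neither `cert_S256` nor `cert`, so at info level a missing reference certificate reads exactly like a fingerprint mismatch, and only the two debug lines under it tell the cases apart. Folding those flags into the one message keeps the distinction visible at the level operators actually read, e.g. `logger.info("TLS cert does NOT match grant request cert (cert_S256 set: %s, cert set: %s)", gnap_key.cert_S256 is not None, gnap_key.cert is not None)`, after which the two debug lines are redundant. The per-branch "does NOT match" info lines the hunk keeps now fire together with the summary on every failing call, so one of the two layers could be dropped or lowered to debug. check_mtls_proof begins above the hunk, where `tls_fingerprint` is presumably computed.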
@@ -130,16 +130,19 @@ async def continue_transaction(
         raise HTTPException(status_code=404, detail="transaction not found")
 
     transaction_state = TransactionState(**transaction_doc)
+    logger.debug(f"transaction_state loaded: {transaction_state}")
 
     # check continue access token
     if authorization != f"GNAP {transaction_state.continue_access_token}":
         raise HTTPException(status_code=401, detail="permission denied")
 
-    # return continue response again if interaction is not completed
+    # return continue response again if interaction is not completed or interaction reference is not used
     if transaction_state.flow_state != FlowState.APPROVED:
-        # TODO: update expires_in and return error message to clients not waiting long enough
+        logger.debug(f"transaction state: {transaction_state.flow_state}. Can not continue yet.")
+        # TODO: update expires_in, auth token and return error message to clients not waiting long enough
         return transaction_state.grant_response
 
+    logger.debug(f"transaction state: {transaction_state.flow_state}. Continuing flow")
     # initialize flow to continue
     auth_flow_name = transaction_state.flow_name
     auth_flow = request.app.auth_flows.get(auth_flow_name)
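Review bot: The added `logger.debug(f"transaction_state loaded: {transaction_state}")` writes the whole TransactionState into the log, and the check right below it shows that object holds `continue_access_token`, the bearer credential this endpoint authenticates with, alongside the `grant_response` the hunk also returns from it. Debug output is routinely shipped to shared log stores, so the line should name the fields it needs rather than the object, e.g. `logger.debug(f"transaction_state loaded: flow_name={transaction_state.flow_name} flow_state={transaction_state.flow_state}")`, both of which the hunk already reads. The other two new debug lines interpolate only `flow_state` and are fine as written. Separately and pre-existing, the token check `authorization != f"GNAP {transaction_state.continue_access_token}"` is a plain string comparison, where `hmac.compare_digest` on the two values is the usual form for comparing a credential. continue_transaction starts and continues outside the hunk.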