From 8fe771ceb51c6905189651d602a6294534d09005 Mon Sep 17 00:00:00 2001
From: gaobinlong
Date: Mon, 11 Sep 2023 17:40:06 +0800
Subject: [PATCH] Add debug log when encounters permission check failure (#125)

* Add debug log when encounters permission check failure

Signed-off-by: gaobinlong

* Use template string for debug log

Signed-off-by: gaobinlong

* Only log saved object which have no permission

Signed-off-by: gaobinlong

---------

Signed-off-by: gaobinlong
---
 .../permission_control/client.ts | 68 ++++++++++++++-----
 .../saved_objects/saved_objects_service.ts | 2 +-
 2 files changed, 53 insertions(+), 17 deletions(-)

diff --git a/src/core/server/saved_objects/permission_control/client.ts b/src/core/server/saved_objects/permission_control/client.ts
index 4eb8f6ed7436..11e3d6e58dc8 100644
--- a/src/core/server/saved_objects/permission_control/client.ts
+++ b/src/core/server/saved_objects/permission_control/client.ts
@@ -8,6 +8,7 @@ import { ensureRawRequest } from '../../http/router';
 import { SavedObjectsServiceStart } from '../saved_objects_service';
 import { SavedObjectsBulkGetObject, SavedObjectsRepository, SavedObjectsUtils } from '../service';
 import { ACL, Principals, TransformedPermission, PrincipalType } from './acl';
+import { Logger } from '../../logging';
 
 export type SavedObjectsPermissionControlContract = Pick<
   SavedObjectsPermissionControl,
@@ -22,10 +23,16 @@ export interface AuthInfo {
 }
 
 export class SavedObjectsPermissionControl {
+  private readonly logger: Logger;
   private createInternalRepository?: SavedObjectsServiceStart['createInternalRepository'];
   private getInternalRepository() {
     return this.createInternalRepository?.();
   }
+
+  constructor(logger: Logger) {
+    this.logger = logger;
+  }
+
   public getPrincipalsFromRequest(request: OpenSearchDashboardsRequest): Principals {
     const rawRequest = ensureRawRequest(request);
     const authInfo = rawRequest?.auth?.credentials?.authInfo as AuthInfo | null;
@@ -85,27 +92,56 @@ export class SavedObjectsPermissionControl {
     permissionModes: SavedObjectsPermissionModes
   ) {
     const savedObjectsGet = await this.bulkGetSavedObjects(request, savedObjects);
-    if (savedObjectsGet) {
-      const principals = this.getPrincipalsFromRequest(request);
-      const hasAllPermission = savedObjectsGet.every((item) => {
-        // for object that doesn't contain ACL like config, return true
-        if (!item.permissions) {
-          return true;
-        }
-        const aclInstance = new ACL(item.permissions);
-        return aclInstance.hasPermission(permissionModes, principals);
-      });
+    if (!savedObjectsGet) {
+      return {
+        success: false,
+        error: i18n.translate('savedObjects.permission.notFound', {
+          defaultMessage: 'Can not find target saved objects.',
+        }),
+      };
+    }
+
+    if (savedObjectsGet.length === 1 && !!savedObjectsGet[0].error) {
       return {
-        success: true,
-        result: hasAllPermission,
+        success: false,
+        error: savedObjectsGet[0].error,
       };
     }
+    const principals = this.getPrincipalsFromRequest(request);
+    let savedObjectsBasicInfo: any[] = [];
+    const hasAllPermission = savedObjectsGet.every((item) => {
+      // for object that doesn't contain ACL like config, return true
+      if (!item.permissions) {
+        return true;
+      }
+      const aclInstance = new ACL(item.permissions);
+      const hasPermission = aclInstance.hasPermission(permissionModes, principals);
+      if (!hasPermission) {
+        savedObjectsBasicInfo = [
+          ...savedObjectsBasicInfo,
+          {
+            id: item.id,
+            type: item.type,
+            workspaces: item.workspaces,
+            permissions: item.permissions,
+          },
+        ];
+      }
+      return hasPermission;
+    });
+    if (!hasAllPermission) {
+      this.logger.debug(
+        `Authorization failed, principals: ${JSON.stringify(
+          principals
+        )} has no [${permissionModes}] permissions on the requested saved object: ${JSON.stringify(
+          savedObjectsBasicInfo
+        )}`
+      );
+    }
     return {
-      success: false,
-      error: i18n.translate('savedObjects.permission.notFound', {
-        defaultMessage: 'Can not find target saved objects.',
-      }),
+      success: true,
+      result: hasAllPermission,
     };
   }
diff --git a/src/core/server/saved_objects/saved_objects_service.ts b/src/core/server/saved_objects/saved_objects_service.ts
index 6108bc20a06d..2750e276e4b0 100644
--- a/src/core/server/saved_objects/saved_objects_service.ts
+++ b/src/core/server/saved_objects/saved_objects_service.ts
@@ -349,7 +349,7 @@ export class SavedObjectsService
       migratorPromise: this.migrator$.pipe(first()).toPromise(),
     });
-    this.permissionControl = new SavedObjectsPermissionControl();
+    this.permissionControl = new SavedObjectsPermissionControl(this.logger);
     registerPermissionCheckRoutes({
       http: setupDeps.http,
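Review bot: `Logger` is used only in type positions in this file (the field declaration and the constructor parameter), so the new import in the first hunk can be `import type { Logger } from '../../logging';` to avoid leaving a runtime binding in the emit. In the second hunk the separate field plus assignment can be collapsed into a parameter property, `constructor(private readonly logger: Logger) {}`, which is the conventional form for an injected dependency. Turning the constructor into one with a required argument breaks any `new SavedObjectsPermissionControl()` call outside this diff (test doubles, for instance); saved_objects_service.ts is updated in the last hunk, but other call sites are not visible here.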
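Review bot: In the new `every` callback an item that `bulkGetSavedObjects` returned with an `error` (and therefore no `permissions`) takes the `!item.permissions` branch and counts as permitted, so the `savedObjectsGet.length === 1 && !!savedObjectsGet[0].error` guard only covers single-object requests and a fetch error on one item of a multi-object request is silently treated as a pass. If that is not intended, check every item before the ACL loop, e.g. `const failed = savedObjectsGet.find((item) => item.error); if (failed) { return { success: false, error: failed.error }; }`, and note that this branch returns the item's error object while the not-found branch returns an i18n string, so the result's `error` field now has two shapes for callers to handle. `let savedObjectsBasicInfo: any[] = []` rebuilt by spreading on each miss should be a `const` array with an explicit element type, e.g. `Array<Pick<typeof savedObjectsGet[number], 'id' | 'type' | 'workspaces' | 'permissions'>>`, appended to with `.push`. The debug line serialises the full principal set and each denied object's complete ACL, which is useful for authorization troubleshooting but writes identities and permission grants to the log even at debug level, so consider limiting the per-object payload to `id` and `type` unless the ACL itself is needed for diagnosis. The enclosing method's signature starts before this hunk.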