From 9d1e128df9c05e4531c675dedde9b589e7474788 Mon Sep 17 00:00:00 2001
From: t4niwa <114040262+t4niwa@users.noreply.github.com>
Date: Mon, 14 Nov 2022 17:10:50 +0900
Subject: [PATCH] [patch] add log on authZ error (#96)

* [patch] add log on authZ error

* update

* fix

* fix
---
 authorizerd.go | 7 ++++---
 role/processor.go | 4 ++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/authorizerd.go b/authorizerd.go
index 0115660d..954c4acf 100644
--- a/authorizerd.go
+++ b/authorizerd.go
@@ -408,7 +408,7 @@ func (a *authority) authorize(ctx context.Context, m mode, tok, act, res, query
 case roleToken:
 rt, err := a.roleProcessor.ParseAndValidateRoleToken(tok)
 if err != nil {
- glg.Debugf("error parse and validate role token, err: %v", err)
+ glg.Infof("error parse and validate role token, err: %v", err)
 return nil, errors.Wrap(err, "error authorize role token")
 }
 domain = rt.Domain
@@ -423,7 +423,7 @@ func (a *authority) authorize(ctx context.Context, m mode, tok, act, res, query
 case accessToken:
 ac, err := a.accessProcessor.ParseAndValidateOAuth2AccessToken(tok, cert)
 if err != nil {
- glg.Debugf("error parse and validate access token, err: %v", err)
+ glg.Infof("error parse and validate access token, err: %v", err)
 return nil, errors.Wrap(err, "error authorize access token")
 }
 domain = ac.Audience
@@ -445,6 +445,7 @@ func (a *authority) authorize(ctx context.Context, m mode, tok, act, res, query
 var err error
 act, res, err = a.translator.Translate(domain, act, res, query)
 if err != nil {
+ glg.Infof("translator error, err: %v, principal: %s, action: %s, resource: %s", err, p.Name(), act, res)
 return nil, err
 }
 }
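Review bot: Raising the token parse/validate failure log from Debugf to Infof in the -408 hunk (and the identical change in the -423 hunk) makes a client-triggerable condition emit an Info-level line per request, because `tok` is caller-supplied and no valid credential is needed to reach this branch. That is a useful operational signal, but the log volume is now under the caller's control, so the sink should tolerate a burst (sampling or rate limiting) and the wrapped `err` must never embed the raw token; ParseAndValidateRoleToken and ParseAndValidateOAuth2AccessToken are outside the hunk, so I cannot confirm what their error text contains. A one-line comment on the Infof would record the intent: `// Info on purpose: authz failures are an operational signal; err must not include the token itself`. The body of authorize starts before and continues after these hunks.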
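Review bot: The Infof added in the -445 hunk logs `act` and `res` after `a.translator.Translate` has already assigned its return values to them, so on error the line reports whatever Translate returned on failure rather than the inputs that could not be translated. Capture them before the call, `origAct, origRes := act, res`, and log those instead. Both `act` and `res` are request parameters of authorize and therefore caller-controlled, so they and `p.Name()` should be formatted with `%q` rather than `%s` so embedded line breaks or control characters cannot split or forge log records; the same applies to the Infof added in the -452 hunk. `p` is declared outside this hunk, so I cannot confirm it is always non-nil at this point.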
@@ -452,7 +453,7 @@ func (a *authority) authorize(ctx context.Context, m mode, tok, act, res, query
 res = a.resourcePrefix + res
 authorizedRoles, err := a.policyd.CheckPolicyRoles(ctx, domain, roles, act, res)
 if err != nil {
- glg.Debugf("error check, err: %v", err)
+ glg.Infof("check policy error, err: %v, principal: %s, action: %s, resource: %s", err, p.Name(), act, res)
 return nil, errors.Wrap(err, "token unauthorized")
 }
diff --git a/role/processor.go b/role/processor.go
index 8e4a6f6b..6aeb539d 100644
--- a/role/processor.go
+++ b/role/processor.go
@@ -82,11 +82,11 @@ func (r *rtp) parseToken(tok string) (*Token, error) {
 func (r *rtp) validate(rt *Token) error {
 if rt.Expired() {
- return errors.Wrapf(ErrRoleTokenExpired, "token expired")
+ return errors.Wrapf(ErrRoleTokenExpired, "token expired. principal %s", rt.Principal)
 }
 ver := r.pkp(pubkey.EnvZTS, rt.KeyID)
 if ver == nil {
- return errors.Wrapf(ErrRoleTokenInvalid, "invalid role token key ID %s", rt.KeyID)
+ return errors.Wrapf(ErrRoleTokenInvalid, "invalid role token key ID %s. principal %s", rt.KeyID, rt.Principal)
 }
 return ver.Verify(rt.UnsignedToken, rt.Signature)
 }
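Review bot: Both new error strings in `validate` interpolate `rt.Principal` with `%s` before `ver.Verify` has run, so in the expired and unknown-key-ID branches the principal is unverified text taken straight from the presented token, and via the Infof calls in authorizerd.go it now reaches the Info log through `%v`. Format the principal (and `rt.KeyID`) with `%q` so a value carrying line breaks or control characters cannot split or forge log records, e.g. `return errors.Wrapf(ErrRoleTokenExpired, "token expired. principal %q", rt.Principal)`. A short comment above the first check would make the ordering explicit: `// Expiry and key lookup run before signature verification; rt fields are untrusted here.` The parseToken named in the hunk header lies outside the hunk.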