Improve error messages for JWT rotation (#364)

nikita-vanyasin · web-flow · commit 37a0acecb2cc · 2023-07-04T09:56:15.000+02:00
diff --git a/service/jwt.go b/service/jwt.go
@@ -88,7 +88,7 @@ func (j jwtManager) add(d []byte) error {
 	return nil
 }
 
-func (j jwtManager) remove(i *api.ClusterInventory, p *Peer, s string, d []byte) error {
+func (j jwtManager) remove(i *api.ClusterInventory, p *Peer, hash string, token []byte) error {
 	if i.Error != nil {
 		return errors.Errorf("Unable to remove token if member is failed: %s", i.Error.Error)
 	}
@@ -99,13 +99,13 @@ func (j jwtManager) remove(i *api.ClusterInventory, p *Peer, s string, d []byte)
 				return errors.Errorf("Unable to get hashes - probably not supported by server")
 			}
 
-			if n.Hashes.JWT.Active.GetSHA().Checksum() == Sha256sum(d) {
-				return errors.Errorf("JWT token %s is active on peer %s and member %s", Sha256sum(d), pname, mname)
+			if n.Hashes.JWT.Active.GetSHA().Checksum() == Sha256sum(token) {
+				return errors.Errorf("JWT token %s is active on peer %s and member %s", Sha256sum(token), pname, mname)
 			}
 		}
 	}
 
-	return os.Remove(path.Join(j.dir, s))
+	return os.Remove(path.Join(j.dir, hash))
 }
 
 type tokens map[string][]byte
@@ -201,9 +201,9 @@ func (s *httpServer) jwtActivateE(r *http.Request) (int, error) {
 
 	switch r.Method {
 	case http.MethodPost:
-		s.log.Info().Msgf("Received JWT Refresh call")
+		s.log.Info().Msgf("Received JWT Activate call")
 		if err := s.synchronizeJWTOnMembers(i, token); err != nil {
-			s.log.Warn().Err(err).Msgf("JWT Refresh call failed")
+			s.log.Warn().Err(err).Msgf("JWT Activate call failed")
 			return 0, err
 		}
 		s.log.Info().Msgf("JWT Refresh call done")
@@ -284,7 +284,6 @@ func (s *httpServer) synchronizeJWTOnMembers(ci *api.ClusterInventory, active st
 		}
 
 		f := newJWTManager(path.Join(d, definitions.ArangodJWTSecretFolderName))
-
 		fTokens, err := f.tokens()
 		if err != nil {
 			return err
@@ -313,7 +312,6 @@ func (s *httpServer) synchronizeJWTOnMembers(ci *api.ClusterInventory, active st
 		}
 
 		cActive, ok := fTokens[definitions.ArangodJWTSecretActive]
-
 		if !ok {
 			_, d, ok := fTokens.getAny()
 			if !ok {
@@ -335,7 +333,7 @@ func (s *httpServer) synchronizeJWTOnMembers(ci *api.ClusterInventory, active st
 		if active != "" && active != Sha256sum(cActive) {
 			eActive, ok := fTokens[active]
 			if !ok {
-				return errors.Errorf("Unable to find key which needs to be activated")
+				return errors.Errorf("Unable to find key which needs to be activated on peer %s and member %s", p.ID, t)
 			}
 
 			if err := f.setActive(ci, Sha256sum(eActive)); err != nil {
@@ -370,13 +368,13 @@ func (s *httpServer) synchronizeJWTOnMembers(ci *api.ClusterInventory, active st
 			return errors.Errorf("Invalid tokens length")
 		}
 
-		for t := range fTokens {
-			if t == definitions.ArangodJWTSecretActive {
+		for tok := range fTokens {
+			if tok == definitions.ArangodJWTSecretActive {
 				continue
 			}
 
-			if !jwt.Result.Passive.ContainsSha(t) {
-				return errors.Errorf("Checksum %s not found on server", t)
+			if !jwt.Result.Passive.ContainsSha(tok) {
+				return errors.Errorf("Checksum %s not found on peer %s and member %s", tok, p.ID, t)
 			}
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ func (j jwtManager) add(d []byte) error {`
`88`	`88`	`return nil`
`89`	`89`	`}`
`90`	`90`
`91`		`-func (j jwtManager) remove(i api.ClusterInventory, p Peer, s string, d []byte) error {`
	`91`	`+func (j jwtManager) remove(i api.ClusterInventory, p Peer, hash string, token []byte) error {`
`92`	`92`	`if i.Error != nil {`
`93`	`93`	`return errors.Errorf("Unable to remove token if member is failed: %s", i.Error.Error)`
`94`	`94`	`}`
`@@ -99,13 +99,13 @@ func (j jwtManager) remove(i api.ClusterInventory, p Peer, s string, d []byte)`
`99`	`99`	`return errors.Errorf("Unable to get hashes - probably not supported by server")`
`100`	`100`	`}`
`101`	`101`
`102`		`- if n.Hashes.JWT.Active.GetSHA().Checksum() == Sha256sum(d) {`
`103`		`- return errors.Errorf("JWT token %s is active on peer %s and member %s", Sha256sum(d), pname, mname)`
	`102`	`+ if n.Hashes.JWT.Active.GetSHA().Checksum() == Sha256sum(token) {`
	`103`	`+ return errors.Errorf("JWT token %s is active on peer %s and member %s", Sha256sum(token), pname, mname)`
`104`	`104`	`}`
`105`	`105`	`}`
`106`	`106`	`}`
`107`	`107`
`108`		`- return os.Remove(path.Join(j.dir, s))`
	`108`	`+ return os.Remove(path.Join(j.dir, hash))`
`109`	`109`	`}`
`110`	`110`
`111`	`111`	`type tokens map[string][]byte`
`@@ -201,9 +201,9 @@ func (s httpServer) jwtActivateE(r http.Request) (int, error) {`
`201`	`201`
`202`	`202`	`switch r.Method {`
`203`	`203`	`case http.MethodPost:`
`204`		`- s.log.Info().Msgf("Received JWT Refresh call")`
	`204`	`+ s.log.Info().Msgf("Received JWT Activate call")`
`205`	`205`	`if err := s.synchronizeJWTOnMembers(i, token); err != nil {`
`206`		`- s.log.Warn().Err(err).Msgf("JWT Refresh call failed")`
	`206`	`+ s.log.Warn().Err(err).Msgf("JWT Activate call failed")`
`207`	`207`	`return 0, err`
`208`	`208`	`}`
`209`	`209`	`s.log.Info().Msgf("JWT Refresh call done")`
`@@ -284,7 +284,6 @@ func (s httpServer) synchronizeJWTOnMembers(ci api.ClusterInventory, active st`
`284`	`284`	`}`
`285`	`285`
`286`	`286`	`f := newJWTManager(path.Join(d, definitions.ArangodJWTSecretFolderName))`
`287`		`-`
`288`	`287`	`fTokens, err := f.tokens()`
`289`	`288`	`if err != nil {`
`290`	`289`	`return err`
`@@ -313,7 +312,6 @@ func (s httpServer) synchronizeJWTOnMembers(ci api.ClusterInventory, active st`
`313`	`312`	`}`
`314`	`313`
`315`	`314`	`cActive, ok := fTokens[definitions.ArangodJWTSecretActive]`
`316`		`-`
`317`	`315`	`if !ok {`
`318`	`316`	`_, d, ok := fTokens.getAny()`
`319`	`317`	`if !ok {`
`@@ -335,7 +333,7 @@ func (s httpServer) synchronizeJWTOnMembers(ci api.ClusterInventory, active st`
`335`	`333`	`if active != "" && active != Sha256sum(cActive) {`
`336`	`334`	`eActive, ok := fTokens[active]`
`337`	`335`	`if !ok {`
`338`		`- return errors.Errorf("Unable to find key which needs to be activated")`
	`336`	`+ return errors.Errorf("Unable to find key which needs to be activated on peer %s and member %s", p.ID, t)`
`339`	`337`	`}`
`340`	`338`
`341`	`339`	`if err := f.setActive(ci, Sha256sum(eActive)); err != nil {`
`@@ -370,13 +368,13 @@ func (s httpServer) synchronizeJWTOnMembers(ci api.ClusterInventory, active st`
`370`	`368`	`return errors.Errorf("Invalid tokens length")`
`371`	`369`	`}`
`372`	`370`
`373`		`- for t := range fTokens {`
`374`		`- if t == definitions.ArangodJWTSecretActive {`
	`371`	`+ for tok := range fTokens {`
	`372`	`+ if tok == definitions.ArangodJWTSecretActive {`
`375`	`373`	`continue`
`376`	`374`	`}`
`377`	`375`
`378`		`- if !jwt.Result.Passive.ContainsSha(t) {`
`379`		`- return errors.Errorf("Checksum %s not found on server", t)`
	`376`	`+ if !jwt.Result.Passive.ContainsSha(tok) {`
	`377`	`+ return errors.Errorf("Checksum %s not found on peer %s and member %s", tok, p.ID, t)`
`380`	`378`	`}`
`381`	`379`	`}`
`382`	`380`