Better logging
- Add more logging to our macaroon discharger
- Reduce logging on our model proxy
kian99 committed Sep 7, 2023
1 parent 48fff0e commit 6425f16
Showing 2 changed files with 8 additions and 2 deletions.
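--- a/internal/rpc/proxy.go
+++ b/internal/rpc/proxy.go
@@ -186,7 +186,7 @@ func (p *clientProxy) start(ctx context.Context) error {
 zapctx.Debug(ctx, "Reading on client connection")
 msg := new(message)
 if err := p.src.readJson(&msg); err != nil {
-zapctx.Error(ctx, "clientProxy error reading from src", zap.Error(err))
+// Error reading on the socket implies it is closed, simply return.
 return err
 }
 zapctx.Debug(ctx, "Read message from client", zap.Any("message", msg))
@@ -286,7 +286,6 @@ func (p *controllerProxy) start(ctx context.Context) error {
 zapctx.Debug(ctx, "Reading on controller connection")
 msg := new(message)
 if err := p.src.readJson(msg); err != nil {
-zapctx.Error(ctx, "controllerProxy error reading from src", zap.Error(err))
 // Error reading on the socket implies it is closed, simply return.
 return err
 }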
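Review bot: With the `zapctx.Error` calls removed from both read loops (`clientProxy.start` and `controllerProxy.start`), every `readJson` failure is now returned with no record at this layer, and the comment treats all of them as a closed socket. A malformed frame from a peer would presumably come back through the same `err`, so unless the caller of `start` logs the returned error (not visible here) a normal disconnect and bad input become indistinguishable. Consider keeping a low-level record such as `zapctx.Debug(ctx, "clientProxy read failed", zap.Error(err))`, or logging only when the error is not a normal close. Separately, the client loop passes `&msg` (a pointer to a pointer) to `readJson` while the controller loop passes `msg`; the two should agree. Both function bodies start and end outside the hunks.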
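--- a/service.go
+++ b/service.go
@@ -598,28 +598,33 @@ func (s *Service) thirdPartyCaveatCheckerFunction(ofgaClient *openfga.OFGAClient
 return func(ctx context.Context, req *http.Request, cavInfo *bakery.ThirdPartyCaveatInfo, _ *httpbakery.DischargeToken) ([]checkers.Caveat, error) {
 caveatTokens := strings.Split(string(cavInfo.Condition), " ")
 if len(caveatTokens) != 3 {
+zapctx.Error(ctx, "caveat token length incorrect", zap.Int("length", len(caveatTokens)))
 return nil, checkers.ErrCaveatNotRecognized
 }
 relationString := caveatTokens[0]
 userTagString := caveatTokens[1]
 objectTagString := caveatTokens[2]
 
 if !strings.HasPrefix(relationString, "is-") {
+zapctx.Error(ctx, "caveat token relation string missing prefix")
 return nil, checkers.ErrCaveatNotRecognized
 }
 relationString = strings.TrimPrefix(relationString, "is-")
 relation, err := ofganames.ParseRelation(relationString)
 if err != nil {
+zapctx.Error(ctx, "caveat token relation invalid", zap.Error(err))
 return nil, checkers.ErrCaveatNotRecognized
 }
 
 userTag, err := names.ParseUserTag(userTagString)
 if err != nil {
+zapctx.Error(ctx, "failed to parse caveat user tag", zap.Error(err))
 return nil, checkers.ErrCaveatNotRecognized
 }
 
 objectTag, err := jimmnames.ParseTag(objectTagString)
 if err != nil {
+zapctx.Error(ctx, "failed to parse caveat object tag", zap.Error(err))
 return nil, checkers.ErrCaveatNotRecognized
 }
 
@@ -632,6 +637,7 @@ func (s *Service) thirdPartyCaveatCheckerFunction(ofgaClient *openfga.OFGAClient
 
 allowed, err := openfga.CheckRelation(ctx, user, objectTag, relation)
 if err != nil {
+zapctx.Error(ctx, "failed to check request caveat relation", zap.Error(err))
 return nil, errors.E(err)
 }
 
@@ -640,6 +646,7 @@ func (s *Service) thirdPartyCaveatCheckerFunction(ofgaClient *openfga.OFGAClient
 checkers.TimeBeforeCaveat(time.Now().Add(defaultDischargeExpiry)),
 }, nil
 }
+zapctx.Debug(ctx, "macaroon dishcharge denied", zap.String("user", user.Username), zap.String("object", objectTag.Id()))
 return nil, httpbakery.ErrPermissionDenied
 }
 }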
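Review bot: The denial path just before `return nil, httpbakery.ErrPermissionDenied` logs at Debug with a misspelled message (`"macaroon dishcharge denied"`). A refused discharge, the one authorization decision in this checker worth auditing, will therefore be absent at typical production log levels and will not match a search for "discharge". The entry also omits the relation that was checked, so the record does not say what was refused. I would change it to `zapctx.Info(ctx, "macaroon discharge denied", zap.String("user", user.Username), zap.String("relation", relationString), zap.String("object", objectTag.Id()))`. The malformed-caveat branches above log at Error on input that appears to come straight from the caveat condition, so it is worth confirming that level is intended; the construction of `user` sits between the hunks and is not visible here.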
