objectstore_server/auth/
error.rs

1use objectstore_types::auth::Permission;
2use thiserror::Error;
3
/// Reasons an authorization check on a request can fail.
///
/// Each variant's `#[error(...)]` string is its `Display` output, which is the text that
/// [`AuthError::log`] records as `msg`.
#[derive(Debug, Error, PartialEq)]
pub enum AuthError {
    /// The request itself made it impossible to carry out authorization verification properly.
    ///
    /// The payload is a `&'static str`, so the message is always a compile-time constant and
    /// never carries request-supplied text.
    #[error("bad request: {0}")]
    BadRequest(&'static str),

    /// Something on the Objectstore side made it impossible to carry out authorization
    /// verification properly.
    // NOTE(review): the payload is a free-form `String` that ends up in `Display`; confirm
    // that constructors do not put key material or token contents in it.
    #[error("internal error: {0}")]
    InternalError(String),

    /// The supplied authorization token is invalid (e.g. expired or malformed).
    ///
    /// `#[from]` generates `From<jsonwebtoken::errors::Error>`, so a `?` on a `jsonwebtoken`
    /// call converts into this variant. `Display` embeds the library's own error text.
    // NOTE(review): confirm whether this `Display` string is only logged or is also returned
    // to the caller; the embedded library detail is more than a client needs to see.
    #[error("failed to decode token: {0}")]
    ValidationFailure(#[from] jsonwebtoken::errors::Error),

    /// A token that was otherwise valid could not be verified with the configured keys.
    #[error("failed to verify token")]
    VerificationFailure,

    /// The requested operation is not authorized and auth enforcement is enabled.
    #[error("operation not allowed")]
    NotPermitted,
}
29
impl AuthError {
    /// Short, stable name for the failure reason, used as a metrics tag.
    ///
    /// Every arm returns a fixed string literal and ignores the variant payload, so the set of
    /// tag values is bounded and no request- or token-derived text can end up in a metric tag.
    pub fn code(&self) -> &'static str {
        match self {
            AuthError::BadRequest(..) => "bad_request",
            AuthError::InternalError(..) => "internal_error",
            AuthError::ValidationFailure(..) => "validation_failure",
            AuthError::VerificationFailure => "verification_failure",
            AuthError::NotPermitted => "not_permitted",
        }
    }

    /// Count this auth failure and write a log record for it.
    ///
    /// The `server.auth.failure` counter is incremented with the result of [`Self::code`] as
    /// its `code` tag. The log record carries `permission`, `usecase`, `code` and `msg` (this
    /// error's `Display` text).
    ///
    /// The level depends on `enforce`: when it is `true` the record is emitted at debug level;
    /// when it is `false` it is emitted as a warning, so that failures are found and fixed
    /// before enforcement is switched on.
    pub fn log(&self, permission: Option<Permission>, usecase: Option<&str>, enforce: bool) {
        // `code` and `msg` must keep these names: the `?name` shorthand in the log macros below
        // uses the variable name as the field name.
        let code = self.code();
        objectstore_metrics::count!("server.auth.failure", code = code);

        let msg = self.to_string();
        // NOTE(review): presumably the `?` sigil records each field with `Debug` formatting as
        // in `tracing`, which would escape control characters in `usecase`; confirm against the
        // `objectstore_log` macros.
        if enforce {
            objectstore_log::debug!(?permission, ?usecase, ?code, ?msg, "Auth failure");
        } else {
            objectstore_log::warn!(?permission, ?usecase, ?code, ?msg, "Auth failure");
        }
    }
}