diff --git a/server/auth/gitlab/gitlab.go b/server/auth/gitlab/gitlab.go
index 5e1f95f7d3c497aee921ce59d92fc9d0afa80405..650b34fc32d013aa1ff24bdf146f9c891c0a4d40 100644
--- a/server/auth/gitlab/gitlab.go
+++ b/server/auth/gitlab/gitlab.go
@@ -2,6 +2,7 @@ package gitlab
 import (
 	"errors"
+	"log"
 	"strconv"
 	"github.com/nsheridan/cashier/server/config"
@@ -46,6 +47,7 @@ func New(c *config.Auth) (*Config, error) {
 			return nil, errors.New("gitlab_opts if allusers is set, siteurl must be set")
 		}
 	}
+	oauth2.RegisterBrokenAuthHeaderProvider(siteURL)
 	return &Config{
 		config: &oauth2.Config{
@@ -75,18 +77,22 @@ func (c *Config) Name() string {
 // Valid validates the oauth token.
 func (c *Config) Valid(token *oauth2.Token) bool {
 	if !token.Valid() {
+		log.Printf("Auth fail (oauth2 Valid failure)")
 		return false
 	}
 	if c.allusers {
+		log.Printf("Auth success (allusers)")
 		metrics.M.AuthValid.WithLabelValues("gitlab").Inc()
 		return true
 	}
 	if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] {
+		log.Printf("Auth fail (not in whitelist)")
 		return false
 	}
 	if c.group == "" {
 		// There's no group and token is valid. Can only reach
 		// here if user whitelist is set and user is in whitelist.
+		log.Printf("Auth success (no groups specified in server config)")
 		metrics.M.AuthValid.WithLabelValues("gitlab").Inc()
 		return true
 	}
@@ -94,14 +100,17 @@ func (c *Config) Valid(token *oauth2.Token) bool {
 	client.SetBaseURL(c.baseurl)
 	groups, _, err := client.Groups.SearchGroup(c.group)
 	if err != nil {
+		log.Printf("Auth failure (error fetching groups: %s)", err)
 		return false
 	}
 	for _, g := range groups {
 		if g.Path == c.group {
 			metrics.M.AuthValid.WithLabelValues("gitlab").Inc()
+			log.Printf("Auth success (in allowed group)")
 			return true
 		}
 	}
+	log.Printf("Auth failure (not in allowed groups)")
 	return false
 }
diff --git a/server/handlers.go b/server/handlers.go
index 4d9543bfaae9a118bd739cfff524fe79e6fc1af9..0ade8ad7ecc5c088ee5ab6bee7d3e01ed8ded616 100644
--- a/server/handlers.go
+++ b/server/handlers.go
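Review bot: `oauth2.RegisterBrokenAuthHeaderProvider(siteURL)` in the @@ -46 hunk appends to package-global state in golang.org/x/oauth2 on every call to New, and the library matches registered providers by URL prefix, so if siteURL can still be empty at this point (the lines of New that assign it are above the hunk) the empty prefix would match every token URL and switch every provider in the process to sending the client secret in the request body. Guard the call, `if siteURL != "" { oauth2.RegisterBrokenAuthHeaderProvider(siteURL) }`, or register the exact token endpoint instead of the site root. A one-line comment stating why the registration is needed (presumably that GitLab's token endpoint does not accept client credentials in the Authorization header) would also help the next reader, since nothing in the hunk says so. New's body starts above this hunk.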
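Review bot: None of the new log lines in Valid (@@ -75 hunk) identify the principal, so a whitelist or group rejection cannot be attributed to a user from the logs; the whitelist branch already computes `c.Username(token)` and could include it, e.g. `log.Printf("Auth fail (user %q not in whitelist)", c.Username(token))`. The messages also alternate between "Auth fail" and "Auth failure", and in the following @@ -94 hunk the success log is placed after the metrics increment while every other branch logs first, which makes grepping and alerting on these lines harder than it needs to be. A single consistent prefix such as `gitlab auth:` and the same log-then-metric order in every branch would keep both hunks coherent. Valid's body spans this hunk and the next.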
@@ -88,6 +88,7 @@ func (a *app) auth(w http.ResponseWriter, r *http.Request) {
 	case "/auth/callback":
 		state := a.getSessionVariable(r, "state")
 		if r.FormValue("state") != state {
+			log.Printf("Not authorized on /auth/callback")
 			w.WriteHeader(http.StatusUnauthorized)
 			w.Write([]byte(http.StatusText(http.StatusUnauthorized)))
 			break
@@ -99,11 +100,13 @@ func (a *app) auth(w http.ResponseWriter, r *http.Request) {
 		code := r.FormValue("code")
 		token, err := a.authprovider.Exchange(code)
 		if err != nil {
+			log.Printf("Error on /auth/callback: %v", err)
 			w.WriteHeader(http.StatusInternalServerError)
 			w.Write([]byte(http.StatusText(http.StatusInternalServerError)))
 			w.Write([]byte(err.Error()))
 			break
 		}
+		log.Printf("Token found on /auth/callback, redirecting to %s", originURL)
 		a.setAuthToken(w, r, token)
 		http.Redirect(w, r, originURL, http.StatusFound)
 	default:
@@ -112,7 +115,9 @@ func (a *app) auth(w http.ResponseWriter, r *http.Request) {
 }
 func (a *app) index(w http.ResponseWriter, r *http.Request) {
+	log.Printf("Entering index handler.")
 	tok := a.getAuthToken(r)
+	log.Printf("Token found: %v\n", tok)
 	page := struct {
 		Token string
 	}{tok.AccessToken}
diff --git a/server/server.go b/server/server.go
index 2a6af15b8dea9299e7a303fff7723e7b9dd806b4..10b67633ce35c632215883561052655b8c540678 100644
--- a/server/server.go
+++ b/server/server.go
@@ -251,8 +251,11 @@ func (a *app) setSessionVariable(w http.ResponseWriter, r *http.Request, key, va
 func (a *app) authed(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		log.Printf("Checking auth for %s.", r.URL.EscapedPath())
 		t := a.getAuthToken(r)
+		log.Printf("Token is: %v.", t)
 		if !t.Valid() || !a.authprovider.Valid(t) {
+			log.Printf("Invalid token t.Valid() = %s.", t.Valid())
 			a.setSessionVariable(w, r, "origin_url", r.URL.EscapedPath())
 			http.Redirect(w, r, "/auth/login", http.StatusSeeOther)
 			return
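Review bot: Now that `log.Printf("Error on /auth/callback: %v", err)` in the @@ -99 hunk records the exchange failure server-side, the unchanged `w.Write([]byte(err.Error()))` three lines below still echoes the raw oauth2 error text to the browser, where it can expose provider endpoint and transport details; the log is the right sink for that detail and the response can stay at the generic status text. The new `log.Printf("Token found on /auth/callback, redirecting to %s", originURL)` prints a value that originates from a request path stored in the session, so `%q` would make an unusual or empty value visible in the log. The auth handler's switch continues outside the hunk.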
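Review bot: `log.Printf("Token found: %v\n", tok)` in the @@ -112 hunk formats the whole oauth2.Token with `%v`, which includes the access token (and refresh token when present), so every visit to index writes a bearer credential into the server log; the same dump is added in server/server.go's authed wrapper as `log.Printf("Token is: %v.", t)`. Log only non-secret attributes, e.g. `log.Printf("index: token valid=%t expiry=%v", tok.Valid(), tok.Expiry)`, or drop the line. The trailing `\n` is also redundant because log.Printf appends a newline itself. index's body continues past the end of the hunk.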
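Review bot: `log.Printf("Invalid token t.Valid() = %s.", t.Valid())` in the server/server.go hunk uses `%s` with a bool, which go vet flags and which renders as `%!s(bool=false)` at runtime; use `%t`. The line also reports only t.Valid() although the branch is entered when either `t.Valid()` or `a.authprovider.Valid(t)` is false, so a provider-side rejection is logged as if the token itself were invalid; including the request path and both results, e.g. `log.Printf("authed: rejecting %s (token valid=%t)", r.URL.EscapedPath(), t.Valid())` after evaluating the provider check separately, would make the log accurate. The handler closure continues past the end of the hunk.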