fix(authorization): Log deny actions only if not empty (kroxylicious#3001)

* fix(authorization): Log deny actions only if not empty

Signed-off-by: Keith Wall <kwall@apache.org>

* Add test asserting we don't log empty deny events.

Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Assert that we log an outcome for every request.

Note we draw a distinction between things which cannot be authorized, API_VERSIONS for example, and requests which contained no authorizable actions.

Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Fix formatting

Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

---------

Signed-off-by: Keith Wall <kwall@apache.org>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>
Co-authored-by: Sam Barker <sam@quadrocket.co.uk>

Author: k-wall

kroxylicious-filters/kroxylicious-authorization/pom.xml

@@ -102,7 +102,11 @@
             <artifactId>mockito-junit-jupiter</artifactId>
             <scope>test</scope>
         </dependency>
-
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>logcaptor</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
 </project>

kroxylicious-filters/kroxylicious-authorization/src/main/java/io/kroxylicious/filter/authorization/AuthorizationFilter.java

@@ -58,6 +58,7 @@ public class AuthorizationFilter implements RequestFilter, ResponseFilter {
             @Override
             CompletionStage<ResponseFilterResult> onResponse(ResponseHeaderData header, ApiVersionsResponseData response, FilterContext context,
                                                              AuthorizationFilter authorizationFilter) {
+                AuthorizationFilter.nonAuthorizableRequest(context);
                 return authorizationFilter.checkCompat(header, response, context);
             }
         });
@@ -150,11 +151,27 @@ public AuthorizationFilter(Authorizer authorizer) {
     CompletionStage<AuthorizeResult> authorization(FilterContext context, List<Action> actions) {
         return authorizer.authorize(context.authenticatedSubject(), actions)
                 .thenApply(authz -> {
-                    LOG.info("DENY {} to {}", authz.denied(), authz.subject());
+                    if (!authz.denied().isEmpty()) {
+                        LOG.info("DENY {} to {}", authz.denied(), authz.subject());
+                    }
+                    else if (!authz.allowed().isEmpty()) {
+                        LOG.debug("ALLOW {} to {}", authz.allowed(), authz.subject());
+                    }
+                    else if (actions.isEmpty()) {
+                        LOG.debug("ALLOW {} no authorizable actions", authz.subject());
+                    }
                     return authz;
                 });
     }
 
+    static void nonAuthorizableRequest(FilterContext context) {
+        LOG.debug("NON-AUTHORIZABLE request from {}", context.authenticatedSubject());
+    }
+
+    static void nonAuthorizableResponse(FilterContext context) {
+        LOG.debug("NON-AUTHORIZABLE response from {}", context.authenticatedSubject());
+    }
+
     <R> void pushInflightState(RequestHeaderData header, InflightState<R> inflightState) {
         var existing = this.inflightState.put(header.correlationId(), inflightState);
         if (existing != null) {

kroxylicious-filters/kroxylicious-authorization/src/main/java/io/kroxylicious/filter/authorization/Passthrough.java

@@ -54,6 +54,7 @@ CompletionStage<RequestFilterResult> onRequest(RequestHeaderData header,
                                                    Q request,
                                                    FilterContext context,
                                                    AuthorizationFilter authorizationFilter) {
+        AuthorizationFilter.nonAuthorizableRequest(context);
         return context.forwardRequest(header, request);
     }
 
@@ -62,7 +63,7 @@ CompletionStage<ResponseFilterResult> onResponse(ResponseHeaderData header,
                                                      S response,
                                                      FilterContext context,
                                                      AuthorizationFilter authorizationFilter) {
-
+        AuthorizationFilter.nonAuthorizableResponse(context);
         return context.forwardResponse(header, response);
     }
 }

kroxylicious-filters/kroxylicious-authorization/src/test/java/io/kroxylicious/filter/authorization/AuthorizationFilterTest.java

@@ -42,18 +42,22 @@
 import io.kroxylicious.test.requestresponsetestdef.KafkaApiMessageConverter;
 
 import edu.umd.cs.findbugs.annotations.NonNull;
+import nl.altindag.log.LogCaptor;
 
 import static java.util.EnumSet.complementOf;
 import static java.util.EnumSet.copyOf;
 import static java.util.EnumSet.of;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.fail;
 
 class AuthorizationFilterTest {
 
     private static final ObjectMapper MAPPER = new ObjectMapper(new YAMLFactory());
 
     private static final Pattern TEST_RESOURCE_FILTER = Pattern.compile("scenarios/.*\\.yaml");
 
+    private static final LogCaptor logCaptor = LogCaptor.forClass(AuthorizationFilter.class);
+
     static Stream<Arguments> authorization() throws Exception {
         List<ClassPath.ResourceInfo> resources = ClassPath.from(AuthorizationFilterTest.class.getClassLoader()).getResources().stream()
                 .filter(ri -> TEST_RESOURCE_FILTER.matcher(ri.getResourceName()).matches()).toList();
@@ -96,13 +100,37 @@ void authorization(ScenarioDefinition definition) {
         if (!mockUpstream.isFinished()) {
             throw new IllegalStateException("test has finished, but mock responses are still queued");
         }
+
+        assertOutcomeLogged();
         // we expect that any inflight state pushed during a request is always popped on the corresponding response
         // if it is non-empty then we may have a memory leak
         assertThat(authorizationFilter.inflightState())
                 .describedAs("inflight state")
                 .isEmpty();
     }
 
+    private static void assertOutcomeLogged() {
+        assertThat(logCaptor.getLogEvents())
+                .isNotEmpty()
+                .allSatisfy(event -> {
+                    if ("INFO".equalsIgnoreCase(event.getLevel())) {
+                        assertThat(event.getFormattedMessage())
+                                .startsWith("DENY")
+                                .doesNotContain("[]");
+                    }
+                    else if ("DEBUG".equalsIgnoreCase(event.getLevel())) {
+                        assertThat(event.getFormattedMessage())
+                                .containsAnyOf("ALLOW", "NON-AUTHORIZABLE")
+                                .doesNotContain("[]");
+                    }
+                    else {
+                        // false positive `fail` is annotated `CanIgnoreReturnValue` which is not supposed to trigger the warnings
+                        // noinspection ResultOfMethodCallIgnored
+                        fail("unexpected event logged: %s", event.getFormattedMessage());
+                    }
+                });
+    }
+
     private static void handleRequestForward(ScenarioDefinition definition, CompletionStage<RequestFilterResult> stage, MockUpstream mockUpstream, Subject subject,
                                              Map<Uuid, String> topicNames, AuthorizationFilter authorizationFilter, ApiKeys apiKeys, short version) {
         RequestFilterResult actual = assertThat(stage).succeedsWithin(Duration.ZERO).actual();
@@ -147,9 +175,8 @@ private static void handleRequestForward(ScenarioDefinition definition, Completi
                     throw new IllegalStateException("mock upstream still has responses queued, but filter short circuit responded");
                 }
                 if (definition.then().expectedErrorResponse() != null) {
-                    assertThat(actual).isInstanceOfSatisfying(MockFilterContext.ErrorRequestFilterResult.class, result -> {
-                        assertThat(result.apiException()).isEqualTo(definition.then().expectedErrorResponse().exception());
-                    });
+                    assertThat(actual).isInstanceOfSatisfying(MockFilterContext.ErrorRequestFilterResult.class,
+                            result -> assertThat(result.apiException()).isEqualTo(definition.then().expectedErrorResponse().exception()));
                 }
                 else {
                     if (definition.then().expectedResponseHeader() != null) {