chore: improve comments, error handling, logging, and edge cases

Changes in addition to minor cleanups:
- `authentication.Store` can now log info and warnings
- Improved logic in `UpdateAuthorization` when both Token and HashedToken
  are set. Added supporting test cases.

Author: gwossum

authorization/hasher.go

@@ -50,7 +50,7 @@ func WithDecoderVariants(variants []influxdb2_algo.Variant) AuthorizationHasherO
 
 // NewAuthorizationHasher creates an AuthorizationHasher for influxdb2 algorithm hashed tokens.
 // variantName specifies which token hashing variant to use, with blank indicating to use the default
-// hashing variant. By defaults, all variants of the influxdb2 hashing scheme are supported for
+// hashing variant. By default, all variants of the influxdb2 hashing scheme are supported for
 // maximal compatibility.
 func NewAuthorizationHasher(opts ...AuthorizationHasherOption) (*AuthorizationHasher, error) {
 	options := authorizationHasherOptions{
@@ -80,8 +80,8 @@ func NewAuthorizationHasher(opts ...AuthorizationHasherOption) (*AuthorizationHa
 		}
 	}
 
-	// Create all variant hashers needed for requested decoder variants. This is for operations where all
-	// potential variations of a raw token must be hashed.
+	// Create all variant hashers needed for requested decoder variants. This is required for operations where
+	// all potential variations of a raw token must be hashed, such as looking up a hash in the hashed token index.
 	var allHashers []algorithm.Hash
 	for _, variant := range options.decoderVariants {
 		h, err := influxdb2_algo.New(influxdb2_algo.WithVariant(variant))
@@ -110,11 +110,11 @@ func (h *AuthorizationHasher) Hash(token string) (string, error) {
 // AllHashes generates a list of PHC-encoded hashes of token for all deterministic (i.e. non-salted) supported hashes.
 func (h *AuthorizationHasher) AllHashes(token string) ([]string, error) {
 	hashes := make([]string, len(h.allHashers))
-	for idx, h := range h.allHashers {
-		digest, err := h.Hash(token)
+	for idx, hasher := range h.allHashers {
+		digest, err := hasher.Hash(token)
 		if err != nil {
 			variantName := "N/A"
-			if influxdb_hasher, ok := h.(*influxdb2_algo.Hasher); ok {
+			if influxdb_hasher, ok := hasher.(*influxdb2_algo.Hasher); ok {
 				variantName = influxdb_hasher.Variant().Prefix()
 			}
 			return nil, fmt.Errorf("hashing raw token failed (variant=%s): %w", variantName, err)

authorization/http_server_test.go

@@ -183,15 +183,16 @@ func TestService_handlePostAuthorization(t *testing.T) {
 
 				res := w.Result()
 				contentType := res.Header.Get("Content-Type")
-				body, _ := io.ReadAll(res.Body)
+				body, err := io.ReadAll(res.Body)
+				require.NoError(t, err)
 
 				require.Equalf(t, tt.wants.statusCode, res.StatusCode, "headers: %v body: %s", res.Header, body)
 				if tt.wants.contentType != "" {
 					require.Equal(t, tt.wants.contentType, contentType)
 				}
 				diff, err := jsonDiff(string(body), tt.wants.body)
 				require.NoError(t, err)
-				require.Empty(t, diff)
+				require.Empty(t, diff, "authorization endpoint returned unexpected result")
 			})
 		}
 	}
@@ -346,15 +347,16 @@ func TestService_handleGetAuthorization(t *testing.T) {
 
 			res := w.Result()
 			contentType := res.Header.Get("Content-Type")
-			body, _ := io.ReadAll(res.Body)
+			body, err := io.ReadAll(res.Body)
+			require.NoError(t, err)
 
 			require.Equalf(t, tt.wants.statusCode, res.StatusCode, "headers: %v body: %s", res.Header, body)
 			if tt.wants.contentType != "" {
 				require.Equal(t, tt.wants.contentType, contentType)
 			}
 			diff, err := jsonDiff(string(body), tt.wants.body)
 			require.NoError(t, err)
-			require.Empty(t, diff)
+			require.Empty(t, diff, "authorization endpoint returned unexpected result")
 		})
 	}
 }
@@ -730,15 +732,16 @@ func TestService_handleGetAuthorizations(t *testing.T) {
 
 				res := w.Result()
 				contentType := res.Header.Get("Content-Type")
-				body, _ := io.ReadAll(res.Body)
+				body, err := io.ReadAll(res.Body)
+				require.NoError(t, err)
 
 				require.Equal(t, tt.wants.statusCode, res.StatusCode)
 				if tt.wants.contentType != "" {
 					require.Equal(t, tt.wants.contentType, contentType)
 				}
 				diff, err := jsonDiff(string(body), tt.wants.body)
 				require.NoError(t, err)
-				require.Empty(t, diff)
+				require.Empty(t, diff, "authorization endpoint returned unexpected results")
 			})
 		}
 	}
@@ -827,17 +830,18 @@ func TestService_handleDeleteAuthorization(t *testing.T) {
 
 			res := w.Result()
 			contentType := res.Header.Get("Content-Type")
-			body, _ := io.ReadAll(res.Body)
+			body, err := io.ReadAll(res.Body)
+			require.NoError(t, err)
 
 			require.Equal(t, tt.wants.statusCode, res.StatusCode)
 			if tt.wants.contentType != "" {
-				require.Equal(t, tt.wants.contentType, contentType)
+				require.Equal(t, tt.wants.contentType, contentType, "handleDeleteAuthorization")
 			}
 
 			if tt.wants.body != "" {
 				diff, err := jsonDiff(string(body), tt.wants.body)
 				require.NoError(t, err)
-				require.Empty(t, diff)
+				require.Empty(t, diff, "authorization endpoint returned unexpected results")
 			}
 		})
 	}

authorization/storage.go

@@ -14,6 +14,7 @@ import (
 	"github.com/influxdata/influxdb/v2/kv"
 	influxdb2_algo "github.com/influxdata/influxdb/v2/pkg/crypt/algorithm/influxdb2"
 	"github.com/influxdata/influxdb/v2/snowflake"
+	"go.uber.org/zap"
 )
 
 /*---
@@ -126,6 +127,9 @@ type Store struct {
 	// Indicates if tokens should be stored in hashed PHC format.
 	useHashedTokens bool
 
+	// Logger
+	log *zap.Logger
+
 	// Indicates if Store is read-only.
 	readOnly bool
 
@@ -153,15 +157,21 @@ func WithAuthorizationHashVariantName(name string) StoreOption {
 	}
 }
 
-func WithReadOnly(readOnly bool) StoreOption {
+func WithIgnoreMissingHashIndex(allowMissing bool) StoreOption {
 	return func(s *storePlusOptions) {
-		s.readOnly = readOnly
+		s.ignoreMissingHashIndex = allowMissing
 	}
 }
 
-func WithIgnoreMissingHashIndex(allowMissing bool) StoreOption {
+func WithLogger(log *zap.Logger) StoreOption {
 	return func(s *storePlusOptions) {
-		s.ignoreMissingHashIndex = allowMissing
+		s.log = log
+	}
+}
+
+func WithReadOnly(readOnly bool) StoreOption {
+	return func(s *storePlusOptions) {
+		s.readOnly = readOnly
 	}
 }
 
@@ -180,6 +190,10 @@ func NewStore(ctx context.Context, kvStore kv.Store, useHashedTokens bool, opts
 		o(s)
 	}
 
+	if s.log == nil {
+		s.log = zap.NewNop()
+	}
+
 	if err := s.setup(ctx); err != nil {
 		return nil, err
 	}
@@ -264,8 +278,12 @@ func (s *Store) hashedTokenMigration(ctx context.Context) error {
 	var authsNeedingUpdate []*influxdb.Authorization
 	err := s.View(ctx, func(tx kv.Tx) error {
 		s.forEachAuthorization(ctx, tx, nil, func(a *influxdb.Authorization) bool {
-			if a.HashedToken == "" && a.Token != "" {
-				authsNeedingUpdate = append(authsNeedingUpdate, a)
+			if a.HashedToken == "" {
+				if a.Token != "" {
+					authsNeedingUpdate = append(authsNeedingUpdate, a)
+				} else {
+					s.log.Warn("found authorization without any token set during hashed token migration", zap.Uint64("ID", uint64(a.ID)), zap.String("description", a.Description))
+				}
 			}
 			return true
 		})

authorization/storage_authorization.go

@@ -13,6 +13,7 @@ import (
 	"github.com/influxdata/influxdb/v2/kit/platform/errors"
 	"github.com/influxdata/influxdb/v2/kv"
 	jsonp "github.com/influxdata/influxdb/v2/pkg/jsonparser"
+	"go.uber.org/zap"
 )
 
 var (
@@ -80,38 +81,42 @@ func decodeAuthorization(b []byte, a *influxdb.Authorization) error {
 	return nil
 }
 
-// verifyTokensMatch returns an error if a.Token and a.HashedToken are set
-// but do not match.
-func (s *Store) verifyTokensMatch(a *influxdb.Authorization) error {
-	if a.Token == "" || a.HashedToken == "" {
-		return nil
-	}
-
-	// If both Token and HashedToken are set, make sure they are equivalent before continuing.
-	match, err := s.hasher.Match(a.HashedToken, a.Token)
-	if err != nil {
-		return fmt.Errorf("error matching tokens: %w", err)
-	}
-	if !match {
-		return ErrHashedTokenMismatch
-	}
-	return nil
-}
-
-// hashToken hashes a.Token to a.HashedToken, if needed.
-func (s *Store) hashToken(a *influxdb.Authorization) error {
-	if !s.useHashedTokens || a.HashedToken != "" || a.Token == "" {
-		// Either we're not using token hashing, the token has already been hashed,
-		// or there's no token to be hashed.
-		return nil
+// transformToken updates a.Token and a.HashedToken to match configuration state,
+// if needed. If needed, transformToken generates the a.HashedToken from a.Token when
+// token hashing is enabled. transformToken will also clear a.HashedToken if token
+// hashing is turned off and a.Token is set to the matching token. If a.HashedToken and
+// a.Token are both set but do not match (a.HashedToken is a hash of a.Token), then an
+// error is returned.
+func (s *Store) transformToken(a *influxdb.Authorization) error {
+	// Verify Token and HashedToken match if both are set.
+	if a.Token != "" && a.HashedToken != "" {
+		match, err := s.hasher.Match(a.HashedToken, a.Token)
+		if err != nil {
+			return fmt.Errorf("error matching tokens: %w", err)
+		}
+		if !match {
+			return ErrHashedTokenMismatch
+		}
 	}
 
-	// Hash the token. Redaction of the hashed token takes place when the record is written.
-	hashedToken, err := s.hasher.Hash(a.Token)
-	if err != nil {
-		return fmt.Errorf("error hashing token: %w", err)
+	if a.Token != "" {
+		if s.useHashedTokens {
+			// Need to generate HashedToken from Token. Redaction of the hashed token takes
+			// place when the record is written to the KV store. In some cases the client
+			// code that triggered commit needs access to the raw Token, such as when a
+			// token is initially created so it can be shown to the user.
+			// Note that even if a.HashedToken is set, we will regenerate it here. This ensures
+			// that a.HashedToken will be stored using the currently configured hashing algoirithm.
+			if hashedToken, err := s.hasher.Hash(a.Token); err != nil {
+				return fmt.Errorf("error hashing token: %w", err)
+			} else {
+				a.HashedToken = hashedToken
+			}
+		} else {
+			// Token hashing disabled, a.Token is available, clear a.HashedToken if set.
+			a.HashedToken = ""
+		}
 	}
-	a.HashedToken = hashedToken
 
 	return nil
 }
@@ -177,7 +182,7 @@ func (s *Store) GetAuthorizationByID(ctx context.Context, tx kv.Tx, id platform.
 	return a, nil
 }
 
-// validateToken checks if token matches tht token stored in auth. If auth.Token is set, that is
+// validateToken checks if token matches that token stored in auth. If auth.Token is set, that is
 // compared first. Otherwise, auth.HashedToken is used to verify token. If neither field in auth is set, then
 // the comparison fails.
 func (s *Store) validateToken(auth *influxdb.Authorization, token string) (bool, error) {
@@ -349,11 +354,7 @@ func (s *Store) forEachAuthorization(ctx context.Context, tx kv.Tx, pred kv.Curs
 // and makes sure indices point to it. It does not delete any indices. The updated authorization is
 // returned on success.
 func (s *Store) commitAuthorization(ctx context.Context, tx kv.Tx, a *influxdb.Authorization) error {
-	if err := s.verifyTokensMatch(a); err != nil {
-		return errors.ErrInternalServiceError(err, errors.WithErrorCode(errors.EInvalid))
-	}
-
-	if err := s.hashToken(a); err != nil {
+	if err := s.transformToken(a); err != nil {
 		return errors.ErrInternalServiceError(err, errors.WithErrorCode(errors.EInternal))
 	}
 
@@ -602,7 +603,12 @@ func (s *Store) authorizationsPredicateFn(f influxdb.AuthorizationFilter) kv.Cur
 
 	if f.Token != nil {
 		token := *f.Token
-		allHashes, _ := s.hasher.AllHashes(token) // on error, allHashes is empty and we'll ignore hashedToken
+		allHashes, err := s.hasher.AllHashes(token)
+		if err != nil {
+			s.log.Error("error generating hashes in authorizationsPredicateFn", zap.Error(err))
+			// On error, continue onward. allHashes is empty and we'll effectively ignore hashedToken,
+			// but we'll still look at the unhashed Token if it is available.
+		}
 		return func(_, value []byte) bool {
 			// it is assumed that token never has escaped string data
 			if got, _, _, err := jsonparser.Get(value, "token"); err == nil {
@@ -652,8 +658,13 @@ func (s *Store) filterAuthorizationsFn(filter influxdb.AuthorizationFilter) func
 
 	if filter.Token != nil {
 		token := *filter.Token
-		// if AllHashes returns an error, allHashes will be empty and we will ignore a.HashedToken.
-		allHashes, _ := s.hasher.AllHashes(token)
+		allHashes, err := s.hasher.AllHashes(token)
+		if err != nil {
+			s.log.Error("error generating hashes in filterPredicateFn", zap.Error(err))
+			// On error, continue onward. allHashes is empty and we'll effectively ignore hashedToken,
+			// but we'll still look at the unhashed Token if it is available.
+		}
+
 		return func(a *influxdb.Authorization) bool {
 			if a.Token == token {
 				return true