Added more audit logs

artem-v · artem-v · commit 89963856a31d · 2025-03-18T23:48:10.000+02:00
diff --git a/Issues.md b/Issues.md
@@ -1,3 +1,3 @@
 * When sending null in ServiceMessage.data - now it's throwing BadRequest, but before it was
   security-exception. Must be changed back to how it was.
-* Add debug logs for Auth/Authz error situations.
+
diff --git a/services-api/src/main/java/io/scalecube/services/RequestContext.java b/services-api/src/main/java/io/scalecube/services/RequestContext.java
@@ -14,11 +14,15 @@
 import java.util.Objects;
 import java.util.StringJoiner;
 import java.util.stream.Stream;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import reactor.core.publisher.Mono;
 import reactor.util.context.Context;
 
 public class RequestContext implements Context {
 
+  private static final Logger LOGGER = LoggerFactory.getLogger(RequestContext.class);
+
   private final Context source;
 
   public RequestContext() {
@@ -178,17 +182,39 @@ public static Mono<RequestContext> deferSecured() {
         .doOnNext(
             context -> {
               if (!context.hasPrincipal()) {
+                if (LOGGER.isDebugEnabled()) {
+                  LOGGER.debug(
+                      "Insufficient permissions for secured method ({}): "
+                          + "request context does not have principal",
+                      context.methodInfo());
+                }
                 throw new ForbiddenException("Insufficient permissions");
               }
 
               final var principal = context.principal();
               final var methodInfo = context.methodInfo();
 
               if (!methodInfo.allowedRoles().contains(principal.role())) {
+                if (LOGGER.isDebugEnabled()) {
+                  LOGGER.debug(
+                      "Insufficient permissions for secured method ({}): "
+                          + "principal role is not allowed (principal: {})",
+                      context.methodInfo(),
+                      principal);
+                }
                 throw new ForbiddenException("Insufficient permissions");
               }
+
               for (var allowedPermission : methodInfo.allowedPermissions()) {
                 if (!principal.hasPermission(allowedPermission)) {
+                  if (LOGGER.isDebugEnabled()) {
+                    LOGGER.debug(
+                        "Insufficient permissions for secured method ({}): "
+                            + "allowed permission: {} is missing (principal: {})",
+                        context.methodInfo(),
+                        allowedPermission,
+                        principal.role());
+                  }
                   throw new ForbiddenException("Insufficient permissions");
                 }
               }
diff --git a/services-api/src/main/java/io/scalecube/services/methods/ServiceMethodInvoker.java b/services-api/src/main/java/io/scalecube/services/methods/ServiceMethodInvoker.java
@@ -16,12 +16,15 @@
 import java.util.Objects;
 import org.reactivestreams.Publisher;
 import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 import reactor.util.context.Context;
 
 public class ServiceMethodInvoker {
 
+  private static final Logger LOGGER = LoggerFactory.getLogger(ServiceMethodInvoker.class);
+
   private final Method method;
   private final Object service;
   private final MethodInfo methodInfo;
@@ -243,6 +246,12 @@ private Mono<Principal> mapPrincipal(RequestContext context) {
       if (context.hasPrincipal()) {
         return Mono.just(context.principal());
       } else {
+        if (LOGGER.isDebugEnabled()) {
+          LOGGER.debug(
+              "Insufficient permissions for secured method ({}): "
+                  + "request context does not have principal and principalMapper is also not set",
+              methodInfo);
+        }
         throw new ForbiddenException("Insufficient permissions");
       }
     }
diff --git a/services-transport-parent/services-transport-rsocket/src/main/java/io/scalecube/services/transport/rsocket/RSocketServiceAcceptor.java b/services-transport-parent/services-transport-rsocket/src/main/java/io/scalecube/services/transport/rsocket/RSocketServiceAcceptor.java
@@ -50,8 +50,7 @@ private Mono<Principal> authenticate(ByteBuf connectionSetup) {
     final var credentials = new byte[connectionSetup.readableBytes()];
     connectionSetup.getBytes(connectionSetup.readerIndex(), credentials);
 
-    return authenticator
-        .authenticate(credentials)
+    return Mono.defer(() -> authenticator.authenticate(credentials))
         .switchIfEmpty(Mono.just(NULL_PRINCIPAL))
         .doOnSuccess(principal -> LOGGER.debug("Authenticated successfully: {}", principal))
         .doOnError(ex -> LOGGER.error("Authentication failed", ex))
