Refine logging on revocation failures.
We now log token accessors if a token revocation has failed.

Closes gh-766
mp911de committed Mar 20, 2023
1 parent aeaf571 commit 480a295
Showing 3 changed files with 30 additions and 10 deletions.
Expand Up @@ -24,6 +24,7 @@
import org.springframework.scheduling.TaskScheduler;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.event.*;
import org.springframework.vault.client.VaultHttpHeaders;
Expand Down Expand Up @@ -167,7 +168,14 @@ protected void revoke(VaultToken token) {
dispatch(new AfterLoginTokenRevocationEvent(token));
}
catch (RuntimeException e) {
this.logger.warn(String.format("Cannot revoke VaultToken: %s", token.getToken()), e);
if (LoginToken.hasAccessor(token)) {
this.logger.warn(
String.format("Cannot revoke VaultToken with accessor: %s", ((LoginToken) token).getAccessor()),
e);
}
else {
this.logger.warn("Cannot revoke VaultToken", e);
}
dispatch(new LoginTokenRevocationFailedEvent(token, e));
}
}
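Review bot: The `catch` block in `revoke` now keeps the token value out of the log, but nothing in the code says this is deliberate, so a later edit could put `token.getToken()` back into the message. A short comment above the `if` would pin it down, for example `// Never log token.getToken(): it is the bearer credential; the accessor identifies the token but cannot be used to authenticate.` The same `token` is still handed whole to `LoginTokenRevocationFailedEvent`, so listeners that log the event need the same care. The `StringUtils` import added at the top of this file is not used by any line visible here and may be unnecessary. The body of `revoke` starts outside the hunk.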
Expand Up @@ -18,8 +18,11 @@
import java.time.Duration;
import java.util.Arrays;

import org.apache.commons.logging.Log;

import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.vault.support.VaultToken;

/**
Expand Down Expand Up @@ -202,6 +205,10 @@ public static LoginToken renewable(char[] token, Duration leaseDuration) {
return new LoginToken(token, leaseDuration, true, null, null);
}

static boolean hasAccessor(VaultToken token) {
return token instanceof LoginToken && StringUtils.hasText(((LoginToken) token).getAccessor());
}

/**
* @return the lease duration in seconds. May be {@literal 0} if none.
*/
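Review bot: `hasAccessor` is added without Javadoc, although the method that follows it is documented, and its type and null handling is worth stating because callers cast to `LoginToken` on the strength of its result. Something like `/** @return {@literal true} if {@code token} is a {@link LoginToken} with a non-blank accessor; {@literal false} otherwise, including for {@literal null}. */` would do. The `org.apache.commons.logging.Log` import added in the first hunk is not referenced by any line shown here, so it may be a leftover; that needs checking against the full file.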
Expand Up @@ -26,6 +26,7 @@
import org.springframework.scheduling.TaskScheduler;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.event.*;
import org.springframework.vault.client.VaultHttpHeaders;
Expand Down Expand Up @@ -168,19 +169,23 @@ protected Mono<Void> revoke(VaultToken token) {
}).retrieve().bodyToMono(String.class)
.doOnSubscribe(ignore -> dispatch(new BeforeLoginTokenRevocationEvent(token)))
.doOnNext(ignore -> dispatch(new AfterLoginTokenRevocationEvent(token)))
.onErrorResume(WebClientResponseException.class, e -> {
.onErrorResume(WebClientResponseException.class, e -> onRevokeFailed(token, e))
.onErrorResume(Exception.class, e -> onRevokeFailed(token, e)).then();
}

this.logger.warn(format("Could not revoke token", e));
dispatch(new LoginTokenRevocationFailedEvent(token, e));
private Mono<String> onRevokeFailed(VaultToken token, Throwable e) {

return Mono.empty();
}).onErrorResume(Exception.class, e -> {
if (LoginToken.hasAccessor(token)) {
this.logger.warn(
String.format("Cannot revoke VaultToken with accessor: %s", ((LoginToken) token).getAccessor()), e);
}
else {
this.logger.warn("Cannot revoke VaultToken", e);
}

this.logger.warn("Could not revoke token", e);
dispatch(new LoginTokenRevocationFailedEvent(token, e));
dispatch(new LoginTokenRevocationFailedEvent(token, e));

return Mono.empty();
}).then();
return Mono.empty();
}

/**
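Review bot: On the new side both `onErrorResume` operators call `onRevokeFailed(token, e)`, and `WebClientResponseException` is itself an `Exception`, so the first operator no longer adds anything. The chain can end in a single `.onErrorResume(Exception.class, e -> onRevokeFailed(token, e)).then();`. The `if`/`else` inside `onRevokeFailed` also duplicates the logging branch this commit adds to the blocking `revoke`; a small package-private helper that builds the message would keep the two from drifting apart, and would be the one place to document that the token value must never be logged. The `StringUtils` import added here is not used in the visible lines. The start of `revoke` lies outside the hunk.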