24653 - Changes to enable forbidden error logging for AUTH (#3177)

bcgov · Dec 12, 2024 · 020b4eb · 020b4eb
1 parent d56df39
commit 020b4eb
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/auth-api/devops/vaults.gcp.env b/auth-api/devops/vaults.gcp.env
@@ -57,3 +57,4 @@ DIRECT_PAY_ENABLED="op://relationship/$APP_ENV/pay-api/DIRECT_PAY_ENABLED"
 DISABLE_ACTIVITY_LOGS="op://relationship/$APP_ENV/pay-api/DISABLE_ACTIVITY_LOGS"
 AUTH_LD_SDK_KEY="op://launchdarkly/$APP_ENV/auth/AUTH_LD_SDK_KEY"
 VPC_CONNECTOR="op://CD/$APP_ENV/auth-api/VPC_CONNECTOR"
+ENABLE_403_LOGGING="op://relationship/$APP_ENV/auth-api/ENABLE_403_LOGGING"
diff --git a/auth-api/src/auth_api/__init__.py b/auth-api/src/auth_api/__init__.py
@@ -18,7 +18,7 @@
 import os
 import traceback
 
-from flask import Flask
+from flask import Flask, request
 from flask_cors import CORS
 from flask_migrate import Migrate, upgrade
 from sbc_common_components.utils.camel_case_response import convert_to_camel
@@ -33,6 +33,7 @@
 from auth_api.services.gcp_queue import queue
 from auth_api.utils.auth import jwt
 from auth_api.utils.cache import cache
+from auth_api.utils.user_context import _get_context
 
 logger = StructuredLogging.get_logger()
 
@@ -62,13 +63,31 @@ def create_app(run_mode=os.getenv("DEPLOYMENT_ENV", "production")):
         app.after_request(convert_to_camel)
 
         ExceptionHandler(app)
+        setup_403_logging(app)
         setup_jwt_manager(app, jwt)
         register_shellcontext(app)
         build_cache(app)
 
     return app
 
 
+def setup_403_logging(app):
+    """Log setup for forbidden."""
+    if app.config.get("ENABLE_403_LOGGING") is True:
+
+        @app.errorhandler(403)
+        def handle_403_error(error):
+            user_context = _get_context()
+
+            user_name = user_context.user_name[:5] + "..."
+            roles = user_context.roles
+            app.logger.error(f"403 Forbidden - {request.method} {request.url} - {user_name} - {roles}")
+
+            message = {"message": getattr(error, "message", error.description)}
+            headers = {"Content-Type": "application/json", "Access-Control-Allow-Origin": "*"}
+            return message, error.code, headers
+
+
 def execute_migrations(app):
     """Execute the database migrations."""
     try:

diff --git a/auth-api/src/auth_api/config.py b/auth-api/src/auth_api/config.py
@@ -199,6 +199,7 @@ class _Config:  # pylint: disable=too-few-public-methods
 
     # LaunchDarkly SDK key
     AUTH_LD_SDK_KEY = os.getenv("AUTH_LD_SDK_KEY", None)
+    ENABLE_403_LOGGING = os.getenv("ENABLE_403_LOGGING", "False").lower() == "true"
 
 
 class DevConfig(_Config):  # pylint: disable=too-few-public-methods