zilencer: Log why the server got a 401.

2023-12-14 16:18:12 +00:00 · 2023-12-14 16:18:12 +00:00 · 863c1c28f7
parent 036b1156f2
commit 863c1c28f7
1 changed files with 9 additions and 0 deletions
--- a/zilencer/auth.py
+++ b/zilencer/auth.py
@ -73,20 +73,26 @@ def validate_remote_server(
    role: str,
    api_key: str,
 ) -> RemoteZulipServer:
+    log_data = RequestNotes.get_notes(request).log_data
+    assert log_data is not None
    try:
        remote_server = get_remote_server_by_uuid(role)
    except RemoteZulipServer.DoesNotExist:
+        log_data["extra"] = "[invalid-server]"
        raise InvalidZulipServerError(role)
    if not constant_time_compare(api_key, remote_server.api_key):
+        log_data["extra"] = "[invalid-server-key]"
        raise InvalidZulipServerKeyError(role)

    if remote_server.deactivated:
+        log_data["extra"] = "[deactivated-server]"
        raise RemoteServerDeactivatedError
    if (
        get_subdomain(request) != Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
        and not settings.DEVELOPMENT_DISABLE_PUSH_BOUNCER_DOMAIN_CHECK
    ):
        # Sometimes we may want to test push bouncer logic in development.
+        log_data["extra"] = "[invalid-domain]"
        raise JsonableError(_("Invalid subdomain for push notifications bouncer"))
    RequestNotes.get_notes(request).remote_server = remote_server
    process_client(request)
@ -102,6 +108,9 @@ def authenticated_remote_server_view(
    ) -> HttpResponse:
        role, api_key = get_basic_credentials(request)
        if "@" in role:
+            log_data = RequestNotes.get_notes(request).log_data
+            assert log_data is not None
+            log_data["extra"] = "[non-server-key]"
            raise JsonableError(_("Must validate with valid Zulip server API key"))
        try:
            remote_server = validate_remote_server(request, role, api_key)