ldap: Return special error messages for write to log from ldap auth provider (#11404)

Author: molotkov-and

ydb/core/security/ldap_auth_provider/ldap_auth_provider.cpp

@@ -179,9 +179,10 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
             LDAP_LOG_D("start TLS");
             result = NKikimrLdap::StartTLS(*ld);
             if (!NKikimrLdap::IsSuccess(result)) {
-                LDAP_LOG_D("Could not start TLS. " << NKikimrLdap::ErrorToString(result));
+                TStringBuilder logErrorMessage;
+                logErrorMessage << "Could not start TLS. " << NKikimrLdap::ErrorToString(result);
                 TEvLdapAuthProvider::TError error {
-                    .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)
+                    .Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = NKikimrLdap::IsRetryableError(result)
                 };
                 // The Unbind operation is not the antithesis of the Bind operation as the name implies.
                 // Close the LDAP connection, free the resources contained in the LDAP structure
@@ -193,10 +194,11 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
         LDAP_LOG_D("bind: bindDn: " << Settings.GetBindDn());
         result = NKikimrLdap::Bind(*ld, Settings.GetBindDn(), Settings.GetBindPassword());
         if (!NKikimrLdap::IsSuccess(result)) {
-            LDAP_LOG_D("Could not perform initial LDAP bind for dn " << Settings.GetBindDn() << " on server " + UrisCreator.GetUris() << ". "
-                            << NKikimrLdap::ErrorToString(result));
+            TStringBuilder logErrorMessage;
+            logErrorMessage << "Could not perform initial LDAP bind for dn " << Settings.GetBindDn() << " on server " + UrisCreator.GetUris() << ". "
+                            << NKikimrLdap::ErrorToString(result);
             TEvLdapAuthProvider::TError error {
-                .Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)
+                .Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = NKikimrLdap::IsRetryableError(result)
             };
             // The Unbind operation is not the antithesis of the Bind operation as the name implies.
             // Close the LDAP connection, free the resources contained in the LDAP structure
@@ -216,37 +218,41 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
             const TString& caCertificateFile = Settings.GetUseTls().GetCaCertFile();
             result = NKikimrLdap::SetOption(*ld, NKikimrLdap::EOption::TLS_CACERTFILE, caCertificateFile.c_str());
             if (!NKikimrLdap::IsSuccess(result)) {
-                LDAP_LOG_D("Could not set LDAP ca certificate file \"" << caCertificateFile + "\": " << NKikimrLdap::ErrorToString(result));
+                TStringBuilder logErrorMessage;
+                logErrorMessage << "Could not set LDAP ca file \"" << caCertificateFile + "\": " << NKikimrLdap::ErrorToString(result);
                 NKikimrLdap::Unbind(*ld);
                 return {{NKikimrLdap::ErrorToStatus(result),
-                        {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
+                        {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
             }
         }
 
         LDAP_LOG_D("init: scheme: " << Settings.GetScheme() << ", uris: " << UrisCreator.GetUris() << ", port: " << UrisCreator.GetConfiguredPort());
         result = NKikimrLdap::Init(ld, Settings.GetScheme(), UrisCreator.GetUris(), UrisCreator.GetConfiguredPort());
         if (!NKikimrLdap::IsSuccess(result)) {
-            LDAP_LOG_D("Could not initialize LDAP connection for uris: " << UrisCreator.GetUris() << ". " << NKikimrLdap::LdapError(*ld));
+            TStringBuilder logErrorMessage;
+            logErrorMessage << "Could not initialize LDAP connection for uris: " << UrisCreator.GetUris() << ". " << NKikimrLdap::LdapError(*ld);
             return {{TEvLdapAuthProvider::EStatus::UNAVAILABLE,
-                    {.Message = ERROR_MESSAGE, .Retryable = false}}};
+                    {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = false}}};
         }
 
         result = NKikimrLdap::SetProtocolVersion(*ld);
         if (!NKikimrLdap::IsSuccess(result)) {
             NKikimrLdap::Unbind(*ld);
-            LDAP_LOG_D("Could not set LDAP protocol version: " << NKikimrLdap::ErrorToString(result));
+            TStringBuilder logErrorMessage;
+            logErrorMessage << "Could not set LDAP protocol version: " << NKikimrLdap::ErrorToString(result);
             return {{NKikimrLdap::ErrorToStatus(result),
-                    {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
+                    {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
         }
 
         if (Settings.GetScheme() == NKikimrLdap::LDAPS_SCHEME || Settings.GetUseTls().GetEnable()) {
             int requireCert = NKikimrLdap::ConvertRequireCert(Settings.GetUseTls().GetCertRequire());
             result = NKikimrLdap::SetOption(*ld, NKikimrLdap::EOption::TLS_REQUIRE_CERT, &requireCert);
             if (!NKikimrLdap::IsSuccess(result)) {
                 NKikimrLdap::Unbind(*ld);
-                LDAP_LOG_D("Could not set require certificate option: " << NKikimrLdap::ErrorToString(result));
+                TStringBuilder logErrorMessage;
+                logErrorMessage << "Could not set require certificate option: " << NKikimrLdap::ErrorToString(result);
                 return {{NKikimrLdap::ErrorToStatus(result),
-                        {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
+                        {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = NKikimrLdap::IsRetryableError(result)}}};
             }
         }
 
@@ -256,23 +262,27 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
     TAuthenticateUserResponse AuthenticateUser(const TAuthenticateUserRequest& request) {
         char* dn = NKikimrLdap::GetDn(*request.Ld, request.Entry);
         if (dn == nullptr) {
-            LDAP_LOG_D("Could not get dn for the first entry matching " << FilterCreator.GetFilter(request.Login) << " on server " << UrisCreator.GetUris() << ". "
-                            << NKikimrLdap::LdapError(*request.Ld));
+            TStringBuilder logErrorMessage;
+            logErrorMessage << "Could not get dn for the first entry matching " << FilterCreator.GetFilter(request.Login)
+                            << " on server " << UrisCreator.GetUris() << ". " << NKikimrLdap::LdapError(*request.Ld);
             return {{TEvLdapAuthProvider::EStatus::UNAUTHORIZED,
-                    {.Message = ERROR_MESSAGE, .Retryable = false}}};
+                    {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = false}}};
         }
         if (request.Password.empty()) {
-            LDAP_LOG_D("LDAP login failed for user " << TString(dn) << ". Empty password");
+            TStringBuilder logErrorMessage;
+            logErrorMessage << "LDAP login failed for user " << TString(dn) << ". Empty password";
             NKikimrLdap::MemFree(dn);
-            return {{.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED, .Error = {.Message = TString(ERROR_MESSAGE) + ". Empty password", .Retryable = false}}};
+            return {{.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED, .Error = {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = false}}};
         }
         TEvLdapAuthProvider::TError error;
         LDAP_LOG_D("bind: bindDn: " << dn);
         int result = NKikimrLdap::Bind(*request.Ld, dn, request.Password);
         if (!NKikimrLdap::IsSuccess(result)) {
-            LDAP_LOG_D("LDAP login failed for user " << TString(dn) << " on server " << UrisCreator.GetUris() << ". "
-                            << NKikimrLdap::ErrorToString((result)));
+            TStringBuilder logErrorMessage;
+            logErrorMessage << "LDAP login failed for user " << TString(dn) << " on server " << UrisCreator.GetUris() << ". "
+                            << NKikimrLdap::ErrorToString((result));
             error.Message = ERROR_MESSAGE;
+            error.LogMessage = logErrorMessage;
             error.Retryable = NKikimrLdap::IsRetryableError(result);
         }
         NKikimrLdap::MemFree(dn);
@@ -296,22 +306,24 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
                                         &searchMessage);
         TSearchUserResponse response;
         if (!NKikimrLdap::IsSuccess(result)) {
-            LDAP_LOG_D("Could not search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << ". "
-                                         << NKikimrLdap::ErrorToString(result));
+            TStringBuilder logErrorMessage;
+            logErrorMessage << "Could not perform search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << ". "
+                            << NKikimrLdap::ErrorToString(result);
             response.Status = NKikimrLdap::ErrorToStatus(result);
-            response.Error = {.Message = ERROR_MESSAGE, .Retryable = NKikimrLdap::IsRetryableError(result)};
+            response.Error = {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = NKikimrLdap::IsRetryableError(result)};
             return response;
         }
         const int countEntries = NKikimrLdap::CountEntries(request.Ld, searchMessage);
         if (countEntries != 1) {
+            TStringBuilder logErrorMessage;
             if (countEntries == 0) {
-                LDAP_LOG_D("LDAP user " << request.User << " does not exist. "
-                           "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return no entries");
+                logErrorMessage << "LDAP user " << request.User << " does not exist. "
+                                   "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return no entries";
             } else {
-                LDAP_LOG_D("LDAP user " << request.User << " is not unique. "
-                           "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return " << countEntries << " entries");
+                logErrorMessage << "LDAP user " << request.User << " is not unique. "
+                                   "LDAP search for filter " << searchFilter << " on server " << UrisCreator.GetUris() << " return " << countEntries << " entries";
             }
-            response.Error = {.Message = ERROR_MESSAGE, .Retryable = false};
+            response.Error = {.Message = ERROR_MESSAGE, .LogMessage = logErrorMessage, .Retryable = false};
             response.Status = TEvLdapAuthProvider::EStatus::UNAUTHORIZED;
             NKikimrLdap::MsgFree(searchMessage);
             return response;
@@ -411,16 +423,16 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
 
     TInitializeLdapConnectionResponse CheckRequiredSettingsParameters() const {
         if (Settings.GetHosts().empty() && Settings.GetHost().empty()) {
-            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "List of ldap server hosts is empty", .Retryable = false}};
+            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = ERROR_MESSAGE, .LogMessage = "List of ldap server hosts is empty", .Retryable = false}};
         }
         if (Settings.GetBaseDn().empty()) {
-            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Parameter BaseDn is empty", .Retryable = false}};
+            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = ERROR_MESSAGE, .LogMessage = "Parameter BaseDn is empty", .Retryable = false}};
         }
         if (Settings.GetBindDn().empty()) {
-            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Parameter BindDn is empty", .Retryable = false}};
+            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = ERROR_MESSAGE, .LogMessage = "Parameter BindDn is empty", .Retryable = false}};
         }
         if (Settings.GetBindPassword().empty()) {
-            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = "Parameter BindPassword is empty", .Retryable = false}};
+            return {TEvLdapAuthProvider::EStatus::UNAVAILABLE, {.Message = ERROR_MESSAGE, .LogMessage = "Parameter BindPassword is empty", .Retryable = false}};
         }
         return {TEvLdapAuthProvider::EStatus::SUCCESS, {}};
     }
@@ -452,7 +464,7 @@ class TLdapAuthProvider : public NActors::TActorBootstrapped<TLdapAuthProvider>
     }
 
 private:
-    static constexpr const char* ERROR_MESSAGE = "User is unauthorized in LDAP server";
+    static constexpr const char* ERROR_MESSAGE = "Could not login via LDAP";
 
     const NKikimrProto::TLdapAuthentication Settings;
     const TSearchFilterCreator FilterCreator;

ydb/core/security/ldap_auth_provider/ldap_auth_provider_ut.cpp

@@ -929,7 +929,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
         TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
         TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
         UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
-        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
+        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "Could not login via LDAP");
         UNIT_ASSERT(ticketParserResult->Token == nullptr);
 
         ldapServer.Stop();
@@ -948,7 +948,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
         TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
         TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
         UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
-        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
+        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "Could not login via LDAP");
         UNIT_ASSERT(ticketParserResult->Token == nullptr);
 
         ldapServer.Stop();
@@ -983,7 +983,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
         TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, removedUserLogin, removedUserPassword);
         TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
         UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
-        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
+        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "Could not login via LDAP");
 
         ldapServer.Stop();
     }
@@ -1001,7 +1001,7 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
         TAutoPtr<IEventHandle> handle = LdapAuthenticate(server, login, password);
         TEvTicketParser::TEvAuthorizeTicketResult* ticketParserResult = handle->Get<TEvTicketParser::TEvAuthorizeTicketResult>();
         UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
-        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
+        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "Could not login via LDAP");
 
         ldapServer.Stop();
     }
@@ -1162,31 +1162,31 @@ void CheckRequiredLdapSettings(std::function<void(NKikimrProto::TLdapAuthenticat
 
         UNIT_ASSERT_C(!ticketParserResult->Error.empty(), "Expected return error message");
         UNIT_ASSERT(ticketParserResult->Token == nullptr);
-        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "User is unauthorized in LDAP server");
+        UNIT_ASSERT_STRINGS_EQUAL(ticketParserResult->Error.Message, "Could not login via LDAP");
         UNIT_ASSERT_EQUAL(ticketParserResult->Error.Retryable, false);
 
         ldapServer.Stop();
     }
 
 Y_UNIT_TEST_SUITE(LdapAuthProviderTest) {
     Y_UNIT_TEST(LdapServerIsUnavailable) {
-        CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "User is unauthorized in LDAP server", ESecurityConnectionType::START_TLS);
+        CheckRequiredLdapSettings(InitLdapSettingsWithUnavailableHost, "Could not login via LDAP", ESecurityConnectionType::START_TLS);
     }
 
     Y_UNIT_TEST(LdapRequestWithEmptyHost) {
-        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyHost, "List of ldap server hosts is empty");
+        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyHost, "Could not login via LDAP");
     }
 
     Y_UNIT_TEST(LdapRequestWithEmptyBaseDn) {
-        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBaseDn, "Parameter BaseDn is empty");
+        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBaseDn, "Could not login via LDAP");
     }
 
     Y_UNIT_TEST(LdapRequestWithEmptyBindDn) {
-        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindDn, "Parameter BindDn is empty");
+        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindDn, "Could not login via LDAP");
     }
 
     Y_UNIT_TEST(LdapRequestWithEmptyBindPassword) {
-        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindPassword, "Parameter BindPassword is empty");
+        CheckRequiredLdapSettings(InitLdapSettingsWithEmptyBindPassword, "Could not login via LDAP");
     }
 }