RSPEED-2466: Replace verbose rh-identity error messages with opaque responses

major · major · commit 52bf158fd1ea · 2026-02-19T10:04:39.000-06:00
Error messages in rh-identity auth revealed the full expected JSON
structure of the x-rh-identity header, allowing attackers to
reconstruct the schema in ~9 iterative requests.

Replace all 11 verbose validation errors with generic responses
("Invalid identity data" / "Insufficient entitlements") and move
detailed diagnostics to logger.warning() for ops troubleshooting.

Signed-off-by: Major Hayden &lt;major@redhat.com&gt;
diff --git a/src/authentication/rh_identity.py b/src/authentication/rh_identity.py
@@ -54,45 +54,56 @@ def _validate_structure(self) -> None:
             "identity" not in self.identity_data
             or self.identity_data["identity"] is None
         ):
-            raise HTTPException(status_code=400, detail="Missing 'identity' field")
+            logger.warning("Identity validation failed: missing 'identity' field")
+            raise HTTPException(status_code=400, detail="Invalid identity data")
 
         identity = self.identity_data["identity"]
         if "type" not in identity:
-            raise HTTPException(status_code=400, detail="Missing identity 'type' field")
+            logger.warning("Identity validation failed: missing 'type' field")
+            raise HTTPException(status_code=400, detail="Invalid identity data")
 
         identity_type = identity["type"]
         if identity_type == "User":
             if "user" not in identity:
-                raise HTTPException(
-                    status_code=400, detail="Missing 'user' field for User type"
+                logger.warning(
+                    "Identity validation failed: missing 'user' field for User type"
                 )
+                raise HTTPException(status_code=400, detail="Invalid identity data")
             user = identity["user"]
             if "user_id" not in user:
-                raise HTTPException(
-                    status_code=400, detail="Missing 'user_id' in user data"
+                logger.warning(
+                    "Identity validation failed: missing 'user_id' in user data"
                 )
+                raise HTTPException(status_code=400, detail="Invalid identity data")
             if "username" not in user:
-                raise HTTPException(
-                    status_code=400, detail="Missing 'username' in user data"
+                logger.warning(
+                    "Identity validation failed: missing 'username' in user data"
                 )
+                raise HTTPException(status_code=400, detail="Invalid identity data")
         elif identity_type == "System":
             if "system" not in identity:
-                raise HTTPException(
-                    status_code=400, detail="Missing 'system' field for System type"
+                logger.warning(
+                    "Identity validation failed: missing 'system' field for System type"
                 )
+                raise HTTPException(status_code=400, detail="Invalid identity data")
             system = identity["system"]
             if "cn" not in system:
-                raise HTTPException(
-                    status_code=400, detail="Missing 'cn' in system data"
+                logger.warning(
+                    "Identity validation failed: missing 'cn' in system data"
                 )
+                raise HTTPException(status_code=400, detail="Invalid identity data")
             if "account_number" not in identity:
-                raise HTTPException(
-                    status_code=400, detail="Missing 'account_number' for System type"
+                logger.warning(
+                    "Identity validation failed: "
+                    "missing 'account_number' for System type"
                 )
+                raise HTTPException(status_code=400, detail="Invalid identity data")
         else:
-            raise HTTPException(
-                status_code=400, detail=f"Unsupported identity type: {identity_type}"
+            logger.warning(
+                "Identity validation failed: unsupported identity type '%s'",
+                identity_type,
             )
+            raise HTTPException(status_code=400, detail="Invalid identity data")
 
     def _get_identity_type(self) -> str:
         """Get the identity type (User or System).
@@ -169,10 +180,13 @@ def validate_entitlements(self) -> None:
 
         missing = [s for s in self.required_entitlements if not self.has_entitlement(s)]
         if missing:
-            entitlement_word = "entitlement" if len(missing) == 1 else "entitlements"
+            logger.warning(
+                "Entitlement validation failed: missing required entitlements: %s",
+                ", ".join(missing),
+            )
             raise HTTPException(
                 status_code=403,
-                detail=f"Missing required {entitlement_word}: {', '.join(missing)}",
+                detail="Insufficient entitlements",
             )
 
 
diff --git a/tests/unit/authentication/test_rh_identity.py b/tests/unit/authentication/test_rh_identity.py
@@ -195,12 +195,12 @@ def test_has_entitlements(
             (
                 ["openshift"],
                 True,
-                "Missing required entitlement: openshift",
+                "Insufficient entitlements",
             ),  # Single missing
             (
                 ["rhel", "ansible", "openshift"],
                 True,
-                "Missing required entitlement: openshift",
+                "Insufficient entitlements",
             ),  # Multiple with one missing
         ],
     )
@@ -236,11 +236,11 @@ def test_validate_entitlements(
     @pytest.mark.parametrize(
         "missing_field,expected_error",
         [
-            ({"identity": None}, "Missing 'identity' field"),
-            ({"identity": {"org_id": "123"}}, "Missing identity 'type' field"),
+            ({"identity": None}, "Invalid identity data"),
+            ({"identity": {"org_id": "123"}}, "Invalid identity data"),
             (
                 {"identity": {"type": "User", "org_id": "123"}},
-                "Missing 'user' field for User type",
+                "Invalid identity data",
             ),
             (
                 {
@@ -250,7 +250,7 @@ def test_validate_entitlements(
                         "user": {"username": "test"},
                     }
                 },
-                "Missing 'user_id' in user data",
+                "Invalid identity data",
             ),
             (
                 {
@@ -260,15 +260,15 @@ def test_validate_entitlements(
                         "user": {"user_id": "123"},
                     }
                 },
-                "Missing 'username' in user data",
+                "Invalid identity data",
             ),
             (
                 {"identity": {"type": "System", "org_id": "123"}},
-                "Missing 'system' field for System type",
+                "Invalid identity data",
             ),
             (
                 {"identity": {"type": "System", "org_id": "123", "system": {}}},
-                "Missing 'cn' in system data",
+                "Invalid identity data",
             ),
             (
                 {
@@ -278,7 +278,7 @@ def test_validate_entitlements(
                         "system": {"cn": "test"},
                     }
                 },
-                "Missing 'account_number' for System type",
+                "Invalid identity data",
             ),
         ],
     )
@@ -300,7 +300,7 @@ def test_unsupported_identity_type(self) -> None:
             RHIdentityData(invalid_data)
 
         assert exc_info.value.status_code == 400
-        assert "Unsupported identity type: Unknown" in str(exc_info.value.detail)
+        assert "Invalid identity data" in str(exc_info.value.detail)
 
 
 class TestRHIdentityAuthDependency:
@@ -406,12 +406,12 @@ async def test_invalid_json(self) -> None:
             (
                 ["openshift"],
                 True,
-                "Missing required entitlement: openshift",
+                "Insufficient entitlements",
             ),  # Single missing
             (
                 ["rhel", "ansible", "openshift"],
                 True,
-                "Missing required entitlement: openshift",
+                "Insufficient entitlements",
             ),  # Multiple with one missing
         ],
     )

Original file line number	Diff line number	Diff line change
`@@ -195,12 +195,12 @@ def test_has_entitlements(`
`195`	`195`	`(`
`196`	`196`	`["openshift"],`
`197`	`197`	`True,`
`198`		`- "Missing required entitlement: openshift",`
	`198`	`+ "Insufficient entitlements",`
`199`	`199`	`), # Single missing`
`200`	`200`	`(`
`201`	`201`	`["rhel", "ansible", "openshift"],`
`202`	`202`	`True,`
`203`		`- "Missing required entitlement: openshift",`
	`203`	`+ "Insufficient entitlements",`
`204`	`204`	`), # Multiple with one missing`
`205`	`205`	`],`
`206`	`206`	`)`
`@@ -236,11 +236,11 @@ def test_validate_entitlements(`
`236`	`236`	`@pytest.mark.parametrize(`
`237`	`237`	`"missing_field,expected_error",`
`238`	`238`	`[`
`239`		`- ({"identity": None}, "Missing 'identity' field"),`
`240`		`- ({"identity": {"org_id": "123"}}, "Missing identity 'type' field"),`
	`239`	`+ ({"identity": None}, "Invalid identity data"),`
	`240`	`+ ({"identity": {"org_id": "123"}}, "Invalid identity data"),`
`241`	`241`	`(`
`242`	`242`	`{"identity": {"type": "User", "org_id": "123"}},`
`243`		`- "Missing 'user' field for User type",`
	`243`	`+ "Invalid identity data",`
`244`	`244`	`),`
`245`	`245`	`(`
`246`	`246`	`{`
`@@ -250,7 +250,7 @@ def test_validate_entitlements(`
`250`	`250`	`"user": {"username": "test"},`
`251`	`251`	`}`
`252`	`252`	`},`
`253`		`- "Missing 'user_id' in user data",`
	`253`	`+ "Invalid identity data",`
`254`	`254`	`),`
`255`	`255`	`(`
`256`	`256`	`{`
`@@ -260,15 +260,15 @@ def test_validate_entitlements(`
`260`	`260`	`"user": {"user_id": "123"},`
`261`	`261`	`}`
`262`	`262`	`},`
`263`		`- "Missing 'username' in user data",`
	`263`	`+ "Invalid identity data",`
`264`	`264`	`),`
`265`	`265`	`(`
`266`	`266`	`{"identity": {"type": "System", "org_id": "123"}},`
`267`		`- "Missing 'system' field for System type",`
	`267`	`+ "Invalid identity data",`
`268`	`268`	`),`
`269`	`269`	`(`
`270`	`270`	`{"identity": {"type": "System", "org_id": "123", "system": {}}},`
`271`		`- "Missing 'cn' in system data",`
	`271`	`+ "Invalid identity data",`
`272`	`272`	`),`
`273`	`273`	`(`
`274`	`274`	`{`
`@@ -278,7 +278,7 @@ def test_validate_entitlements(`
`278`	`278`	`"system": {"cn": "test"},`
`279`	`279`	`}`
`280`	`280`	`},`
`281`		`- "Missing 'account_number' for System type",`
	`281`	`+ "Invalid identity data",`
`282`	`282`	`),`
`283`	`283`	`],`
`284`	`284`	`)`
`@@ -300,7 +300,7 @@ def test_unsupported_identity_type(self) -> None:`
`300`	`300`	`RHIdentityData(invalid_data)`
`301`	`301`
`302`	`302`	`assert exc_info.value.status_code == 400`
`303`		`- assert "Unsupported identity type: Unknown" in str(exc_info.value.detail)`
	`303`	`+ assert "Invalid identity data" in str(exc_info.value.detail)`
`304`	`304`
`305`	`305`
`306`	`306`	`class TestRHIdentityAuthDependency:`
`@@ -406,12 +406,12 @@ async def test_invalid_json(self) -> None:`
`406`	`406`	`(`
`407`	`407`	`["openshift"],`
`408`	`408`	`True,`
`409`		`- "Missing required entitlement: openshift",`
	`409`	`+ "Insufficient entitlements",`
`410`	`410`	`), # Single missing`
`411`	`411`	`(`
`412`	`412`	`["rhel", "ansible", "openshift"],`
`413`	`413`	`True,`
`414`		`- "Missing required entitlement: openshift",`
	`414`	`+ "Insufficient entitlements",`
`415`	`415`	`), # Multiple with one missing`
`416`	`416`	`],`
`417`	`417`	`)`