RoleCheckResult

simonredfern · simonredfern · commit 1b60ab5df9ca · 2026-02-20T11:33:45.000+01:00
diff --git a/src/main/scala/com/tesobe/oidc/auth/ObpApiCredentialsService.scala b/src/main/scala/com/tesobe/oidc/auth/ObpApiCredentialsService.scala
@@ -576,7 +576,7 @@ class ObpApiCredentialsService(
                     }
                   case status =>
                     response.as[String].flatMap { body =>
-                      logger.warn(s"User lookup via OBP API returned $status: $body")
+                      logger.warn(s"User lookup via OBP API: GET $uri returned $status: $body")
                       IO.pure(None)
                     }
                 }
@@ -616,15 +616,26 @@ object ObpApiCredentialsService {
   private val logger = LoggerFactory.getLogger(getClass)
   private val RequiredRole = "CanVerifyUserCredentials"
 
+  /** Result of checking required roles, including per-role status. */
+  case class RoleCheckResult(
+      userRoles: Set[String],
+      requiredRoles: List[String]
+  ) {
+    def roleStatus(role: String): Boolean = userRoles.contains(role)
+    def missing: List[String] = requiredRoles.filterNot(userRoles.contains)
+    def allPresent: Boolean = missing.isEmpty
+  }
+
   /** Check that the OBP API user has all the specified required roles.
-    * Returns Right with success message if all roles are present,
-    * or Left with error message listing missing roles.
-    * This is intended as a hard startup check - callers should abort on Left.
+    * Returns Right with RoleCheckResult if entitlements could be fetched
+    * (even if some roles are missing), or Left with error message if
+    * the check itself failed.
+    * Callers should inspect RoleCheckResult.allPresent to decide whether to abort.
     */
   def checkRequiredRoles(
       config: OidcConfig,
       requiredRoles: List[String]
-  ): IO[Either[String, String]] = {
+  ): IO[Either[String, RoleCheckResult]] = {
     val username = config.obpApiUsername.getOrElse("unknown")
     val baseUrl = config.obpApiUrl.getOrElse("unknown")
 
@@ -659,20 +670,7 @@ object ObpApiCredentialsService {
                         case Right(entitlements) => entitlements.map(_.role_name).toSet
                         case Left(_) => Set.empty[String]
                       }
-                      val present = requiredRoles.filter(userRoles.contains)
-                      val missing = requiredRoles.filterNot(userRoles.contains)
-                      if (missing.isEmpty) {
-                        Right(
-                          s"Role check passed: OBP API user '$username' has all ${requiredRoles.size} required roles: ${requiredRoles.mkString(", ")}"
-                        )
-                      } else {
-                        Left(
-                          s"STARTUP ABORTED: OBP API user '$username' is missing required role(s): ${missing.mkString(", ")}. " +
-                          s"Please grant these roles to user '$username' at $baseUrl and restart. " +
-                          s"Roles present: ${if (present.nonEmpty) present.mkString(", ") else "none"}. " +
-                          s"All required roles: ${requiredRoles.mkString(", ")}"
-                        )
-                      }
+                      Right(RoleCheckResult(userRoles, requiredRoles))
                     }
                   case status =>
                     response.as[String].map { body =>
diff --git a/src/main/scala/com/tesobe/oidc/server/OidcServer.scala b/src/main/scala/com/tesobe/oidc/server/OidcServer.scala
@@ -158,6 +158,7 @@ object OidcServer extends IOApp {
       } else IO.unit
 
       // Test OBP API connection and verify all required roles
+      roleCheckRef <- cats.effect.Ref.of[IO, Option[ObpApiCredentialsService.RoleCheckResult]](None)
       _ <- {
         val requiredRoles = List.empty[String] ++
           (config.verifyCredentialsMethod match {
@@ -179,7 +180,18 @@ object OidcServer extends IOApp {
           ).flatMap(msg => IO(println(msg))) *>
           // Step 2: Check all required roles (abort immediately if any are missing)
           ObpApiCredentialsService.checkRequiredRoles(config, requiredRoles).flatMap {
-            case Right(msg) => IO(println(msg))
+            case Right(roleCheck) =>
+              val username = config.obpApiUsername.getOrElse("unknown")
+              val baseUrl = config.obpApiUrl.getOrElse("unknown")
+              roleCheckRef.set(Some(roleCheck)) *>
+              (if (roleCheck.allPresent) {
+                IO(println(s"Role check passed: OBP API user '$username' has all ${requiredRoles.size} required roles"))
+              } else {
+                IO.raiseError(new RuntimeException(
+                  s"STARTUP ABORTED: OBP API user '$username' is missing required role(s): ${roleCheck.missing.mkString(", ")}. " +
+                  s"Please grant these roles to user '$username' at $baseUrl and restart."
+                ))
+              })
             case Left(error) => IO.raiseError(new RuntimeException(error))
           }
         } else {
@@ -951,13 +963,24 @@ object OidcServer extends IOApp {
                 IO(println(s"USE_VERIFY_ENDPOINTS: ${config.useVerifyEndpoints}")) *>
                 (if (config.useVerifyEndpoints) {
                   val username = config.obpApiUsername.getOrElse("unknown")
+                  val roleEndpoints = List(
+                    ("CanVerifyUserCredentials", "POST /obp/v6.0.0/users/verify-credentials"),
+                    ("CanGetAnyUser", "GET /obp/v6.0.0/users/provider/PROVIDER/username/USERNAME"),
+                    ("CanGetOidcClient", "GET /obp/v6.0.0/oidc/clients/CLIENT_ID"),
+                    ("CanGetConsumers", "GET /obp/v6.0.0/management/consumers")
+                  )
                   IO(println("  All verification methods use OBP API endpoints")) *>
                   IO(println(s"  OBP API Username: $username")) *>
                   IO(println(s"  Required roles for OBP_API_USERNAME '$username':")) *>
-                  IO(println(s"    - CanVerifyUserCredentials (for POST /obp/v6.0.0/users/verify-credentials)")) *>
-                  IO(println(s"    - CanGetAnyUser (for GET /obp/v6.0.0/users/provider/PROVIDER/username/USERNAME)")) *>
-                  IO(println(s"    - CanGetOidcClient (for GET /obp/v6.0.0/oidc/clients/CLIENT_ID)")) *>
-                  IO(println(s"    - CanGetConsumers (for GET /obp/v6.0.0/management/consumers)")) *>
+                  roleCheckRef.get.flatMap { roleCheckOpt =>
+                    roleEndpoints.foldLeft(IO.unit) { case (acc, (role, endpoint)) =>
+                      val status = roleCheckOpt match {
+                        case Some(rc) => if (rc.roleStatus(role)) "OK" else "NOT OK"
+                        case None => "UNKNOWN"
+                      }
+                      acc *> IO(println(s"    - $role (for $endpoint) ... $status"))
+                    }
+                  } *>
                   IO(println(s"  No special role required for GET /obp/v6.0.0/providers (just authentication)"))
                 } else {
                   IO(println("  Credential verification: v_oidc_users (database view)")) *>
