From 6c8347cfe2b88b9a3ee773fe95f95961a1ee3ace Mon Sep 17 00:00:00 2001
From: Daniele Martinoli <86618610+dmartinol@users.noreply.github.com>
Date: Thu, 8 Aug 2024 18:21:42 +0200
Subject: [PATCH] Small fixes (#71)

* Improved permission denial log

Signed-off-by: Daniele Martinoli <86618610+dmartinol@users.noreply.github.com>

* Added leeway option to accept tokens released in the past (up to 10")

Signed-off-by: Daniele Martinoli <86618610+dmartinol@users.noreply.github.com>

---------

Signed-off-by: Daniele Martinoli <86618610+dmartinol@users.noreply.github.com>
Signed-off-by: Abdul Hameed
---
 sdk/python/feast/permissions/auth/oidc_token_parser.py | 1 +
 sdk/python/feast/permissions/enforcer.py               | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/sdk/python/feast/permissions/auth/oidc_token_parser.py b/sdk/python/feast/permissions/auth/oidc_token_parser.py
index 355004f4de..91d3709744 100644
--- a/sdk/python/feast/permissions/auth/oidc_token_parser.py
+++ b/sdk/python/feast/permissions/auth/oidc_token_parser.py
@@ -78,6 +78,7 @@ async def user_details_from_access_token(self, access_token: str) -> User:
                 "verify_signature": True,
                 "verify_exp": True,
             },
+            leeway=10,  # accepts tokens generated up to 10 seconds in the past, in case of clock skew
         )
 
         if "preferred_username" not in data:
diff --git a/sdk/python/feast/permissions/enforcer.py b/sdk/python/feast/permissions/enforcer.py
index f2b700b01d..af41d12a2c 100644
--- a/sdk/python/feast/permissions/enforcer.py
+++ b/sdk/python/feast/permissions/enforcer.py
@@ -44,7 +44,7 @@ def enforce_policy(
     _permitted_resources: list[FeastObject] = []
     for resource in resources:
         logger.debug(
-            f"Enforcing permission policies for {type(resource)}:{resource.name} to execute {actions}"
+            f"Enforcing permission policies for {type(resource).__name__}:{resource.name} to execute {actions}"
         )
         matching_permissions = [
             p
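Review bot: The comment on the new `leeway=10` line understates what the option does: PyJWT applies leeway to every time-based claim it checks, so with `verify_exp` enabled a token is also accepted for up to 10 seconds after its `exp`, and a token whose `nbf`/`iat` lies up to 10 seconds in the future is accepted as well. I would reword it to `leeway=10,  # clock-skew tolerance in seconds; widens the exp, nbf and iat checks in both directions` and lift the literal into a module-level constant such as `JWT_LEEWAY_SECONDS = 10` so the tolerance is documented and adjustable in one place. `user_details_from_access_token` starts before the hunk.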
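Review bot: The debug line now prints the resource type via `__name__` but still interpolates `actions` raw, while the denial message in the following hunk (`@@ -60,7 +60,7 @@`) formats the same list as `[a.value.upper() for a in actions]`, so the two messages describe one request differently and the second renders as a Python list repr. I would compute the rendering once at the top of the loop body, `action_names = ", ".join(a.value.upper() for a in actions)`, and use `{action_names}` in both f-strings. `enforce_policy` starts before the hunk and continues past it.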
@@ -60,7 +60,7 @@ def enforce_policy(
             )
             evaluator.add_grant(
                 permission_grant,
-                f"Permission {p.name} denied access: {permission_explanation}",
+                f"Permission {p.name} denied execution of {[a.value.upper() for a in actions]} to {type(resource).__name__}:{resource.name}: {permission_explanation}",
             )
             if evaluator.is_decided():