application: improve auth handling

if all auth methods rejected, just return 'unauthorised', dont tell the user why (we don't want to leak the auth information to a bad actor)

src/application.py

@@ -27,14 +27,17 @@ import logging
 import time
 
 
-def _authorize(environ, *auth_funcs):
+
+def _authorize(admin, environ, *auth_funcs):
     """Authorize a response.
 
     This function loops through the ``auth_funcs``, and returns as soon
     as an authorised response comes back.
     """
+    method = environ["REQUEST_METHOD"]
+    uri = environ["REQUEST_URI"]
     # if request is not a GET, it's a write operation
-    iswrite = environ["REQUEST_METHOD"].upper() != "GET"
+    iswrite = method.upper() != "GET"
 
     res = None
     for auth_func in auth_funcs:
@@ -42,8 +45,8 @@ def _authorize(environ, *auth_funcs):
         try:
             res = auth_func(
                 environ,
-                environ['REQUEST_METHOD'],
-                environ['REQUEST_URI'],
+                method,
+                uri,
                 iswrite,
             )
         except:  # something went wrong, try the next method
@@ -52,12 +55,12 @@ def _authorize(environ, *auth_funcs):
         if res[0] == 200:
             return res
 
+    # all of the authorisation functions _failed_!
     if res is None:
-        # all of the authorisation functions failed!
         raise RuntimeError("no authorisation available")
 
-    # return unauthorised response (likely 401)
-    return res
+    # all of the authorisation functions rejected the request
+    return admin.log_and_set_http_code(401, 36, method, "Unauthorised", uri)
 
 
 def application(environ, start_response):
@@ -79,6 +82,7 @@ def application(environ, start_response):
     # Attempt authorisation
     try:
         res = _authorize(
+            admin,
             environ,
             ldbdsauth.check_authorization_scitoken,
             ldbdwauth.check_authorization_gridmap,