diff --git a/confluent_server/confluent/config/configmanager.py b/confluent_server/confluent/config/configmanager.py index 34557d7c..9db29d68 100644 --- a/confluent_server/confluent/config/configmanager.py +++ b/confluent_server/confluent/config/configmanager.py @@ -67,6 +67,7 @@ import base64 import confluent.config.attributes as allattributes import confluent.log import confluent.util +import confluent.exceptions as exc import copy import cPickle import errno @@ -117,13 +118,13 @@ def _get_protected_key(keydict, password, paramname): # TODO(jbjohnso): check for TPM sealing if 'passphraseprotected' in keydict: if password is None: - raise Exception("Passphrase protected secret requires password") + raise exc.LockedCredentials("Passphrase protected secret requires password") pp = keydict['passphraseprotected'] salt = pp[0] privkey, integkey = _derive_keys(password, salt) return decrypt_value(pp[1:], key=privkey, integritykey=integkey) else: - raise Exception("No available decryption key") + raise exc.LockedCredentials("No available decryption key") def _format_key(key, password=None): diff --git a/confluent_server/confluent/exceptions.py b/confluent_server/confluent/exceptions.py index 67a39a41..822b1713 100644 --- a/confluent_server/confluent/exceptions.py +++ b/confluent_server/confluent/exceptions.py @@ -42,6 +42,11 @@ class TargetEndpointBadCredentials(ConfluentException): # failed pass +class LockedCredentials(ConfluentException): + # A request was performed that required a credential, but the credential + # store is locked + pass + class ForbiddenRequest(ConfluentException): # The client request is not allowed by authorization engine diff --git a/confluent_server/confluent/httpapi.py b/confluent_server/confluent/httpapi.py index 0256113c..f061b3f3 100644 --- a/confluent_server/confluent/httpapi.py +++ b/confluent_server/confluent/httpapi.py @@ -432,6 +432,9 @@ def resourcehandler_backend(env, start_response): except exc.TargetEndpointBadCredentials: start_response('502 Bad Credentials', headers) yield '502 - Bad Credentials' + except exc.LockedCredentials: + start_response('500 Locked credential store', headers) + yield '500 - Credential store locked' except exc.NotImplementedException: start_response('501 Not Implemented', headers) yield '501 Not Implemented' diff --git a/confluent_server/confluent/sockapi.py b/confluent_server/confluent/sockapi.py index 0a7d2e63..9a67c3ca 100644 --- a/confluent_server/confluent/sockapi.py +++ b/confluent_server/confluent/sockapi.py @@ -141,6 +141,10 @@ def sessionhdl(connection, authname, skipauth=False): send_data(connection, {'errorcode': 400, 'error': 'Bad Request - ' + str(iae)}) send_data(connection, {'_requestdone': 1}) + except exc.LockedCredentials as lockedcred: + send_data(connection, {'errorcode': 500, + 'error': 'Locked Credential Store'}) + send_data(connection, {'_requestdone': 1}) except SystemExit: sys.exit(0) except: