Provide specific error on locked credential store

When the credential store is locked, provide a specific message and avoid triggering a trace log on a well characterized situation.
2025-07-09 06:11:40 +00:00 · 2015-07-08 16:47:58 -04:00
parent 4aef8524e9
commit d27df8fffc
4 changed files with 15 additions and 2 deletions
--- a/confluent_server/confluent/config/configmanager.py
+++ b/confluent_server/confluent/config/configmanager.py
@ -67,6 +67,7 @@ import base64
 import confluent.config.attributes as allattributes
 import confluent.log
 import confluent.util
+import confluent.exceptions as exc
 import copy
 import cPickle
 import errno
@ -117,13 +118,13 @@ def _get_protected_key(keydict, password, paramname):
    # TODO(jbjohnso): check for TPM sealing
    if 'passphraseprotected' in keydict:
        if password is None:
-            raise Exception("Passphrase protected secret requires password")
+            raise exc.LockedCredentials("Passphrase protected secret requires password")
        pp = keydict['passphraseprotected']
        salt = pp[0]
        privkey, integkey = _derive_keys(password, salt)
        return decrypt_value(pp[1:], key=privkey, integritykey=integkey)
    else:
-        raise Exception("No available decryption key")
+        raise exc.LockedCredentials("No available decryption key")


 def _format_key(key, password=None):
--- a/confluent_server/confluent/exceptions.py
+++ b/confluent_server/confluent/exceptions.py
@ -42,6 +42,11 @@ class TargetEndpointBadCredentials(ConfluentException):
    # failed
    pass

+class LockedCredentials(ConfluentException):
+    # A request was performed that required a credential, but the credential
+    # store is locked
+    pass
+

 class ForbiddenRequest(ConfluentException):
    # The client request is not allowed by authorization engine
--- a/confluent_server/confluent/httpapi.py
+++ b/confluent_server/confluent/httpapi.py
@ -432,6 +432,9 @@ def resourcehandler_backend(env, start_response):
        except exc.TargetEndpointBadCredentials:
            start_response('502 Bad Credentials', headers)
            yield '502 - Bad Credentials'
+        except exc.LockedCredentials:
+            start_response('500 Locked credential store', headers)
+            yield '500 - Credential store locked'
        except exc.NotImplementedException:
            start_response('501 Not Implemented', headers)
            yield '501 Not Implemented'
--- a/confluent_server/confluent/sockapi.py
+++ b/confluent_server/confluent/sockapi.py
@ -141,6 +141,10 @@ def sessionhdl(connection, authname, skipauth=False):
            send_data(connection, {'errorcode': 400,
                                      'error': 'Bad Request - ' + str(iae)})
            send_data(connection, {'_requestdone': 1})
+        except exc.LockedCredentials as lockedcred:
+            send_data(connection, {'errorcode': 500,
+                                      'error': 'Locked Credential Store'})
+            send_data(connection, {'_requestdone': 1})
        except SystemExit:
            sys.exit(0)
        except: