Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2.0-alpha1: 404 when listing empty cubbyhole #193

Open
4 tasks done
sebastian-luna-valero opened this issue Nov 10, 2023 · 7 comments
Open
4 tasks done

2.0-alpha1: 404 when listing empty cubbyhole #193

sebastian-luna-valero opened this issue Nov 10, 2023 · 7 comments
Labels
enhancement New feature or request

Comments

@sebastian-luna-valero
Copy link
Collaborator

Initial checklist

Affected packages and versions

2.0-alpha1

Link to runnable example

No response

Steps to reproduce

fedcloud secret locker create
export FEDCLOUD_LOCKER_TOKEN=hvs.CAESIXXX
fedcloud secret list

Expected behavior

Return empty list.

Actual behavior

fedcloud secret list
Traceback (most recent call last):
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/locker_auth.py", line 74, in vault_command
    response.raise_for_status()
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/bin/fedcloud", line 10, in <module>
    sys.exit(cli())
             ^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/decorators.py", line 398, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/secret.py", line 169, in list_
    response = token.vault_command(command="list", path=short_path, data={})
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/locker_auth.py", line 82, in vault_command
    log_and_raise(error_msg, ServiceError)
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/logger.py", line 35, in log_and_raise
    raise exception(error_msg)
fedcloudclient.exception.ServiceError: Error: Error when accessing secrets on server. Server response: HTTPError: 404 Client Error: Not Found for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

Affected runtime and version

[email protected]

Affected package manager and version

No response

Affected OS and version

No response

Build and bundle tools

No response
@tdviet
Copy link
Owner

tdviet commented Nov 10, 2023

Fixed in c14ea4d

Vault does not distinguish whether listing empty or nonexistent folder. Therefore, a friendly message "The target path is empty or does not exist." will be printed in stderr instead of blank output.

@sebastian-luna-valero
Copy link
Collaborator Author

Now I am getting:

$ fedcloud secret list

An unexpected error occurred: Error: Error when accessing secrets on server. Server response: HTTPError: 403 Client Error: Forbidden for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

Would it be correct to simply print out instead:

No lockers found.

@tdviet
Copy link
Owner

tdviet commented Nov 10, 2023 

$ fedcloud secret list

An unexpected error occurred: Error: Error when accessing secrets on server. Server response: HTTPError: 403 Client Error: Forbidden for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

This is another error, authentication error, because the locker token is expired (either number of use or lifetime)

No lockers found.

Excellent idea, thank you for suggestion. I would change the message little "No secrets found". If the locker was created, it does exist, but only is empty. Furthermore, the fedcloud secret list command is used also for accessing permanent secret storage (key/value engine) and users get the same error when listing empty or non-existent path

@sebastian-luna-valero
Copy link
Collaborator Author

Then No secrets found is more appropriate, thanks!

@tdviet
Copy link
Owner

tdviet commented Nov 14, 2023

Fixed. 64b66f9

@sebastian-luna-valero
Copy link
Collaborator Author

Thanks!

This works now when FEDCLOUD_LOCKER_TOKEN is set and no lockers have been created.

But there are two other scenarios where I think the No secrets found could also be better than the current behavior:

  1. When FEDCLOUD_LOCKER_TOKEN is not set and there are no secrets, I get:
fedcloud secret list
An unexpected error occurred: Error: Error when accessing secrets on server. Server response: InvalidPath: None, on list https://vault.services.fedcloud.eu:8200/v1/secrets/users/<EGI-ID>egi.eu
  1. When FEDCLOUD_LOCKER_TOKEN is set and the locker is expired, I get:
fedcloud secret locker check
Error: Error when accessing secrets on server. Server response: Forbidden: permission denied, on get https://vault.services.fedcloud.eu:8200/v1/auth/token/lookup-self

fedcloud secret list
An unexpected error occurred: Error: Error when accessing secrets on server. Server response: HTTPError: 403 Client Error: Forbidden for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

@tdviet
Copy link
Owner

tdviet commented Nov 14, 2023

We need to catch exceptions and manage the error messages systematically. So far put it on hold as a request for improvement

@tdviet tdviet added the enhancement New feature or request label Nov 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sebastian-luna-valero @tdviet