
sts-sponsors team mailing list archive

Re: [Merge] ~ack/maas:vault-client-error-wrap into maas:master

 

See inline comment

Diff comments:

> diff --git a/src/maasserver/vault.py b/src/maasserver/vault.py
> index 5b4e80b..269c983 100644
> --- a/src/maasserver/vault.py
> +++ b/src/maasserver/vault.py
> @@ -15,10 +16,34 @@ TOKEN_BEFORE_EXPIRY_LIMIT = timedelta(seconds=10)
>  SecretValue = dict[str, Any]
>  
>  
> +class VaultError(Exception):
> +    """Raised to wrap the hvac.exception.VaultError one."""
> +
> +
> +class UnknownSecretPath(Exception):
> +    """Raised when the path for a secret is unknown."""
> +
> +
>  class WrappedSecretError(Exception):
>      """Raised when the provided token could not be used to obtain secret_id by unwrapping"""
>  
>  
> +def wrap_errors(func: Callable) -> Callable:

Please be advised that unless we have additional logging somewhere, this will result in CLI commands reporting "Vault connection failed" without any additional information that could be used for troubleshooting (like the "Vault is sealed" message, since AFAIR CommandError won't use `__cause__` IIRC).

> +    """Wrap hvac exceptions with local ones."""
> +
> +    @wraps(func)
> +    def wrapper(*args, **kwargs):
> +        try:
> +            return func(*args, **kwargs)
> +        except requests.exceptions.ConnectionError as e:
> +            raise VaultError("Vault connection failed") from e
> +        except hvac.exceptions.VaultError as e:
> +            raise VaultError("Vault request failed") from e
> +
> +    return wrapper
> +
> +
> +@wrap_errors
>  def unwrap_secret(url: str, wrapped_token: str) -> str:
>      """Helper function to unwrap approle secret id from wrapped token"""
>      client = hvac.Client(url=url, token=wrapped_token)
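
Review bot: in `wrapper`, both `raise VaultError(...)` lines replace the original exception text with a fixed string, so any caller that reports only `str(exc)` loses the reason for the failure and the detail survives only in `__cause__`. Consider carrying it in the message, for example `raise VaultError(f"Vault request failed: {e}") from e`, or logging the original exception before re-raising. Only `requests.exceptions.ConnectionError` is caught, so a `requests.exceptions.ReadTimeout` (a `Timeout`, not a `ConnectionError`) would still reach callers unwrapped; if the goal is that callers see only local exceptions, catching `requests.exceptions.RequestException` fits better. The `VaultError` docstring also says `hvac.exception.VaultError` where the code catches `hvac.exceptions.VaultError`.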


-- 
https://code.launchpad.net/~ack/maas/+git/maas/+merge/433305
Your team MAAS Maintainers is requested to review the proposed merge of ~ack/maas:vault-client-error-wrap into maas:master.


