tdviet / fedcloudclient

EGI FedCloud Client
https://fedcloudclient.fedcloud.eu
MIT License

2.0-alpha1: 404 when listing empty cubbyhole #193

Open sebastian-luna-valero opened 1 year ago

sebastian-luna-valero commented 1 year ago

Initial checklist

Affected packages and versions

2.0-alpha1

Link to runnable example

No response

Steps to reproduce

fedcloud secret locker create
export FEDCLOUD_LOCKER_TOKEN=hvs.CAESIXXX
fedcloud secret list

Expected behavior

Return empty list.

Actual behavior

fedcloud secret list
Traceback (most recent call last):
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/locker_auth.py", line 74, in vault_command
    response.raise_for_status()
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/requests/models.py", line 1021, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: Not Found for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/bin/fedcloud", line 10, in <module>
    sys.exit(cli())
             ^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/decorators.py", line 398, in wrapper
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/secret.py", line 169, in list_
    response = token.vault_command(command="list", path=short_path, data={})
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/locker_auth.py", line 82, in vault_command
    log_and_raise(error_msg, ServiceError)
  File "/tmp/tmp.PhAbWjrhhn/conda-install/envs/fedcloudclient/lib/python3.12/site-packages/fedcloudclient/logger.py", line 35, in log_and_raise
    raise exception(error_msg)
fedcloudclient.exception.ServiceError: Error: Error when accessing secrets on server. Server response: HTTPError: 404 Client Error: Not Found for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

Affected runtime and version

python@3.12

Affected package manager and version

No response

Affected OS and version

No response

Build and bundle tools

No response

tdviet commented 1 year ago

Fixed in https://github.com/tdviet/fedcloudclient/commit/c14ea4d4ebe7571fbd580ee381aae5e64c1ad482

Vault does not distinguish between listing an empty folder and a nonexistent one. Therefore, a friendly message "The target path is empty or does not exist." will be printed to stderr instead of blank output.

sebastian-luna-valero commented 1 year ago

Now I am getting:

$ fedcloud secret list

An unexpected error occurred: Error: Error when accessing secrets on server. Server response: HTTPError: 403 Client Error: Forbidden for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

Would it be correct to simply print out instead:

No lockers found.

tdviet commented 1 year ago

> $ fedcloud secret list
>
> An unexpected error occurred: Error: Error when accessing secrets on server. Server response: HTTPError: 403 Client Error: Forbidden for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

This is another error, an authentication error, because the locker token is expired (either number of uses or lifetime).

> No lockers found.

Excellent idea, thank you for the suggestion. I would change the message a little, to "No secrets found". If the locker was created, it does exist, but is only empty. Furthermore, the fedcloud secret list command is also used for accessing permanent secret storage (key/value engine), and users get the same error when listing an empty or non-existent path.

sebastian-luna-valero commented 1 year ago

Then No secrets found is more appropriate, thanks!

tdviet commented 1 year ago

Fixed. https://github.com/tdviet/fedcloudclient/commit/64b66f9fb64a6757ecba13a8f88985626854b2b8

sebastian-luna-valero commented 1 year ago

Thanks!

This works now when FEDCLOUD_LOCKER_TOKEN is set and no lockers have been created.

But there are two other scenarios where I think the No secrets found could also be better than the current behavior:

  1. When FEDCLOUD_LOCKER_TOKEN is not set and there are no secrets, I get:
fedcloud secret list
An unexpected error occurred: Error: Error when accessing secrets on server. Server response: InvalidPath: None, on list https://vault.services.fedcloud.eu:8200/v1/secrets/users/<EGI-ID>egi.eu
  2. When FEDCLOUD_LOCKER_TOKEN is set and the locker is expired, I get:
fedcloud secret locker check
Error: Error when accessing secrets on server. Server response: Forbidden: permission denied, on get https://vault.services.fedcloud.eu:8200/v1/auth/token/lookup-self

fedcloud secret list
An unexpected error occurred: Error: Error when accessing secrets on server. Server response: HTTPError: 403 Client Error: Forbidden for url: https://vault.services.fedcloud.eu:8200/v1/cubbyhole/?list=true

tdviet commented 1 year ago

We need to catch exceptions and manage the error messages systematically. So far, it is put on hold as a request for improvement.
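
The error handling discussed in this thread, as an added example that is not fedcloudclient's own code: a classifier that turns a Vault LIST response into a CLI result and keeps the 404 empty-or-missing case ("No secrets found") separate from a 403 token failure. `classify_list_response`, `ListResult`, the exit codes and the sample responses are hypothetical, and it assumes that Vault's 404 for an empty or missing path carries an empty `errors` list.

```python
# Added example: not fedcloudclient code; all names here are hypothetical.
import json
from typing import NamedTuple


class ListResult(NamedTuple):
    keys: list        # secret names to print on stdout
    message: str      # text for stderr, empty on plain success
    exit_code: int    # 0 = success, 1 = auth failure, 2 = service error


def classify_list_response(status: int, body_text: str) -> ListResult:
    """Turn the HTTP status and body of a Vault LIST call into a CLI result."""
    try:
        body = json.loads(body_text)
    except ValueError:
        body = None  # not JSON, e.g. an HTML page from a proxy
    errors = body.get("errors") if isinstance(body, dict) else None

    if status == 200 and isinstance(body, dict):
        keys = (body.get("data") or {}).get("keys") or []
        return ListResult(list(keys), "", 0)
    if status == 404 and errors == []:
        # Assumption: empty and nonexistent paths both give 404 + empty errors.
        return ListResult([], "No secrets found", 0)
    if status == 403:
        # Never report this as "empty": the token is expired, used up or
        # not allowed to list this path, and the user has to act on it.
        return ListResult([], "Access denied: locker token expired or not permitted", 1)
    detail = "; ".join(str(e) for e in errors) if isinstance(errors, list) and errors else f"HTTP {status}"
    return ListResult([], f"Error when accessing secrets on server: {detail}", 2)


# Constructed sample responses (status, body), not captured from a real server.
SAMPLES = {
    "two secrets": (200, '{"data": {"keys": ["db-password", "api-key"]}}'),
    "empty locker": (404, '{"errors": []}'),
    "expired token": (403, '{"errors": ["permission denied"]}'),
    "bad mount": (404, '{"errors": ["no handler for route"]}'),
    "proxy error": (502, "<html>Bad Gateway</html>"),
}

if __name__ == "__main__":
    for name, (status, text) in SAMPLES.items():
        print(f"{name:14} -> {classify_list_response(status, text)}")
```

The messages leave out the request URL, which in the outputs above includes the user's secret path.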