add error messages for vault authentication (#88)

* add error messages for vault authentication Signed-off-by: Doron Chen <[email protected]> * added additional error log messages when things go wrong Signed-off-by: [email protected] <[email protected]> * make sure that ther secret_key and access_key are non-empty Signed-off-by: [email protected] <[email protected]> * check whether raw secret was returned Signed-off-by: Doron Chen <[email protected]> * check access_key and secret-key separately, to report what is missing Signed-off-by: Doron Chen <[email protected]> Co-authored-by: [email protected] <[email protected]>
fybrik · Jul 7, 2021 · c2d0e06 · c2d0e06
1 parent b91d0bd
commit c2d0e06
Showing 1 changed file with 26 additions and 3 deletions.
diff --git a/afm/filesystems/vault.py b/afm/filesystems/vault.py
@@ -20,22 +20,34 @@ def vault_jwt_auth(jwt, vault_address, vault_path, role):
     response = requests.post(full_auth_path, json=json)
     if response.status_code == 200:
         return response.json()
+    logging.critical("Got error code %d from Vault authentication", response.status_code)
+    logging.critical("Error response: %s", str(response.json()))
     return None
 
 def get_raw_secret_from_vault(jwt, secret_path, vault_address, vault_path, role):
     """Get a raw secret from vault by providing a valid jwt token"""
     vault_auth_response = vault_jwt_auth(jwt, vault_address, vault_path, role)
     if vault_auth_response is None:
+        logging.critical("Empty vault authorization response")
+        return None
+    if not "auth" in vault_auth_response or not "client_token" in vault_auth_response["auth"]:
+        logging.critical("Malformed vault authorization response")
         return None
     client_token = vault_auth_response["auth"]["client_token"]
     logging.debug("client_token: %s", str(client_token))
     secret_full_path = vault_address + secret_path
     logging.debug("secret_full_path = %s", str(secret_full_path))
     response = requests.get(secret_full_path, headers={"X-Vault-Token" : client_token})
-    logging.debug("response: %s", str(response.json()))
     logging.critical("Status code from Vault response: " + str(response.status_code))
     if response.status_code == 200:
-        return response.json()['data']
+        response_json = response.json()
+        if 'data' in response_json:
+            return response_json['data']
+        else:
+            logging.critical("Malformed secret response. Expected the 'data' field in JSON")
+    else:
+        logging.critical("Got error code %d requesting Vault secret", response.status_code)
+        logging.critical("Error response: %s", str(response.json()))
     return None
 
 def get_credentials_from_vault(vault_credentials):
@@ -51,4 +63,15 @@ def get_credentials_from_vault(vault_credentials):
     role = vault_credentials.get('role', 'demo')
     logging.critical("role = %s", str(role))
     credentials = get_raw_secret_from_vault(jwt, secret_path, vault_address, vault_auth, role)
-    return credentials['access_key'], credentials['secret_key']
+    if not credentials:
+        return None, None
+    if 'access_key' in credentials and 'secret_key' in credentials:
+        if credentials['access_key'] and credentials['secret_key']:
+            return credentials['access_key'], credentials['secret_key']
+        else:
+            if not credentials['access_key']:
+                logging.credentials("'access_key' must be non-empty")
+            if not credentials['secret_key']:
+                logging.credentials("'secret_key' must be non-empty")
+    logging.critical("Expected both 'access_key' and 'secret_key' fields in vault secret")
+    return None, None