author | Dolph Mathews <dolph.mathews@gmail.com> | 2012-11-14 11:59:26 -0600 |
---|---|---|
committer | Dolph Mathews <dolph.mathews@gmail.com> | 2012-11-15 11:26:10 -0600 |
commit | c7066a9fed611dc32e7c5fb490c61121cc5b68a5 (patch) | |
tree | 1aaecbef59a6f90cbddb78eb1e50ee5db42ae194 /keystone/exception.py | |
parent | ac2d5b85b16da31ebf4833b6264961c567125249 (diff) | |
Expose authn/z failure info to API in debug mode
This allows us to raise exceptions with very specific messages:
raise Unauthorized('User name not recognized')
In debug mode, this feedback would be exposed to the API user; without
debug mode, these details are suppressed.
Change-Id: I05c5dce3b1e2ba1123450b302e10b8ba3c265557
Diffstat (limited to 'keystone/exception.py')
-rw-r--r-- | keystone/exception.py | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/keystone/exception.py b/keystone/exception.py
index cc61a632..65596d4a 100644
--- a/keystone/exception.py
+++ b/keystone/exception.py
@@ -15,6 +15,13 @@
 # under the License.
 import re
+from keystone.common import logging
+from keystone import config
+
+
+CONF = config.CONF
+LOG = logging.getLogger(__name__)
+
 class Error(StandardError):
 """Base error class.
@@ -27,9 +34,24 @@ class Error(StandardError):
 def __init__(self, message=None, **kwargs):
 """Use the doc string as the error message by default."""
- message = message or self.__doc__ % kwargs
+
+ try:
+ message = self._build_message(message, **kwargs)
+ except KeyError:
+ # if you see this warning in your logs, please raise a bug report
+ LOG.warning('missing expected exception kwargs (programmer error)')
+ message = self.__doc__
+
 super(Error, self).__init__(message)
+ def _build_message(self, message, **kwargs):
+ """Builds and returns an exception message.
+
+ :raises: KeyError given insufficient kwargs
+
+ """
+ return message or self.__doc__ % kwargs
+
 def __str__(self):
 """Cleans up line breaks and indentation from doc strings."""
 string = super(Error, self).__str__()
@@ -51,13 +73,24 @@ class ValidationError(Error):
 title = 'Bad Request'
-class Unauthorized(Error):
+class SecurityError(Error):
+ """Avoids exposing details of security failures, unless in debug mode."""
+
+ def _build_message(self, message, **kwargs):
+ """Only returns detailed messages in debug mode."""
+ if CONF.debug:
+ return message or self.__doc__ % kwargs
+ else:
+ return self.__doc__ % kwargs
+
+
+class Unauthorized(SecurityError):
 """The request you have made requires authentication."""
 code = 401
 title = 'Not Authorized'
-class Forbidden(Error):
+class Forbidden(SecurityError):
 """You are not authorized to perform the requested action."""
 code = 403
 title = 'Not Authorized' |
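Review bot: The `except KeyError` fallback in `Error.__init__` logs a fixed string, so the warning names neither the exception class nor the missing placeholder, and the bug report the comment asks for cannot be tied to a call site. The fallback also makes the unformatted `self.__doc__`, with its `%(...)s` placeholders intact, the message handed to the caller. Binding the exception and logging it, `except KeyError as e:` with `LOG.warning('missing exception kwargs for %s: %s', type(self).__name__, e)`, would make the log entry actionable. The `Error` class itself starts and ends outside this hunk.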
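Review bot: In `SecurityError._build_message` the non-debug branch drops the caller's `message` without recording it anywhere, so the specific reason for a 401/403 (the commit message's example is 'User name not recognized') is hidden from operators as well as from the API user. Logging it server-side before returning the generic text would keep it available for auditing and troubleshooting, for example `LOG.info('suppressed authn/z failure detail: %s', message)` inside the `else:` branch when `message` is set. The class docstring should also say that with `CONF.debug` on these details are returned to unauthenticated callers, which lets a client tell an unknown user from a wrong password, so debug mode should stay off on exposed deployments.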