Discovered in PR https://github.com/freeipa/freeipa/pull/5637
The reproducer is in the test_client_doesnot_throw_responsenotready_error test in the PR.
  File "/usr/share/ipa/wsgi.py", line 59, in application
    return api.Backend.wsgi_dispatch(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 296, in __call__
    return self.route(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 308, in route
    return app(environ, start_response)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 894, in __call__
    ccache_name = self.get_environ_creds(environ)
  File "/usr/lib/python3.9/site-packages/ipaserver/rpcserver.py", line 672, in get_environ_creds
    creds = get_credentials_if_valid(name=gss_name,
  File "/usr/lib/python3.9/site-packages/ipalib/krb_utils.py", line 199, in get_credentials_if_valid
    creds = get_credentials(name=name, ccache_name=ccache_name)
  File "/usr/lib/python3.9/site-packages/ipalib/krb_utils.py", line 158, in get_credentials
    raise ValueError('"%s", ccache="%s"' % (e, ccache_name))
ValueError: "Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2598845123): No credentials cache found
It looks like even the purposefully raised exception wouldn't be handled. The caller of get_environ_creds() expects either a ccache or None.
So the right fix I think is to catch ValueError around the call to get_credentials_if_valid() and return None if caught.
Metadata Update from @rcritten:
- Issue assigned to rcritten
This is a regression from my change.
Previously, get_credentials re-raised GSSError in case of a GSSPROXY_KRB5_FCC_NOFILE error; with that change it raises ValueError. Since Apache uses gssproxy, the error has been hidden by gssproxy's error offset. In my opinion it will be correct to completely remove the try/except and move the responsibility for handling exceptions to the caller. The only client of get_credentials is ipalib.krb_utils.
The exception seems useful for get_principal() though it needs to be modified to handle ValueError now.
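The contract discussed in the comments above (the caller of get_environ_creds() expects a ccache or None), as an example added here and not taken from FreeIPA or from the PR. The function bodies, the GSSError stand-in class, the KRB5CCNAME environ key and the ccache paths are assumptions constructed for illustration; only the major and minor codes and the ValueError format string come from the traceback.

```python
# Stand-in names and logic for illustration; this is not FreeIPA source code.
GSS_MAJOR_FAILURE = 851968             # major code from the traceback
GSSPROXY_KRB5_FCC_NOFILE = 2598845123  # minor code from the traceback


class GSSError(Exception):
    """Stand-in for the GSSAPI binding's exception (assumption)."""

    def __init__(self, maj_code, min_code):
        super().__init__("Major (%d), Minor (%d)" % (maj_code, min_code))
        self.maj_code, self.min_code = maj_code, min_code


def get_credentials(store, ccache_name):
    """Simplified lookup: a missing ccache surfaces as ValueError."""
    try:
        if ccache_name not in store:
            raise GSSError(GSS_MAJOR_FAILURE, GSSPROXY_KRB5_FCC_NOFILE)
        return store[ccache_name]
    except GSSError as e:
        if e.min_code == GSSPROXY_KRB5_FCC_NOFILE:
            raise ValueError('"%s", ccache="%s"' % (e, ccache_name))
        raise  # any other GSS failure is not a "no ccache" condition


def get_environ_creds_unguarded(store, environ):
    """Behaviour in the traceback: ValueError escapes to the WSGI layer."""
    ccache_name = environ.get("KRB5CCNAME")
    get_credentials(store, ccache_name)
    return ccache_name


def get_environ_creds(store, environ):
    """Proposed contract: return the ccache name, or None if unusable."""
    ccache_name = environ.get("KRB5CCNAME")
    if ccache_name is None:
        return None
    try:
        get_credentials(store, ccache_name)
    except ValueError:
        return None  # caller treats None as "no valid credentials"
    return ccache_name


# Constructed sample data: one ccache exists, the other was removed.
STORE = {"/run/ipa/ccaches/alice": "creds-for-alice"}
GOOD = {"KRB5CCNAME": "/run/ipa/ccaches/alice"}
STALE = {"KRB5CCNAME": "/run/ipa/ccaches/bob"}
```

Only ValueError is swallowed, so a GSS failure with any other minor code still propagates instead of being reported as missing credentials.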
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
under one-liner rule: