[Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy

Tue, 07 Jul 2015 07:13:59 -0700 

Hi,

the patch addresses the error handling of ipa-httpd-kdcproxy as
discussed in the other thread.

Christian

From 85dc0cc3f597accdee6f6de9d7b4d41b2173a8d9 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Tue, 7 Jul 2015 16:05:48 +0200
Subject: [PATCH] Improve error handling in ipa-httpd-kdcproxy

The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles
connection and authentication errors more gracefully. If the script is
not able to conenct to LDAP, it only prints a warning and exits with
status code 0. All other errors are still reported as fatal error and
result in a non-zero exit code.

This fixes a problem with offline RPM updates. A restart of Apache no
longer fails when LDAP is not running.
---
 install/tools/ipa-httpd-kdcproxy | 75 +++++++++++++++++++++++++++++-----------
 1 file changed, 55 insertions(+), 20 deletions(-)

diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index c71f9cccfe0c05e1484aac7cfcd6801050ed51ab..60b22f2cc321d416871c74f3b4d580594c186a85 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -37,8 +37,26 @@ DEBUG = False
 TIME_LIMIT = 2
 
 
-class CheckError(Exception):
-    """An unrecoverable error has occured"""
+class Error(Exception):
+    """Base error class"""
+
+
+class ConfigFileError(Error):
+    """Something is wrong with the config file"""
+
+
+class CheckError(Error):
+    """An unrecoverable error has occured
+
+    The exit code is 0.
+    """
+
+
+class FatalError(Error):
+    """A fatal error has occured
+
+    Fatal errors cause the command to exit with a non-null exit code.
+    """
 
 
 class KDCProxyConfig(object):
@@ -64,14 +82,16 @@ class KDCProxyConfig(object):
             self.con.ldapi = True
             self.con.do_bind(timeout=self.time_limit)
         except errors.NetworkError as e:
-            msg = 'Failed to get setting from dirsrv: %s' % e
-            self.log.exception(msg)
+            msg = 'Unable to connect to dirsrv: %s' % e
+            raise CheckError(msg)
+        except errors.AuthorizationError as e:
+            msg = 'Authorization error: %s' % e
             raise CheckError(msg)
         except Exception as e:
             msg = ('Unknown error while retrieving setting from %s: %s' %
                    (self.ldap_uri, e))
             self.log.exception(msg)
-            raise CheckError(msg)
+            raise FatalError(msg)
 
     def _find_entry(self, dn, attrs, filter, scope=IPAdmin.SCOPE_BASE):
         """Find an LDAP entry, handles NotFound and Limit"""
@@ -87,7 +107,7 @@ class KDCProxyConfig(object):
             msg = ('Unknown error while retrieving setting from %s: %s' %
                    (self.ldap_uri, e))
             self.log.exception(msg)
-            raise CheckError(msg)
+            raise FatalError(msg)
         return entries[0]
 
     def is_host_enabled(self):
@@ -105,19 +125,21 @@ class KDCProxyConfig(object):
         if not os.path.exists(self.conflink):
             return False
         if not os.path.islink(self.conflink):
-            raise CheckError("'%s' already exists, but it is not a symlink" %
-                             self.conflink)
+            raise ConfigFileError(
+                "'%s' already exists, but it is not a symlink"
+                % self.conflink)
         dest = os.readlink(self.conflink)
         if dest != self.conf:
-            raise CheckError("'%s' points to '%s', expected '%s'"
-                             % (self.conflink, dest, self.conf))
+            raise ConfigFileError(
+                "'%s' points to '%s', expected '%s'"
+                % (self.conflink, dest, self.conf))
         return True
 
     def create_symlink(self):
         """Create symlink to enable KDC proxy support"""
         try:
             valid = self.validate_symlink()
-        except CheckError as e:
+        except ConfigFileError as e:
             self.log.warn("Cannot enable KDC proxy: %s " % e)
             return False
 
@@ -165,16 +187,29 @@ class KDCProxyConfig(object):
 def main(debug=DEBUG, time_limit=TIME_LIMIT):
     # initialize API without file logging
     if not api.isdone('bootstrap'):
-        api.bootstrap(context='kdcproxyshim', log=None, debug=debug)
+        api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug)
         standard_logging_setup(verbose=True, debug=debug)
 
-    with KDCProxyConfig(time_limit) as cfg:
-        if cfg.is_host_enabled():
-            if cfg.create_symlink():
-                api.log.info('KDC proxy enabled')
-        else:
-            if cfg.remove_symlink():
-                api.log.info('KDC proxy disabled')
+    try:
+        cfg = KDCProxyConfig(time_limit)
+        with cfg:
+            if cfg.is_host_enabled():
+                if cfg.create_symlink():
+                    api.log.info('KDC proxy enabled')
+                    return 0
+            else:
+                if cfg.remove_symlink():
+                    api.log.info('KDC proxy disabled')
+                    return 0
+    except CheckError as e:
+        api.log.warn(str(e))
+        api.log.warn('Disabling KDC proxy')
+        cfg.remove_symlink()
+        return 0
+    except Exception as e:
+        api.log.error(str(e))
+        return 1
+
 
 if __name__ == '__main__':
-    main()
+    sys.exit(main())
-- 
2.4.3

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to