Re: [Freeipa-devel] [PATCH 0079] Catch USBError during YubiKey location

2014-11-25 Thread Martin Kosek
On 11/13/2014 07:39 AM, Nathaniel McCallum wrote:
> On Mon, 2014-11-10 at 09:08 +0100, Martin Kosek wrote:
>> On 11/10/2014 08:31 AM, Alexander Bokovoy wrote:
>>> On Mon, 10 Nov 2014, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> On 7.11.2014 at 16:51, Nathaniel McCallum wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4693
>>>>
>>>> Is it good enough to just say "No YubiKey found"? Would it make sense to log
>>>> the original message, for the sake of debugging why the yubikey was not found?
>>> This is logged on the client side so it only would be visible if you
>>> would run 'ipa' tool with -v. Perhaps useful but my practice with
>>> yubikeys says that most of issues are basically permission-related:
>>> you've inserted the key and udev rules didn't change access to allow
>>> getting to it via libusb. In this case our debugging will hardly be
>>> helpful beyond 'yes, it is not accessible' which is already conveyed by
>>> the original message.
>>
>> Ok. Though IMO, passing the USBError string to the error would still be a good
>> thing to do - unless we have a strong reason to hide it. Error stating "Access
>> denied (insufficient permissions)" would steer the person closer to the root
>> cause than just "No YubiKey found".
> 
> It took a bit to figure out exactly how to handle the errors, but the
> attached patch passes the error codes through.
> 

Yup, this is exactly what I wanted to see, ACK!

Pushed to:
master: b3a6701e73f6ccd4dff1dab47554381f42d40bb4
ipa-4-1: a7a7e967580c8ef4fa4341aa8b8877128e7d822a

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0079] Catch USBError during YubiKey location

2014-11-12 Thread Nathaniel McCallum
On Mon, 2014-11-10 at 09:08 +0100, Martin Kosek wrote:
> On 11/10/2014 08:31 AM, Alexander Bokovoy wrote:
> > On Mon, 10 Nov 2014, Jan Cholasta wrote:
> >> Hi,
> >>
> >> On 7.11.2014 at 16:51, Nathaniel McCallum wrote:
> >>> https://fedorahosted.org/freeipa/ticket/4693
> >>
> >> Is it good enough to just say "No YubiKey found"? Would it make sense to log
> >> the original message, for the sake of debugging why the yubikey was not found?
> > This is logged on the client side so it only would be visible if you
> > would run 'ipa' tool with -v. Perhaps useful but my practice with
> > yubikeys says that most of issues are basically permission-related:
> > you've inserted the key and udev rules didn't change access to allow
> > getting to it via libusb. In this case our debugging will hardly be
> > helpful beyond 'yes, it is not accessible' which is already conveyed by
> > the original message.
> 
> Ok. Though IMO, passing the USBError string to the error would still be a good
> thing to do - unless we have a strong reason to hide it. Error stating "Access
> denied (insufficient permissions)" would steer the person closer to the root
> cause than just "No YubiKey found".

It took a bit to figure out exactly how to handle the errors, but the
attached patch passes the error codes through.
From b8b7a4e34309120c012a8ec466f1b66d3a2bff9d Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Fri, 7 Nov 2014 10:47:43 -0500
Subject: [PATCH] Catch USBError during YubiKey location

https://fedorahosted.org/freeipa/ticket/4693
---
 ipalib/plugins/otptoken_yubikey.py | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/ipalib/plugins/otptoken_yubikey.py b/ipalib/plugins/otptoken_yubikey.py
index e70ddb6e42b5ea34d7ebecb252d6bbd73ac64d03..1540117093386ef29c6ec47c07731d7a432d26bf 100644
--- a/ipalib/plugins/otptoken_yubikey.py
+++ b/ipalib/plugins/otptoken_yubikey.py
@@ -25,6 +25,7 @@ from ipalib.plugins.otptoken import otptoken
 
 import os
 
+import usb.core
 import yubico
 
 __doc__ = _("""
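Review bot: the new top-level `import usb.core` makes this plugin depend directly on pyusb at import time, yet the diffstat shows only otptoken_yubikey.py changing. If pyusb has so far only been pulled in indirectly through yubico, declare it in the package requirements in the same change, so that a missing module cannot stop the plugin from loading.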
@@ -81,8 +82,10 @@ class otptoken_add_yubikey(Command):
 # Open the YubiKey
 try:
 yk = yubico.find_yubikey()
-except yubico.yubikey.YubiKeyError, e:
-raise NotFound(reason=_('No YubiKey found'))
+except usb.core.USBError as e:
+raise NotFound(reason="No YubiKey found: %s" % e.strerror)
+except yubico.yubikey.YubiKeyError as e:
+raise NotFound(reason=e.reason)
 
 assert yk.version_num() >= (2, 1)
 
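Review bot: the new `reason="No YubiKey found: %s" % e.strerror` drops the `_()` translation wrapper that the removed line had around 'No YubiKey found', so the message is no longer translatable. Keep the marker and interpolate afterwards, e.g. `reason=_('No YubiKey found: %s') % e.strerror`. Both handlers also pass `e.strerror` and `e.reason` to the user unchanged; falling back to the generic text when either is empty would keep the error meaningful.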
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0079] Catch USBError during YubiKey location

2014-11-10 Thread Martin Kosek
On 11/10/2014 08:31 AM, Alexander Bokovoy wrote:
> On Mon, 10 Nov 2014, Jan Cholasta wrote:
>> Hi,
>>
>> On 7.11.2014 at 16:51, Nathaniel McCallum wrote:
>>> https://fedorahosted.org/freeipa/ticket/4693
>>
>> Is it good enough to just say "No YubiKey found"? Would it make sense to log
>> the original message, for the sake of debugging why the yubikey was not found?
> This is logged on the client side so it only would be visible if you
> would run 'ipa' tool with -v. Perhaps useful but my practice with
> yubikeys says that most of issues are basically permission-related:
> you've inserted the key and udev rules didn't change access to allow
> getting to it via libusb. In this case our debugging will hardly be
> helpful beyond 'yes, it is not accessible' which is already conveyed by
> the original message.

Ok. Though IMO, passing the USBError string to the error would still be a good
thing to do - unless we have a strong reason to hide it. Error stating "Access
denied (insufficient permissions)" would steer the person closer to the root
cause than just "No YubiKey found".



Re: [Freeipa-devel] [PATCH 0079] Catch USBError during YubiKey location

2014-11-09 Thread Alexander Bokovoy

On Mon, 10 Nov 2014, Jan Cholasta wrote:
> Hi,
>
> On 7.11.2014 at 16:51, Nathaniel McCallum wrote:
>> https://fedorahosted.org/freeipa/ticket/4693
>
> Is it good enough to just say "No YubiKey found"? Would it make sense
> to log the original message, for the sake of debugging why the yubikey
> was not found?

This is logged on the client side so it only would be visible if you
would run 'ipa' tool with -v. Perhaps useful but my practice with
yubikeys says that most of issues are basically permission-related:
you've inserted the key and udev rules didn't change access to allow
getting to it via libusb. In this case our debugging will hardly be
helpful beyond 'yes, it is not accessible' which is already conveyed by
the original message.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0079] Catch USBError during YubiKey location

2014-11-09 Thread Jan Cholasta

Hi,

On 7.11.2014 at 16:51, Nathaniel McCallum wrote:
> https://fedorahosted.org/freeipa/ticket/4693


Is it good enough to just say "No YubiKey found"? Would it make sense to 
log the original message, for the sake of debugging why the yubikey was 
not found?


Honza

--
Jan Cholasta
