Don't print stack traces when failing to get remote keys

Erik Johnston 2016-08-10 10:44:37 +01:00
parent cd41c6ece2
commit fa1ce4d8ad
2 changed files with 19 additions and 13 deletions


@ -61,6 +61,10 @@ Attributes:
""" """
class KeyLookupError(ValueError):
pass
class Keyring(object): class Keyring(object):
def __init__(self, hs): def __init__(self, hs):
self.store = hs.get_datastore() self.store = hs.get_datastore()
@ -363,7 +367,7 @@ class Keyring(object):
) )
except Exception as e: except Exception as e:
logger.info( logger.info(
"Unable to getting key %r for %r directly: %s %s", "Unable to get key %r for %r directly: %s %s",
key_ids, server_name, key_ids, server_name,
type(e).__name__, str(e.message), type(e).__name__, str(e.message),
) )
@ -425,7 +429,7 @@ class Keyring(object):
for response in responses: for response in responses:
if (u"signatures" not in response if (u"signatures" not in response
or perspective_name not in response[u"signatures"]): or perspective_name not in response[u"signatures"]):
raise ValueError( raise KeyLookupError(
"Key response not signed by perspective server" "Key response not signed by perspective server"
" %r" % (perspective_name,) " %r" % (perspective_name,)
) )
@ -448,7 +452,7 @@ class Keyring(object):
list(response[u"signatures"][perspective_name]), list(response[u"signatures"][perspective_name]),
list(perspective_keys) list(perspective_keys)
) )
raise ValueError( raise KeyLookupError(
"Response not signed with a known key for perspective" "Response not signed with a known key for perspective"
" server %r" % (perspective_name,) " server %r" % (perspective_name,)
) )
@ -491,10 +495,10 @@ class Keyring(object):
if (u"signatures" not in response if (u"signatures" not in response
or server_name not in response[u"signatures"]): or server_name not in response[u"signatures"]):
raise ValueError("Key response not signed by remote server") raise KeyLookupError("Key response not signed by remote server")
if "tls_fingerprints" not in response: if "tls_fingerprints" not in response:
raise ValueError("Key response missing TLS fingerprints") raise KeyLookupError("Key response missing TLS fingerprints")
certificate_bytes = crypto.dump_certificate( certificate_bytes = crypto.dump_certificate(
crypto.FILETYPE_ASN1, tls_certificate crypto.FILETYPE_ASN1, tls_certificate
@ -508,7 +512,7 @@ class Keyring(object):
response_sha256_fingerprints.add(fingerprint[u"sha256"]) response_sha256_fingerprints.add(fingerprint[u"sha256"])
if sha256_fingerprint_b64 not in response_sha256_fingerprints: if sha256_fingerprint_b64 not in response_sha256_fingerprints:
raise ValueError("TLS certificate not allowed by fingerprints") raise KeyLookupError("TLS certificate not allowed by fingerprints")
response_keys = yield self.process_v2_response( response_keys = yield self.process_v2_response(
from_server=server_name, from_server=server_name,
@ -560,14 +564,14 @@ class Keyring(object):
server_name = response_json["server_name"] server_name = response_json["server_name"]
if only_from_server: if only_from_server:
if server_name != from_server: if server_name != from_server:
raise ValueError( raise KeyLookupError(
"Expected a response for server %r not %r" % ( "Expected a response for server %r not %r" % (
from_server, server_name from_server, server_name
) )
) )
for key_id in response_json["signatures"].get(server_name, {}): for key_id in response_json["signatures"].get(server_name, {}):
if key_id not in response_json["verify_keys"]: if key_id not in response_json["verify_keys"]:
raise ValueError( raise KeyLookupError(
"Key response must include verification keys for all" "Key response must include verification keys for all"
" signatures" " signatures"
) )
@ -635,15 +639,15 @@ class Keyring(object):
if ("signatures" not in response if ("signatures" not in response
or server_name not in response["signatures"]): or server_name not in response["signatures"]):
raise ValueError("Key response not signed by remote server") raise KeyLookupError("Key response not signed by remote server")
if "tls_certificate" not in response: if "tls_certificate" not in response:
raise ValueError("Key response missing TLS certificate") raise KeyLookupError("Key response missing TLS certificate")
tls_certificate_b64 = response["tls_certificate"] tls_certificate_b64 = response["tls_certificate"]
if encode_base64(x509_certificate_bytes) != tls_certificate_b64: if encode_base64(x509_certificate_bytes) != tls_certificate_b64:
raise ValueError("TLS certificate doesn't match") raise KeyLookupError("TLS certificate doesn't match")
# Cache the result in the datastore. # Cache the result in the datastore.
@ -659,7 +663,7 @@ class Keyring(object):
for key_id in response["signatures"][server_name]: for key_id in response["signatures"][server_name]:
if key_id not in response["verify_keys"]: if key_id not in response["verify_keys"]:
raise ValueError( raise KeyLookupError(
"Key response must include verification keys for all" "Key response must include verification keys for all"
" signatures" " signatures"
) )
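Review bot: In the `@ -560` hunk, `response_json["server_name"]`, `response_json["signatures"]` and `response_json["verify_keys"]` are still indexed directly, so a remote response that omits one of these fields raises `KeyError` rather than `KeyLookupError`; unless the response is validated before this point (not visible here), it still reaches the generic handler and prints a stack trace. Because these fields come from a remote server, a presence check that raises the new type would put malformed responses on the same path as the other rejections, e.g. `if "server_name" not in response_json or "signatures" not in response_json: raise KeyLookupError("Key response missing required fields")`. The enclosing function starts and ends outside the hunk. Separately, `KeyLookupError` has only `pass` as its body; a one-line docstring such as `"""Raised when a remote key response is missing, unsigned or fails verification."""` would tell callers what the type covers.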


@ -15,6 +15,7 @@
from synapse.http.server import request_handler, respond_with_json_bytes from synapse.http.server import request_handler, respond_with_json_bytes
from synapse.http.servlet import parse_integer, parse_json_object_from_request from synapse.http.servlet import parse_integer, parse_json_object_from_request
from synapse.api.errors import SynapseError, Codes from synapse.api.errors import SynapseError, Codes
from synapse.crypto.keyring import KeyLookupError
from twisted.web.resource import Resource from twisted.web.resource import Resource
from twisted.web.server import NOT_DONE_YET from twisted.web.server import NOT_DONE_YET
@ -210,9 +211,10 @@ class RemoteKey(Resource):
yield self.keyring.get_server_verify_key_v2_direct( yield self.keyring.get_server_verify_key_v2_direct(
server_name, key_ids server_name, key_ids
) )
except KeyLookupError as e:
logger.info("Failed to fetch key: %s", e)
except: except:
logger.exception("Failed to get key for %r", server_name) logger.exception("Failed to get key for %r", server_name)
pass
yield self.query_keys( yield self.query_keys(
request, query, query_remote_on_cache_miss=False request, query, query_remote_on_cache_miss=False
) )
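Review bot: The new `except KeyLookupError` branch logs only the exception text, and several messages raised in `synapse.crypto.keyring` ("TLS certificate doesn't match", "Key response not signed by remote server") do not name the server, so the log line cannot be tied to a peer. The generic handler below it already includes `server_name`; the new branch could do the same with `logger.info("Failed to fetch key for %r: %s", server_name, e)`. These failures include signature and TLS-fingerprint mismatches, which are useful detection signals, so `logger.warning` may suit them better than `info`. The bare `except:` that follows is unchanged by this commit and could be narrowed to `except Exception:`. The enclosing `try` starts outside the hunk.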