SATOSA
Clean error reporting
If an exception is well understood and reported, there is no point in adding a stacktrace. E.g.: currently a saml2.s_utils.UnknownSystemEntity exception will result in a stacktrace (and disguise it as an "unknown error", btw). As the reason is a missing entry in metadata, a concise "configuration error: unknown system entity https://sp.example.org/sp" is sufficient. Therefore I propose to add in base:run
```python
except UnknownSystemEntity as err:
    satosa_logging(logger, logging.ERROR,
                   "configuration error: unknown system entity " + str(err),
                   context.state, exc_info=False)
    raise
```
However, proxy_server:run will handle the raised exception as a general Exception and print the stack trace. A possible solution would be to define a generic SatosaAlreadyReportedException that will silence the traceback by adding the second line in the following snippet from proxy_server.
```python
except (Exception, SatosaAlreadyReportedException) as err:
    if type(err) != SatosaAlreadyReportedException:
        logger.exception("%s" % err)
    if debug:
        raise
    resp = ServiceError("%s" % err)
    return resp(environ, start_response)
```
What do people think?
Further to this issue the current scheme will create an inappropriate Status message. A saml2.response.StatusInvalidNameidPolicy exception will create a urn:oasis:names:tc:SAML:2.0:status:AuthnFailed message, whereas urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy would be correct.
More: The exception saml2.validate.ToEarly thrown when processing the response in the backend is wrapped in "satosa.exception.SATOSAAuthenticationError: Failed to parse authn request". Expected behavior: only the original exception should be logged, the traceback is not helpful.
Related to #146
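An added, self-contained illustration of the two-layer scheme proposed above (not code from the SATOSA project): `UnknownSystemEntity` is a constructed stand-in for `saml2.s_utils.UnknownSystemEntity`, `base_run` and `proxy_run` model `base.run` and `proxy_server.run`, the inner handler raises the marker exception instead of re-raising the original so the outer handler can recognise it, and `isinstance` replaces the `type(err) !=` check.

```python
import logging


class UnknownSystemEntity(Exception):
    """Constructed stand-in for saml2.s_utils.UnknownSystemEntity (no pysaml2 needed)."""


class SatosaAlreadyReportedException(Exception):
    """Marker: root cause already logged concisely; outer handlers must not add a traceback."""


class _Capture(logging.Handler):
    """Collects log records so the example can inspect what would have been written."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


logger = logging.getLogger("satosa-example")
logger.propagate = False
logger.setLevel(logging.DEBUG)
capture = _Capture()
logger.addHandler(capture)


def base_run(entity_id, metadata):
    """Models base.run: metadata lookup; a missing entry is a known configuration error."""
    try:
        if entity_id not in metadata:
            raise UnknownSystemEntity(entity_id)
        return metadata[entity_id]
    except UnknownSystemEntity as err:
        # Well-understood failure: one concise line, no exc_info, then signal "already reported".
        logger.error("configuration error: unknown system entity %s", err)
        raise SatosaAlreadyReportedException(str(err)) from err


def proxy_run(entity_id, metadata, debug=False):
    """Models proxy_server.run; returns (status, message) like ServiceError would render."""
    try:
        base_run(entity_id, metadata)
        return 200, "ok"
    except Exception as err:
        if not isinstance(err, SatosaAlreadyReportedException):
            logger.exception("%s", err)  # genuinely unexpected: keep the traceback
        if debug:
            raise
        return 500, "%s" % err


def traceback_count():
    """Number of captured records that carry a traceback (exc_info)."""
    return sum(1 for r in capture.records if r.exc_info)
```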
Even though I have an entry in the metadata I am still getting the unknown system entity error. Please help