This is an attempt to provide a better structure for handling CVE 404 errors following my comment here: #11305 (comment)

Basically, we ended up in a situation where we were trying to raise a 404 error from within the `security_api_error` error handler, but we had to do it manually with `flask.render_template` rather than the more proper `flask.abort` because you can't `abort` from within an active `errorhandler`.

I think this was pointing to a sort of code smell, that we shouldn't really have got as far as raising a `SecurityAPIError` if really all that happened is that a CVE is missing. In fact, I think it would be much more reasonable for `SecurityAPI.get_cve` to simply return `None`, rather than an error, if the CVE in question doesn't exist. This is reinforced by the fact that the code to turn that `None` response into a `flask.abort(404)` actually already existed in the `cve` view, even though it was not being used.

So I've restructured the code to do the logic of reading the `404` code from the API's response inside the `SecurityAPIError.get_cve` method itself, and return `None` in that case. The `SecurityAPIError._get` method now simply does `raise_for_status()`, which seems reasonable as it is simply a generic HTTP request method and shouldn't have any greater knowledge than that, and then it's up to the public methods (currently `get_cve` and `get_releases`) to turn those `HTTPError` exceptions into `SecurityAPIError`s or `None` as appropriate. I hope this makes sense.

To facilitate this branch I've also proposed a change to canonicalwebteam.flask-base. This branch uses that new version. A review of this branch is effectively a review of that one. Please go and approve that one once this is reviewed, but don't merge this until that PR is merged and published and this PR's `requirements.txt` is updated.

QA
Go to https://ubuntu-com-11343.demos.haus/security/CVE-1234-5678, see a beautiful 404 page, with a custom error message.
Go to https://ubuntu-com-11343.demos.haus/zfgzdfsd check the normal 404 page still works.
Go to https://ubuntu-com-11343.demos.haus/security/CVE-2022-23639, check a normal CVE still displays properly.
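
The layering described in the PR description above, as an added example that is not code from this pull request. `HTTPError`, `FakeResponse` and `FakeSession` are constructed stand-ins for the `requests` types so the sketch runs offline; the URL paths, the `CVE-0000-0500` failure case and the tuple returned by `cve_view` (in place of `flask.abort(404)`) are assumptions.

```python
class HTTPError(Exception):
    """Stand-in for requests.HTTPError; carries the failing response."""
    def __init__(self, response):
        super().__init__(f"HTTP {response.status_code}")
        self.response = response

class SecurityAPIError(HTTPError):
    """Upstream failure other than a missing resource (hypothetical shape)."""

class FakeResponse:
    """Constructed response with the parts of requests.Response used here."""
    def __init__(self, status_code, body=None):
        self.status_code, self._body = status_code, body
    def raise_for_status(self):
        if self.status_code >= 400:
            raise HTTPError(self)
    def json(self):
        return self._body

class FakeSession:
    """Constructed transport: one known CVE, one upstream failure, else 404."""
    def get(self, url):
        if url.endswith("/cves/CVE-2022-23639.json"):
            return FakeResponse(200, {"id": "CVE-2022-23639"})
        if url.endswith("/cves/CVE-0000-0500.json"):
            return FakeResponse(500)
        return FakeResponse(404)

class SecurityAPI:
    def __init__(self, session, base_url):
        self.session, self.base_url = session, base_url

    def _get(self, path):
        # Generic HTTP helper: it does not decide what a 404 means.
        response = self.session.get(f"{self.base_url}{path}")
        response.raise_for_status()
        return response

    def get_cve(self, cve_id):
        # A missing CVE is an expected outcome; anything else is an API error.
        try:
            return self._get(f"/cves/{cve_id}.json").json()
        except HTTPError as error:
            if error.response.status_code == 404:
                return None
            raise SecurityAPIError(error.response) from error

def cve_view(api, cve_id):
    # Stand-in for the Flask view; the None branch is where flask.abort(404) goes.
    cve = api.get_cve(cve_id)
    return (404, f"{cve_id} not found") if cve is None else (200, cve["id"])
```

Keeping the 404 decision in `get_cve` means a 5xx from the API still surfaces as `SecurityAPIError` and is not rendered as a missing CVE.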