From 59f9380c325af4f177cb9ac3f05c840c6f5bc26c Mon Sep 17 00:00:00 2001
From: Ivan Kolodyazhny
Date: Fri, 12 Jun 2020 12:01:37 +0300
Subject: [PATCH] Add handler for Bad Request error during Vault authentication

Vault returns Bad Request error if invalid secret ID is provided. It's better to have such errors handled instad of generic "KeyError: 'auth'" execption.

Change-Id: Ibc068af70de4022f544d394ec4b014443a9c16b5
---
 castellan/key_manager/vault_key_manager.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/castellan/key_manager/vault_key_manager.py b/castellan/key_manager/vault_key_manager.py
index ad1424f0..8d9a8958 100644
--- a/castellan/key_manager/vault_key_manager.py
+++ b/castellan/key_manager/vault_key_manager.py
@@ -173,10 +173,14 @@ class VaultKeyManager(key_manager.KeyManager):
 if resp.status_code == requests.codes['forbidden']:
 raise exception.Forbidden()

- resp = resp.json()
- self._cached_approle_token_id = resp['auth']['client_token']
+ resp_data = resp.json()
+
+ if resp.status_code == requests.codes['bad_request']:
+ raise exception.KeyManagerError(', '.join(resp_data['errors']))
+
+ self._cached_approle_token_id = resp_data['auth']['client_token']
 self._approle_token_issue = token_issue_utc
- self._approle_token_ttl = resp['auth']['lease_duration']
+ self._approle_token_ttl = resp_data['auth']['lease_duration']
 return {'X-Vault-Token': self._approle_token_id}

 return {}
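Review bot: Only 403 and 400 are handled in this hunk, so any other failed login response (for example a 5xx from a sealed or unavailable Vault) still reaches `resp_data['auth']` and surfaces as the same generic KeyError this commit sets out to remove. Widening the new check to `if not resp.ok:` and building the message with `', '.join(resp_data.get('errors', []))` would cover those statuses as well as a 400 body that lacks an `errors` key. `resp.json()` can itself raise ValueError on a non-JSON body, such as an error page from an intermediate proxy, so it is worth catching that and re-raising it as `exception.KeyManagerError`. The enclosing method starts outside the hunk, so earlier status handling may exist that is not visible here.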