Fixes #1296

SURFscz · Mar 14, 2024 · 164b817 · 164b817
1 parent 23b8435
commit 164b817
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/server/api/scim.py b/server/api/scim.py
@@ -1,14 +1,16 @@
 import re
+import traceback
 import urllib.parse
 from typing import Union
 
 import requests
+from cryptography.exceptions import InvalidTag
 from flasgger import swag_from
 from flask import Blueprint, Response
 from sqlalchemy import func
 from werkzeug.exceptions import Unauthorized, BadRequest
 
-from server.api.base import json_endpoint, query_param
+from server.api.base import json_endpoint, query_param, send_error_mail
 from server.auth.security import confirm_write_access, is_service_admin
 from server.auth.tokens import validate_service_token
 from server.db.db import db
@@ -149,12 +151,16 @@ def sweep():
         results = perform_sweep(service)
         results["scim_url"] = service.scim_url
         return results, 201
-    except BadRequest as error:
-        return {"error": f"Error from remote scim server: {error.description}",
+    except BadRequest as bad_request:
+        return {"error": f"Error from remote scim server: {bad_request.description}",
                 "scim_url": service.scim_url}, 400
-    except requests.RequestException as e:
-        return {"error": f"Could not connect to remote SCIM server ({type(e).__name__})"
-                         f"{': ' + e.response.text if e.response else ''}",
+    except requests.RequestException as request_exception:
+        return {"error": f"Could not connect to remote SCIM server ({type(request_exception).__name__})"
+                         f"{': ' + request_exception.response.text if request_exception.response else ''}",
+                "scim_url": service.scim_url}, 400
+    except InvalidTag:
+        send_error_mail(tb=traceback.format_exc())
+        return {"error": "Could not decrypt SCIM bearer secret",
                 "scim_url": service.scim_url}, 400
     except Exception:
         return {"error": "Unknown error while connecting to remote SCIM server",

diff --git a/server/auth/secrets.py b/server/auth/secrets.py
@@ -6,8 +6,9 @@
 from secrets import token_urlsafe, SystemRandom
 
 import bcrypt
+from cryptography.exceptions import InvalidTag
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
-from werkzeug.exceptions import SecurityError, BadRequest
+from werkzeug.exceptions import SecurityError
 
 SYSTEM_RANDOM = SystemRandom()
 
@@ -57,5 +58,5 @@ def decrypt_secret(encryption_key: str, encrypted_value: str, context: dict) ->
     original_context = json.loads(decrypted)
     for key, value in context.items():
         if value != original_context[key]:
-            raise BadRequest(f"Invalid value(={original_context[key]}) for {key}, expected {value}")
+            raise InvalidTag(f"Invalid value(={original_context[key]}) for {key}, expected {value}")
     return original_context["plain_secret"]