New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Throw exception on 403 response #1508
Comments
@samdark completely agreed! Now, in case of a typo in AWS credentials, 403 are silently ignored and that's just not a great "feature" The code below is fair enough... # lib/Elastica//Transport/Guzzle.php
$client = $this->_getGuzzleClient($this->_getBaseUrl($connection), $connection->isPersistent(), $request);
$options = [
'exceptions' => false, // 4xx and 5xx is expected and NOT an exceptions in this context
];
// options then passed to $res = $client->send($req, $options); ...because a few lines later, response is re-packaged and create a new Response object $response = new Response((string) $res->getBody(), $res->getStatusCode());
...
if ($response->hasError()) {
throw new ResponseException($request, $response);
} However, that's really limited because Response hasError assumes that the response comes from ES cluster. If AWS credentials are wrong (eg a because of a typo) this will never be transparent to the user /**
* True if response has error.
*
* @return bool True if response has error
*/
public function hasError()
{
$response = $this->getData();
return isset($response['error']);
} In case of invalid AWS credentials the status code is 403 and the response looks like
|
This is the commit that introduced the problem 47e6d70#diff-77a5691dc6944986e3f43e8d562514d3 4xx and 5xx are not crashing to be handled later, except for some of them that are not, because hasErrors assumes $response['error'] is the source of truth |
Any suggestions on how to fix it? |
Setup the docker container via the makefile and had like 3 ideas, all ugly. So will get back with something more "kosher" in the next few days. Thanks for getting back! |
Very annoying issue that lost me a bunch of time. Also when attempting AWS connection, but this time a 400 for HTTP/HTTPS incompatibility was ignored because I didn't realize |
@Destroy666x agreed, this is not a great behaviour at present. Spent a some time last night how it all fits together
Thus, it is instead down to downstream client to implement an error check. in this case FOSElasticaBundle extends the base client class and should do the check. The existing tests in FosElasticaBundle rely on NullTransport from ruflin/Elastica to send a mock response. This class could be either duplicated (easy) or refactored (harder) to be more generic and test different use-cases. The PR is available here #1529 I'm keen to hear your comments – this is my first contribution here and i'm sure this may not be 100% correct @ruflin |
This is now resolved by two PRs |
What about those of us who are using AWS Elasticsearch without In my particular case I'm using AWS v4 auth and my server's date drifted 5 minutes into the future. I started getting weird errors from Elastica because the response from AWS doesn't contain an |
@NathanBaulch What would the changes to Elastica be to support this? |
Following the principle of least surprise, I would expect |
I agree, though it looks like there's already an open discussion on this in #1396. One exception to this (which bit me yesterday) are the I don't know what the best long term solution is, but for now I've sub-classed class Client extends \Elastica\Client
{
public function request($path, $method = Request::GET, $data = [], array $query = []) {
$res = parent::request($path, $method, $data, $query);
// workaround for Elastica issue #1508
$info = $res->getTransferInfo();
if (($code = $info['http_code'] ?? null) && $code >= 400 && !($code === 404 && $method === Request::HEAD)) {
$data = $res->getData();
$body = is_array($data) ? ($data['message'] ?? json_encode($data)) : $data;
throw new ClientException("HTTP $code error: $body");
}
return $res;
}
} |
As we started to do breaking changes in Elastica for 7.0 we can also tackled this with potential breaking changes. Should we move the discussion to #1396 ? |
What I do
In case you deny access in AWS policies, user would get 403 response with "User: anonymous is not authorized to perform" message.
Expected
Exception containing a response code and a message.
Actual
Elastica ignores the fact so I have to check each call to the library like the following:
The text was updated successfully, but these errors were encountered: