fix: surface a tampered capability flag as a clean error, not a traceback
a tampered or foreign GCM capability flag raises cryptography's InvalidTag (subclasses Exception, not ValueError/RuntimeError), which escaped the CLI's catch tuple as a raw traceback on the authorize/verify paths. main() now catches InvalidTag and surfaces '[✘] capability flag failed authentication — tampered or wrong DEK'. also corrected the stale CLAUDE.md storage note that still described the swallow-wrapped mongo methods instead of the fail-loud raw-collection path. Signed-off-by: disqualifier <dev@disqualifier.me>
parent
13bf77f0f4
commit
eced5333d6
@ -9,6 +9,8 @@ command loads config and resolves a storage backend first. expected failures
|
|||||||
import argparse
|
import argparse
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
|
from cryptography.exceptions import InvalidTag
|
||||||
|
|
||||||
from . import __version__
|
from . import __version__
|
||||||
from .config import ConfigError, load_config
|
from .config import ConfigError, load_config
|
||||||
from .commands import CommandError, authorize, config_init, init, list_keys, revoke, verify
|
from .commands import CommandError, authorize, config_init, init, list_keys, revoke, verify
|
||||||
@ -88,6 +90,8 @@ def main() -> int:
|
|||||||
storage = resolve(config)
|
storage = resolve(config)
|
||||||
handlers[args.cmd](config, storage, args)
|
handlers[args.cmd](config, storage, args)
|
||||||
return 0
|
return 0
|
||||||
|
except InvalidTag:
|
||||||
|
return _fail("capability flag failed authentication — tampered or wrong DEK")
|
||||||
except (ConfigError, CommandError, RuntimeError, ValueError, FileNotFoundError) as error:
|
except (ConfigError, CommandError, RuntimeError, ValueError, FileNotFoundError) as error:
|
||||||
return _fail(str(error))
|
return _fail(str(error))
|
||||||
|
|
||||||
|
|||||||
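Review bot: The `except InvalidTag:` clause added in main() guards the whole `handlers[args.cmd](config, storage, args)` dispatch, so a GCM authentication failure raised by any subcommand is reported as a capability-flag problem, and the message cannot say which stored record failed. Translating the exception where the flag is decrypted would keep the message accurate and give operators something to investigate: `except InvalidTag as error: raise CommandError("capability flag failed authentication — tampered or wrong DEK") from error`, with the record's identifier added to the text if one is in scope there. The existing `except (ConfigError, CommandError, ...)` clause would then handle it, and this module would no longer need the `cryptography` import. A failed tag is also a tamper signal, so it is worth confirming that `_fail` leaves a trace (exit status, stderr) that monitoring can tell apart from an ordinary config error; `_fail` and the opening of the `try` block are outside the hunk.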