-rw-r--r--oslo_rootwrap/daemon.py28
-rw-r--r--oslo_rootwrap/tests/test_functional.py14
-rw-r--r--oslo_rootwrap/tests/test_rootwrap.py4
-rw-r--r--test-requirements.txt6
4 files changed, 35 insertions, 17 deletions
diff --git a/oslo_rootwrap/daemon.py b/oslo_rootwrap/daemon.py
index 5409dfd..cf7f03e 100644
--- a/oslo_rootwrap/daemon.py
+++ b/oslo_rootwrap/daemon.py
@@ -27,6 +27,7 @@ import sys
import tempfile
import threading
+from oslo_rootwrap import cmd
from oslo_rootwrap import jsonrpc
from oslo_rootwrap import subprocess
from oslo_rootwrap import wrapper
@@ -45,14 +46,25 @@ class RootwrapClass(object):
self.filters = filters
def run_one_command(self, userargs, stdin=None):
- obj = wrapper.start_subprocess(
- self.filters, userargs,
- exec_dirs=self.config.exec_dirs,
- log=self.config.use_syslog,
- close_fds=True,
- stdin=subprocess.PIPE,
- stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
+ try:
+ obj = wrapper.start_subprocess(
+ self.filters, userargs,
+ exec_dirs=self.config.exec_dirs,
+ log=self.config.use_syslog,
+ close_fds=True,
+ stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ except wrapper.FilterMatchNotExecutable:
+ LOG.warning("Executable not found for: %s",
+ ' '.join(userargs))
+ return cmd.RC_NOEXECFOUND, "", ""
+
+ except wrapper.NoFilterMatched:
+ LOG.warning("Unauthorized command: %s (no filter matched)",
+ ' '.join(userargs))
+ return cmd.RC_UNAUTHORIZED, "", ""
+
if six.PY3 and stdin is not None:
stdin = os.fsencode(stdin)
out, err = obj.communicate(stdin)
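Review bot: The two new warnings in `run_one_command` write `' '.join(userargs)` into the root daemon's log, and `userargs` appears to be supplied by the less-privileged client, so embedded newlines or control characters could split or forge log entries, and the joined form hides argument boundaries. Logging the list with `%r` keeps each record on one line and unambiguous, and it also avoids a `TypeError` from `join` inside the handler if a non-string element arrives: `LOG.warning("Unauthorized command: %r (no filter matched)", userargs)`, and likewise for the "Executable not found" message. `LOG` is not defined in the visible lines, so confirm the module already has a logger. Any other exception raised by `wrapper.start_subprocess` still propagates as before; the method body continues outside the hunk.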
diff --git a/oslo_rootwrap/tests/test_functional.py b/oslo_rootwrap/tests/test_functional.py
index a23d9f1..83825a5 100644
--- a/oslo_rootwrap/tests/test_functional.py
+++ b/oslo_rootwrap/tests/test_functional.py
@@ -34,9 +34,9 @@ import testtools
from testtools import content
from oslo_rootwrap import client
+from oslo_rootwrap import cmd
from oslo_rootwrap import subprocess
from oslo_rootwrap.tests import run_daemon
-from oslo_rootwrap import wrapper
class _FunctionalBase(object):
@@ -57,6 +57,7 @@ echo: CommandFilter, /bin/echo, root
cat: CommandFilter, /bin/cat, root
sh: CommandFilter, /bin/sh, root
id: CommandFilter, /usr/bin/id, nobody
+unknown_cmd: CommandFilter, /unknown/unknown_cmd, root
""")
def _test_run_once(self, expect_byte=True):
@@ -83,6 +84,14 @@ id: CommandFilter, /usr/bin/id, nobody
self.assertEqual(expect_out, out)
self.assertEqual(expect_err, err)
+ def test_run_command_not_found(self):
+ code, out, err = self.execute(['unknown_cmd'])
+ self.assertEqual(cmd.RC_NOEXECFOUND, code)
+
+ def test_run_unauthorized_command(self):
+ code, out, err = self.execute(['unauthorized_cmd'])
+ self.assertEqual(cmd.RC_UNAUTHORIZED, code)
+
def test_run_as(self):
if os.getuid() != 0:
self.skip('Test requires root (for setuid)')
@@ -183,9 +192,6 @@ class RootwrapDaemonTest(_FunctionalBase, testtools.TestCase):
def test_run_with_stdin(self):
self._test_run_with_stdin(expect_byte=False)
- def test_error_propagation(self):
- self.assertRaises(wrapper.NoFilterMatched, self.execute, ['other'])
-
def test_daemon_ressurection(self):
# Let the client start a daemon
self.execute(['cat'])
diff --git a/oslo_rootwrap/tests/test_rootwrap.py b/oslo_rootwrap/tests/test_rootwrap.py
index d023d5f..200c4f0 100644
--- a/oslo_rootwrap/tests/test_rootwrap.py
+++ b/oslo_rootwrap/tests/test_rootwrap.py
@@ -156,7 +156,7 @@ class RootwrapTestCase(testtools.TestCase):
# check that environment variables are set
self.assertEqual('/some/thing', env.get('A'))
self.assertEqual('somethingelse', env.get('B'))
- self.assertFalse('sleep' in env.keys())
+ self.assertNotIn('sleep', env.keys())
def test_EnvFilter_without_leading_env(self):
envset = ['A=/some/thing', 'B=somethingelse']
@@ -175,7 +175,7 @@ class RootwrapTestCase(testtools.TestCase):
# check that environment variables are set
self.assertEqual('/some/thing', env.get('A'))
self.assertEqual('somethingelse', env.get('B'))
- self.assertFalse('sleep' in env.keys())
+ self.assertNotIn('sleep', env.keys())
def test_KillFilter(self):
if not os.path.exists("/proc/%d" % os.getpid()):
diff --git a/test-requirements.txt b/test-requirements.txt
index aee933f..daad9c4 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -11,8 +11,8 @@ testscenarios>=0.4 # Apache-2.0/BSD
testtools>=1.4.0 # MIT
# this is required for the docs build jobs
-sphinx!=1.3b1,<1.3,>=1.2.1 # BSD
-oslosphinx!=3.4.0,>=2.5.0 # Apache-2.0
+sphinx!=1.3b1,<1.4,>=1.2.1 # BSD
+oslosphinx>=4.7.0 # Apache-2.0
oslotest>=1.10.0 # Apache-2.0
@@ -22,4 +22,4 @@ mock>=2.0 # BSD
# rootwrap daemon's client should be verified to run in eventlet
eventlet!=0.18.3,>=0.18.2 # MIT
-reno>=1.8.0 # Apache2
+reno>=1.8.0 # Apache-2.0