diff --git a/internal/credentials/aws/secretmanager.go b/internal/credentials/aws/secretmanager.go index 09633b39e..21110c2e1 100644 --- a/internal/credentials/aws/secretmanager.go +++ b/internal/credentials/aws/secretmanager.go @@ -116,9 +116,11 @@ func (m *Manager) ReadCredentials(ctx context.Context, secretID string, creds an case (&types.ResourceNotFoundException{}).ErrorCode(): return fmt.Errorf("%w: path=%s", credentials.ErrNotFound, secretID) default: - return err + return fmt.Errorf("getting AWS Secret Value: %w", err) } } + + return fmt.Errorf("getting AWS Secret Value: %w", err) } return json.Unmarshal([]byte(*resp.SecretString), creds) diff --git a/internal/credentials/aws/secretmanager_test.go b/internal/credentials/aws/secretmanager_test.go index 17e4268fa..d42659a7d 100644 --- a/internal/credentials/aws/secretmanager_test.go +++ b/internal/credentials/aws/secretmanager_test.go @@ -18,12 +18,14 @@ package aws import ( "context" "encoding/json" + "errors" "reflect" "testing" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/secretsmanager" "github.com/aws/aws-sdk-go-v2/service/sso/types" + "github.com/aws/smithy-go" "github.com/chainloop-dev/chainloop/internal/credentials" mclient "github.com/chainloop-dev/chainloop/internal/credentials/aws/mocks" "github.com/stretchr/testify/assert" @@ -67,6 +69,72 @@ const defaultRegion = "default-region" const defaultAccessKey = "access-key-not-a-real-key" const defaultSecretKey = "secret-key-not-a-real-key" +func (s *testSuite) TestReadCredentialsErrorHandling() { + fakeSecretID := "fakeSecretID" + genericErr := errors.New("generic error") + genericAPIErr := &smithy.GenericAPIError{Code: "AnotherAPIError", Message: "Some message"} + + testCases := []struct { + name string + wantedError error + expectedError error + }{ + { + "GetSecretValue returns no error", + nil, + nil, + }, { + "GetSecretValue returns a smithy.APIError error of type 'resource not found'", + &smithy.GenericAPIError{Code: "ResourceNotFoundException", Message: "Some message"}, + credentials.ErrNotFound, + }, { + "GetSecretValue returns a smithy.APIError error of type 'other type'", + genericAPIErr, + genericAPIErr, + }, { + "GetSecretValue returns an error that is not smithy.APIError", + genericErr, + genericErr, + }, + } + + for _, tc := range testCases { + s.Run(tc.name, func() { + // re-set the manager mocked expectations + initMockedManager(s) + m := s.mockedManager + mc, _ := m.client.(*mclient.SecretsManagerIface) + ctx := context.Background() + + // mock response for method GetSecretValue(..) + var getSecretValueResp secretsmanager.GetSecretValueOutput + if tc.wantedError == nil { + validAPICreds := &credentials.APICreds{Host: "h", Key: "k"} + mockedResp, _ := json.Marshal(validAPICreds) + getSecretValueResp = secretsmanager.GetSecretValueOutput{ + SecretString: aws.String(string(mockedResp)), + } + } + + // mock call to GetSecretValue to return the wanted error + mc.On("GetSecretValue", ctx, &secretsmanager.GetSecretValueInput{ + SecretId: aws.String(fakeSecretID), + }).Return(&getSecretValueResp, tc.wantedError) + + // call + creds := &credentials.APICreds{} + err := m.ReadCredentials(ctx, fakeSecretID, creds) + + // test + if tc.expectedError == nil { + require.NoError(s.T(), err) + } else { + require.ErrorIs(s.T(), err, tc.expectedError) + } + }) + } +} + func (s *testSuite) TestReadWriteCredentials() { assert := assert.New(s.T()) validOCICreds := &credentials.OCIKeypair{Repo: "test-repo", Username: "username", Password: "password"}