Merge pull request #711 from xmidt-org/credentiallogs

log credential errors
xmidt-org · Sep 26, 2023 · c8b262f · c8b262f
2 parents 7015ce8 + 57bf11f
commit c8b262f
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 18 deletions.
diff --git a/internal/pkg/appsecret/config_vault.go b/internal/pkg/appsecret/config_vault.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"github.com/rs/zerolog"
 	"github.com/xmidt-org/ears/internal/pkg/config"
 	"github.com/xmidt-org/ears/pkg/secret"
 	"github.com/xmidt-org/ears/pkg/tenant"
@@ -103,25 +104,27 @@ type TenantConfigVault struct {
 	tid          tenant.Id
 	tenantStorer tenant.TenantStorer
 	httpClient   *http.Client
+	logger       *zerolog.Logger
 }
 
-func NewTenantConfigVault(tid tenant.Id, parentVault secret.Vault, tenantStorer tenant.TenantStorer) secret.Vault {
+func NewTenantConfigVault(tid tenant.Id, parentVault secret.Vault, tenantStorer tenant.TenantStorer, logger *zerolog.Logger) secret.Vault {
 	tcv := &TenantConfigVault{
 		parentVault:  parentVault,
 		tid:          tid,
 		tenantStorer: tenantStorer,
+		logger:       logger,
 	}
 	return tcv
 }
 
-func (v *TenantConfigVault) getSatBearerToken(ctx context.Context) string {
+func (v *TenantConfigVault) getSatBearerToken(ctx context.Context) (string, error) {
 	//curl -s -X POST -H "X-Client-Id: ***" -H "X-Client-Secret: ***" -H "Cache-Control: no-cache" https://sat-prod.codebig2.net/oauth/token
 	//echo "Bearer $TOKEN"
 	if time.Now().Unix() >= satToken.ExpiresAt {
 		satToken = SatToken{}
 	}
 	if satToken.AccessToken != "" {
-		return satToken.TokenType + " " + satToken.AccessToken
+		return satToken.TokenType + " " + satToken.AccessToken, nil
 	}
 	if v.httpClient == nil {
 		v.httpClient = &http.Client{
@@ -130,46 +133,46 @@ func (v *TenantConfigVault) getSatBearerToken(ctx context.Context) string {
 	}
 	req, err := http.NewRequest("POST", SAT_URL, nil)
 	if err != nil {
-		return ""
+		return "", err
 	}
 	tenantConfig, err := v.tenantStorer.GetConfig(ctx, v.tid)
 	if err != nil {
-		return ""
+		return "", err
 	}
 	if len(tenantConfig.ClientIds) == 0 {
-		return ""
+		return "", errors.New("tenant has no client IDs")
 	}
 	if tenantConfig.ClientSecret == "" {
-		return ""
+		return "", errors.New("tenant has no client secret")
 	}
 	req.Header.Add("X-Client-Id", tenantConfig.ClientIds[0])
 	req.Header.Add("X-Client-Secret", tenantConfig.ClientSecret)
 	req.Header.Add("Cache-Control", "no-cache")
 	resp, err := v.httpClient.Do(req)
 	if err != nil {
-		return ""
+		return "", err
 	}
 	buf, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
-		return ""
+		return "", err
 	}
 	defer resp.Body.Close()
 	err = json.Unmarshal(buf, &satToken)
 	if err != nil {
-		return ""
+		return "", err
 	}
 	satToken.ExpiresAt = time.Now().Unix() + int64(satToken.ExpiresIn)
-	return satToken.TokenType + " " + satToken.AccessToken
+	return satToken.TokenType + " " + satToken.AccessToken, nil
 }
 
 func (v *TenantConfigVault) GetConfig(ctx context.Context, key string) string {
 	return v.parentVault.GetConfig(ctx, key)
 }
 
 func (v *TenantConfigVault) getCredential(ctx context.Context, key string, credentialType string, field string) (*Credential, error) {
-	token := v.getSatBearerToken(ctx)
-	if token == "" {
-		return nil, errors.New("no bearer token")
+	token, err := v.getSatBearerToken(ctx)
+	if err != nil {
+		return nil, err
 	}
 	if v.httpClient == nil {
 		v.httpClient = &http.Client{
@@ -294,6 +297,7 @@ func (v *TenantConfigVault) Secret(ctx context.Context, key string) string {
 		keys := strings.Split(key, ".")
 		credential, err := v.getCredential(ctx, keys[0], "", "")
 		if err != nil {
+			v.logger.Error().Str("op", "Secret").Str("tid", v.tid.ToString()).Str("gears.app.id", v.tid.AppId).Str("partner.id", v.tid.OrgId).Msg("credential error: " + err.Error())
 			return key
 		}
 		if len(keys) >= 2 {

diff --git a/internal/pkg/appsecret/config_vault_test.go b/internal/pkg/appsecret/config_vault_test.go
@@ -38,7 +38,7 @@ func TestConfigVault(t *testing.T) {
 		t.Fatalf("expected non secret, got %s\n", val)
 	}
 
-	v = appsecret.NewTenantConfigVault(tenant.Id{OrgId: "myorg", AppId: "myapp"}, v, nil)
+	v = appsecret.NewTenantConfigVault(tenant.Id{OrgId: "myorg", AppId: "myapp"}, v, nil, nil)
 	val = v.Secret(ctx, "secret://kafka.secret1")
 	g.Assert(t, "secret1", []byte(val))
 	val = v.Secret(ctx, "secret://kafka.secret2")

diff --git a/internal/pkg/plugin/manager.go b/internal/pkg/plugin/manager.go
@@ -150,7 +150,7 @@ func (m *manager) RegisterReceiver(
 
 		var secrets secret.Vault
 		if m.secrets != nil {
-			secrets = appsecret.NewTenantConfigVault(tid, m.secrets, m.tenantStorer)
+			secrets = appsecret.NewTenantConfigVault(tid, m.secrets, m.tenantStorer, m.logger)
 		}
 
 		receiverChan := make(chan pkgreceiver.Receiver, 1)
@@ -429,7 +429,7 @@ func (m *manager) RegisterFilter(ctx context.Context, plugin string, name string
 
 		var secrets secret.Vault
 		if m.secrets != nil {
-			secrets = appsecret.NewTenantConfigVault(tid, m.secrets, m.tenantStorer)
+			secrets = appsecret.NewTenantConfigVault(tid, m.secrets, m.tenantStorer, m.logger)
 		}
 
 		filterChan := make(chan pkgfilter.Filterer, 1)
@@ -610,7 +610,7 @@ func (m *manager) RegisterSender(
 		var secrets secret.Vault
 
 		if m.secrets != nil {
-			secrets = appsecret.NewTenantConfigVault(tid, m.secrets, m.tenantStorer)
+			secrets = appsecret.NewTenantConfigVault(tid, m.secrets, m.tenantStorer, m.logger)
 		}
 
 		senderChan := make(chan pkgsender.Sender, 1)