Improve error messages for invalid identities (#4848)

* If we get a 401, 403, or 404 getting a MI, give the error to the user - otherwise return an internal server error

* Fix typo

* Appease CI

* PR feedback response - handle 429s

* PR feedback response - rename helper function to align with others

* PR feedback response - factor out some duplicated error type checking

* Remove original helper function to check for 4xx errors - it's unused now

Author: kimorris27

pkg/cluster/clustermsi.go

@@ -49,7 +49,7 @@ func EnsureClusterMsiCertificateWithParams(ctx context.Context, clusterDocID str
 	secretName := dataplane.IdentifierForManagedIdentityCredentials(clusterDocID)
 
 	existingMsiCertificate, err := kvStore.GetSecret(ctx, secretName, "", nil)
-	if err != nil && !azureerrors.IsNotFoundError(err) {
+	if err != nil && !azureerrors.IsStatusNotFoundError(err) {
 		return MsiCertificateRefreshResultUnchanged, err
 	}
 

pkg/cluster/delete.go

@@ -49,7 +49,7 @@ func (m *manager) deleteNic(ctx context.Context, nicName string) error {
 
 	// nic is already gone which typically happens on PLS / PE nics
 	// as they are deleted in a different step
-	if azureerrors.IsNotFoundError(err) {
+	if azureerrors.IsStatusNotFoundError(err) {
 		return nil
 	}
 	if err != nil {
@@ -382,7 +382,7 @@ func (m *manager) deleteClusterMsiCertificate(ctx context.Context) error {
 
 	secretName := dataplane.IdentifierForManagedIdentityCredentials(m.doc.ID)
 
-	if _, err := m.clusterMsiKeyVaultStore.DeleteSecret(ctx, secretName, nil); err != nil && !azureerrors.IsNotFoundError(err) {
+	if _, err := m.clusterMsiKeyVaultStore.DeleteSecret(ctx, secretName, nil); err != nil && !azureerrors.IsStatusNotFoundError(err) {
 		return err
 	}
 
@@ -425,7 +425,7 @@ func (m *manager) deleteFederatedCredentials(ctx context.Context) error {
 			&armmsi.FederatedIdentityCredentialsClientListOptions{},
 		)
 		if err != nil {
-			if azureerrors.IsNotFoundError(err) {
+			if azureerrors.IsStatusNotFoundError(err) {
 				m.log.Infof("federated identity credentials not found for %s: %v", identity.ResourceID, err.Error())
 			} else {
 				m.log.Errorf("failed to list federated identity credentials for %s: %v", identity.ResourceID, err.Error())
@@ -452,7 +452,7 @@ func (m *manager) deleteFederatedCredentials(ctx context.Context) error {
 					&armmsi.FederatedIdentityCredentialsClientDeleteOptions{},
 				)
 				if err != nil {
-					if azureerrors.IsNotFoundError(err) {
+					if azureerrors.IsStatusNotFoundError(err) {
 						m.log.Infof("federated identity credentials not found for %s: %v", identity.ResourceID, err.Error())
 					} else {
 						m.log.Errorf("failed to delete federated identity credentials for %s: %v", identity.ResourceID, err.Error())

pkg/cluster/platformworkloadidentities.go

@@ -44,11 +44,10 @@ func (m *manager) platformWorkloadIdentityIDs(ctx context.Context) error {
 
 		identityDetails, err := m.userAssignedIdentities.Get(ctx, resourceId.ResourceGroupName, resourceId.Name, &armmsi.UserAssignedIdentitiesClientGetOptions{})
 		if err != nil {
-			if azureerrors.Is4xxError(err) {
-				m.log.Error(err)
-				return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidPlatformWorkloadIdentity, fmt.Sprintf(`.properties.platformWorkloadIdentityProfile.platformWorkloadIdentities["%s"]`, operatorName), fmt.Sprintf("platform workload identity '%s' is invalid", operatorName))
+			if azureerrors.IsStatusUnauthorizedError(err) || azureerrors.IsStatusForbiddenError(err) || azureerrors.IsStatusNotFoundError(err) || azureerrors.IsRetryableError(err) {
+				return api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidPlatformWorkloadIdentity, fmt.Sprintf(`.properties.platformWorkloadIdentityProfile.platformWorkloadIdentities["%s"]`, operatorName), err.Error())
 			} else {
-				return fmt.Errorf("error occured when retrieving platform workload identity '%s' details: %w", operatorName, err)
+				return fmt.Errorf("error occurred when retrieving platform workload identity '%s' details: %w", operatorName, err)
 			}
 		}
 

pkg/cluster/platformworkloadidentities_test.go

@@ -6,13 +6,15 @@ package cluster
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"strings"
 	"testing"
 
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
 	"go.uber.org/mock/gomock"
 
+	azruntime "github.com/Azure/azure-sdk-for-go/sdk/azcore/runtime"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/msi/armmsi"
 
 	"github.com/Azure/ARO-RP/pkg/api"
@@ -37,6 +39,11 @@ func TestPlatformWorkloadIdentityIDs(t *testing.T) {
 	identityBarResourceId := fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s", subscriptionId, clusterRG, identityBarName)
 	identityBarClientId := "0ba40ba4-0ba4-0ba4-0ba4-0ba40ba40ba4"
 	identityBarObjectId := "1ba41ba4-1ba4-1ba4-1ba4-1ba41ba41ba4"
+	fooTarget := `.properties.platformWorkloadIdentityProfile.platformWorkloadIdentities["foo"]`
+	unauthorizedErr := azruntime.NewResponseError(&http.Response{StatusCode: http.StatusUnauthorized})
+	forbiddenErr := azruntime.NewResponseError(&http.Response{StatusCode: http.StatusForbidden})
+	notFoundErr := azruntime.NewResponseError(&http.Response{StatusCode: http.StatusNotFound})
+	tooManyRequestsErr := azruntime.NewResponseError(&http.Response{StatusCode: http.StatusTooManyRequests})
 
 	validWIClusterDoc := &api.OpenShiftClusterDocument{
 		ID:  clusterId,
@@ -121,7 +128,99 @@ func TestPlatformWorkloadIdentityIDs(t *testing.T) {
 				mock.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().
 					Return(armmsi.UserAssignedIdentitiesClientGetResponse{}, fmt.Errorf("some error occurred"))
 			},
-			wantErr: "error occured when retrieving platform workload identity 'foo' details: some error occurred",
+			wantErr: "error occurred when retrieving platform workload identity 'foo' details: some error occurred",
+		},
+		{
+			name: "error - unauthorized identity lookup becomes invalid platform workload identity",
+			doc: &api.OpenShiftClusterDocument{
+				ID:  clusterId,
+				Key: clusterId,
+				OpenShiftCluster: &api.OpenShiftCluster{
+					Properties: api.OpenShiftClusterProperties{
+						PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{
+							PlatformWorkloadIdentities: map[string]api.PlatformWorkloadIdentity{
+								identityFooName: {
+									ResourceID: identityFooResourceId,
+								},
+							},
+						},
+					},
+				},
+			},
+			userAssignedIdentitiesClientMocks: func(mock *mock_armmsi.MockUserAssignedIdentitiesClient) {
+				mock.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().
+					Return(armmsi.UserAssignedIdentitiesClientGetResponse{}, unauthorizedErr)
+			},
+			wantErr: api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidPlatformWorkloadIdentity, fooTarget, unauthorizedErr.Error()).Error(),
+		},
+		{
+			name: "error - forbidden identity lookup becomes invalid platform workload identity",
+			doc: &api.OpenShiftClusterDocument{
+				ID:  clusterId,
+				Key: clusterId,
+				OpenShiftCluster: &api.OpenShiftCluster{
+					Properties: api.OpenShiftClusterProperties{
+						PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{
+							PlatformWorkloadIdentities: map[string]api.PlatformWorkloadIdentity{
+								identityFooName: {
+									ResourceID: identityFooResourceId,
+								},
+							},
+						},
+					},
+				},
+			},
+			userAssignedIdentitiesClientMocks: func(mock *mock_armmsi.MockUserAssignedIdentitiesClient) {
+				mock.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().
+					Return(armmsi.UserAssignedIdentitiesClientGetResponse{}, forbiddenErr)
+			},
+			wantErr: api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidPlatformWorkloadIdentity, fooTarget, forbiddenErr.Error()).Error(),
+		},
+		{
+			name: "error - not found identity lookup becomes invalid platform workload identity",
+			doc: &api.OpenShiftClusterDocument{
+				ID:  clusterId,
+				Key: clusterId,
+				OpenShiftCluster: &api.OpenShiftCluster{
+					Properties: api.OpenShiftClusterProperties{
+						PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{
+							PlatformWorkloadIdentities: map[string]api.PlatformWorkloadIdentity{
+								identityFooName: {
+									ResourceID: identityFooResourceId,
+								},
+							},
+						},
+					},
+				},
+			},
+			userAssignedIdentitiesClientMocks: func(mock *mock_armmsi.MockUserAssignedIdentitiesClient) {
+				mock.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().
+					Return(armmsi.UserAssignedIdentitiesClientGetResponse{}, notFoundErr)
+			},
+			wantErr: api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidPlatformWorkloadIdentity, fooTarget, notFoundErr.Error()).Error(),
+		},
+		{
+			name: "error - too many requests identity lookup becomes invalid platform workload identity",
+			doc: &api.OpenShiftClusterDocument{
+				ID:  clusterId,
+				Key: clusterId,
+				OpenShiftCluster: &api.OpenShiftCluster{
+					Properties: api.OpenShiftClusterProperties{
+						PlatformWorkloadIdentityProfile: &api.PlatformWorkloadIdentityProfile{
+							PlatformWorkloadIdentities: map[string]api.PlatformWorkloadIdentity{
+								identityFooName: {
+									ResourceID: identityFooResourceId,
+								},
+							},
+						},
+					},
+				},
+			},
+			userAssignedIdentitiesClientMocks: func(mock *mock_armmsi.MockUserAssignedIdentitiesClient) {
+				mock.EXPECT().Get(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).AnyTimes().
+					Return(armmsi.UserAssignedIdentitiesClientGetResponse{}, tooManyRequestsErr)
+			},
+			wantErr: api.NewCloudError(http.StatusBadRequest, api.CloudErrorCodeInvalidPlatformWorkloadIdentity, fooTarget, tooManyRequestsErr.Error()).Error(),
 		},
 		{
 			name: "success - all clientIDs and objectIDs updated in clusterdoc",

pkg/operator/controllers/storageaccounts/storageaccounts.go

@@ -44,7 +44,7 @@ func (r *reconcileManager) reconcileAccounts(ctx context.Context) error {
 
 		armSubnet, err := r.subnets.Get(ctx, resourceGroupName, vnetName, subnetName, nil)
 		if err != nil {
-			if azureerrors.IsNotFoundError(err) {
+			if azureerrors.IsStatusNotFoundError(err) {
 				r.log.Infof("Subnet %s not found, skipping", subnet.ResourceID)
 				continue
 			}

pkg/operator/controllers/subnets/subnet_nsg.go

@@ -42,7 +42,7 @@ func (r *reconcileManager) ensureSubnetNSG(ctx context.Context, s subnet.Subnet)
 
 	subnetObject, err := r.subnets.Get(ctx, subnetID.ResourceGroupName, subnetID.Parent.Name, subnetID.Name, nil)
 	if err != nil {
-		if azureerrors.IsNotFoundError(err) {
+		if azureerrors.IsStatusNotFoundError(err) {
 			r.log.Infof("Subnet %s not found, skipping", s.ResourceID)
 			return nil
 		}

pkg/operator/controllers/subnets/subnet_serviceendpoint.go

@@ -28,7 +28,7 @@ func (r *reconcileManager) ensureSubnetServiceEndpoints(ctx context.Context, s s
 
 		subnetObject, err := r.subnets.Get(ctx, subnetID.ResourceGroupName, subnetID.Parent.Name, subnetID.Name, nil)
 		if err != nil {
-			if azureerrors.IsNotFoundError(err) {
+			if azureerrors.IsStatusNotFoundError(err) {
 				r.log.Infof("Subnet %s not found, skipping. err: %v", s.ResourceID, err)
 				return nil
 			}

pkg/util/acrtoken/acrtoken.go

@@ -209,7 +209,7 @@ func (m *manager) generateTokenPassword(ctx context.Context, passwordName sdkarm
 func (m *manager) Delete(ctx context.Context, registryProfile *api.RegistryProfile) error {
 	err := m.tokens.DeleteAndWait(ctx, m.r.ResourceGroup, m.r.ResourceName, registryProfile.Username)
 	// Ignore not-founds on delete
-	if err != nil && azureerrors.IsNotFoundError(err) {
+	if err != nil && azureerrors.IsStatusNotFoundError(err) {
 		return nil
 	}
 	return err

pkg/util/azureerrors/error.go

@@ -144,32 +144,34 @@ func IsDeploymentActiveError(err error) bool {
 	return false
 }
 
-func IsNotFoundError(err error) bool {
+func isStatusCodeError(err error, statusCode int) bool {
 	var detailedErr autorest.DetailedError
 	if errors.As(err, &detailedErr) {
-		return detailedErr.StatusCode == http.StatusNotFound
+		return detailedErr.StatusCode == statusCode
 	}
 
 	var responseError *azcore.ResponseError
 	if errors.As(err, &responseError) {
-		return responseError.StatusCode == http.StatusNotFound
+		return responseError.StatusCode == statusCode
 	}
 
 	return false
 }
 
+func IsStatusNotFoundError(err error) bool {
+	return isStatusCodeError(err, http.StatusNotFound)
+}
+
 func IsStatusConflictError(err error) bool {
-	var detailedErr autorest.DetailedError
-	if errors.As(err, &detailedErr) {
-		return detailedErr.StatusCode == http.StatusConflict
-	}
+	return isStatusCodeError(err, http.StatusConflict)
+}
 
-	var responseError *azcore.ResponseError
-	if errors.As(err, &responseError) {
-		return responseError.StatusCode == http.StatusConflict
-	}
+func IsStatusUnauthorizedError(err error) bool {
+	return isStatusCodeError(err, http.StatusUnauthorized)
+}
 
-	return false
+func IsStatusForbiddenError(err error) bool {
+	return isStatusCodeError(err, http.StatusForbidden)
 }
 
 // IsInvalidSecretError returns if errors is InvalidCredentials error
@@ -224,15 +226,6 @@ func ResourceGroupNotFound(err error) bool {
 	return false
 }
 
-func Is4xxError(err error) bool {
-	var responseError *azcore.ResponseError
-	if errors.As(err, &responseError) {
-		return responseError.StatusCode >= 400 && responseError.StatusCode < 500
-	}
-
-	return false
-}
-
 // IsVMSKUError checks if the error is a VM SKU availability error and returns
 // which profile (master/worker) is affected.
 // Azure Resource Manager error codes: https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-sku-not-available
@@ -375,20 +368,6 @@ func IsRetryableError(err error) bool {
 		return false
 	}
 
-	var responseError *azcore.ResponseError
-	if errors.As(err, &responseError) {
-		if responseError.StatusCode == http.StatusTooManyRequests {
-			return true
-		}
-	}
-
-	var detailedErr autorest.DetailedError
-	if errors.As(err, &detailedErr) {
-		if detailedErr.StatusCode == http.StatusTooManyRequests {
-			return true
-		}
-	}
-
 	// Check for RetryableError in error message (nested Azure errors)
-	return strings.Contains(err.Error(), "RetryableError")
+	return isStatusCodeError(err, http.StatusTooManyRequests) || strings.Contains(err.Error(), "RetryableError")
 }