fix(config): distinguish client_id UUID errors from dataset_id errors

tobyhede · tobyhede · commit 0fd8e0eb28d4 · 2026-03-24T12:09:10.000+11:00
Invalid client_id UUIDs were incorrectly mapped to InvalidDatasetId,
producing the misleading message "Dataset id is not a valid UUID".
Now extracts the field name from the config error string and routes
client_id failures to InvalidParameter instead.
diff --git a/packages/cipherstash-proxy/src/config/tandem.rs b/packages/cipherstash-proxy/src/config/tandem.rs
@@ -198,7 +198,16 @@ impl TandemConfig {
                 //  - missing parameters are returned by at least two different errors, depending the source of the error
                 // Easier to inspect the error message.
                 match err.to_string() {
-                    s if s.contains("UUID parsing failed") => ConfigError::InvalidDatasetId,
+                    s if s.contains("UUID parsing failed") => {
+                        if s.contains("client_id") && !s.contains("keyset") {
+                            ConfigError::InvalidParameter {
+                                name: "client_id".to_string(),
+                                value: "invalid UUID".to_string(),
+                            }
+                        } else {
+                            ConfigError::InvalidDatasetId
+                        }
+                    }
                     s if s.contains("missing field") => {
                         let (field, key) = extract_missing_field_and_key(&s);
                         match (field, key) {
@@ -510,6 +519,22 @@ mod tests {
         });
     }
 
+    #[test]
+    fn invalid_client_id_uuid() {
+        with_no_cs_vars(|| {
+            let result =
+                TandemConfig::build_path("tests/config/cipherstash-proxy-bad-client-id.toml");
+            assert!(result.is_err());
+            let err = result.unwrap_err();
+            // Should produce InvalidParameter for client_id, not InvalidDatasetId
+            assert!(
+                err.to_string().contains("Invalid client_id"),
+                "Expected 'Invalid client_id' but got: {}",
+                err
+            );
+        });
+    }
+
     #[test]
     fn prometheus_config() {
         with_no_cs_vars(|| {
diff --git a/packages/cipherstash-proxy/tests/config/cipherstash-proxy-bad-client-id.toml b/packages/cipherstash-proxy/tests/config/cipherstash-proxy-bad-client-id.toml
@@ -0,0 +1,19 @@
+[tls]
+certificate_path = "tests/tls/server.cert"
+private_key_path = "tests/tls/server.key"
+
+[database]
+name = "cipherstash"
+host = "localhost"
+port = 5532
+username = "cipherstash"
+password = "password"
+
+[auth]
+workspace_crn = "crn:ap-southeast-2.aws:E4UMRN47WJNSMAKR"
+client_access_key = "client_access_key"
+
+[encrypt]
+default_keyset_id = "484cd205-99e8-41ca-acfe-55a7e25a8ec2"
+client_id = "not-a-uuid"
+client_key = "a4627031a16b7065726d75746174696f6e900e05030d0608090007020c04010b0a0f6770325f66726f6da16b7065726d75746174696f6e900608000a0204030f01070d090e0b0c056570325f746fa16b7065726d75746174696f6e90000908060701030a05040e020d0b0c0f627033a16b7065726d75746174696f6e982107181d130d05181f08040a181c1002181e010311181818200b0f0e0915181b0c16171819060012181a14"
