Improve rest.NewClient error handling. (#218)

josephlr · web-flow · commit 6b74ec9c9a2a · 2022-07-08T15:16:10.000-07:00
We now get better error messages. For example: No credentials: ``` Getting HTTP Client: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information. ``` Credentials, but invalid project: ``` Creating Verifier Client: listing regions in project "confidentialcomputing-e2eee": googleapi: Error 403: Permission denied on resource project confidentialcomputing-e2eee. Details: [ { "@type": "type.googleapis.com/google.rpc.Help", "links": [ { "description": "Google developer console API key", "url": "https://console.developers.google.com/project/confidentialcomputing-e2eee/apiui/credential" } ] }, { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com", "metadata": { "consumer": "projects/confidentialcomputing-e2eee", "service": "confidentialcomputing.googleapis.com" }, "reason": "CONSUMER_INVALID" } ] , forbidden ``` Credentials, valid project, invalid region: ``` Creating Verifier Client: invalid region "us-central3", avaiable regions are [us-central1]: googleapi: Error 403: Location us-central3 is not found or access is unauthorized., forbidden ``` Creaentials with valid project/region passes: ``` Got Token: |eyJhbGciOiJSUzI1NiIsImtpZCI6IjluRmdNWWVCZ1A2U1N4V19kZGpiQndJSFB2WEVNTGdZQVh2dU1iS1JrV0EiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOiJodHRwczovL3N0cy5nb29nbGVhcGlzLmNvbSIsImV4cCI6MTY1NzE0NjE0NSwiaWF0IjoxNjU3MTM4OTQ1LCJpc3MiOiJodHRwczovL2NvbmZpZGVudGlhbGNvbXB1dGluZy5nb29nbGVhcGlzLmNvbSIsIm5iZiI6MTY1NzEzODk0NSwic3ViIjoiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vY29tcHV0ZS92MS9wcm9qZWN0cy9iaXRsb2NrZXItZGFuY2UtZGVtby96b25lcy91cy13ZXN0Mi1jL2luc3RhbmNlcy91YnUyMCIsInRlZSI6eyJ2ZXJzaW9uIjp7Im1ham9yIjowLCJtaW5vciI6MX0sInBsYXRmb3JtIjp7ImhhcmR3YXJlX3RlY2hub2xvZ3kiOiJBTURfU0VWIn0sImNvbnRhaW5lciI6eyJpbWFnZV9yZWZlcmVuY2UiOiJsYXVuY2hlci5nY3IuaW8vZ29vZ2xlL2RlYmlhbjEwOmxhdGVzdCIsImltYWdlX2RpZ2VzdCI6InNoYTI1NjpmZjE2NGE2NzY2YmQ4YmQyZDdkNWU5NGRiNDE4NjQ2NDI2ZTU4NzJjNjY0YzZhMjcwYzY4OWYwYjFkMjhmODZmIiwicmVzdGFydF9wb2xpY3kiOiJOZXZlciIsImltYWdlX2lkIjoic2hhMjU2OjMwZTM4MDUyNDJlNTAyMjMyM2E5N2Y4YjZkZWVjODRmZTU4MzIwYzNjYzFlNzE3NDI5ZGY3ZjQ3YjViMzE3YmUiLCJlbnYiOnsiRk9PIjoiQkFSIiwiUEFUSCI6Ii91c3IvbG9jYWwvc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2JpbiIsIlNPTUVfTkFNRSI6IlNPTUVfVkFMVUUifSwiYXJncyI6WyItLWZvbyIsImJhciIsImJheiJdfSwiZ2NlIjp7InpvbmUiOiJ1cy13ZXN0Mi1jIiwicHJvamVjdF9pZCI6ImJpdGxvY2tlci1kYW5jZS1kZW1vIiwicHJvamVjdF9udW1iZXIiOjU2NzA0NTA1Mzg3OCwiaW5zdGFuY2VfbmFtZSI6InVidTIwIiwiaW5zdGFuY2VfaWQiOiIyOTk0MDE1NTM3NjgyNTU0NzA5In0sImVtYWlscyI6WyJjeWhhbmlzaEBnb29nbGUuY29tIiwiamVzc2llcWxpdUBnb29nbGUuY29tIl19fQ.EpDSQqR5E9rS6FWsX2CeS2HVfvcITG3vScpyNPV7OSLR7uBFVh6RZTPqOOu5qPRT_Wox2jxRwDTAa8uqQyCwPAJnpJbMSXSD4qkOK72osYVfW-h6nanAsM8pFOYY4xyW9jhqegIopken6yBmhxzvH9sMsslDRbNXRN1OQZ0rhp0Sb3uJNfXRx52ewJepuNSaq-uV4SbqphwnkqkrxgewmgdNYlNFeHhP2krZXqfyWpjeFkQzQzcZf-epoIGAC-DSoPGLZKvXyyDz1vufW7SdB5pmOK0eEADCzeTPyaSN-RJm1hKaWL2YmkvsLwdOaLPystIGqsy8oScZVffB1Z5ESQ| ``` Signed-off-by: Joe Richey <joerichey@google.com>
diff --git a/launcher/verifier/rest/rest.go b/launcher/verifier/rest/rest.go
@@ -11,12 +11,32 @@ import (
 	"github.com/google/go-tpm-tools/launcher/verifier"
 
 	v1alpha1 "google.golang.org/api/confidentialcomputing/v1alpha1"
-	"google.golang.org/api/googleapi"
 	"google.golang.org/api/option"
 )
 
+// BadRegionError indicates that:
+//   - the requested Region cannot be used with this API
+//   - other Regions _can_ be used with this API
+type BadRegionError struct {
+	RequestedRegion  string
+	AvailableRegions []string
+	err              error
+}
+
+func (e *BadRegionError) Error() string {
+	return fmt.Sprintf(
+		"invalid region %q, available regions are [%s]: %v",
+		e.RequestedRegion, strings.Join(e.AvailableRegions, ", "), e.err,
+	)
+}
+
+func (e *BadRegionError) Unwrap() error {
+	return e.err
+}
+
 // NewClient creates a new REST client which is configured to perform
-// attestations in a particular project and region.
+// attestations in a particular project and region. Returns a *BadRegionError
+// if the requested project is valid, but the region is invalid.
 func NewClient(ctx context.Context, projectID string, region string, opts ...option.ClientOption) (verifier.Client, error) {
 	service, err := v1alpha1.NewService(ctx, opts...)
 	if err != nil {
@@ -26,27 +46,28 @@ func NewClient(ctx context.Context, projectID string, region string, opts ...opt
 	projectName := fmt.Sprintf("projects/%s", projectID)
 	locationName := fmt.Sprintf("%s/locations/%v", projectName, region)
 
-	location, err := service.Projects.Locations.Get(locationName).Do()
-	if err == nil {
+	location, getErr := service.Projects.Locations.Get(locationName).Do()
+	if getErr == nil {
 		return &restClient{service, location}, nil
 	}
 
-	// Check if the error was due to a bad region name
-	if apiErr, ok := err.(*googleapi.Error); ok && apiErr.Code == 403 {
-		// In this case, inform the user about the allowed regions
-		if list, listErr := service.Projects.Locations.List(projectName).Do(); listErr == nil {
-			locations := make([]string, len(list.Locations))
-			for i, loc := range list.Locations {
-				locations[i] = loc.LocationId
-			}
-			return nil, fmt.Errorf(
-				"unable to find region %q, available regions are [%s]: %w",
-				region, strings.Join(locations, ", "), err,
-			)
-		}
+	// If we can't get the location, try to list the locations. This handles
+	// situations where the projectID is invalid.
+	list, listErr := service.Projects.Locations.List(projectName).Do()
+	if listErr != nil {
+		return nil, fmt.Errorf("listing regions in project %q: %w", projectID, listErr)
 	}
 
-	return nil, fmt.Errorf("unable to use project %q and region %q: %w", projectID, region, err)
+	// The project is valid, but can't get the desired region.
+	regions := make([]string, len(list.Locations))
+	for i, loc := range list.Locations {
+		regions[i] = loc.LocationId
+	}
+	return nil, &BadRegionError{
+		RequestedRegion:  region,
+		AvailableRegions: regions,
+		err:              getErr,
+	}
 }
 
 type restClient struct {
