Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Insufficient detail logged on connection failure to IdP metadata URL #7089

Open
wfchandler opened this issue Nov 18, 2024 · 2 comments
Open

Insufficient detail logged on connection failure to IdP metadata URL #7089

wfchandler opened this issue Nov 18, 2024 · 2 comments
Labels
customer For any bug reports or feature requests tied to customer requests Debugging For when you want better data in debugging an issue (log messages, post mortem debugging, and more)

Comments

@wfchandler
Copy link
Contributor

This issue arose recently when a customer is attempting to register a new SAMP IdP provider.

Nexus was unable to connect to the metadata URL provided, but we do not log enough information to say why the connection failed, returning only "error sending request for url".

Error Response:
status: 400 Bad Request;
headers: {
  "content-type": "application/json",
  "x-request-id": "xxx",
  "content-length": "248",
  "date": "Fri, 12 Nov 2024 22:52:59 GMT"
};
value:Error {
  error_code: Some("InvalidValue"),
  message: "unsupported value for \"url\": error querying url: error sending request for url (https://sso.example- 
  keycloak.com/realms/myrealm/protocol/saml/descriptor)",
  request_id: "xxx"
}

We have a couple similar issues, #6717 and #6716 around vague connection errors. The underlying issue is probably related to seanmonstar/reqwest#2342, which has some suggestions around ways to extract more detail.

A systematic way to ensure we're logging sufficient detail on chained errors seems necessary.
@wfchandler wfchandler added customer For any bug reports or feature requests tied to customer requests Debugging For when you want better data in debugging an issue (log messages, post mortem debugging, and more) labels Nov 18, 2024
@davepacheco
Copy link
Collaborator

For what it's worth, we do have good infrastructure here using https://github.com/oxidecomputer/slog-error-chain (which, despite the name, is useful outside of logging, too). This is relatively recent and we may need to go through the places mentioned here and make sure they're using it to provide a complete message to the user.

@wfchandler
Copy link
Contributor Author

@davepacheco thanks, that's good context. I see we're using slog-error-chain pretty extensively in our internal errors, e.g. gateway::error::SpLookupError, which seems like a nice solution.

However, on omicron_common::api::external::Error it looks like we're deliberately using strings in the error type to avoid leaking internal information, does that seem right? This requires each call site to create an error chain, so unless the source error is already using InlineErrorChain in its Display impl we're probably not going to get one.

Would a constructor along the lines of the example below be a security risk?

pub fn internal_error_from_err(err: &dyn std::error::Error) -> Error {
    Error::InternalError {
        internal_message: format!("{}", InlineErrorChain::new(&err)),
    }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
customer For any bug reports or feature requests tied to customer requests Debugging For when you want better data in debugging an issue (log messages, post mortem debugging, and more)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davepacheco @wfchandler