VAULT-24386 better erroring for Proxy static secret caching for CE (#…

…25661)
hashicorp · Feb 27, 2024 · fbfe661 · fbfe661
1 parent f94e215
commit fbfe661
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 11 deletions.
diff --git a/command/agentproxyshared/cache/static_secret_cache_updater.go b/command/agentproxyshared/cache/static_secret_cache_updater.go
@@ -115,7 +115,7 @@ func (updater *StaticSecretCacheUpdater) streamStaticSecretEvents(ctx context.Co
 	updater.client.SetToken(updater.tokenSink.(sink.SinkReader).Token())
 	conn, err := updater.openWebSocketConnection(ctx)
 	if err != nil {
-		return fmt.Errorf("error when opening event stream: %w", err)
+		return err
 	}
 	defer conn.Close(websocket.StatusNormalClosure, "")
 
@@ -337,8 +337,8 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
 
 	// We do ten attempts, to ensure we follow forwarding to the leader.
 	var conn *websocket.Conn
+	var resp *http.Response
 	for attempt := 0; attempt < 10; attempt++ {
-		var resp *http.Response
 		conn, resp, err = websocket.Dial(ctx, wsURL, &websocket.DialOptions{
 			HTTPClient: httpClient,
 			HTTPHeader: headers,
@@ -359,8 +359,13 @@ func (updater *StaticSecretCacheUpdater) openWebSocketConnection(ctx context.Con
 	}
 
 	if err != nil {
+		if resp != nil {
+			if resp.StatusCode == http.StatusNotFound {
+				return nil, fmt.Errorf("received 404 when opening web socket to %s, ensure Vault is Enterprise version 1.16 or above", wsURL)
+			}
+		}
 		return nil, fmt.Errorf("error returned when opening event stream web socket to %s, ensure auto-auth token"+
-			" has correct permissions and Vault is version 1.16 or above: %w", wsURL, err)
+			" has correct permissions and Vault is Enterprise version 1.16 or above: %w", wsURL, err)
 	}
 
 	if conn == nil {
@@ -408,7 +413,7 @@ tokenLoop:
 			}
 			err := updater.streamStaticSecretEvents(ctx)
 			if err != nil {
-				updater.logger.Warn("error occurred during streaming static secret cache update events:", err)
+				updater.logger.Error("error occurred during streaming static secret cache update events", "err", err)
 				shouldBackoff = true
 				continue
 			}

diff --git a/command/agentproxyshared/cache/static_secret_cache_updater_test.go b/command/agentproxyshared/cache/static_secret_cache_updater_test.go
@@ -135,11 +135,9 @@ func TestNewStaticSecretCacheUpdater(t *testing.T) {
 }
 
 // TestOpenWebSocketConnection tests that the openWebSocketConnection function
-// works as expected. This uses a TLS enabled (wss) WebSocket connection.
+// works as expected (fails on CE, succeeds on ent).
+// This uses a TLS enabled (wss) WebSocket connection.
 func TestOpenWebSocketConnection(t *testing.T) {
-	if !constants.IsEnterprise {
-		t.Skip("test can only run on enterprise due to requiring the event notification system")
-	}
 	t.Parallel()
 	// We need a valid cluster for the connection to succeed.
 	cluster := minimal.NewTestSoloCluster(t, nil)
@@ -149,10 +147,13 @@ func TestOpenWebSocketConnection(t *testing.T) {
 	updater.tokenSink.WriteToken(client.Token())
 
 	conn, err := updater.openWebSocketConnection(context.Background())
-	if err != nil {
-		t.Fatal(err)
+	if constants.IsEnterprise {
+		require.NoError(t, err)
+		require.NotNil(t, conn)
+	} else {
+		require.Nil(t, conn)
+		require.Errorf(t, err, "ensure Vault is Enterprise version 1.16 or above")
 	}
-	require.NotNil(t, conn)
 }
 
 // TestOpenWebSocketConnectionReceivesEventsDefaultMount tests that the openWebSocketConnection function