internal/iapclient, cmd/gomote: handle authentication failures

cagedmantis · cagedmantis · commit fa5685c391f1 · 2024-09-24T17:11:31.000Z
When a gomote client attempts oauth authentication via GCP Identity-Aware Proxy and fails it will log an authentication error. It will also ask the user to issue the gomote login command. This should clarify any confusion around when a user is expected to re-authenticate and how to do so. Fixes golang/go#68612 Change-Id: I1afe501829f0bba4d3bf7c369115520243bc892f Reviewed-on: https://go-review.googlesource.com/c/build/+/615435 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
diff --git a/cmd/gomote/gomote.go b/cmd/gomote/gomote.go
@@ -292,6 +292,10 @@ func main() {
 func gomoteServerClient(ctx context.Context) protos.GomoteServiceClient {
 	grpcClient, err := iapclient.GRPCClient(ctx, *serverAddr)
 	if err != nil {
+		var authErr iapclient.AuthenticationError
+		if errors.As(err, &authErr) {
+			logAndExitf("Authentication error: %s\n\tLogin via: gomote login\n", err)
+		}
 		logAndExitf("dialing the server=%s failed with: %s\n", *serverAddr, err)
 	}
 	return protos.NewGomoteServiceClient(grpcClient)
diff --git a/internal/iapclient/iapclient.go b/internal/iapclient/iapclient.go
@@ -177,7 +177,6 @@ func TokenSource(ctx context.Context) (oauth2.TokenSource, error) {
 			return idtoken.NewTokenSource(ctx, audience)
 		}
 	}
-
 	refresh, err := cachedToken()
 	if err != nil {
 		return nil, err
@@ -243,7 +242,15 @@ func (s *jwtTokenSource) Token() (*oauth2.Token, error) {
 	defer resp.Body.Close()
 	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(io.LimitReader(resp.Body, 4<<10))
-		return nil, fmt.Errorf("IAP token exchange failed: status %v, body %q", resp.Status, body)
+		tokenRespErr := struct {
+			Err         string `json:"error"`
+			Description string `json:"error_description"`
+		}{}
+		err := fmt.Errorf("IAP token exchange failed: status %v, body %q", resp.Status, body)
+		if unmarshErr := json.Unmarshal(body, &tokenRespErr); unmarshErr == nil && tokenRespErr.Err == "invalid_grant" {
+			return nil, AuthenticationError{Err: err, Description: tokenRespErr.Description}
+		}
+		return nil, err
 	}
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -262,3 +269,12 @@ func (s *jwtTokenSource) Token() (*oauth2.Token, error) {
 type jwtTokenJSON struct {
 	IDToken string `json:"id_token"`
 }
+
+// AuthenticationError records an authentication error.
+type AuthenticationError struct {
+	Description string
+	Err         error
+}
+
+func (ar AuthenticationError) Error() string { return ar.Description }
+func (ar AuthenticationError) Unwrap() error { return ar.Err }
