Improve error message for prepare step

[sukhil-suresh]

• wrap unhandled server errors returned by container registry with a more reasonable error message
• removed redundant code from test file

Before:

[prepare] GET https://dev.registry.pivotal.io/service/token?scope=repository%3Agarbage%3Apush%2Cpull&service=harbor-registry: unsupported status code 500

After:

[prepare] Error validating write permission to dev.registry.pivotal.io/garbage. GET https://dev.registry.pivotal.io/service/token?scope=repository%3Agarbage%3Apush%2Cpull&service=harbor-registry: unsupported status code 500

Signed-off-by: Sukhil Suresh ssuresh@pivotal.io

[thisisnotashwin]

I think there is a matcher called EqualError that allows one to also assert on the error message in the same require, but that is a minor nit.

[codecov-io]

Codecov Report

Merging #375 into master will increase coverage by 0.00%.
The diff coverage is 100.00%.

@@           Coverage Diff           @@
##           master     #375   +/-   ##
=======================================
  Coverage   67.52%   67.53%           
=======================================
  Files          81       81           
  Lines        3307     3308    +1     
=======================================
+ Hits         2233     2234    +1     
  Misses        800      800           
  Partials      274      274           

Impacted Files	Coverage Δ
pkg/dockercreds/access_checker.go	80.48% <100.00%> (+0.48%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 019fd44...09939ba. Read the comment docs.

[matthewmcnew]

Errors are always confusing in go but, this should be an error wrap.

errors.Wrapf(err, "message %s", thing)

[matthewmcnew]

Right now we have two mechanisms to print errors to the user. Either the HasWriteAccess returns false or we get an unexpected error and print that out.

I wonder if HasWriteAccess should just become VerifyWriteAccess that only returns an error and print that error out if it is not nil.

[thisisnotashwin]

Right now we have two mechanisms to print errors to the user. Either the HasWriteAccess returns false or we get an unexpected error and print that out.

I wonder if HasWriteAccess should just become VerifyWriteAccess that only returns an error and print that error out if it is not nil.

im into this!!

[sukhil-suresh]

Right now we have two mechanisms to print errors to the user. Either the HasWriteAccess returns false or we get an unexpected error and print that out.

I wonder if HasWriteAccess should just become VerifyWriteAccess that only returns an error and print that error out if it is not nil.

Aye. that makes sense. Apply the same approach to HasReadAccess check too? i.e return only an error and rename to VerifyReadAccess

[matthewmcnew]

VerifyReadAccess sounds like a great idea, @sukhil-suresh !

[matthewmcnew]

Awesome!

What does the updated output look like for 401 and 500 cases?

[sukhil-suresh]

What does the updated output look like for 401 and 500 cases?

I captured the output for 500 in the commit message. Also below:

[prepare] Error verifying write access to "dev.registry.pivotal.io/garbage": GET https://dev.registry.pivotal.io/service/token?scope=repository%3Agarbage%3Apush%2Cpull&service=harbor-registry: unsupported status code 500

Did not keep a copy of the output for a 401.. But, the message should be prefixed identically [prepare] Error verifying write access to

Let me grab the output from an actual run and will update soon.

[sukhil-suresh]

Checked against dockerhub with invalid creds for the 401 case:

[prepare] Error verifying write access to "index.docker.io/sukhilsuresh/spring-petclinic": Unauthorized: GET https://auth.docker.io/token?scope=repository%3Asukhilsuresh%2Fspring-petclinic%3Apush%2Cpull&service=registry.docker.io: unsupported status code 401

[sukhil-suresh]

(Harbor specific weird case)

also the dev.registry.pivotal.io/garbage/garbage, which previously failed with the message [prepare] invalid credentials to build to dev.registry.pivotal.io/garbage/garbage

now fails with the consistent prefix and a lot more verbose error message. The additional error message was previously lost behind the false boolean, nil error return

[prepare] Error verifying write access to "dev.registry.pivotal.io/garbage/garbage": POST https://dev.registry.pivotal.io/v2/garbage/garbage/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:garbage/garbage Type:repository] map[Action:push Class: Name:garbage/garbage Type:repository]]

[matthewmcnew]

I think we can merge.

I know in the past we explicitly made the decision to not show the entire verbose error message on common 401s because it is a bit confusing message with information they don't need to understand. Do you think that extra information is valuable in the 401 case?

[sukhil-suresh]

I know in the past we explicitly made the decision to not show the entire verbose error message on common 401s because it is a bit confusing message with information they don't need to understand. Do you think that extra information is valuable in the 401 case?

Sorry, was not aware of the preference to limit the verbose error message!
The original error was wrapped and bubbled up with the Unauthorized message, as part of dropping the boolean return.

From what, I understand it's a case of seeing

[prepare] Error verifying write access to "index.docker.io/sukhilsuresh/spring-petclinic": Unauthorized

vs

[prepare] Error verifying write access to "index.docker.io/sukhilsuresh/spring-petclinic": Unauthorized: GET https://auth.docker.io/token?scope=repository%3Asukhilsuresh%2Fspring-petclinic%3Apush%2Cpull&service=registry.docker.io: unsupported status code 401`

To be honest, I like seeing as much detail as possible :)
Not strongly opinionated about it, so I am very open to making the error less verbose. Let me know, very minor change - drop the wrapping of error @ https://github.com/pivotal/kpack/blob/issue_357/pkg/dockercreds/access_checker.go#L33-L38

[sukhil-suresh]

Made error messages less verbose for known errors

How errors look now:

• 500

[prepare] Error verifying write access to "dev.registry.pivotal.io/garbage": GET https://dev.registry.pivotal.io/service/token?scope=repository%3Agarbage%3Apush%2Cpull&service=harbor-registry: unsupported status code 500

• 401

[prepare] Error verifying write access to "index.docker.io/sukhilsuresh/spring-petclinic": UNAUTHORIZED

• harbor special case (diagnosed as unauthorized)

[prepare] Error verifying write access to "dev.registry.pivotal.io/garbage/garbage": UNAUTHORIZED

[sukhil-suresh]

harbor special case (diagnosed as unauthorized)
[prepare] Error verifying write access to "dev.registry.pivotal.io/garbage/garbage": UNAUTHORIZED

I know it's merged, but noticed when testing (again) that the above statement is inaccurate. The harbor special case dev.registry.pivotal.io/garbage/garbage behaves differently.

[prepare] Error verifying write access to "dev.registry.pivotal.io/garbage/garbage": POST https://dev.registry.pivotal.io/v2/garbage/garbage/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:garbage/garbage Type:repository] map[Action:push Class: Name:garbage/garbage Type:repository]]

To be fair, this is bit of an outlier case/error, but still... :(

The 401s and 500 work as expected.