Merge branch 'aduth-lg-15232-issuer-fetch-error-logging' into 'main'

Log URL and response body for failed issuer request

See merge request lg/identity-pki!64

Author: aduth

.rubocop.yml

@@ -19,7 +19,7 @@ AllCops:
     - "lib/deploy/*"
     - "node_modules/**/*"
     - "vendor/**/*"
-  TargetRubyVersion: 3.0
+  TargetRubyVersion: 3.3
   TargetRailsVersion: 6.1
   UseCache: true
   DisabledByDefault: true

app/services/issuing_ca_service.rb

@@ -67,11 +67,23 @@ def self.fetch_certificates(issuer_uri)
     if response.kind_of?(Net::HTTPSuccess)
       OpenSSL::PKCS7.new(response.body).certificates || []
     else
-      NewRelic::Agent.notice_error(UnexpectedPKCS7Response.new(response.body))
+      NewRelic::Agent.notice_error(
+        UnexpectedPKCS7Response.new(response.body),
+        custom_params: { issuer_uri: issuer_uri.to_s },
+      )
+
       []
     end
-  rescue OpenSSL::PKCS7::PKCS7Error, ArgumentError, Errno::ECONNREFUSED, Net::ReadTimeout, Net::OpenTimeout => e
-    NewRelic::Agent.notice_error(e)
+  rescue OpenSSL::PKCS7::PKCS7Error,
+         ArgumentError,
+         Errno::ECONNREFUSED,
+         Net::ReadTimeout,
+         Net::OpenTimeout => error
+    NewRelic::Agent.notice_error(
+      error,
+      custom_params: { issuer_uri: issuer_uri.to_s, response_body: response&.body },
+    )
+
     []
   end
 

spec/services/issuing_ca_service_spec.rb

@@ -56,11 +56,32 @@
 
     context 'when there is an HTTP error fetching the certificate' do
       it 'returns nil and logs the error' do
-        stub_request(:get, 'http://example.com').to_return(status: [500, 'Internal Server Error'])
+        stub_request(:get, 'http://example.com/').to_return(
+          status: [500, 'Internal Server Error'],
+          body: 'Internal Server Error',
+        )
 
         certificate = certificates_in_collection(certificate_set, :type, :leaf).first
         expect(NewRelic::Agent).to receive(:notice_error).with(
-          IssuingCaService::UnexpectedPKCS7Response
+          IssuingCaService::UnexpectedPKCS7Response.new('Internal Server Error'),
+          custom_params: { issuer_uri: 'http://example.com/' },
+        )
+        fetched_cert = described_class.fetch_signing_key_for_cert(certificate)
+        expect(fetched_cert).to eq nil
+      end
+    end
+
+    context 'when there is an HTTP timeout fetching the certificate' do
+      it 'returns nil and logs the error' do
+        stub_request(:get, 'http://example.com/').to_timeout
+
+        certificate = certificates_in_collection(certificate_set, :type, :leaf).first
+        expect(NewRelic::Agent).to receive(:notice_error).with(
+          Net::OpenTimeout,
+          custom_params: {
+            issuer_uri: 'http://example.com/',
+            response_body: nil,
+          },
         )
         fetched_cert = described_class.fetch_signing_key_for_cert(certificate)
         expect(fetched_cert).to eq nil
@@ -69,10 +90,16 @@
 
     context 'when the PKCS7 response is invalid' do
       it 'returns nil and logs the error' do
-        stub_request(:get, 'http://example.com').to_return(body: 'bad pkcs7 response')
+        stub_request(:get, 'http://example.com/').to_return(body: 'bad pkcs7 response')
 
         certificate = certificates_in_collection(certificate_set, :type, :leaf).first
-        expect(NewRelic::Agent).to receive(:notice_error).with(ArgumentError)
+        expect(NewRelic::Agent).to receive(:notice_error).with(
+          ArgumentError,
+          custom_params: {
+            issuer_uri: 'http://example.com/',
+            response_body: 'bad pkcs7 response',
+          },
+        )
         fetched_cert = described_class.fetch_signing_key_for_cert(certificate)
         expect(fetched_cert).to eq nil
       end