[TT-14494] improve error logging for JWKS URL handling - visor comments

Author: NurayAhmadova

gateway/log_helpers.go

@@ -3,9 +3,11 @@ package gateway
 import (
 	"encoding/json"
 	"errors"
+	"net"
 	"net/http"
 	"net/url"
 	"strings"
+	"syscall"
 
 	"github.com/sirupsen/logrus"
 
@@ -75,17 +77,43 @@ func (gw *Gateway) logJWKError(logger *logrus.Entry, jwkURL string, err error) {
 		return
 	}
 
-	// invalid content (JSON errors)
+	// content/JSON errors
 	var syntaxErr *json.SyntaxError
 	var unmarshalErr *json.UnmarshalTypeError
 	if errors.As(err, &syntaxErr) || errors.As(err, &unmarshalErr) || strings.Contains(err.Error(), "invalid character") {
 		logger.WithError(err).Errorf("Invalid JWKS retrieved from endpoint: %s", jwkURL)
 		return
 	}
 
-	// network/URL errors (DNS, TCP, Refused)
+	// network errors
 	var urlErr *url.Error
-	if errors.As(err, &urlErr) || strings.Contains(err.Error(), "dial tcp") || strings.Contains(err.Error(), "no such host") || strings.Contains(err.Error(), "connection refused") {
+	var netOpErr *net.OpError
+	var dnsErr *net.DNSError
+
+	if errors.As(err, &urlErr) {
+		logger.WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", jwkURL)
+		return
+	}
+
+	// DNS errors
+	if errors.As(err, &dnsErr) {
+		logger.WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", jwkURL)
+		return
+	}
+
+	// connection refused
+	if errors.As(err, &netOpErr) {
+		if errors.Is(netOpErr, syscall.ECONNREFUSED) {
+			logger.WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", jwkURL)
+			return
+		}
+	}
+
+	// fallback check strings
+	errStr := err.Error()
+	if strings.Contains(errStr, "dial tcp") ||
+		strings.Contains(errStr, "no such host") ||
+		strings.Contains(errStr, "connection refused") {
 		logger.WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", jwkURL)
 		return
 	}

gateway/log_helpers_test.go

@@ -3,8 +3,10 @@ package gateway
 import (
 	"encoding/json"
 	"errors"
+	"net"
 	"net/http/httptest"
 	"net/url"
+	"syscall"
 	"testing"
 
 	"github.com/sirupsen/logrus"
@@ -142,11 +144,9 @@ func TestGetLogEntryForRequest(t *testing.T) {
 }
 
 func TestGatewayLogJWKError(t *testing.T) {
-	// Setup logrus hook to capture logs
 	logger, hook := test.NewNullLogger()
 	entry := logrus.NewEntry(logger)
 
-	// We only need a minimal Gateway struct since logJWKError doesn't access Gateway fields
 	gw := &Gateway{}
 	testURL := "https://idp.example.com/jwks"
 
@@ -185,6 +185,18 @@ func TestGatewayLogJWKError(t *testing.T) {
 			expectedLog: "JWKS endpoint resolution failed: invalid or unreachable host " + testURL,
 			shouldLog:   true,
 		},
+		{
+			name:        "Net DNS Error",
+			err:         &net.DNSError{Err: "no such host", Name: "example.com"},
+			expectedLog: "JWKS endpoint resolution failed: invalid or unreachable host " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "Net OpError (Connection Refused)",
+			err:         &net.OpError{Op: "dial", Err: syscall.ECONNREFUSED},
+			expectedLog: "JWKS endpoint resolution failed: invalid or unreachable host " + testURL,
+			shouldLog:   true,
+		},
 		{
 			name:        "String error containing 'dial tcp'",
 			err:         errors.New("dial tcp: lookup failed"),
@@ -222,14 +234,11 @@ func TestGatewayLogJWKError(t *testing.T) {
 				return
 			}
 
-			// Verify log was written
 			assert.Len(t, hook.Entries, 1)
 			assert.Equal(t, logrus.ErrorLevel, hook.LastEntry().Level)
 
-			// Verify message matches ticket requirements
 			assert.Equal(t, tc.expectedLog, hook.LastEntry().Message)
 
-			// Verify the original error is attached
 			assert.Equal(t, tc.err, hook.LastEntry().Data["error"])
 		})
 	}

gateway/mw_jwt.go

@@ -180,14 +180,14 @@ func (k *JWTMiddleware) legacyGetSecretFromURL(url, kid, keyType string) (interf
 	if !found {
 		resp, err := client.Get(url)
 		if err != nil {
-			k.Logger().WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", url)
+			k.Gw.logJWKError(k.Logger(), url, err)
 			return nil, err
 		}
 		defer resp.Body.Close()
 
 		// Decode it
 		if err := json.NewDecoder(resp.Body).Decode(&jwkSet); err != nil {
-			k.Logger().WithError(err).Errorf("Invalid JWKS retrieved from endpoint: %s", url)
+			k.Gw.logJWKError(k.Logger(), url, err)
 			return nil, err
 		}