[TT-14494] improve error logging for JWKS URL handling

NurayAhmadova · NurayAhmadova · commit 9ce9d86605a0 · 2025-12-04T16:00:14.000+04:00
diff --git a/gateway/log_helpers.go b/gateway/log_helpers.go
@@ -1,7 +1,11 @@
 package gateway
 
 import (
+	"encoding/json"
+	"errors"
 	"net/http"
+	"net/url"
+	"strings"
 
 	"github.com/sirupsen/logrus"
 
@@ -65,3 +69,26 @@ func (gw *Gateway) getExplicitLogEntryForRequest(logger *logrus.Entry, path stri
 	}
 	return logger.WithFields(fields)
 }
+
+func (gw *Gateway) logJWKError(logger *logrus.Entry, jwkURL string, err error) {
+	if err == nil {
+		return
+	}
+
+	// invalid content (JSON errors)
+	var syntaxErr *json.SyntaxError
+	var unmarshalErr *json.UnmarshalTypeError
+	if errors.As(err, &syntaxErr) || errors.As(err, &unmarshalErr) || strings.Contains(err.Error(), "invalid character") {
+		logger.WithError(err).Errorf("Invalid JWKS retrieved from endpoint: %s", jwkURL)
+		return
+	}
+
+	// network/URL errors (DNS, TCP, Refused)
+	var urlErr *url.Error
+	if errors.As(err, &urlErr) || strings.Contains(err.Error(), "dial tcp") || strings.Contains(err.Error(), "no such host") || strings.Contains(err.Error(), "connection refused") {
+		logger.WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", jwkURL)
+		return
+	}
+
+	logger.WithError(err).Errorf("Failed to fetch or decode JWKs from %s", jwkURL)
+}
diff --git a/gateway/log_helpers_test.go b/gateway/log_helpers_test.go
@@ -1,10 +1,15 @@
 package gateway
 
 import (
+	"encoding/json"
+	"errors"
 	"net/http/httptest"
+	"net/url"
 	"testing"
 
 	"github.com/sirupsen/logrus"
+	"github.com/sirupsen/logrus/hooks/test"
+	"github.com/stretchr/testify/assert"
 )
 
 func TestGetLogEntryForRequest(t *testing.T) {
@@ -135,3 +140,97 @@ func TestGetLogEntryForRequest(t *testing.T) {
 		}
 	}
 }
+
+func TestGatewayLogJWKError(t *testing.T) {
+	// Setup logrus hook to capture logs
+	logger, hook := test.NewNullLogger()
+	entry := logrus.NewEntry(logger)
+
+	// We only need a minimal Gateway struct since logJWKError doesn't access Gateway fields
+	gw := &Gateway{}
+	testURL := "https://idp.example.com/jwks"
+
+	tests := []struct {
+		name        string
+		err         error
+		expectedLog string
+		shouldLog   bool
+	}{
+		{
+			name:      "No error (nil)",
+			err:       nil,
+			shouldLog: false,
+		},
+		{
+			name:        "JSON Syntax Error",
+			err:         &json.SyntaxError{},
+			expectedLog: "Invalid JWKS retrieved from endpoint: " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "JSON Unmarshal Type Error",
+			err:         &json.UnmarshalTypeError{},
+			expectedLog: "Invalid JWKS retrieved from endpoint: " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "String error containing 'invalid character'",
+			err:         errors.New("invalid character 'x' looking for beginning of value"),
+			expectedLog: "Invalid JWKS retrieved from endpoint: " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "URL Error type",
+			err:         &url.Error{Op: "Get", URL: testURL, Err: errors.New("timeout")},
+			expectedLog: "JWKS endpoint resolution failed: invalid or unreachable host " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "String error containing 'dial tcp'",
+			err:         errors.New("dial tcp: lookup failed"),
+			expectedLog: "JWKS endpoint resolution failed: invalid or unreachable host " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "String error containing 'no such host'",
+			err:         errors.New("Get: no such host"),
+			expectedLog: "JWKS endpoint resolution failed: invalid or unreachable host " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "String error containing 'connection refused'",
+			err:         errors.New("connect: connection refused"),
+			expectedLog: "JWKS endpoint resolution failed: invalid or unreachable host " + testURL,
+			shouldLog:   true,
+		},
+		{
+			name:        "Generic/Fallback Error",
+			err:         errors.New("unknown internal server error"),
+			expectedLog: "Failed to fetch or decode JWKs from " + testURL,
+			shouldLog:   true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			hook.Reset()
+
+			gw.logJWKError(entry, testURL, tc.err)
+
+			if !tc.shouldLog {
+				assert.Empty(t, hook.Entries)
+				return
+			}
+
+			// Verify log was written
+			assert.Len(t, hook.Entries, 1)
+			assert.Equal(t, logrus.ErrorLevel, hook.LastEntry().Level)
+
+			// Verify message matches ticket requirements
+			assert.Equal(t, tc.expectedLog, hook.LastEntry().Message)
+
+			// Verify the original error is attached
+			assert.Equal(t, tc.err, hook.LastEntry().Data["error"])
+		})
+	}
+}
diff --git a/gateway/mw_external_oauth.go b/gateway/mw_external_oauth.go
@@ -182,11 +182,13 @@ func (k *ExternalOAuthMiddleware) getSecretFromJWKURL(url string, kid interface{
 			// Fallback to original method if client factory fails
 			k.Logger().Debug("[ExternalServices] Falling back to legacy JWK client due to factory error")
 			if jwkSet, err = getJWK(url, k.Gw.GetConfig().JWTSSLInsecureSkipVerify); err != nil {
+				k.Gw.logJWKError(k.Logger(), url, err)
 				return nil, err
 			}
 		} else {
 			k.Logger().Debugf("[ExternalServices] Using external services JWK client to fetch: %s", url)
 			if jwkSet, err = getJWKWithClient(url, client); err != nil {
+				k.Gw.logJWKError(k.Logger(), url, err)
 				return nil, err
 			}
 		}
@@ -215,6 +217,7 @@ func (k *ExternalOAuthMiddleware) getSecretFromJWKOrConfig(kid interface{}, jwtV
 
 	decodedSource, err := base64.StdEncoding.DecodeString(jwtValidation.Source)
 	if err != nil {
+		k.Logger().WithError(err).Errorf("JWKS source decode failed: %s is not a base64 string", jwtValidation.Source)
 		return nil, err
 	}
 
diff --git a/gateway/mw_jwt.go b/gateway/mw_jwt.go
@@ -97,7 +97,7 @@ func (k *JWTMiddleware) Init() {
 				}
 
 				if err != nil {
-					k.Logger().WithError(err).Infof("Failed to fetch or decode JWKs from %s", jwk.URL)
+					k.Gw.logJWKError(k.Logger(), jwk.URL, err)
 					continue
 				}
 
@@ -180,14 +180,14 @@ func (k *JWTMiddleware) legacyGetSecretFromURL(url, kid, keyType string) (interf
 	if !found {
 		resp, err := client.Get(url)
 		if err != nil {
-			k.Logger().WithError(err).Error("Failed to get resource URL")
+			k.Logger().WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", url)
 			return nil, err
 		}
 		defer resp.Body.Close()
 
 		// Decode it
 		if err := json.NewDecoder(resp.Body).Decode(&jwkSet); err != nil {
-			k.Logger().WithError(err).Error("Failed to decode body JWK")
+			k.Logger().WithError(err).Errorf("Invalid JWKS retrieved from endpoint: %s", url)
 			return nil, err
 		}
 
@@ -242,6 +242,7 @@ func (k *JWTMiddleware) getSecretFromURL(url string, kidVal interface{}, keyType
 
 		decodedURL, err := base64.StdEncoding.DecodeString(cachedAPIDef.JWTSource)
 		if err != nil {
+			k.Logger().WithError(err).Errorf("JWKS source decode failed: %s is not a base64 string", cachedAPIDef.JWTSource)
 			return nil, err
 		}
 
@@ -269,14 +270,17 @@ func (k *JWTMiddleware) getSecretFromURL(url string, kidVal interface{}, keyType
 		client, clientErr := clientFactory.CreateJWKClient()
 		if clientErr == nil {
 			if jwkSet, err = getJWKWithClient(url, client); err != nil {
-				k.Logger().WithError(err).Info("Failed to decode JWKs body with factory client. Trying x5c PEM fallback.")
+				k.Gw.logJWKError(k.Logger(), url, err)
+				k.Logger().Info("Failed to decode JWKs body with factory client. Trying x5c PEM fallback.")
 			}
 		}
 
 		// Fallback to original method if factory fails or JWK fetch fails
 		if clientErr != nil || err != nil {
 			if jwkSet, err = GetJWK(url, k.Gw.GetConfig().JWTSSLInsecureSkipVerify); err != nil {
-				k.Logger().WithError(err).Info("Failed to decode JWKs body. Trying x5c PEM fallback.")
+				// CHANGED: Call shared helper
+				k.Gw.logJWKError(k.Logger(), url, err)
+				k.Logger().Info("Failed to decode JWKs body. Trying x5c PEM fallback.")
 
 				key, legacyError := k.legacyGetSecretFromURL(url, kid, keyType)
 				if legacyError == nil {
@@ -341,6 +345,7 @@ func (k *JWTMiddleware) getSecretToVerifySignature(r *http.Request, token *jwt.T
 		// If not, return the actual value
 		decodedCert, err := base64.StdEncoding.DecodeString(config.JWTSource)
 		if err != nil {
+			k.Logger().WithError(err).Errorf("JWKS source decode failed: %s is not a base64 string", config.JWTSource)
 			return nil, err
 		}
 
@@ -452,7 +457,7 @@ func (k *JWTMiddleware) getSecretFromMultipleJWKURIs(jwkURIs []apidef.JWK, kidVa
 			}
 
 			if err != nil {
-				k.Logger().WithError(err).Infof("Failed to fetch or decode JWKs from %s", jwk.URL)
+				k.Gw.logJWKError(k.Logger(), jwk.URL, err)
 				fallbackJWKURIs = append(fallbackJWKURIs, jwk)
 				continue
 			}

Original file line number	Diff line number	Diff line change
`@@ -182,11 +182,13 @@ func (k *ExternalOAuthMiddleware) getSecretFromJWKURL(url string, kid interface{`
`182`	`182`	`// Fallback to original method if client factory fails`
`183`	`183`	`k.Logger().Debug("[ExternalServices] Falling back to legacy JWK client due to factory error")`
`184`	`184`	`if jwkSet, err = getJWK(url, k.Gw.GetConfig().JWTSSLInsecureSkipVerify); err != nil {`
	`185`	`+ k.Gw.logJWKError(k.Logger(), url, err)`
`185`	`186`	`return nil, err`
`186`	`187`	`}`
`187`	`188`	`} else {`
`188`	`189`	`k.Logger().Debugf("[ExternalServices] Using external services JWK client to fetch: %s", url)`
`189`	`190`	`if jwkSet, err = getJWKWithClient(url, client); err != nil {`
	`191`	`+ k.Gw.logJWKError(k.Logger(), url, err)`
`190`	`192`	`return nil, err`
`191`	`193`	`}`
`192`	`194`	`}`
`@@ -215,6 +217,7 @@ func (k *ExternalOAuthMiddleware) getSecretFromJWKOrConfig(kid interface{}, jwtV`
`215`	`217`
`216`	`218`	`decodedSource, err := base64.StdEncoding.DecodeString(jwtValidation.Source)`
`217`	`219`	`if err != nil {`
	`220`	`+ k.Logger().WithError(err).Errorf("JWKS source decode failed: %s is not a base64 string", jwtValidation.Source)`
`218`	`221`	`return nil, err`
`219`	`222`	`}`
`220`	`223`