Better errors response for failing TPM inventory calls

Author: ibuildthecloud

pkg/cacerts/cacerts.go

@@ -99,7 +99,7 @@ func get(server, token, path string, clusterToken bool) ([]byte, string, error)
 
 	data, err := ioutil.ReadAll(resp.Body)
 	if resp.StatusCode != http.StatusOK {
-		return nil, "", fmt.Errorf("%s: %s", resp.Status, data)
+		return nil, "", fmt.Errorf("%s: %s", data, resp.Status)
 	}
 	return data, caChecksum, err
 }

pkg/config/remote.go

@@ -18,12 +18,12 @@ func processRemote(cfg Config) (Config, error) {
 	logrus.Infof("server and token set but required role is not set. Trying to bootstrapping config from machine inventory")
 	resp, _, err := cacerts.MachineGet(cfg.Server, cfg.Token, "/v1-rancheros/inventory")
 	if err != nil {
-		return cfg, fmt.Errorf("bootstrapping config from machine inventory: %w", err)
+		return cfg, fmt.Errorf("from machine inventory: %w", err)
 	}
 
 	config := map[string]interface{}{}
 	if err := json.Unmarshal(resp, &config); err != nil {
-		return cfg, fmt.Errorf("decoding inventory response: %w", err)
+		return cfg, fmt.Errorf("inventory response: %s: %w", resp, err)
 	}
 
 	currentConfig, err := convert.EncodeToMap(cfg)

pkg/rancherd/rancher.go

@@ -60,7 +60,7 @@ func (r *Rancherd) Info(ctx context.Context) error {
 func (r *Rancherd) Upgrade(ctx context.Context, upgradeConfig UpgradeConfig) error {
 	cfg, err := config.Load(r.cfg.ConfigPath)
 	if err != nil {
-		return fmt.Errorf("loading config from %s: %w", r.cfg.ConfigPath, err)
+		return fmt.Errorf("loading config: %w", err)
 	}
 
 	rancherVersion, err := versions.RancherVersion(upgradeConfig.RancherVersion)
@@ -145,7 +145,7 @@ func (r *Rancherd) Upgrade(ctx context.Context, upgradeConfig UpgradeConfig) err
 func (r *Rancherd) execute(ctx context.Context) error {
 	cfg, err := config.Load(r.cfg.ConfigPath)
 	if err != nil {
-		return fmt.Errorf("loading config from %s: %w", r.cfg.ConfigPath, err)
+		return fmt.Errorf("loading config: %w", err)
 	}
 
 	if err := r.setWorking(cfg); err != nil {

pkg/tpm/get.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/google/go-attestation/attest"
 	"github.com/gorilla/websocket"
+	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 )
 
@@ -34,6 +35,11 @@ func Get(cacerts []byte, url string, header http.Header) ([]byte, error) {
 		return nil, err
 	}
 
+	hash, err := GetPubHash()
+	if err != nil {
+		return nil, err
+	}
+
 	token, err := getToken(attestationData)
 	if err != nil {
 		return nil, err
@@ -44,9 +50,15 @@ func Get(cacerts []byte, url string, header http.Header) ([]byte, error) {
 	}
 	header.Add("Authorization", token)
 	wsURL := strings.Replace(url, "http", "ws", 1)
-	logrus.Infof("Dialing %s with Authorization: %s", wsURL, token)
-	conn, _, err := dialer.Dial(wsURL, header)
+	logrus.Infof("Using TPMHash %s to dial %s", hash, wsURL)
+	conn, resp, err := dialer.Dial(wsURL, header)
 	if err != nil {
+		if resp != nil && resp.StatusCode == http.StatusUnauthorized {
+			data, err := ioutil.ReadAll(resp.Body)
+			if err == nil {
+				return nil, errors.New(string(data))
+			}
+		}
 		return nil, err
 	}
 	defer conn.Close()
@@ -61,7 +73,7 @@ func Get(cacerts []byte, url string, header http.Header) ([]byte, error) {
 		return nil, fmt.Errorf("unmarshaling Challenge: %w", err)
 	}
 
-	resp, err := getChallengeResponse(challenge.EC, aikBytes)
+	challengeResp, err := getChallengeResponse(challenge.EC, aikBytes)
 	if err != nil {
 		return nil, err
 	}
@@ -72,7 +84,7 @@ func Get(cacerts []byte, url string, header http.Header) ([]byte, error) {
 	}
 	defer writer.Close()
 
-	if err := json.NewEncoder(writer).Encode(resp); err != nil {
+	if err := json.NewEncoder(writer).Encode(challengeResp); err != nil {
 		return nil, fmt.Errorf("encoding ChallengeResponse: %w", err)
 	}