author | Martin Polden <mpolden@mpolden.no> | 2024-01-24 09:29:12 +0100 |
committer | Martin Polden <mpolden@mpolden.no> | 2024-01-24 09:29:12 +0100 |
commit | 19062b9bc4a7f4e5c2570466befa02ffdd9557c7 (patch) | |
tree | cb344f984bcc21c193d58fb1fda9b8db6be217b0 | |
parent | 056a486a55fd66c39b9b30065865d29655f338f7 (diff) |
Treat TLS alert as authentication failure
When a service call fails due to a TLS alert, for example "unknown certificate",
we want `--wait` to abort immediately as there is no point in retrying.
-rw-r--r-- | client/go/internal/vespa/crypto.go | 13 | ||||
-rw-r--r-- | client/go/internal/vespa/target.go | 6 |
2 files changed, 18 insertions, 1 deletions
diff --git a/client/go/internal/vespa/crypto.go b/client/go/internal/vespa/crypto.go
index 9b4d776d97d..568d7a84d18 100644
--- a/client/go/internal/vespa/crypto.go
+++ b/client/go/internal/vespa/crypto.go
@@ -13,6 +13,7 @@ import (
 "encoding/base64"
 "encoding/hex"
 "encoding/pem"
+ "errors"
 "fmt"
 "io"
 "math/big"
@@ -220,3 +221,15 @@ func randomSerialNumber() (*big.Int, error) {
 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
 return rand.Int(rand.Reader, serialNumberLimit)
 }
+
+// isTLSAlert returns whether err contains a TLS alert error.
+func isTLSAlert(err error) bool {
+ for ; err != nil; err = errors.Unwrap(err) {
+ // This is ugly, but alert types are currently not exposed:
+ // https://github.com/golang/go/issues/35234
+ if fmt.Sprintf("%T", err) == "tls.alert" {
+ return true
+ }
+ }
+ return false
+}
diff --git a/client/go/internal/vespa/target.go b/client/go/internal/vespa/target.go
index 90d1e1997da..ed3cb146eb1 100644
--- a/client/go/internal/vespa/target.go
+++ b/client/go/internal/vespa/target.go
@@ -153,7 +153,11 @@ func (s *Service) Do(request *http.Request, timeout time.Duration) (*http.Respon
 if err := s.CurlWriter.print(request, s.TLSOptions, timeout); err != nil {
 return nil, err
 }
- return s.httpClient.Do(request, timeout)
+ resp, err := s.httpClient.Do(request, timeout)
+ if isTLSAlert(err) {
+ return nil, fmt.Errorf("%w: %s", errAuth, err)
+ }
+ return resp, err
 }
 // SetClient sets a custom HTTP client that this service should use. |
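Review bot: isTLSAlert matches every TLS alert, not only certificate-related ones, so a peer that sends protocol_version or handshake_failure will also be reported as an authentication failure by the caller in target.go; if that broad classification is intended, the doc comment should say so, e.g. `// isTLSAlert reports whether any error in err's chain is a TLS alert of any kind (not only certificate alerts); the type name is matched because the alert type is unexported.` The walk in the for-header uses `errors.Unwrap`, which returns nil for errors that implement `Unwrap() []error` (errors.Join, multi-%w), so an alert nested inside a joined error would be missed; that is presumably not the case for the http client wrapper today, but `errors.As` cannot be used here either since the type is unexported, so it is worth a comment. A small unit test pinning the "tls.alert" type-name match against a real handshake failure would catch a future rename of that unexported type silently turning this into a no-op.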
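Review bot: The added `fmt.Errorf("%w: %s", errAuth, err)` keeps errAuth in the chain but flattens the original error with %s, so callers lose errors.Is/As access to the underlying *url.Error or alert; if the module targets Go 1.20 or later both can be wrapped with `return nil, fmt.Errorf("%w: %w", errAuth, err)`, which preserves the auth sentinel that `--wait` checks and the original cause. If s.httpClient.Do can ever return a non-nil resp together with a non-nil err (net/http does so only when CheckRedirect fails), dropping resp on this path leaves its body unclosed; presumably the wrapper returns nil there, but a one-line comment stating that assumption would help. Service.Do's signature is only visible in the hunk header and its body begins before the hunk.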