fix(auth): fallback cert lookups for missing files (#11013)

Similar to #10696, we need to be careful of the case where we are trying to open files that may not exist. For instance trying to open something that does not exist in /dev/null/ is not a standard file does not exist err. Fixes: #10844
googleapis · Oct 22, 2024 · bd76695 · bd76695
1 parent e0759f4
commit bd76695
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 9 deletions.
diff --git a/auth/internal/transport/cert/enterprise_cert.go b/auth/internal/transport/cert/enterprise_cert.go
@@ -16,7 +16,6 @@ package cert
 
 import (
 	"crypto/tls"
-	"errors"
 
 	"github.com/googleapis/enterprise-certificate-proxy/client"
 )
@@ -37,10 +36,9 @@ type ecpSource struct {
 func NewEnterpriseCertificateProxyProvider(configFilePath string) (Provider, error) {
 	key, err := client.Cred(configFilePath)
 	if err != nil {
-		if errors.Is(err, client.ErrCredUnavailable) {
-			return nil, errSourceUnavailable
-		}
-		return nil, err
+		// TODO(codyoss): once this is fixed upstream can handle this error a
+		// little better here. But be safe for now and assume unavailable.
+		return nil, errSourceUnavailable
 	}
 
 	return (&ecpSource{

diff --git a/auth/internal/transport/cert/workload_cert.go b/auth/internal/transport/cert/workload_cert.go
@@ -82,10 +82,7 @@ func (s *workloadSource) getClientCertificate(info *tls.CertificateRequestInfo)
 func getCertAndKeyFiles(configFilePath string) (string, string, error) {
 	jsonFile, err := os.Open(configFilePath)
 	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			return "", "", errSourceUnavailable
-		}
-		return "", "", err
+		return "", "", errSourceUnavailable
 	}
 
 	byteValue, err := io.ReadAll(jsonFile)