fix: improve credential graph error handling and resolution logic (#602)

jakobmoellerdev · web-flow · commit 5c315c9cf5a2 · 2025-09-03T11:16:48.000+02:00
&lt;!-- markdownlint-disable MD041 --&gt;
#### What this PR does / why we need it

- Refined error messages for better clarity when credential resolution
fails.
- Introduced `ErrNoIndirectCredentials` for clear distinction between
direct and indirect resolution failures.
- Enhanced `ToGraph` to handle `nil` configurations and added fallback
logic for indirect resolution.
- Updated method signatures to support the new `GraphResolver`
interface.
- Adjusted indirect resolution logic to signal failure without excessive
verbosity.
- Incorporated tests to validate updated error handling and resolution
workflows.

#### Which issue(s) this PR fixes

Improves the readability and maintainability of credential graph
resolution errors and ensures consistency across direct and indirect
resolution paths. (noticed during testing of CLI interaction with
credential graph)

---------

Signed-off-by: Jakob Möller &lt;jakob.moeller@sap.com&gt;
diff --git a/bindings/go/credentials/graph.go b/bindings/go/credentials/graph.go
@@ -16,6 +16,11 @@ import (
 // plugins which can be resolved at runtime.
 var ErrNoDirectCredentials = errors.New("no direct credentials found in graph")
 
+// ErrNoIndirectCredentials is returned when no indirect credentials are found in the graph.
+// This can happen if no repository plugin is configured or if no repository plugin can resolve
+// credentials for the given identity.
+var ErrNoIndirectCredentials = errors.New("no indirect credentials found in graph")
+
 var scheme = runtime.NewScheme()
 
 func init() {
@@ -29,10 +34,14 @@ type Options struct {
 	CredentialRepositoryTypeScheme *runtime.Scheme
 }
 
+type GraphResolver interface {
+	Resolve(ctx context.Context, identity runtime.Identity) (map[string]string, error)
+}
+
 // ToGraph creates a new credential graph from the provided configuration and options.
 // It initializes the graph structure and ingests the configuration into the graph.
 // Returns an error if the configuration cannot be properly ingested.
-func ToGraph(ctx context.Context, config *cfgRuntime.Config, opts Options) (*Graph, error) {
+func ToGraph(ctx context.Context, config *cfgRuntime.Config, opts Options) (GraphResolver, error) {
 	g := &Graph{
 		syncedDag:                newSyncedDag(),
 		credentialPluginProvider: opts.CredentialPluginProvider,
@@ -70,16 +79,15 @@ func (g *Graph) Resolve(ctx context.Context, identity runtime.Identity) (map[str
 	// Attempt direct resolution via the DAG.
 	creds, err := g.resolveFromGraph(ctx, identity)
 
-	switch {
-	case errors.Is(err, ErrNoDirectCredentials):
-		// fall back to indirect resolution
-		return g.resolveFromRepository(ctx, identity)
-	case err != nil:
-		return nil, err
+	// fall back to indirect resolution if we have a repository plugin provider
+	// otherwise leave error as is
+	if g.repositoryPluginProvider != nil && errors.Is(err, ErrNoDirectCredentials) {
+		creds, err = g.resolveFromRepository(ctx, identity)
 	}
 
-	if len(creds) > 0 {
-		return creds, nil
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve credentials for identity %q: %w", identity.String(), err)
 	}
-	return nil, fmt.Errorf("failed to resolve credentials for identity %v", identity)
+
+	return creds, nil
 }
diff --git a/bindings/go/credentials/graph_test.go b/bindings/go/credentials/graph_test.go
@@ -144,7 +144,7 @@ const invalidRecursionYAML = testYAML + `
         secretId: "recursive-creds"
 `
 
-func GetGraph(t testing.TB, yaml string) (*credentials.Graph, error) {
+func GetGraph(t testing.TB, yaml string) (credentials.GraphResolver, error) {
 	t.Helper()
 	r := require.New(t)
 	scheme := runtime.NewScheme()
@@ -487,3 +487,34 @@ consumers:
 		})
 	}
 }
+
+func TestResolutionErrors(t *testing.T) {
+	id := runtime.Identity{
+		"type": "not exists",
+	}
+
+	r := require.New(t)
+	g, err := credentials.ToGraph(t.Context(), &credentialruntime.Config{}, credentials.Options{})
+	require.NoError(t, err)
+	creds, err := g.Resolve(t.Context(), id)
+	r.Empty(creds)
+	r.Error(err)
+	r.ErrorIs(err, credentials.ErrNoDirectCredentials)
+	r.ErrorContains(err, fmt.Sprintf("failed to resolve credentials for identity %q: failed to match any node: no direct credentials found in graph", id.String()))
+
+	g, err = credentials.ToGraph(t.Context(), &credentialruntime.Config{}, credentials.Options{
+		RepositoryPluginProvider: credentials.GetRepositoryPluginFn(func(ctx context.Context, repoType runtime.Typed) (credentials.RepositoryPlugin, error) {
+			return RepositoryPlugin{
+				RepositoryIdentityFunc: func(config runtime.Typed) (runtime.Identity, error) {
+					return runtime.Identity{}, nil
+				},
+			}, nil
+		}),
+	})
+	r.NoError(err)
+	creds, err = g.Resolve(t.Context(), id)
+	r.Empty(creds)
+	r.Error(err)
+	r.ErrorIs(err, credentials.ErrNoIndirectCredentials)
+	r.ErrorContains(err, fmt.Sprintf("failed to resolve credentials for identity %q: no indirect credentials found in graph", id.String()))
+}
diff --git a/bindings/go/credentials/resolve_direct.go b/bindings/go/credentials/resolve_direct.go
@@ -35,21 +35,21 @@ func (g *Graph) resolveFromGraph(ctx context.Context, identity runtime.Identity)
 	for id := range vertex.Edges {
 		childID, ok := g.getIdentity(id)
 		if !ok {
-			return nil, fmt.Errorf("failed to resolve credentials for node %q: child node %q not found", vertex.ID, id)
+			return nil, fmt.Errorf("no credentials for node %q available: child node %q not found", vertex.ID, id)
 		}
 		childCredentials, err := g.resolveFromGraph(ctx, childID)
 		if err != nil {
 			return nil, err
 		}
 		plugin, err := g.credentialPluginProvider.GetCredentialPlugin(ctx, childID)
 		if err != nil {
-			return nil, fmt.Errorf("failed to resolve credentials for node %q: %w", childID, err)
+			return nil, fmt.Errorf("could not get credential plugin for node %q: %w", childID, err)
 		}
 
 		// Let the plugin resolve the child's credentials.
 		credentials, err := plugin.Resolve(ctx, childID, childCredentials)
 		if err != nil {
-			return nil, fmt.Errorf("failed to resolve credentials for node %q: %w", childID, err)
+			return nil, fmt.Errorf("no credentials for node %q resolved from plugin: %w", childID, err)
 		}
 
 		// Merge the resolved credentials into the result
diff --git a/bindings/go/credentials/resolve_indirect.go b/bindings/go/credentials/resolve_indirect.go
@@ -3,7 +3,6 @@ package credentials
 import (
 	"context"
 	"errors"
-	"fmt"
 	"log/slog"
 	"sync"
 
@@ -79,8 +78,11 @@ func (g *Graph) resolveFromRepository(ctx context.Context, identity runtime.Iden
 	}
 
 	wg.Wait()
+
 	if resolved == nil {
-		return nil, fmt.Errorf("failed to resolve credentials for %q indirectly using repository plugins: %w", identity, errors.Join(errs...))
+		// If we get here, then all repository plugins failed to resolve credentials.
+		// This is not an error, but rather a signal that the identity could not be resolved indirectly.
+		return nil, errors.Join(ErrNoIndirectCredentials, errors.Join(errs...))
 	}
 
 	// Cache the resolved credentials for future use.
diff --git a/bindings/go/credentials/synced_dag.go b/bindings/go/credentials/synced_dag.go
@@ -83,7 +83,7 @@ func (g *syncedDag) matchAnyNode(identity runtime.Identity) (*dag.Vertex[string]
 			return vertex, nil
 		}
 	}
-	return nil, fmt.Errorf("failed to resolve credentials for node %v: %w", node, ErrNoDirectCredentials)
+	return nil, fmt.Errorf("failed to match any node: %w", ErrNoDirectCredentials)
 }
 
 // addIdentity ensures that a given identity is represented as a vertex in the graph.

Original file line number	Diff line number	Diff line change
`@@ -35,21 +35,21 @@ func (g *Graph) resolveFromGraph(ctx context.Context, identity runtime.Identity)`
`35`	`35`	`for id := range vertex.Edges {`
`36`	`36`	`childID, ok := g.getIdentity(id)`
`37`	`37`	`if !ok {`
`38`		`- return nil, fmt.Errorf("failed to resolve credentials for node %q: child node %q not found", vertex.ID, id)`
	`38`	`+ return nil, fmt.Errorf("no credentials for node %q available: child node %q not found", vertex.ID, id)`
`39`	`39`	`}`
`40`	`40`	`childCredentials, err := g.resolveFromGraph(ctx, childID)`
`41`	`41`	`if err != nil {`
`42`	`42`	`return nil, err`
`43`	`43`	`}`
`44`	`44`	`plugin, err := g.credentialPluginProvider.GetCredentialPlugin(ctx, childID)`
`45`	`45`	`if err != nil {`
`46`		`- return nil, fmt.Errorf("failed to resolve credentials for node %q: %w", childID, err)`
	`46`	`+ return nil, fmt.Errorf("could not get credential plugin for node %q: %w", childID, err)`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`// Let the plugin resolve the child's credentials.`
`50`	`50`	`credentials, err := plugin.Resolve(ctx, childID, childCredentials)`
`51`	`51`	`if err != nil {`
`52`		`- return nil, fmt.Errorf("failed to resolve credentials for node %q: %w", childID, err)`
	`52`	`+ return nil, fmt.Errorf("no credentials for node %q resolved from plugin: %w", childID, err)`
`53`	`53`	`}`
`54`	`54`
`55`	`55`	`// Merge the resolved credentials into the result`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ func (g syncedDag) matchAnyNode(identity runtime.Identity) (dag.Vertex[string]`
`83`	`83`	`return vertex, nil`
`84`	`84`	`}`
`85`	`85`	`}`
`86`		`- return nil, fmt.Errorf("failed to resolve credentials for node %v: %w", node, ErrNoDirectCredentials)`
	`86`	`+ return nil, fmt.Errorf("failed to match any node: %w", ErrNoDirectCredentials)`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`// addIdentity ensures that a given identity is represented as a vertex in the graph.`