include source stack in aggregated errors in DefaultAzureCredential (#1546)

demoray · web-flow · commit 612e0d551cff · 2024-01-05T13:36:54.000-05:00
* include source stack in aggregated errors in DefaultAzureCredential As indicated in #1543, error details are swallowed when building an aggregate error message. Currently, we format each of the errors using to_string, which results in the following: ``` Error { context: Full( Custom { kind: Credential, error: Error { context: Message { kind: Credential, message: "Multiple errors were encountered while attempting to authenticate:\nenvironment credential\nIMDS timeout\naz-cli", }, }, }, "failed to get bearer token", ), } ``` This doesn't help the user understand how to fix the issue. With this update, we recurse through the error sources, building a more detailed message. This results in: ``` Error { context: Full( Custom { kind: Credential, error: Error { context: Message { kind: Credential, message: "Multiple errors were encountered while attempting to authenticate:\nenvironment credential - request token error - Server returned error response\nIMDS timeout - operation timed out\naz-cli - 'az account get-access-token' command failed: ERROR: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://storage.azure.com/ offline_access openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>. Trace ID: 346f391a-48f2-4e96-849f-9ecd6c589d02 Correlation ID: 7888c325-56ff-4100-8ce2-c8cf41561b40 Timestamp: 2024-01-05 01:31:04Z\nInteractive authentication is needed. Please run:\naz login --scope https://storage.azure.com/\n", }, }, }, "failed to get bearer token", ), } ``` When printed, this message looks like: ``` Multiple errors were encountered while attempting to authenticate: environment credential - request token error - Server returned error response IMDS timeout - operation timed out az-cli - 'az account get-access-token' command failed: ERROR: AADSTS70011: The provided request must include a 'scope' input parameter. The provided value for the input parameter 'scope' is not valid. The scope https://storage.azure.com/ offline_access openid profile is not valid. The scope format is invalid. Scope must be in a valid URI form <https://example/scope> or a valid Guid <guid/scope>. Trace ID: 02aecb08-69b4-4a5d-9ebb-784ea788c102 Correlation ID: dddc061a-ca11-4b21-b857-6d765a564597 Timestamp: 2024-01-05 01:43:45Z Interactive authentication is needed. Please run: az login --scope https://storage.azure.com/ ```
diff --git a/sdk/identity/src/token_credentials/default_credentials.rs b/sdk/identity/src/token_credentials/default_credentials.rs
@@ -92,33 +92,23 @@ pub enum DefaultAzureCredentialEnum {
 impl TokenCredential for DefaultAzureCredentialEnum {
     async fn get_token(&self, scopes: &[&str]) -> azure_core::Result<AccessToken> {
         match self {
-            DefaultAzureCredentialEnum::Environment(credential) => {
-                credential.get_token(scopes).await.context(
-                    ErrorKind::Credential,
-                    "error getting environment credential",
-                )
-            }
+            DefaultAzureCredentialEnum::Environment(credential) => credential
+                .get_token(scopes)
+                .await
+                .context(ErrorKind::Credential, "environment credential"),
             DefaultAzureCredentialEnum::ManagedIdentity(credential) => {
                 // IMSD timeout is only limited to 1 second when used in DefaultAzureCredential
                 credential
                     .get_token(scopes)
                     .timeout(Duration::from_secs(1))
                     .await
-                    .context(
-                        ErrorKind::Credential,
-                        "getting managed identity credential timed out",
-                    )?
-                    .context(
-                        ErrorKind::Credential,
-                        "error getting managed identity credential",
-                    )
-            }
-            DefaultAzureCredentialEnum::AzureCli(credential) => {
-                credential.get_token(scopes).await.context(
-                    ErrorKind::Credential,
-                    "error getting token credential from Azure CLI",
-                )
+                    .context(ErrorKind::Credential, "IMDS timeout")?
+                    .context(ErrorKind::Credential, "IMDS")
             }
+            DefaultAzureCredentialEnum::AzureCli(credential) => credential
+                .get_token(scopes)
+                .await
+                .context(ErrorKind::Credential, "az-cli"),
         }
     }
 
@@ -205,9 +195,18 @@ impl TokenCredential for DefaultAzureCredential {
 }
 
 fn format_aggregate_error(errors: &[Error]) -> String {
+    use std::error::Error;
     errors
         .iter()
-        .map(ToString::to_string)
+        .map(|e| {
+            let mut current: Option<&dyn Error> = Some(e);
+            let mut stack = vec![];
+            while let Some(err) = current.take() {
+                stack.push(err.to_string());
+                current = err.source();
+            }
+            stack.join(" - ")
+        })
         .collect::<Vec<String>>()
         .join("\n")
 }
