chore(client): Aggregate errors that get passed back to Command and return Warning instead of Error if partial error occurs in Inventory

Author: m8rmclaren

AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator_AzureAppGW.cs

@@ -14,7 +14,6 @@
 
 using System.Security.Cryptography.X509Certificates;
 using Azure.ResourceManager.Network.Models;
-using AzureApplicationGatewayOrchestratorExtension;
 using AzureApplicationGatewayOrchestratorExtension.AppGatewayCertificateJobs;
 using AzureApplicationGatewayOrchestratorExtension.Client;
 using Keyfactor.Logging;

AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator_Client.cs

@@ -87,12 +87,12 @@ public void AzureClientIntegrationTest()
         // Step 3 - Get the certificates that exist on the app gateway
 
         // Act
-        IEnumerable<Keyfactor.Orchestrators.Extensions.CurrentInventoryItem> certs = client.GetAppGatewaySslCertificates();
+        OperationResult<IEnumerable<Keyfactor.Orchestrators.Extensions.CurrentInventoryItem>> certs = client.GetAppGatewaySslCertificates();
 
         // Assert
-        Assert.NotNull(certs);
-        Assert.NotEmpty(certs);
-        Assert.Contains(certs, c => c.Alias == certName);
+        Assert.NotNull(certs.Result);
+        Assert.NotEmpty(certs.Result);
+        Assert.Contains(certs.Result, c => c.Alias == certName);
 
         // Step 4 - Try to remove the certificate from the app gateway, which should fail 
         // since it's bound to an HTTPS listener
@@ -119,7 +119,7 @@ public void AzureClientIntegrationTest()
         // Rebind the HTTPS listener with the original certificate, if there was only 1 certificate
         // previously, otherwise bind it with the first certificate in the list.
 
-        ApplicationGatewaySslCertificate replacement = client.GetAppGatewayCertificateByName(certs.First(c => c.Alias != certName).Alias);
+        ApplicationGatewaySslCertificate replacement = client.GetAppGatewayCertificateByName(certs.Result.First(c => c.Alias != certName).Alias);
 
         client.UpdateHttpsListenerCertificate(replacement, httpsListenerName);
 

AzureAppGatewayOrchestrator.Tests/AzureAppGatewayOrchestrator_FakeClient.cs

@@ -74,7 +74,7 @@ public IAzureAppGatewayClient Build()
     public IEnumerable<string>? AppGatewaysAvailableOnFakeTenant { get; set; }
     public Dictionary<string, ApplicationGatewaySslCertificate>? CertificatesAvailableOnFakeAppGateway { get; set; }
 
-    public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
+    public OperationResult<IEnumerable<CurrentInventoryItem>> GetAppGatewaySslCertificates()
     {
         _logger.LogDebug("Getting App Gateway SSL Certificates from fake app gateway");
 
@@ -84,6 +84,8 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
         }
 
         List<CurrentInventoryItem> inventoryItems = new List<CurrentInventoryItem>();
+        OperationResult<IEnumerable<CurrentInventoryItem>> result = new(inventoryItems);
+
         foreach (ApplicationGatewaySslCertificate cert in CertificatesAvailableOnFakeAppGateway.Values)
         {
             inventoryItems.Add(new CurrentInventoryItem
@@ -98,7 +100,7 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
 
         _logger.LogDebug($"Fake client has {inventoryItems.Count} certificates in inventory");
 
-        return inventoryItems;
+        return result;
     }
 
     public ApplicationGatewaySslCertificate AddCertificate(string certificateName, string certificateData, string certificatePassword)

AzureAppGatewayOrchestrator/AppGatewayCertificateJobs/Inventory.cs

@@ -51,9 +51,32 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
         try
         {
-            inventoryItems = Client.GetAppGatewaySslCertificates().ToList();
+            OperationResult<IEnumerable<CurrentInventoryItem>> inventoryResult = Client.GetAppGatewaySslCertificates();
+            if (!inventoryResult.Success)
+            {
+                // Aggregate the messages into the failure message. Since an exception wasn't thrown,
+                // we still have a partial success. We want to return a warning.
+                result.FailureMessage += inventoryResult.ErrorMessage; 
+                result.Result = OrchestratorJobStatusJobResult.Warning;
+                _logger.LogWarning(result.FailureMessage);
+            } 
+            else
+            {
+                result.Result = OrchestratorJobStatusJobResult.Success;
+            }
+
+            // At least partial success is guaranteed, so we can continue with the inventory items
+            // that we were able to pull down.
+            inventoryItems = inventoryResult.Result.ToList();
+
         } catch (Exception ex)
         {
+            // Exception is triggered if we weren't able to pull down the list of certificates
+            // from Azure. This could be due to a number of reasons, including network issues,
+            // or the user not having the correct permissions. An exception won't be triggered
+            // if there are no certificates in the App Gateway, or if we weren't able to assemble
+            // the list of certificates into a CurrentInventoryItem.
+
             _logger.LogError(ex, "Error getting App Gateway SSL Certificates:\n" + ex.Message);
             result.FailureMessage = "Error getting App Gateway SSL Certificates:\n" + ex.Message;
             return result;
@@ -64,7 +87,6 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
         //cb.DynamicInvoke(inventoryItems);
         cb(inventoryItems);
 
-        result.Result = OrchestratorJobStatusJobResult.Success;
         return result;
     }
 }

AzureAppGatewayOrchestrator/Client/GatewayClient.cs

@@ -273,15 +273,16 @@ public ApplicationGatewaySslCertificate GetAppGatewayCertificateByName(string ce
         return gatewaySslCertificate;
     }
 
-    public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
+    public OperationResult<IEnumerable<CurrentInventoryItem>> GetAppGatewaySslCertificates()
     {
-
         ApplicationGatewayResource appGatewayResource =
             _armClient.GetApplicationGatewayResource(AppGatewayResourceId).Get();
         _logger.LogDebug($"Getting SSL certificates from App Gateway called \"{appGatewayResource.Data.Name}\"");
         _logger.LogDebug($"There are {appGatewayResource.Data.SslCertificates.Count()} certificates in the response.");
         List<CurrentInventoryItem> inventoryItems = new List<CurrentInventoryItem>();
 
+        OperationResult<IEnumerable<CurrentInventoryItem>> result = new(inventoryItems);
+
         foreach (ApplicationGatewaySslCertificate certObject in appGatewayResource.Data.SslCertificates)
         {
             List<string> b64EncodedDerCertificateList = new List<string>();
@@ -316,15 +317,19 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
                 }
                 catch (Exception e)
                 {
-                    string error = $"Error retrieving certificate from Azure Key Vault with ID {certObject.KeyVaultSecretId}: {e.Message}";
-                    _logger.LogError(error);
-                    throw new Exception(error);
+                    string error = $"Failed to download certificate from Azure Key Vault with ID {certObject.KeyVaultSecretId}";
+                    _logger.LogError(error + $": {e.Message}");
+
+                    result.AddRuntimeErrorMessage(error);
+                    continue;
                 }
             }
             else 
             {
-                _logger.LogError($"Certificate called \"{certObject.Name}\" ({certObject.Id}) does not have any public certificate data or Key Vault secret ID.");
+                string error = $"Certificate called \"{certObject.Name}\" ({certObject.Id}) does not have any public certificate data or Key Vault secret ID.";
+                _logger.LogError(error);
 
+                result.AddRuntimeErrorMessage(error);
                 continue;
             }
 
@@ -341,8 +346,13 @@ public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates()
             inventoryItems.Add(inventoryItem);
         }
 
+        if (!result.Success)
+        {
+            result.ErrorSummary = $"Application Gateway Certificate inventory may be incomplete. Successfully read {inventoryItems.Count()}/{appGatewayResource.Data.SslCertificates.Count()} certificates present in the Application Gateway called {AppGatewayResourceId.Name} ({AppGatewayResourceId})\nPlease see Orchestrator logs for more details. Error summary:";
+        }
+
         _logger.LogDebug($"Found {inventoryItems.Count()} certificates in app gateway");
-        return inventoryItems;
+        return result;
     }
 
     public void UpdateHttpsListenerCertificate(ApplicationGatewaySslCertificate certificate, string listenerName)

AzureAppGatewayOrchestrator/Client/IAzureAppGatewayClient.cs

@@ -28,11 +28,31 @@ public interface IAzureAppGatewayClientBuilder
         public IAzureAppGatewayClient Build();
     }
 
+    public class OperationResult<T>
+    {
+        public T Result { get; set; }
+        public string ErrorSummary { get; set; }
+        public List<string> Messages { get; set; } = new List<string>();
+        public bool Success => Messages.Count == 0;
+
+        public OperationResult(T result)
+        {
+            Result = result;
+        }
+
+        public void AddRuntimeErrorMessage(string message)
+        {
+            Messages.Add("  - " + message);
+        }
+
+        public string ErrorMessage => $"{ErrorSummary}\n{string.Join("\n", Messages)}";
+    }
+
     public interface IAzureAppGatewayClient
     {
         public ApplicationGatewaySslCertificate AddCertificate(string certificateName, string certificateData, string certificatePassword);
         public void RemoveCertificate(string certificateName);
-        public IEnumerable<CurrentInventoryItem> GetAppGatewaySslCertificates();
+        public OperationResult<IEnumerable<CurrentInventoryItem>> GetAppGatewaySslCertificates();
         public ApplicationGatewaySslCertificate GetAppGatewayCertificateByName(string certificateName);
         public bool CertificateExists(string certificateName);
         public IEnumerable<string> DiscoverApplicationGateways();

AzureAppGatewayOrchestrator/ListenerBindingJobs/Inventory.cs

@@ -44,7 +44,8 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
         JobResult result = new JobResult
         {
             Result = OrchestratorJobStatusJobResult.Failure,
-                   JobHistoryId = config.JobHistoryId
+                   JobHistoryId = config.JobHistoryId,
+                   FailureMessage = ""
         };
 
         List<CurrentInventoryItem> appGatewayCertificateInventory;
@@ -62,9 +63,32 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
         try
         {
-            appGatewayCertificateInventory = Client.GetAppGatewaySslCertificates().ToList();
+            OperationResult<IEnumerable<CurrentInventoryItem>> inventoryResult = Client.GetAppGatewaySslCertificates();
+            if (!inventoryResult.Success)
+            {
+                // Aggregate the messages into the failure message. Since an exception wasn't thrown,
+                // we still have a partial success. We want to return a warning.
+                result.FailureMessage += inventoryResult.ErrorMessage; 
+                result.Result = OrchestratorJobStatusJobResult.Warning;
+                _logger.LogWarning(result.FailureMessage);
+            } 
+            else
+            {
+                result.Result = OrchestratorJobStatusJobResult.Success;
+            }
+
+            // At least partial success is guaranteed, so we can continue with the inventory items
+            // that we were able to pull down.
+            appGatewayCertificateInventory = inventoryResult.Result.ToList();
+
         } catch (Exception ex)
         {
+            // Exception is triggered if we weren't able to pull down the list of certificates
+            // from Azure. This could be due to a number of reasons, including network issues,
+            // or the user not having the correct permissions. An exception won't be triggered
+            // if there are no certificates in the App Gateway, or if we weren't able to assemble
+            // the list of certificates into a CurrentInventoryItem.
+
             _logger.LogError(ex, "Error getting App Gateway SSL Certificates:\n" + ex.Message);
             result.FailureMessage = "Error getting App Gateway SSL Certificates:\n" + ex.Message;
             return result;
@@ -81,7 +105,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
         } catch (Exception ex)
         {
             _logger.LogError(ex, "Error getting bound App Gateway HTTPS Listener Certificates:\n" + ex.Message);
-            result.FailureMessage = "Error getting bound App Gateway HTTPS Listener Certificates:\n" + ex.Message;
+            result.FailureMessage += "Error getting bound App Gateway HTTPS Listener Certificates:\n" + ex.Message;
             return result;
         }
 
@@ -129,7 +153,7 @@ public JobResult ProcessJob(InventoryJobConfiguration config, SubmitInventoryUpd
 
         cb.DynamicInvoke(certificateBindingInventory);
 
-        result.Result = OrchestratorJobStatusJobResult.Success;
+        // Result is already set correctly by this point.
         return result;
     }
 }