Add extra debug logging for DB connection in minder-server (#3478)

* Add extra debug logging for DB connection in minder-server This is helpful for debugging DB configuration issues in k8s. * added extra logging * add logging for each secret we re-encrypt * even more logging
mindersec · May 31, 2024 · f8c48ba · f8c48ba
1 parent fa764bc
commit f8c48ba
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 8 deletions.
diff --git a/cmd/server/app/common.go b/cmd/server/app/common.go
@@ -29,6 +29,14 @@ import (
 // This file contains logic shared between different commands.
 
 func wireUpDB(ctx context.Context, cfg *serverconfig.Config) (db.Store, func(), error) {
+	zerolog.Ctx(ctx).Debug().
+		Str("name", cfg.Database.Name).
+		Str("host", cfg.Database.Host).
+		Str("user", cfg.Database.User).
+		Str("ssl_mode", cfg.Database.SSLMode).
+		Int("port", cfg.Database.Port).
+		Msg("connecting to minder database")
+
 	dbConn, _, err := cfg.Database.GetDBConnection(ctx)
 	if err != nil {
 		return nil, nil, fmt.Errorf("unable to connect to database: %w", err)

diff --git a/cmd/server/app/encryption_rotate.go b/cmd/server/app/encryption_rotate.go
@@ -57,6 +57,11 @@ var rotateCmd = &cobra.Command{
 
 		ctx := logger.FromFlags(cfg.LoggingConfig).WithContext(context.Background())
 
+		zerolog.Ctx(ctx).Debug().
+			Str("default_key_id", cfg.Crypto.Default.KeyID).
+			Str("default_algorithm", string(crypto.DefaultAlgorithm)).
+			Msg("default encryption settings")
+
 		// instantiate `db.Store` so we can run queries
 		store, closer, err := wireUpDB(ctx, cfg)
 		if err != nil {
@@ -151,32 +156,38 @@ func runRotationBatch(
 		if token.EncryptedAccessToken.Valid {
 			deserialized, err := crypto.DeserializeEncryptedData(token.EncryptedAccessToken.RawMessage)
 			if err != nil {
-				return 0, tokenError(token.ID, err)
+				return 0, tokenError(token.ID, "secret deserialization", err)
 			}
 			oldSecret = deserialized
 		} else if token.EncryptedToken.Valid {
 			oldSecret = crypto.NewBackwardsCompatibleEncryptedData(token.EncryptedToken.String)
 		} else {
 			// this should never happen
-			return 0, tokenError(token.ID, errors.New("no encrypted secret found"))
+			return 0, tokenError(token.ID, "secret retrieval", errors.New("no encrypted secret found"))
 		}
 
+		zerolog.Ctx(ctx).Debug().
+			Int32("token_id", token.ID).
+			Str("key_version", oldSecret.KeyVersion).
+			Str("algorithm", string(oldSecret.Algorithm)).
+			Msg("re-encrypting old secret")
+
 		// decrypt the secret
 		decrypted, err := engine.DecryptOAuthToken(oldSecret)
 		if err != nil {
-			return 0, tokenError(token.ID, err)
+			return 0, tokenError(token.ID, "decryption", err)
 		}
 
 		// re-encrypt it with new key/algorithm
 		encrypted, err := engine.EncryptOAuthToken(&decrypted)
 		if err != nil {
-			return 0, tokenError(token.ID, err)
+			return 0, tokenError(token.ID, "encryption", err)
 		}
 
 		// update DB
 		serialized, err := encrypted.Serialize()
 		if err != nil {
-			return 0, tokenError(token.ID, err)
+			return 0, tokenError(token.ID, "secret serialization", err)
 		}
 
 		zerolog.Ctx(ctx).
@@ -188,15 +199,15 @@ func runRotationBatch(
 			Secret: serialized,
 		})
 		if err != nil {
-			return 0, tokenError(token.ID, err)
+			return 0, tokenError(token.ID, "secret update in database", err)
 		}
 	}
 
 	return int64(len(batch)), nil
 }
 
-func tokenError(tokenID int32, err error) error {
-	return fmt.Errorf("unable to re-encrypt provider token %d: %s", tokenID, err)
+func tokenError(tokenID int32, action string, err error) error {
+	return fmt.Errorf("unable to re-encrypt provider token %d during %s: %s", tokenID, action, err)
 }
 
 func init() {