gcpkms: tweak obtaining of credentials

This ensures the error which can occur due to e.g. an invalid file path
being set still surfaces, while simultaneously addressing the other
concerns from review comments.

Signed-off-by: Hidde Beydals <hidde@hhh.computer>

Author: hiddeco

gcpkms/keysource.go

@@ -246,20 +246,21 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 	case key.credentialJSON != nil:
 		opts = append(opts, option.WithCredentialsJSON(key.credentialJSON))
 	default:
-		credentials, errCredentialsFile := getGoogleCredentials()
+		credentials, err := getGoogleCredentials()
+		if err != nil {
+			return nil, fmt.Errorf("credentials: failed to obtain credentials from %q: %w", SopsGoogleCredentialsEnv, err)
+		}
 		if credentials != nil {
 			opts = append(opts, option.WithCredentialsJSON(credentials))
 			break
 		}
 
-		atCredentials, errCredentialsToken := getGoogleOAuthTokenFromEnv()
-		if atCredentials != nil {
+		if atCredentials := getGoogleOAuthTokenFromEnv(); atCredentials != nil {
 			opts = append(opts, option.WithTokenSource(atCredentials))
+			break
 		}
 
-		if errCredentialsFile != nil && errCredentialsToken != nil {
-			return nil, fmt.Errorf("credentials: failed to get credentials for gcp kms, add default credentials or oauth access token from env")
-		}
+		return nil, fmt.Errorf("credentials: none found: missing %q or %q environment variable", SopsGoogleCredentialsEnv, SopsGoogleCredentialsOAuthTokenEnv)
 	}
 
 	if key.grpcConn != nil {
@@ -278,30 +279,26 @@ func (key *MasterKey) newKMSClient() (*kms.KeyManagementClient, error) {
 // getGoogleCredentials returns the SopsGoogleCredentialsEnv variable, as
 // either the file contents of the path of a credentials file, or as value in
 // JSON format.
-// It returns an error and a nil byte slice  if the environment variable is not set,
-// or the file cannot be read.
+// It returns an error and a nil byte slice if the file cannot be read.
 func getGoogleCredentials() ([]byte, error) {
 	if defaultCredentials, ok := os.LookupEnv(SopsGoogleCredentialsEnv); ok && len(defaultCredentials) > 0 {
 		if _, err := os.Stat(defaultCredentials); err == nil {
 			return os.ReadFile(defaultCredentials)
 		}
-
 		return []byte(defaultCredentials), nil
 	}
-	return nil, fmt.Errorf("could not find Google credential file")
+	return nil, nil
 }
 
 // getGoogleOAuthTokenFromEnv returns the SopsGoogleCredentialsOauthTokenEnv variable,
 // as the OAauth 2.0 token.
 // It returns an error and a nil byte slice if the envrionment variable is not set.
-func getGoogleOAuthTokenFromEnv() (oauth2.TokenSource, error) {
+func getGoogleOAuthTokenFromEnv() oauth2.TokenSource {
 	if token, isSet := os.LookupEnv(SopsGoogleCredentialsOAuthTokenEnv); isSet && len(token) > 0 {
 		tokenSource := oauth2.StaticTokenSource(
 			&oauth2.Token{AccessToken: token},
 		)
-
-		return tokenSource, nil
+		return tokenSource
 	}
-
-	return nil, fmt.Errorf("could not find Google OAuth token")
+	return nil
 }

gcpkms/keysource_test.go

@@ -150,7 +150,7 @@ func TestMasterKey_createCloudKMSService_withCredentialsFile(t *testing.T) {
 			key: MasterKey{
 				ResourceID: testResourceID,
 			},
-			errString: "credentials: failed to get credentials",
+			errString: `credentials: failed to obtain credentials from "SOPS_GOOGLE_CREDENTIALS"`,
 		},
 	}