diff --git a/pkg/keymanagementprovider/azurekeyvault/provider.go b/pkg/keymanagementprovider/azurekeyvault/provider.go
index 848679b0b..0a27f13d5 100644
--- a/pkg/keymanagementprovider/azurekeyvault/provider.go
+++ b/pkg/keymanagementprovider/azurekeyvault/provider.go
@@ -41,6 +41,7 @@ import (
 	"golang.org/x/crypto/pkcs12"
 	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
+	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 )
@@ -169,20 +170,26 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp
 		secretBundle, err := s.kvClient.GetSecret(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
 		if err != nil {
 			// certificate is disabled, remove it from the map
-			if strings.Contains(err.Error(), "403") {
-				certBundle, err := s.kvClient.GetCertificate(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
-				if err != nil {
-					return nil, nil, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
+			if de, ok := err.(autorest.DetailedError); ok {
+
+				if re, ok := de.Original.(*azure.RequestError); ok {
+
+					if re.ServiceError.Code == "SecretDisabled" {
+						certBundle, err := s.kvClient.GetCertificate(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
+						if err != nil {
+							return nil, nil, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
+						}
+
+						keyVaultCert.Version = getObjectVersion(*certBundle.Kid)
+						isEnabled := *certBundle.Attributes.Enabled
+						lastRefreshed := startTime.Format(time.RFC3339)
+						certProperty := getStatusProperty(keyVaultCert.Name, keyVaultCert.Version, strconv.FormatBool(isEnabled), lastRefreshed)
+						certsStatus = append(certsStatus, certProperty)
+						mapKey := keymanagementprovider.KMPMapKey{Name: keyVaultCert.Name, Version: keyVaultCert.Version, Enabled: isEnabled}
+						keymanagementprovider.DeleteCertificateFromMap(s.resource, mapKey)
+						continue
+					}
 				}
-
-				keyVaultCert.Version = getObjectVersion(*certBundle.Kid)
-				isEnabled := *certBundle.Attributes.Enabled
-				lastRefreshed := startTime.Format(time.RFC3339)
-				certProperty := getStatusProperty(keyVaultCert.Name, keyVaultCert.Version, strconv.FormatBool(isEnabled), lastRefreshed)
-				certsStatus = append(certsStatus, certProperty)
-				mapKey := keymanagementprovider.KMPMapKey{Name: keyVaultCert.Name, Version: keyVaultCert.Version, Enabled: isEnabled}
-				keymanagementprovider.DeleteCertificateFromMap(s.resource, mapKey)
-				continue
 			}
 			return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
diff --git a/pkg/keymanagementprovider/azurekeyvault/provider_test.go b/pkg/keymanagementprovider/azurekeyvault/provider_test.go
index d3dc3ac62..e01d7ec93 100644
--- a/pkg/keymanagementprovider/azurekeyvault/provider_test.go
+++ b/pkg/keymanagementprovider/azurekeyvault/provider_test.go
@@ -27,6 +27,7 @@ import (
 	"time"
 	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
+	"github.com/Azure/go-autorest/autorest"
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/Azure/go-autorest/autorest/to"
 	"github.com/ratify-project/ratify/internal/version"
@@ -242,7 +243,12 @@ func TestGetCertificates(t *testing.T) {
 					}, nil
 				},
 				GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) {
-					return kv.SecretBundle{}, errors.New("403")
+					err := autorest.DetailedError{
+						Original: &azure.RequestError{
+							ServiceError: &azure.ServiceError{Code: "SecretDisabled"},
+						},
+					}
+					return kv.SecretBundle{}, err
 				},
 			},
 		},
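Review bot: `re.ServiceError.Code` on the new `SecretDisabled` check dereferences `ServiceError` without a nil guard, so a `*azure.RequestError` whose `ServiceError` is nil (a response the SDK could not parse into a service error body) would panic inside GetCertificates instead of falling through to the wrapped "failed to get secret" return; guard it with `if re.ServiceError != nil && re.ServiceError.Code == "SecretDisabled" {`. The bare `err.(autorest.DetailedError)` assertion also only matches an unwrapped value; if the client ever wraps the error, `errors.As(err, &de)` would keep this path working, though whether `errors` is already imported in provider.go is outside the hunk. The comment `// certificate is disabled, remove it from the map` now sits above the generic type-assertion chain rather than the disabled-case branch; moving it onto the `SecretDisabled` line and dropping the two empty lines after the `if ... {` openers would read more cleanly. GetCertificates begins and ends outside this hunk.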
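Review bot: The updated GetSecretFunc fixture only exercises the `SecretDisabled` fallback; the non-matching paths that this change newly distinguishes (a `DetailedError` with a different `ServiceError.Code`, and one whose `Original` is not a `*azure.RequestError`) have no case asserting that GetCertificates returns the wrapped "failed to get secret" error instead of removing the certificate from the map. A fixture returning `autorest.DetailedError{Original: &azure.RequestError{ServiceError: &azure.ServiceError{Code: "Forbidden"}}}` with an expected non-nil error would pin that behaviour. TestGetCertificates starts and ends outside this hunk.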