Format error messages for object storage (EA) (#256)

metonym · web-flow · commit f8df5a7a774f · 2026-02-05T09:53:05.000-08:00
Improves error message formatting for object storage presigned URL operations
by returning user-friendly messages instead of raw provider responses.
The format follows the existing `received response code %d: %s`.
diff --git a/pkg/storage/repo.go b/pkg/storage/repo.go
@@ -2,6 +2,7 @@ package storage
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -147,8 +148,7 @@ func (r *Repo) UploadToPresignedURL(ctx context.Context, presignedURL string, co
 	defer resp.Body.Close()
 
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		respBody, _ := io.ReadAll(resp.Body)
-		return fmt.Errorf("upload failed with status %d: %s", resp.StatusCode, string(respBody))
+		return errors.New(storageErrorMessage(resp.StatusCode))
 	}
 
 	return nil
@@ -168,8 +168,7 @@ func (r *Repo) DownloadFromPresignedURL(ctx context.Context, presignedURL string
 	defer resp.Body.Close()
 
 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		respBody, _ := io.ReadAll(resp.Body)
-		return 0, fmt.Errorf("download failed with status %d: %s", resp.StatusCode, string(respBody))
+		return 0, errors.New(storageErrorMessage(resp.StatusCode))
 	}
 
 	written, err := io.Copy(dest, resp.Body)
@@ -179,3 +178,26 @@ func (r *Repo) DownloadFromPresignedURL(ctx context.Context, presignedURL string
 
 	return written, nil
 }
+
+func storageErrorMessage(statusCode int) string {
+	var message string
+	switch statusCode {
+	case 400:
+		message = "bad request"
+	case 401, 403:
+		message = "access denied"
+	case 404:
+		message = "object not found"
+	case 409:
+		message = "conflict"
+	case 413:
+		message = "object too large"
+	case 429:
+		message = "rate limited, please try again later"
+	case 500, 502, 503, 504:
+		message = "storage service temporarily unavailable"
+	default:
+		message = "unexpected error"
+	}
+	return fmt.Sprintf("received response code %d: %s", statusCode, message)
+}
diff --git a/pkg/storage/repo_test.go b/pkg/storage/repo_test.go
@@ -0,0 +1,255 @@
+package storage
+
+import (
+	"bytes"
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestStorageErrorMessage(t *testing.T) {
+	tests := []struct {
+		name       string
+		statusCode int
+		want       string
+	}{
+		{
+			name:       "400 bad request",
+			statusCode: 400,
+			want:       "received response code 400: bad request",
+		},
+		{
+			name:       "401 unauthorized",
+			statusCode: 401,
+			want:       "received response code 401: access denied",
+		},
+		{
+			name:       "403 forbidden",
+			statusCode: 403,
+			want:       "received response code 403: access denied",
+		},
+		{
+			name:       "404 not found",
+			statusCode: 404,
+			want:       "received response code 404: object not found",
+		},
+		{
+			name:       "409 conflict",
+			statusCode: 409,
+			want:       "received response code 409: conflict",
+		},
+		{
+			name:       "413 payload too large",
+			statusCode: 413,
+			want:       "received response code 413: object too large",
+		},
+		{
+			name:       "429 too many requests",
+			statusCode: 429,
+			want:       "received response code 429: rate limited, please try again later",
+		},
+		{
+			name:       "500 internal server error",
+			statusCode: 500,
+			want:       "received response code 500: storage service temporarily unavailable",
+		},
+		{
+			name:       "502 bad gateway",
+			statusCode: 502,
+			want:       "received response code 502: storage service temporarily unavailable",
+		},
+		{
+			name:       "503 service unavailable",
+			statusCode: 503,
+			want:       "received response code 503: storage service temporarily unavailable",
+		},
+		{
+			name:       "504 gateway timeout",
+			statusCode: 504,
+			want:       "received response code 504: storage service temporarily unavailable",
+		},
+		{
+			name:       "unknown status code",
+			statusCode: 418,
+			want:       "received response code 418: unexpected error",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := storageErrorMessage(tt.statusCode)
+			require.Equal(t, tt.want, got)
+		})
+	}
+}
+
+func TestDownloadFromPresignedURL_StorageErrors(t *testing.T) {
+	tests := []struct {
+		name           string
+		statusCode     int
+		responseBody   string
+		wantErrContain []string
+		wantErrExclude []string
+	}{
+		{
+			name:       "404 with S3 XML error",
+			statusCode: 404,
+			responseBody: `<?xml version="1.0" encoding="UTF-8"?>
+<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>tea-d3tc3fuuk2gs73d0paug/foo/bar/test.txt</Key><RequestId>95N55HR7H0QBF3X9</RequestId><HostId>QfLXA55SGkqZ6VEKV97lgMjiFNWRFhpTj29FAylq2SOh2LJFMyvHuRdUjDu1IaZ/NmQR0znt4/0=</HostId></Error>`,
+			wantErrContain: []string{"received response code 404", "object not found"},
+			wantErrExclude: []string{"NoSuchKey", "tea-d3tc3fuuk2gs73d0paug", "RequestId", "HostId"},
+		},
+		{
+			name:       "403 with GCS error",
+			statusCode: 403,
+			responseBody: `<?xml version='1.0' encoding='UTF-8'?>
+<Error><Code>AccessDenied</Code><Message>Access denied.</Message><Details>render-objects-bucket/some/path</Details></Error>`,
+			wantErrContain: []string{"received response code 403", "access denied"},
+			wantErrExclude: []string{"render-objects-bucket", "AccessDenied", "Details"},
+		},
+		{
+			name:           "500 server error",
+			statusCode:     500,
+			responseBody:   `Internal Server Error: connection to storage backend failed`,
+			wantErrContain: []string{"received response code 500", "storage service temporarily unavailable"},
+			wantErrExclude: []string{"Internal Server Error", "storage backend"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create mock server that returns the specified status and body
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(tt.statusCode)
+				w.Write([]byte(tt.responseBody))
+			}))
+			defer server.Close()
+
+			repo := &Repo{
+				httpClient: server.Client(),
+			}
+
+			var buf bytes.Buffer
+			_, err := repo.DownloadFromPresignedURL(context.Background(), server.URL, &buf)
+
+			require.Error(t, err)
+			for _, expected := range tt.wantErrContain {
+				require.Contains(t, err.Error(), expected)
+			}
+
+			// Verify sensitive information is NOT exposed
+			for _, excluded := range tt.wantErrExclude {
+				require.NotContains(t, err.Error(), excluded,
+					"error message should not contain sensitive info: %s", excluded)
+			}
+		})
+	}
+}
+
+func TestUploadToPresignedURL_StorageErrors(t *testing.T) {
+	tests := []struct {
+		name           string
+		statusCode     int
+		responseBody   string
+		wantErrContain []string
+		wantErrExclude []string
+	}{
+		{
+			name:       "403 with S3 access denied",
+			statusCode: 403,
+			responseBody: `<?xml version="1.0" encoding="UTF-8"?>
+<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>ABC123</RequestId><HostId>xyz789</HostId></Error>`,
+			wantErrContain: []string{"received response code 403", "access denied"},
+			wantErrExclude: []string{"AccessDenied", "RequestId", "HostId", "ABC123", "xyz789"},
+		},
+		{
+			name:       "413 payload too large",
+			statusCode: 413,
+			responseBody: `<?xml version="1.0" encoding="UTF-8"?>
+<Error><Code>EntityTooLarge</Code><Message>Your proposed upload exceeds the maximum allowed size</Message><MaxSizeAllowed>5368709120</MaxSizeAllowed></Error>`,
+			wantErrContain: []string{"received response code 413", "object too large"},
+			wantErrExclude: []string{"EntityTooLarge", "MaxSizeAllowed", "5368709120"},
+		},
+		{
+			name:           "502 bad gateway",
+			statusCode:     502,
+			responseBody:   `Bad Gateway: upstream storage unavailable`,
+			wantErrContain: []string{"received response code 502", "storage service temporarily unavailable"},
+			wantErrExclude: []string{"Bad Gateway", "upstream"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create mock server that returns the specified status and body
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(tt.statusCode)
+				w.Write([]byte(tt.responseBody))
+			}))
+			defer server.Close()
+
+			repo := &Repo{
+				httpClient: server.Client(),
+			}
+
+			content := strings.NewReader("test content")
+			err := repo.UploadToPresignedURL(context.Background(), server.URL, content, 12)
+
+			require.Error(t, err)
+			for _, expected := range tt.wantErrContain {
+				require.Contains(t, err.Error(), expected)
+			}
+
+			// Verify sensitive information is NOT exposed
+			for _, excluded := range tt.wantErrExclude {
+				require.NotContains(t, err.Error(), excluded,
+					"error message should not contain sensitive info: %s", excluded)
+			}
+		})
+	}
+}
+
+func TestDownloadFromPresignedURL_Success(t *testing.T) {
+	expectedContent := "file content here"
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(expectedContent))
+	}))
+	defer server.Close()
+
+	repo := &Repo{
+		httpClient: server.Client(),
+	}
+
+	var buf bytes.Buffer
+	written, err := repo.DownloadFromPresignedURL(context.Background(), server.URL, &buf)
+
+	require.NoError(t, err)
+	require.Equal(t, int64(len(expectedContent)), written)
+	require.Equal(t, expectedContent, buf.String())
+}
+
+func TestUploadToPresignedURL_Success(t *testing.T) {
+	var receivedContent bytes.Buffer
+
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		receivedContent.ReadFrom(r.Body)
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer server.Close()
+
+	repo := &Repo{
+		httpClient: server.Client(),
+	}
+
+	content := "test upload content"
+	err := repo.UploadToPresignedURL(context.Background(), server.URL, strings.NewReader(content), int64(len(content)))
+
+	require.NoError(t, err)
+	require.Equal(t, content, receivedContent.String())
+}
