Merge pull request #290 from cipherstash/handle-invalid-workspace-crn

tobyhede · web-flow · commit 034b660044d9 · 2025-07-24T12:07:50.000+10:00
fix: error on invalid workspace_crn
diff --git a/packages/cipherstash-proxy/src/config/tandem.rs b/packages/cipherstash-proxy/src/config/tandem.rs
@@ -138,6 +138,11 @@ pub struct DevelopmentConfig {
 ///
 /// ENV vars must be prefixed with `CS_`.
 ///
+/// IMPORTANT!
+/// Config needs to be loaded *before* logging can be initalized
+/// Tracing macros will not output and you may be confused.
+/// Use `println!`` and `eprintln!`` instead.
+///
 impl TandemConfig {
     pub fn default_path() -> String {
         DEFAULT_CONFIG_FILE_PATH.to_string()
@@ -194,9 +199,13 @@ impl TandemConfig {
                     env.insert("CS_ENCRYPT__DEFAULT_KEYSET_ID".into(), value);
                 }
 
-                if let Ok(Ok(value)) = std::env::var(CS_WORKSPACE_CRN).map(|crn| crn.parse::<Crn>())
-                {
-                    env.insert("CS_AUTH__WORKSPACE_CRN".into(), value.to_string());
+                if let Ok(value) = std::env::var(CS_WORKSPACE_CRN) {
+                    value
+                        .parse::<Crn>()
+                        .map(|crn| {
+                            env.insert("CS_AUTH__WORKSPACE_CRN".into(), crn.to_string());
+                        })
+                        .map_err(|_| ConfigError::InvalidWorkspaceCrn { crn: value })?;
                 }
 
                 if let Ok(value) = std::env::var(CS_WORKSPACE_ID) {
@@ -652,6 +661,25 @@ mod tests {
         });
     }
 
+    #[test]
+    fn invalid_crn_provided() {
+        let env = merge_env_vars(vec![(
+            "CS_WORKSPACE_CRN",
+            Some("crn:ap-southeast-N.aws:ABCDE12345"),
+        )]);
+
+        with_no_cs_vars(|| {
+            temp_env::with_vars(env, || {
+                let config = TandemConfig::build("tests/config/unknown.toml");
+                assert!(config.is_err());
+
+                if let Err(e) = config {
+                    assert!(e.to_string().contains("Invalid Workspace CRN"));
+                }
+            })
+        });
+    }
+
     #[test]
     fn missing_auth_config() {
         let env = merge_env_vars(vec![("CS_CLIENT_ACCESS_KEY", None)]);
diff --git a/packages/cipherstash-proxy/src/error.rs b/packages/cipherstash-proxy/src/error.rs
@@ -125,6 +125,12 @@ pub enum ConfigError {
     #[error("Invalid {name}: {value}")]
     InvalidParameter { name: String, value: String },
 
+    #[error(
+        "Invalid Workspace CRN: {crn}. CRN format is `crn:{{region}}.aws:{{workspace_id}}` For help visit {}",
+        ERROR_DOC_CONFIG_URL
+    )]
+    InvalidWorkspaceCrn { crn: String },
+
     #[error("Missing an active Encrypt configuration")]
     MissingActiveEncryptConfig,
 
