fix(auth): handle ENOTDIR when opening cert config

auth/internal/transport/cert/secureconnect_cert.go

@@ -62,11 +62,11 @@ func NewSecureConnectProvider(configFilePath string) (Provider, error) {
 
 	file, err := os.ReadFile(configFilePath)
 	if err != nil {
-		if errors.Is(err, os.ErrNotExist) {
-			// Config file missing means Secure Connect is not supported.
-			return nil, errSourceUnavailable
-		}
-		return nil, err
+		// Config file missing means Secure Connect is not supported.
+		// There are non-os.ErrNotExist errors that may be returned.
+		// (e.g. if the home directory is /dev/null, *nix systems will
+		// return ENOTDIR instead of ENOENT)
+		return nil, errSourceUnavailable
 	}
 
 	var metadata secureConnectMetadata

auth/internal/transport/cert/secureconnect_cert_test.go

@@ -17,6 +17,8 @@ package cert
 import (
 	"bytes"
 	"errors"
+	"os"
+	"path/filepath"
 	"testing"
 )
 
@@ -30,6 +32,34 @@ func TestSecureConnectSource_ConfigMissing(t *testing.T) {
 	}
 }
 
+func TestSecureConnectSource_ConfigNotDirMissing(t *testing.T) {
+	source, err := NewSecureConnectProvider("/dev/null/missing.json")
+	if got, want := err, errSourceUnavailable; !errors.Is(err, errSourceUnavailable) {
+		t.Fatalf("got %v, want %v", got, want)
+	}
+	if source != nil {
+		t.Errorf("got %v, want nil source", source)
+	}
+}
+
+func TestSecureConnectSource_ConfigMissingPerms(t *testing.T) {
+	if os.Getuid() == 0 {
+		t.Skip("skipping permissions-related test because UID is 0 (reads never get EPERM while running as root in the current namespace)")
+	}
+	td := t.TempDir()
+	tmpFilePath := filepath.Join(td, "unreadable.json")
+	if wrErr := os.WriteFile(tmpFilePath, []byte{}, 0000); wrErr != nil {
+		t.Fatalf("failed to write temp file with permissions 000: %s", wrErr)
+	}
+	source, err := NewSecureConnectProvider(tmpFilePath)
+	if got, want := err, errSourceUnavailable; !errors.Is(err, errSourceUnavailable) {
+		t.Fatalf("got %v, want %v", got, want)
+	}
+	if source != nil {
+		t.Errorf("got %v, want nil source", source)
+	}
+}
+
 func TestSecureConnectSource_GetClientCertificateSuccess(t *testing.T) {
 	source, err := NewSecureConnectProvider("testdata/context_aware_metadata.json")
 	if err != nil {