feat: Extend error message for 401 errors (#827)

Co-authored-by: Jonas Israel <jonas.israel@sap.com>

Author: Jonas-Isr

cloudplatform/connectivity-oauth/src/main/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2Service.java

@@ -36,6 +36,7 @@
 import com.sap.cloud.security.config.ClientIdentity;
 import com.sap.cloud.security.token.Token;
 import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
+import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
 import com.sap.cloud.security.xsuaa.client.OAuth2TokenResponse;
 import com.sap.cloud.security.xsuaa.client.OAuth2TokenService;
 
@@ -190,7 +191,21 @@ private OAuth2TokenResponse executeClientCredentialsFlow( @Nullable final Tenant
                         tenantSubdomain,
                         additionalParameters,
                         false))
-            .getOrElseThrow(e -> new TokenRequestFailedException("Failed to resolve access token.", e));
+            .getOrElseThrow(e -> buildException(e, tenant));
+    }
+
+    private TokenRequestFailedException buildException( @Nonnull final Throwable e, @Nullable final Tenant tenant )
+    {
+        String message = "Failed to resolve access token.";
+        //        In case where tenant is not the provider tenant, and we get 401 error, add hint to error message.
+        if( e instanceof OAuth2ServiceException
+            && ((OAuth2ServiceException) e).getHttpStatusCode().equals(401)
+            && tenant != null ) {
+            message +=
+                " In case you are accessing a multi-tenant BTP service on behalf of a subscriber tenant, ensure that the service instance"
+                    + " is declared as dependency to SaaS Provisioning Service or Subscription Manager (SMS) and subscribed for the current tenant.";
+        }
+        return new TokenRequestFailedException(message, e);
     }
 
     private void setAppTidInCaseOfIAS( @Nullable final String tenantId )

cloudplatform/connectivity-oauth/src/test/java/com/sap/cloud/sdk/cloudplatform/connectivity/OAuth2IntegrationTest.java

@@ -2,16 +2,19 @@
 
 import static java.util.Map.entry;
 
+import static com.github.tomakehurst.wiremock.client.WireMock.absent;
 import static com.github.tomakehurst.wiremock.client.WireMock.containing;
 import static com.github.tomakehurst.wiremock.client.WireMock.equalTo;
 import static com.github.tomakehurst.wiremock.client.WireMock.okJson;
 import static com.github.tomakehurst.wiremock.client.WireMock.post;
 import static com.github.tomakehurst.wiremock.client.WireMock.postRequestedFor;
 import static com.github.tomakehurst.wiremock.client.WireMock.stubFor;
+import static com.github.tomakehurst.wiremock.client.WireMock.unauthorized;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlEqualTo;
 import static com.github.tomakehurst.wiremock.client.WireMock.verify;
 import static com.sap.cloud.sdk.cloudplatform.connectivity.ServiceBindingTestUtility.bindingWithCredentials;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatCode;
 
 import java.io.IOException;
 import java.net.URI;
@@ -33,11 +36,13 @@
 import com.github.tomakehurst.wiremock.junit5.WireMockTest;
 import com.sap.cloud.environment.servicebinding.api.ServiceBinding;
 import com.sap.cloud.environment.servicebinding.api.ServiceIdentifier;
+import com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException;
 import com.sap.cloud.sdk.cloudplatform.connectivity.exception.HttpClientInstantiationException;
 import com.sap.cloud.sdk.cloudplatform.tenant.DefaultTenant;
 import com.sap.cloud.sdk.cloudplatform.tenant.TenantAccessor;
 import com.sap.cloud.security.client.HttpClientFactory;
 import com.sap.cloud.security.config.ClientIdentity;
+import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
 
 import io.vavr.control.Try;
 
@@ -152,6 +157,55 @@ void testIasTokenFlow()
         }
     }
 
+    @Test
+    void testExtended401ErrorMessage()
+    {
+        final ServiceBinding binding =
+            bindingWithCredentials(
+                ServiceIdentifier.DESTINATION,
+                entry("credential-type", "binding-secret"),
+                entry("clientid", "myClientId2"),
+                entry("clientsecret", "myClientSecret2"),
+                entry("uri", "http://provider.destination.domain"),
+                entry("url", "http://provider.destination.domain"));
+        final ServiceBindingDestinationOptions options = ServiceBindingDestinationOptions.forService(binding).build();
+
+        final Try<HttpDestination> maybeDestination =
+            new OAuth2ServiceBindingDestinationLoader().tryGetDestination(options);
+        assertThat(maybeDestination.isSuccess()).isTrue();
+        final HttpDestination destination = maybeDestination.get();
+
+        {
+            // provider case - no tenant:
+            // Here, the short error message is returned.
+            stubFor(
+                post("/oauth/token")
+                    .withHost(equalTo("provider.destination.domain"))
+                    .withHeader("X-zid", absent())
+                    .willReturn(unauthorized()));
+            assertThatCode(destination::getHeaders)
+                .isInstanceOf(DestinationAccessException.class)
+                .hasMessageEndingWith("Failed to resolve access token.")
+                .hasRootCauseInstanceOf(OAuth2ServiceException.class);
+        }
+        {
+            // subscriber tenant:
+            // Here, the error message contains a note about updating the SaaS registry.
+            stubFor(
+                post("/oauth/token")
+                    .withHost(equalTo("provider.destination.domain"))
+                    .withHeader("X-zid", equalTo("subscriber"))
+                    .willReturn(unauthorized()));
+
+            TenantAccessor.executeWithTenant(new DefaultTenant("subscriber", "subscriber"), () -> {
+                assertThatCode(destination::getHeaders)
+                    .isInstanceOf(DestinationAccessException.class)
+                    .hasMessageEndingWith("subscribed for the current tenant.")
+                    .hasRootCauseInstanceOf(OAuth2ServiceException.class);
+            });
+        }
+    }
+
     @Test
     @DisplayName( "The subdomain should be replaced for subscriber tenants when using IAS and ZTIS" )
     void testIasFlowWithZeroTrustAndSubscriberTenant()