TUN-8894: report FIPS+PQ error to Sentry when dialling to the edge

## Summary Since we will enable PQ + FIPS it is necessary to add observability so that we can understand if issues are happening. Closes TUN-8894
2025-01-30 06:26:53 -08:00 · 2025-01-30 06:26:53 -08:00 · 90176a79b4
parent 9695829e5b
commit 90176a79b4
1 changed files with 23 additions and 0 deletions
--- a/supervisor/tunnel.go
+++ b/supervisor/tunnel.go
@ -11,6 +11,7 @@ import (
 	"sync"
 	"time"

+	"github.com/getsentry/sentry-go"
 	"github.com/pkg/errors"
 	"github.com/quic-go/quic-go"
 	"github.com/rs/zerolog"
@ -598,6 +599,8 @@ func (e *EdgeTunnelServer) serveQUIC(
 	)
 	if err != nil {
 		connLogger.ConnAwareLogger().Err(err).Msgf("Failed to dial a quic connection")
+
+		e.reportErrorToSentry(err)
 		return err, true
 	}

@ -667,6 +670,26 @@ func (e *EdgeTunnelServer) serveQUIC(
 	return errGroup.Wait(), false
 }

+// The reportErrorToSentry is an helper function that handles
+// verifies if an error should be reported to Sentry.
+func (e *EdgeTunnelServer) reportErrorToSentry(err error) {
+	dialErr, ok := err.(*connection.EdgeQuicDialError)
+	if ok {
+		// The TransportError provides an Unwrap function however
+		// the err MAY not always be set
+		transportErr, ok := dialErr.Cause.(*quic.TransportError)
+		if ok &&
+			transportErr.ErrorCode.IsCryptoError() &&
+			fips.IsFipsEnabled() &&
+			e.config.FeatureSelector.PostQuantumMode() == features.PostQuantumStrict {
+			// Only report to Sentry when using FIPS, PQ,
+			// and the error is a Crypto error reported by
+			// an EdgeQuicDialError
+			sentry.CaptureException(err)
+		}
+	}
+}
+
 func listenReconnect(ctx context.Context, reconnectCh <-chan ReconnectSignal, gracefulShutdownCh <-chan struct{}) error {
 	select {
 	case reconnect := <-reconnectCh: