sn: keyring+verifier

mateeullahmalik · mateeullahmalik · commit 034b93df3243 · 2025-12-03T14:23:01.000+05:00
diff --git a/pkg/keyring/keyring.go b/pkg/keyring/keyring.go
@@ -42,6 +42,11 @@ func InitKeyring(cfg config.KeyringConfig) (sdkkeyring.Keyring, error) {
 	if err != nil {
 		return nil, err
 	}
+	// Validate non-interactive passphrase sources early so we can emit
+	// clear errors for misconfigured environment variables or files.
+	if err := validatePassphraseConfig(cfg, backend); err != nil {
+		return nil, err
+	}
 	// Use the directory as-is, it should already be resolved by the config
 	dir := cfg.Dir
 
@@ -112,6 +117,39 @@ func selectPassphrase(cfg config.KeyringConfig) string {
 	return ""
 }
 
+// validatePassphraseConfig ensures that configured non-interactive passphrase
+// sources are usable. It does not enforce that a passphrase is provided at all
+// (interactive mode is still allowed); it only catches obvious misconfigurations
+// such as an empty environment variable or unreadable/empty file.
+func validatePassphraseConfig(cfg config.KeyringConfig, backend string) error {
+	backend = strings.ToLower(backend)
+	// The "test" backend never uses a passphrase.
+	if backend == "test" {
+		return nil
+	}
+
+	// If an environment variable is configured, it must be set and non-empty.
+	if cfg.PassEnv != "" {
+		val, ok := os.LookupEnv(cfg.PassEnv)
+		if !ok || strings.TrimSpace(val) == "" {
+			return fmt.Errorf("keyring passphrase environment variable %q is not set or is empty", cfg.PassEnv)
+		}
+	}
+
+	// If a passphrase file is configured, it must be readable and non-empty.
+	if cfg.PassFile != "" {
+		b, err := os.ReadFile(cfg.PassFile)
+		if err != nil {
+			return fmt.Errorf("failed to read keyring passphrase file %q: %w", cfg.PassFile, err)
+		}
+		if strings.TrimSpace(string(b)) == "" {
+			return fmt.Errorf("keyring passphrase file %q is empty", cfg.PassFile)
+		}
+	}
+
+	return nil
+}
+
 func normaliseBackend(b string) (string, error) {
 	switch strings.ToLower(b) {
 	case "file":
diff --git a/supernode/verifier/verifier.go b/supernode/verifier/verifier.go
@@ -50,10 +50,28 @@ func (cv *ConfigVerifier) VerifyConfig(ctx context.Context) (*VerificationResult
 
 func (cv *ConfigVerifier) checkKeyExists(result *VerificationResult) error {
 	_, err := cv.keyring.Key(cv.config.SupernodeConfig.KeyName)
-	if err != nil {
-		result.Valid = false
-		result.Errors = append(result.Errors, ConfigError{Field: "key_name", Actual: cv.config.SupernodeConfig.KeyName, Message: fmt.Sprintf("Key '%s' not found in keyring", cv.config.SupernodeConfig.KeyName)})
+	if err == nil {
+		return nil
 	}
+
+	result.Valid = false
+
+	// Provide a more actionable error message that includes keyring backend and
+	// directory, and preserve the original error for debugging.
+	msg := fmt.Sprintf(
+		"failed to load key %q from keyring (backend=%s, dir=%s): %v. "+
+			"Ensure the key exists and that your keyring passphrase configuration is correct.",
+		cv.config.SupernodeConfig.KeyName,
+		cv.config.KeyringConfig.Backend,
+		cv.config.GetKeyringDir(),
+		err,
+	)
+
+	result.Errors = append(result.Errors, ConfigError{
+		Field:   "key_name",
+		Actual:  cv.config.SupernodeConfig.KeyName,
+		Message: msg,
+	})
 	return nil
 }
 
@@ -78,9 +96,35 @@ func (cv *ConfigVerifier) checkSupernodeExists(ctx context.Context, result *Veri
 	sn, err := cv.lumeraClient.SuperNode().GetSupernodeWithLatestAddress(ctx, cv.config.SupernodeConfig.Identity)
 	if err != nil {
 		result.Valid = false
-		result.Errors = append(result.Errors, ConfigError{Field: "registration", Actual: "error", Message: err.Error()})
+
+		msg := fmt.Sprintf(
+			"failed to fetch supernode registration from chain (identity=%s, grpc=%s): %v",
+			cv.config.SupernodeConfig.Identity,
+			cv.config.LumeraClientConfig.GRPCAddr,
+			err,
+		)
+
+		result.Errors = append(result.Errors, ConfigError{
+			Field:   "registration",
+			Actual:  "error",
+			Message: msg,
+		})
 		return nil, err
 	}
+	if sn == nil {
+		result.Valid = false
+		msg := fmt.Sprintf(
+			"supernode identity %s is not registered on chain (grpc=%s)",
+			cv.config.SupernodeConfig.Identity,
+			cv.config.LumeraClientConfig.GRPCAddr,
+		)
+		result.Errors = append(result.Errors, ConfigError{
+			Field:   "registration",
+			Actual:  "not_found",
+			Message: msg,
+		})
+		return nil, nil
+	}
 	return sn, nil
 }
 
