Fix auth error telemetry classification (Azure#7233) (Azure#7235)

Auth errors were classified as 'unknown' in telemetry (~610K/28d).

Changes:
- Add ErrCategory("auth") to ReLoginRequiredError, ErrNoCurrentUser,
  and azidentity.AuthenticationFailedError branches in MapError()
- Move ErrNoCurrentUser from classifySentinel() into MapError() so
  it can set errDetails
- Add azidentity.AuthenticationFailedError handler with new code
  "auth.identity_failed"
- Update classifySuggestionType() to match

Per @JeffreyCA and @vhvb1989 feedback: use error.category (not
service.name) for all auth errors since these are locally generated
and may come from azd or az CLI delegated auth, not from AAD directly.

Fixes Azure#7233

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: 2 people

cli/azd/internal/cmd/errors.go

@@ -19,6 +19,7 @@ import (
 
 	"github.com/AlecAivazis/survey/v2/terminal"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/azure/azure-dev/cli/azd/internal"
 	"github.com/azure/azure-dev/cli/azd/internal/agent/consent"
 	"github.com/azure/azure-dev/cli/azd/internal/tracing"
@@ -48,6 +49,7 @@ func MapError(err error, span tracing.Span) {
 		errCode = updateErr.Code
 	} else if _, ok := errors.AsType[*auth.ReLoginRequiredError](err); ok {
 		errCode = "auth.login_required"
+		errDetails = append(errDetails, fields.ErrCategory.String("auth"))
 	} else if errWithSuggestion, ok := errors.AsType[*internal.ErrorWithSuggestion](err); ok {
 		errCode = "error.suggestion"
 		span.SetAttributes(fields.ErrType.String(classifySuggestionType(errWithSuggestion.Unwrap())))
@@ -184,6 +186,12 @@ func MapError(err error, span tracing.Span) {
 				fields.ServiceCorrelationId.String(authFailedErr.Parsed.CorrelationId))
 		}
 		errCode = "service.aad.failed"
+	} else if errors.Is(err, auth.ErrNoCurrentUser) {
+		errCode = "auth.not_logged_in"
+		errDetails = append(errDetails, fields.ErrCategory.String("auth"))
+	} else if _, ok := errors.AsType[*azidentity.AuthenticationFailedError](err); ok {
+		errCode = "auth.identity_failed"
+		errDetails = append(errDetails, fields.ErrCategory.String("auth"))
 	} else if code := classifySentinel(err); code != "" {
 		errCode = code
 	} else if isNetworkError(err) {
@@ -268,8 +276,6 @@ func classifySentinel(err error) string {
 		return "user.canceled"
 	case errors.Is(err, context.DeadlineExceeded):
 		return "internal.timeout"
-	case errors.Is(err, auth.ErrNoCurrentUser):
-		return "auth.not_logged_in"
 	case errors.Is(err, consent.ErrToolExecutionDenied):
 		return "user.tool_denied"
 	case errors.Is(err, git.ErrNotRepository):
@@ -374,6 +380,14 @@ func classifySuggestionType(err error) string {
 		return "service.aad.failed"
 	}
 
+	if errors.Is(err, auth.ErrNoCurrentUser) {
+		return "auth.not_logged_in"
+	}
+
+	if _, ok := errors.AsType[*azidentity.AuthenticationFailedError](err); ok {
+		return "auth.identity_failed"
+	}
+
 	if code := classifySentinel(err); code != "" {
 		return code
 	}

cli/azd/internal/cmd/errors_test.go

@@ -21,6 +21,7 @@ import (
 	"testing"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/azure/azure-dev/cli/azd/internal"
 	"github.com/azure/azure-dev/cli/azd/internal/agent/consent"
 	"github.com/azure/azure-dev/cli/azd/internal/tracing/fields"
@@ -201,6 +202,22 @@ func Test_MapError(t *testing.T) {
 				fields.ErrorKey(fields.ServiceCorrelationId.Key).String("12345"),
 			},
 		},
+		{
+			name:          "WithReLoginRequiredError",
+			err:           &auth.ReLoginRequiredError{},
+			wantErrReason: "auth.login_required",
+			wantErrDetails: []attribute.KeyValue{
+				fields.ErrorKey(fields.ErrCategory.Key).String("auth"),
+			},
+		},
+		{
+			name:          "WithAzidentityAuthenticationFailedError",
+			err:           &azidentity.AuthenticationFailedError{},
+			wantErrReason: "auth.identity_failed",
+			wantErrDetails: []attribute.KeyValue{
+				fields.ErrorKey(fields.ErrCategory.Key).String("auth"),
+			},
+		},
 		{
 			name: "WithExtServiceError",
 			err: &azdext.ServiceError{
@@ -274,16 +291,20 @@ func Test_MapError(t *testing.T) {
 			wantErrDetails: nil,
 		},
 		{
-			name:           "WithErrNoCurrentUser",
-			err:            auth.ErrNoCurrentUser,
-			wantErrReason:  "auth.not_logged_in",
-			wantErrDetails: nil,
+			name:          "WithErrNoCurrentUser",
+			err:           auth.ErrNoCurrentUser,
+			wantErrReason: "auth.not_logged_in",
+			wantErrDetails: []attribute.KeyValue{
+				fields.ErrorKey(fields.ErrCategory.Key).String("auth"),
+			},
 		},
 		{
-			name:           "WithWrappedErrNoCurrentUser",
-			err:            fmt.Errorf("failed to create credential: %w: %w", errors.New("inner"), auth.ErrNoCurrentUser),
-			wantErrReason:  "auth.not_logged_in",
-			wantErrDetails: nil,
+			name:          "WithWrappedErrNoCurrentUser",
+			err:           fmt.Errorf("failed to create credential: %w: %w", errors.New("inner"), auth.ErrNoCurrentUser),
+			wantErrReason: "auth.not_logged_in",
+			wantErrDetails: []attribute.KeyValue{
+				fields.ErrorKey(fields.ErrCategory.Key).String("auth"),
+			},
 		},
 		{
 			name:           "WithErrToolExecutionDenied",
@@ -974,6 +995,14 @@ func Test_ClassifySuggestionType_MatchesMapError(t *testing.T) {
 				Parsed: &auth.AadErrorResponse{Error: "invalid_grant"},
 			},
 		},
+		{
+			name: "ReLoginRequiredError",
+			err:  &auth.ReLoginRequiredError{},
+		},
+		{
+			name: "AzidentityAuthenticationFailedError",
+			err:  &azidentity.AuthenticationFailedError{},
+		},
 		// Sentinels
 		{name: "context.Canceled", err: context.Canceled},
 		{name: "context.DeadlineExceeded", err: context.DeadlineExceeded},