fix(jwt_worker): handle exceptions when decoding jwk from pem

Returns a more controlled error if users attempt to use the Service
Account JSON from the GCP PubSub example from swagger, which is
redacted.

apps/emqx_connector/src/emqx_connector_jwt_worker.erl

@@ -120,7 +120,7 @@ init(#{private_key := PrivateKeyPEM} = Config) ->
 
 handle_continue({make_key, PrivateKeyPEM}, State0) ->
     ?tp(connector_jwt_worker_make_key, #{state => State0}),
-    case jose_jwk:from_pem(PrivateKeyPEM) of
+    try jose_jwk:from_pem(PrivateKeyPEM) of
         JWK = #jose_jwk{} ->
             State = State0#{jwk := JWK},
             {noreply, State, {continue, create_token}};
@@ -135,6 +135,17 @@ handle_continue({make_key, PrivateKeyPEM}, State0) ->
             Error = {invalid_private_key, Error0},
             ?tp(connector_jwt_worker_startup_error, #{error => Error}),
             {stop, {shutdown, {error, Error}}, State0}
+    catch
+        Kind:Error ->
+            ?tp(
+                error,
+                connector_jwt_worker_startup_error,
+                #{
+                    kind => Kind,
+                    error => Error
+                }
+            ),
+            {stop, {shutdown, {error, Error}}, State0}
     end;
 handle_continue(create_token, State0) ->
     State = generate_and_store_jwt(State0),

apps/emqx_connector/test/emqx_connector_jwt_worker_SUITE.erl

@@ -364,3 +364,23 @@ t_unknown_requests(_Config) ->
     gen_server:cast(Worker, unknown_cast),
     ?assertEqual({error, bad_call}, gen_server:call(Worker, unknown_call)),
     ok.
+
+t_truncated_private_key(_Config) ->
+    Config0 = generate_config(),
+    Config = Config0#{private_key := <<"-----BEGIN PRIVATE KEY-----\nMIIEvQI...">>},
+    process_flag(trap_exit, true),
+    ?check_trace(
+        ?wait_async_action(
+            ?assertMatch({ok, _}, emqx_connector_jwt_worker:start_link(Config)),
+            #{?snk_kind := connector_jwt_worker_startup_error},
+            1_000
+        ),
+        fun(Trace) ->
+            ?assertMatch(
+                [#{error := function_clause}],
+                ?of_kind(connector_jwt_worker_startup_error, Trace)
+            ),
+            ok
+        end
+    ),
+    ok.