Skip to content

Commit

Permalink
oidc: use %w verb for wrapping errors
Browse files Browse the repository at this point in the history
Errors wrapped using %v cannot be unwrapped. This means if there is an
underlying error such as `context.Canceled`, a caller cannot reliably
discover that error using any method other than string comparison. By
swapping to the %w verb, `errors.Is` and `errors.As` become valuable
tools for error discovery and behavior differentiation.

While by convention, some of the errors like `fetching keys %v` should
probably be changed to `fetching keys: %w` (with the `:` character),
this change opts not to do that to help preserve backward compatibility
for external error handling that uses string comparison today.
  • Loading branch information
rliebz committed Jun 12, 2023
1 parent b203e58 commit cc7f3e6
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 3 deletions.
4 changes: 2 additions & 2 deletions oidc/jwks.go
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@ func (r *RemoteKeySet) verify(ctx context.Context, jws *jose.JSONWebSignature) (
// https://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys
keys, err := r.keysFromRemote(ctx)
if err != nil {
return nil, fmt.Errorf("fetching keys %v", err)
return nil, fmt.Errorf("fetching keys %w", err)
}

for _, key := range keys {
Expand Down Expand Up @@ -228,7 +228,7 @@ func (r *RemoteKeySet) updateKeys() ([]jose.JSONWebKey, error) {

resp, err := doRequest(r.ctx, req)
if err != nil {
return nil, fmt.Errorf("oidc: get keys failed %v", err)
return nil, fmt.Errorf("oidc: get keys failed %w", err)
}
defer resp.Body.Close()

Expand Down
43 changes: 42 additions & 1 deletion oidc/jwks_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"crypto/rand"
"crypto/rsa"
"encoding/json"
"errors"
"fmt"
"net/http"
"net/http/httptest"
Expand Down Expand Up @@ -138,6 +139,46 @@ func TestMismatchedKeyID(t *testing.T) {
testKeyVerify(t, key2, bad, key1, key2)
}

func TestKeyVerifyContextCanceled(t *testing.T) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()

payload := []byte("a secret")

good := newECDSAKey(t)
jws, err := jose.ParseSigned(good.sign(t, payload))
if err != nil {
t.Fatal(err)
}

timer := time.NewTimer(3 * time.Second)
defer timer.Stop()

s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
<-timer.C
}))
defer s.Close()

rks := newRemoteKeySet(ctx, s.URL, nil)

cancel()

// Ensure the token verifies.
_, err = rks.verify(ctx, jws)
if err == nil {
t.Fatal("expected context canceled, got nil error")
}

errMessage := "fetching keys context canceled"
if err.Error() != errMessage {
t.Errorf("expected error message %q got %q", errMessage, err)
}

if !errors.Is(err, context.Canceled) {
t.Errorf("expected error to be %q got %q", context.Canceled, err)
}
}

func testKeyVerify(t *testing.T, good, bad *signingKey, verification ...*signingKey) {
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
Expand Down Expand Up @@ -259,7 +300,7 @@ func BenchmarkVerify(b *testing.B) {

key := newRSAKey(b)

now := time.Date(2022, 01, 29, 0, 0, 0, 0, time.UTC)
now := time.Date(2022, 1, 29, 0, 0, 0, 0, time.UTC)
exp := now.Add(time.Hour)
payload := []byte(fmt.Sprintf(`{
"iss": "https://example.com",
Expand Down

0 comments on commit cc7f3e6

Please sign in to comment.