feat: export token expiration error

try to match style follow naming convention tests revert import change match format naming convention test errors.As instead of errors.Is
coreos · Jun 27, 2022 · 2cafe18 · 2cafe18
1 parent 26c5037
commit 2cafe18
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 7 deletions.
diff --git a/oidc/verify.go b/oidc/verify.go
@@ -21,6 +21,18 @@ const (
 	issuerGoogleAccountsNoScheme = "accounts.google.com"
 )
 
+// TokenExpiredError indicates that Verify failed because the token was expired. This
+// error does NOT indicate that the token is not also invalid for other reasons. Other
+// checks might have failed if the expiration check had not failed.
+type TokenExpiredError struct {
+	// Expiry is the time when the token expired.
+	Expiry time.Time
+}
+
+func (e *TokenExpiredError) Error() string {
+	return fmt.Sprintf("oidc: token is expired (Token Expiry: %v)", e.Expiry)
+}
+
 // KeySet is a set of publc JSON Web Keys that can be used to validate the signature
 // of JSON web tokens. This is expected to be backed by a remote key set through
 // provider metadata discovery or an in-memory set of keys delivered out-of-band.
@@ -260,7 +272,7 @@ func (v *IDTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*IDTok
 		nowTime := now()
 
 		if t.Expiry.Before(nowTime) {
-			return nil, fmt.Errorf("oidc: token is expired (Token Expiry: %v)", t.Expiry)
+			return nil, &TokenExpiredError{Expiry: t.Expiry}
 		}
 
 		// If nbf claim is provided in token, ensure that it is indeed in the past.

diff --git a/oidc/verify_test.go b/oidc/verify_test.go
@@ -3,6 +3,7 @@ package oidc
 import (
 	"context"
 	"crypto"
+	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -72,8 +73,8 @@ func TestVerify(t *testing.T) {
 			config: Config{
 				SkipClientIDCheck: true,
 			},
-			signKey: newRSAKey(t),
-			wantErr: true,
+			signKey:   newRSAKey(t),
+			wantErrAs: &TokenExpiredError{},
 		},
 		{
 			name:    "unexpired token",
@@ -530,8 +531,9 @@ type verificationTest struct {
 	// testing invalid signatures.
 	verificationKey *signingKey
 
-	config  Config
-	wantErr bool
+	config    Config
+	wantErr   bool
+	wantErrAs error
 }
 
 func (v verificationTest) runGetToken(t *testing.T) (*IDToken, error) {
@@ -557,10 +559,13 @@ func (v verificationTest) runGetToken(t *testing.T) (*IDToken, error) {
 
 func (v verificationTest) run(t *testing.T) {
 	_, err := v.runGetToken(t)
-	if err != nil && !v.wantErr {
+	if err != nil && !v.wantErr && v.wantErrAs == nil {
 		t.Errorf("%v", err)
 	}
-	if err == nil && v.wantErr {
+	if err == nil && (v.wantErr || v.wantErrAs != nil) {
 		t.Errorf("expected error")
 	}
+	if v.wantErrAs != nil && !errors.As(err, &v.wantErrAs) {
+		t.Errorf("expected error %q but got %q", v.wantErrAs, err)
+	}
 }