Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: export token expired error #342

Merged
merged 1 commit into from
Jun 27, 2022

Conversation

crenshaw-dev
Copy link

@crenshaw-dev crenshaw-dev commented Jun 23, 2022

Relates to #327

This allows errors.Is checking while preserving the exact same error messages for those who are doing string comparison.

Preserving the exact same strings means some of the error messages (without context) look a little weird. But I think it's a reasonable tradeoff until it's time for another major version bump.

This PR would let me write unit tests in Argo CD without worrying that a change in go-oidc will break my string comparison checks.

@ericchiang
Copy link
Collaborator

Hey @crenshaw-dev,

I don't want to export every possible error. If you've got a specific use case where a typed error would be helpful (e.g. specific HTTP status codes from the provider), happy to add that. Do you have an example of what you're trying to do?

Also, some of these errors arguably shouldn't be used problematically, since they're hit before we validate the signature check on the ID token.

Eric

@crenshaw-dev
Copy link
Author

@ericchiang there are two current use cases in Argo CD:

  1. We want to know if it's a "token expired" error so the UI can redirect the user immediately to a new login flow: https://github.com/argoproj/argo-cd/blob/a588e63e3cb9db91fd491c0d7371c87867861aa7/util/session/sessionmanager.go#L493-L504
  2. We have a regression test to make sure we support algorithms besides RS256 (added support with 2.2.0): https://github.com/argoproj/argo-cd/blob/a588e63e3cb9db91fd491c0d7371c87867861aa7/util/session/sessionmanager_test.go#L581

It's possible that test shouldn't exist. But I think the expired example is a reasonable use case. Would you be interested in a PR that only exports that error?

@ericchiang
Copy link
Collaborator

I think a token expired error would be reasonable to add!

That second test probably shouldn't be necessary? Just make sure your RS512 token doesn't return an error.

So sounds like the API we'd want to add it

var ErrTokenExpired = errors.New(...)

(nit: exported error variables generally start with "Err", and error types end with "Error" https://pkg.go.dev/io#pkg-variables, https://pkg.go.dev/net#AddrError)

Kinda a tangent, but I've also been thinking about having an oidctest package that would let you stand up a httptest provider with some basic configuration. Maybe that would be helpful too.

@crenshaw-dev
Copy link
Author

crenshaw-dev commented Jun 23, 2022

Just make sure your RS512 token doesn't return an error.

Yeeeeah that would be proper. I was lazy and didn't want to have to set up a full mock OIDC provider. Maybe that would be easier than I assumed.

(nit: exported error variables generally start with "Err", and error types end with "Error" https://pkg.go.dev/io#pkg-variables, https://pkg.go.dev/net#AddrError)

Good catch, will fix!

Kinda a tangent, but I've also been thinking about having an oidctest package that would let you stand up a httptest provider with some basic configuration. Maybe that would be helpful too.

Yep, that would make some other tests I'm working on a lot easier I think! Maybe I can put some Intuit time towards that eventually.

Updating the PR to be more minimal!

@crenshaw-dev crenshaw-dev changed the title feat: enable errors.Is for Verify errors (#327) feat: export token expired error Jun 23, 2022
Copy link
Collaborator

@ericchiang ericchiang left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(please squash your commits)

oidc/verify.go Outdated Show resolved Hide resolved
oidc/verify.go Outdated Show resolved Hide resolved
@crenshaw-dev crenshaw-dev force-pushed the enable-error-is-for-verify branch 3 times, most recently from 6f6a8a2 to fb92e10 Compare June 23, 2022 21:45
@@ -12,6 +13,9 @@ import (
"time"
)

// anyError is a fake error to match any error returned in a test.
var anyError = errors.New("")
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may or may not be the proper way to do this. lmk

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a new field and use that instead?

type verificationTest struct {
	wantErr bool
	
	wantErrIs error
}

@crenshaw-dev
Copy link
Author

@ericchiang ready for another look

@@ -12,6 +13,9 @@ import (
"time"
)

// anyError is a fake error to match any error returned in a test.
var anyError = errors.New("")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a new field and use that instead?

type verificationTest struct {
	wantErr bool
	
	wantErrIs error
}

oidc/verify.go Outdated Show resolved Hide resolved
try to match style

follow naming convention

tests

revert import change

match format

naming convention

test

errors.As instead of errors.Is
@crenshaw-dev
Copy link
Author

@ericchiang updated

@ericchiang
Copy link
Collaborator

thanks!

@ericchiang ericchiang merged commit 2cafe18 into coreos:v3 Jun 27, 2022
@crenshaw-dev crenshaw-dev deleted the enable-error-is-for-verify branch June 28, 2022 15:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants