errors: use %w verb directive (#419)

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
Bobby DeSimone 2019-12-03 20:02:43 -08:00 committed by GitHub
parent 74cd9eabbb
commit 12bae5cc43
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 32 additions and 32 deletions


@ -30,13 +30,13 @@ var DefaultSessionDuration = time.Minute * 10
// Returns on first error found.
func ValidateOptions(o config.Options) error {
if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %v", err)
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
}
if _, err := cryptutil.NewAEADCipherFromBase64(o.CookieSecret); err != nil {
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %v", err)
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %w", err)
}
if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
return fmt.Errorf("authenticate: invalid 'AUTHENTICATE_SERVICE_URL': %v", err)
return fmt.Errorf("authenticate: invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
}
if o.ClientID == "" {
return errors.New("authenticate: 'IDP_CLIENT_ID' is required")
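Review bot: The 'COOKIE_SECRET' message in this hunk has no colon before the wrapped error, unlike the 'SHARED_SECRET' line directly above it, so the printed chain runs the context straight into the cause. I would write `return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid: %w", err)`. The same missing separator shows up further down this commit in the policy messages (`policy bad source url %w`, `couldn't decode client cert %w` and its siblings), the identity/google messages and `proxy: invalid policy %w`. ValidateOptions continues past the end of the hunk.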


@ -14,7 +14,7 @@ import (
func ValidateOptions(o config.Options) error {
decoded, err := base64.StdEncoding.DecodeString(o.SharedKey)
if err != nil {
return fmt.Errorf("authorize: `SHARED_SECRET` malformed base64: %v", err)
return fmt.Errorf("authorize: `SHARED_SECRET` malformed base64: %w", err)
}
if len(decoded) != 32 {
return fmt.Errorf("authorize: `SHARED_SECRET` want 32 but got %d bytes", len(decoded))


@ -339,7 +339,7 @@ func (o *Options) parseHeaders() error {
o.Headers = headers
} else if o.viperIsSet("headers") {
if err := o.viperUnmarshalKey("headers", &headers); err != nil {
return fmt.Errorf("header %s failed to parse: %s", o.viper.Get("headers"), err)
return fmt.Errorf("header %s failed to parse: %w", o.viper.Get("headers"), err)
}
o.Headers = headers
}
@ -417,7 +417,7 @@ func (o *Options) Validate() error {
if o.AuthenticateURLString != "" {
u, err := urlutil.ParseAndValidateURL(o.AuthenticateURLString)
if err != nil {
return fmt.Errorf("config: bad authenticate-url %s : %v", o.AuthenticateURLString, err)
return fmt.Errorf("config: bad authenticate-url %s : %w", o.AuthenticateURLString, err)
}
o.AuthenticateURL = u
}
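Review bot: The parseHeaders error formats the whole raw `headers` setting into the message through `o.viper.Get("headers")`, and a non-string value can render with `%!s(...)` markers under `%s`. If configured headers can carry credentials such as tokens (not visible here), that value ends up wherever the wrapped error is logged. I would drop the value and keep the cause: `return fmt.Errorf("config: headers failed to parse: %w", err)`. Both parseHeaders and Validate start and end outside their hunks.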


@ -77,12 +77,12 @@ func (p *Policy) Validate() error {
var err error
p.Source, err = urlutil.ParseAndValidateURL(p.From)
if err != nil {
return fmt.Errorf("config: policy bad source url %s", err)
return fmt.Errorf("config: policy bad source url %w", err)
}
p.Destination, err = urlutil.ParseAndValidateURL(p.To)
if err != nil {
return fmt.Errorf("config: policy bad destination url %s", err)
return fmt.Errorf("config: policy bad destination url %w", err)
}
// Only allow public access if no other whitelists are in place
@ -98,24 +98,24 @@ func (p *Policy) Validate() error {
if p.TLSClientCert != "" && p.TLSClientKey != "" {
p.ClientCertificate, err = cryptutil.CertifcateFromBase64(p.TLSClientCert, p.TLSClientKey)
if err != nil {
return fmt.Errorf("config: couldn't decode client cert %v", err)
return fmt.Errorf("config: couldn't decode client cert %w", err)
}
} else if p.TLSClientCertFile != "" && p.TLSClientKeyFile != "" {
p.ClientCertificate, err = cryptutil.CertificateFromFile(p.TLSClientCertFile, p.TLSClientKeyFile)
if err != nil {
return fmt.Errorf("config: couldn't load client cert file %v", err)
return fmt.Errorf("config: couldn't load client cert file %w", err)
}
}
if p.TLSCustomCA != "" {
p.RootCAs, err = cryptutil.CertPoolFromBase64(p.TLSCustomCA)
if err != nil {
return fmt.Errorf("config: couldn't decode custom ca %v", err)
return fmt.Errorf("config: couldn't decode custom ca %w", err)
}
} else if p.TLSCustomCAFile != "" {
p.RootCAs, err = cryptutil.CertPoolFromFile(p.TLSCustomCAFile)
if err != nil {
return fmt.Errorf("config: couldn't load custom ca file %v", err)
return fmt.Errorf("config: couldn't load custom ca file %w", err)
}
}
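Review bot: A policy that sets only one half of a client certificate pair passes the checks in the second hunk untouched, because both branches require cert and key together (`p.TLSClientCert != "" && p.TLSClientKey != ""`, and likewise for the file variants) and nothing rejects a lone value. The route would then be built without the client certificate the operator meant to configure. Unless that case is rejected outside the hunk, I would add a guard ahead of the branch, for example `if (p.TLSClientCert == "") != (p.TLSClientKey == "") { return fmt.Errorf("config: client cert and key must be set together") }`, with the same check for the file pair. Validate starts before and continues after the visible hunks.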


@ -14,11 +14,11 @@ import (
func CertifcateFromBase64(cert, key string) (*tls.Certificate, error) {
decodedCert, err := base64.StdEncoding.DecodeString(cert)
if err != nil {
return nil, fmt.Errorf("failed to decode certificate cert %v: %v", decodedCert, err)
return nil, fmt.Errorf("failed to decode certificate cert %v: %w", decodedCert, err)
}
decodedKey, err := base64.StdEncoding.DecodeString(key)
if err != nil {
return nil, fmt.Errorf("failed to decode certificate key %v: %v", decodedKey, err)
return nil, fmt.Errorf("failed to decode certificate key %v: %w", decodedKey, err)
}
x509, err := tls.X509KeyPair(decodedCert, decodedKey)
return &x509, err
@ -32,7 +32,7 @@ func CertificateFromFile(certFile, keyFile string) (*tls.Certificate, error) {
func CertPoolFromBase64(encPemCerts string) (*x509.CertPool, error) {
b, err := base64.StdEncoding.DecodeString(encPemCerts)
if err != nil {
return nil, fmt.Errorf("couldn't decode pem %v: %v", b, err)
return nil, fmt.Errorf("couldn't decode pem %v: %w", b, err)
}
return bytesToCertPool(b)
}
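Review bot: The key-decode error in CertifcateFromBase64 formats `decodedKey` into the message, and `DecodeString` returns the bytes it decoded before the corrupt input, so a malformed key can put part of the private key into an error that callers now wrap and will probably log. The same `%v` of decoded bytes is used for `decodedCert` and for `b` in CertPoolFromBase64, where it is noise rather than secret material. I would drop the byte slice from all three messages, e.g. `return nil, fmt.Errorf("cryptutil: failed to decode certificate key: %w", err)`.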


@ -21,7 +21,7 @@ func NewAEADCipher(secret []byte) (cipher.AEAD, error) {
func NewAEADCipherFromBase64(s string) (cipher.AEAD, error) {
decoded, err := base64.StdEncoding.DecodeString(s)
if err != nil {
return nil, fmt.Errorf("cryptutil: invalid base64: %v", err)
return nil, fmt.Errorf("cryptutil: invalid base64: %w", err)
}
return NewAEADCipher(decoded)
}


@ -82,13 +82,13 @@ func compress(data []byte) ([]byte, error) {
var buf bytes.Buffer
writer, err := gzip.NewWriterLevel(&buf, gzip.DefaultCompression)
if err != nil {
return nil, fmt.Errorf("cryptutil: failed to create a gzip writer: %q", err)
return nil, fmt.Errorf("cryptutil: failed to create a gzip writer: %w", err)
}
if writer == nil {
return nil, fmt.Errorf("cryptutil: failed to create a gzip writer")
}
if _, err = writer.Write(data); err != nil {
return nil, fmt.Errorf("cryptutil: failed to compress data with err: %q", err)
return nil, fmt.Errorf("cryptutil: failed to compress data with err: %w", err)
}
if err = writer.Close(); err != nil {
return nil, err
@ -100,7 +100,7 @@ func compress(data []byte) ([]byte, error) {
func decompress(data []byte) ([]byte, error) {
reader, err := gzip.NewReader(bytes.NewReader(data))
if err != nil {
return nil, fmt.Errorf("cryptutil: failed to create a gzip reader: %q", err)
return nil, fmt.Errorf("cryptutil: failed to create a gzip reader: %w", err)
}
defer reader.Close()
var buf bytes.Buffer
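Review bot: compress still returns the `writer.Close()` error bare, while every other failure in the function is wrapped with a `cryptutil:` prefix, so a failure on the final flush reaches the caller without context. `return nil, fmt.Errorf("cryptutil: failed to close gzip writer: %w", err)` would match the lines this commit touches. decompress continues outside the hunk; if it copies from the gzip reader into `buf` without a size limit, a small input can expand into a very large buffer, so it is worth confirming that a cap exists.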


@ -67,13 +67,13 @@ func NewGoogleProvider(p *Provider) (*GoogleProvider, error) {
if p.ServiceAccount != "" {
apiCreds, err := base64.StdEncoding.DecodeString(p.ServiceAccount)
if err != nil {
return nil, fmt.Errorf("identity/google: could not decode service account json %v", err)
return nil, fmt.Errorf("identity/google: could not decode service account json %w", err)
}
// Required scopes for groups api
// https://developers.google.com/admin-sdk/directory/v1/reference/groups/list
conf, err := google.JWTConfigFromJSON(apiCreds, admin.AdminDirectoryUserReadonlyScope, admin.AdminDirectoryGroupReadonlyScope)
if err != nil {
return nil, fmt.Errorf("identity/google: failed making jwt config from json %v", err)
return nil, fmt.Errorf("identity/google: failed making jwt config from json %w", err)
}
var credentialsFile struct {
ImpersonateUser string `json:"impersonate_user"`
@ -85,7 +85,7 @@ func NewGoogleProvider(p *Provider) (*GoogleProvider, error) {
client := conf.Client(context.TODO())
gp.apiClient, err = admin.New(client)
if err != nil {
return nil, fmt.Errorf("identity/google: failed creating admin service %v", err)
return nil, fmt.Errorf("identity/google: failed creating admin service %w", err)
}
gp.UserGroupFn = gp.UserGroups
} else {
@ -133,7 +133,7 @@ func (p *GoogleProvider) UserGroups(ctx context.Context, s *sessions.State) ([]s
req := p.apiClient.Groups.List().UserKey(s.Subject).MaxResults(100)
resp, err := req.Do()
if err != nil {
return nil, fmt.Errorf("identity/google: group api request failed %v", err)
return nil, fmt.Errorf("identity/google: group api request failed %w", err)
}
for _, group := range resp.Groups {
groups = append(groups, group.Email)
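Review bot: UserGroups takes a `ctx` but the request in the last hunk is sent with a plain `req.Do()`, so the caller's cancellation and deadline never reach the Directory API call; `resp, err := req.Context(ctx).Do()` would propagate them. The request also asks for `MaxResults(100)` and the visible loop reads a single response. If no page token is followed outside the hunk, a user in more groups gets a truncated list, which matters when group membership drives authorization decisions. The function body continues past the end of the hunk.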


@ -22,7 +22,7 @@ func PrometheusHandler() (http.Handler, error) {
Registry: reg,
})
if err != nil {
return nil, fmt.Errorf("telemetry/metrics: prometheus exporter: %v", err)
return nil, fmt.Errorf("telemetry/metrics: prometheus exporter: %w", err)
}
view.RegisterExporter(exporter)
mux := http.NewServeMux()


@ -94,12 +94,12 @@ func NewGRPCClientConn(opts *Options) (*grpc.ClientConn, error) {
if opts.CA != "" {
ca, err = base64.StdEncoding.DecodeString(opts.CA)
if err != nil {
return nil, fmt.Errorf("failed to decode certificate authority: %v", err)
return nil, fmt.Errorf("failed to decode certificate authority: %w", err)
}
} else {
ca, err = ioutil.ReadFile(opts.CAFile)
if err != nil {
return nil, fmt.Errorf("certificate authority file %v not readable: %v", opts.CAFile, err)
return nil, fmt.Errorf("certificate authority file %v not readable: %w", opts.CAFile, err)
}
}
if ok := rootCAs.AppendCertsFromPEM(ca); !ok {


@ -40,24 +40,24 @@ const (
// a proper Proxy instance
func ValidateOptions(o config.Options) error {
if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
return fmt.Errorf("proxy: invalid 'SHARED_SECRET': %v", err)
return fmt.Errorf("proxy: invalid 'SHARED_SECRET': %w", err)
}
if _, err := cryptutil.NewAEADCipherFromBase64(o.CookieSecret); err != nil {
return fmt.Errorf("proxy: invalid 'COOKIE_SECRET': %v", err)
return fmt.Errorf("proxy: invalid 'COOKIE_SECRET': %w", err)
}
if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
return fmt.Errorf("proxy: invalid 'AUTHENTICATE_SERVICE_URL': %v", err)
return fmt.Errorf("proxy: invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
}
if err := urlutil.ValidateURL(o.AuthorizeURL); err != nil {
return fmt.Errorf("proxy: invalid 'AUTHORIZE_SERVICE_URL': %v", err)
return fmt.Errorf("proxy: invalid 'AUTHORIZE_SERVICE_URL': %w", err)
}
if len(o.SigningKey) != 0 {
if _, err := jws.NewES256Signer(o.SigningKey, ""); err != nil {
return fmt.Errorf("proxy: invalid 'SIGNING_KEY': %v", err)
return fmt.Errorf("proxy: invalid 'SIGNING_KEY': %w", err)
}
}
return nil
@ -193,7 +193,7 @@ func (p *Proxy) UpdatePolicies(opts *config.Options) error {
for _, policy := range opts.Policies {
if err := policy.Validate(); err != nil {
return fmt.Errorf("proxy: invalid policy %s", err)
return fmt.Errorf("proxy: invalid policy %w", err)
}
r, err = p.reverseProxyHandler(r, &policy)
if err != nil {
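Review bot: The UpdatePolicies loop passes `&policy`, the address of the range variable, to `p.reverseProxyHandler`, and for a commit of this date that variable is shared across iterations. If the handler keeps the pointer (its body is not shown), every route would end up referring to the last policy in `opts.Policies`, so requests could be checked against the wrong route's settings. Shadowing it as the first statement of the loop body, `policy := policy`, or ranging by index and taking `&opts.Policies[i]`, removes the aliasing. UpdatePolicies starts and ends outside the hunk.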