Make logger values required

Eliminates a bajillion nil checks and footguns
(except in tests, which bypass exported APIs, but that is expected)

Most recent #207

Logging can still be disabled via zap.NewNop(), if necessary.
(But disabling logging in CertMagic is a really bad idea.)

Author: mholt

account_test.go

@@ -31,6 +31,7 @@ func TestNewAccount(t *testing.T) {
 	testConfig := &Config{
 		Issuers:   []Issuer{am},
 		Storage:   &FileStorage{Path: "./_testdata_tmp"},
+		Logger:    defaultTestLogger,
 		certCache: new(Cache),
 	}
 	am.config = testConfig
@@ -58,6 +59,7 @@ func TestSaveAccount(t *testing.T) {
 	testConfig := &Config{
 		Issuers:   []Issuer{am},
 		Storage:   &FileStorage{Path: "./_testdata1_tmp"},
+		Logger:    defaultTestLogger,
 		certCache: new(Cache),
 	}
 	am.config = testConfig
@@ -93,6 +95,7 @@ func TestGetAccountDoesNotAlreadyExist(t *testing.T) {
 	testConfig := &Config{
 		Issuers:   []Issuer{am},
 		Storage:   &FileStorage{Path: "./_testdata_tmp"},
+		Logger:    defaultTestLogger,
 		certCache: new(Cache),
 	}
 	am.config = testConfig
@@ -114,6 +117,7 @@ func TestGetAccountAlreadyExists(t *testing.T) {
 	testConfig := &Config{
 		Issuers:   []Issuer{am},
 		Storage:   &FileStorage{Path: "./_testdata2_tmp"},
+		Logger:    defaultTestLogger,
 		certCache: new(Cache),
 	}
 	am.config = testConfig
@@ -168,6 +172,7 @@ func TestGetEmailFromPackageDefault(t *testing.T) {
 	testConfig := &Config{
 		Issuers:   []Issuer{am},
 		Storage:   &FileStorage{Path: "./_testdata2_tmp"},
+		Logger:    defaultTestLogger,
 		certCache: new(Cache),
 	}
 	am.config = testConfig
@@ -189,6 +194,7 @@ func TestGetEmailFromUserInput(t *testing.T) {
 	testConfig := &Config{
 		Issuers:   []Issuer{am},
 		Storage:   &FileStorage{Path: "./_testdata3_tmp"},
+		Logger:    defaultTestLogger,
 		certCache: new(Cache),
 	}
 	am.config = testConfig
@@ -223,6 +229,7 @@ func TestGetEmailFromRecent(t *testing.T) {
 	testConfig := &Config{
 		Issuers:   []Issuer{am},
 		Storage:   &FileStorage{Path: "./_testdata4_tmp"},
+		Logger:    defaultTestLogger,
 		certCache: new(Cache),
 	}
 	am.config = testConfig

acmeclient.go

@@ -175,9 +175,7 @@ func (iss *ACMEIssuer) newACMEClient(useTestCA bool) (*acmez.Client, error) {
 		},
 		ChallengeSolvers: make(map[string]acmez.Solver),
 	}
-	if iss.Logger != nil {
-		client.Logger = iss.Logger.Named("acme_client")
-	}
+	client.Logger = iss.Logger.Named("acme_client")
 
 	// configure challenges (most of the time, DNS challenge is
 	// exclusive of other ones because it is usually only used
@@ -260,24 +258,20 @@ func (c *acmeClient) throttle(ctx context.Context, names []string) error {
 		// TODO: stop rate limiter when it is garbage-collected...
 	}
 	rateLimitersMu.Unlock()
-	if c.iss.Logger != nil {
-		c.iss.Logger.Info("waiting on internal rate limiter",
-			zap.Strings("identifiers", names),
-			zap.String("ca", c.acmeClient.Directory),
-			zap.String("account", email),
-		)
-	}
+	c.iss.Logger.Info("waiting on internal rate limiter",
+		zap.Strings("identifiers", names),
+		zap.String("ca", c.acmeClient.Directory),
+		zap.String("account", email),
+	)
 	err := rl.Wait(ctx)
 	if err != nil {
 		return err
 	}
-	if c.iss.Logger != nil {
-		c.iss.Logger.Info("done waiting on internal rate limiter",
-			zap.Strings("identifiers", names),
-			zap.String("ca", c.acmeClient.Directory),
-			zap.String("account", email),
-		)
-	}
+	c.iss.Logger.Info("done waiting on internal rate limiter",
+		zap.Strings("identifiers", names),
+		zap.String("ca", c.acmeClient.Directory),
+		zap.String("account", email),
+	)
 	return nil
 }
 

acmeissuer.go

@@ -110,7 +110,9 @@ type ACMEIssuer struct {
 	// certificate chains
 	PreferredChains ChainPreference
 
-	// Set a logger to enable logging
+	// Set a logger to configure logging; a default
+	// logger must always be set; if no logging is
+	// desired, set this to zap.NewNop().
 	Logger *zap.Logger
 
 	config     *Config
@@ -197,6 +199,11 @@ func NewACMEIssuer(cfg *Config, template ACMEIssuer) *ACMEIssuer {
 		template.Logger = DefaultACME.Logger
 	}
 
+	// absolutely do not allow a nil logger; that would panic
+	if template.Logger == nil {
+		template.Logger = defaultLogger
+	}
+
 	template.config = cfg
 	template.mu = new(sync.Mutex)
 
@@ -398,7 +405,7 @@ func (am *ACMEIssuer) doIssue(ctx context.Context, csr *x509.CertificateRequest,
 // processing. If there are no matches, the first chain is returned.
 func (am *ACMEIssuer) selectPreferredChain(certChains []acme.Certificate) acme.Certificate {
 	if len(certChains) == 1 {
-		if am.Logger != nil && (len(am.PreferredChains.AnyCommonName) > 0 || len(am.PreferredChains.RootCommonName) > 0) {
+		if len(am.PreferredChains.AnyCommonName) > 0 || len(am.PreferredChains.RootCommonName) > 0 {
 			am.Logger.Debug("there is only one chain offered; selecting it regardless of preferences",
 				zap.String("chain_url", certChains[0].URL))
 		}
@@ -423,11 +430,9 @@ func (am *ACMEIssuer) selectPreferredChain(certChains []acme.Certificate) acme.C
 		for i, chain := range certChains {
 			certs, err := parseCertsFromPEMBundle(chain.ChainPEM)
 			if err != nil {
-				if am.Logger != nil {
-					am.Logger.Error("unable to parse PEM certificate chain",
-						zap.Int("chain", i),
-						zap.Error(err))
-				}
+				am.Logger.Error("unable to parse PEM certificate chain",
+					zap.Int("chain", i),
+					zap.Error(err))
 				continue
 			}
 			decodedChains[i] = certs
@@ -438,11 +443,9 @@ func (am *ACMEIssuer) selectPreferredChain(certChains []acme.Certificate) acme.C
 				for i, chain := range decodedChains {
 					for _, cert := range chain {
 						if cert.Issuer.CommonName == prefAnyCN {
-							if am.Logger != nil {
-								am.Logger.Debug("found preferred certificate chain by issuer common name",
-									zap.String("preference", prefAnyCN),
-									zap.Int("chain", i))
-							}
+							am.Logger.Debug("found preferred certificate chain by issuer common name",
+								zap.String("preference", prefAnyCN),
+								zap.Int("chain", i))
 							return certChains[i]
 						}
 					}
@@ -454,20 +457,16 @@ func (am *ACMEIssuer) selectPreferredChain(certChains []acme.Certificate) acme.C
 			for _, prefRootCN := range am.PreferredChains.RootCommonName {
 				for i, chain := range decodedChains {
 					if chain[len(chain)-1].Issuer.CommonName == prefRootCN {
-						if am.Logger != nil {
-							am.Logger.Debug("found preferred certificate chain by root common name",
-								zap.String("preference", prefRootCN),
-								zap.Int("chain", i))
-						}
+						am.Logger.Debug("found preferred certificate chain by root common name",
+							zap.String("preference", prefRootCN),
+							zap.Int("chain", i))
 						return certChains[i]
 					}
 				}
 			}
 		}
 
-		if am.Logger != nil {
-			am.Logger.Warn("did not find chain matching preferences; using first")
-		}
+		am.Logger.Warn("did not find chain matching preferences; using first")
 	}
 
 	return certChains[0]
@@ -509,6 +508,7 @@ type ChainPreference struct {
 var DefaultACME = ACMEIssuer{
 	CA:     LetsEncryptProductionCA,
 	TestCA: LetsEncryptStagingCA,
+	Logger: defaultLogger,
 }
 
 // Some well-known CA endpoints available to use.

async.go

@@ -71,9 +71,7 @@ func (jm *jobManager) worker() {
 		jm.queue = jm.queue[1:]
 		jm.mu.Unlock()
 		if err := next.job(); err != nil {
-			if next.logger != nil {
-				next.logger.Error("job failed", zap.Error(err))
-			}
+			next.logger.Error("job failed", zap.Error(err))
 		}
 		if next.name != "" {
 			jm.mu.Lock()
@@ -116,22 +114,19 @@ func doWithRetry(ctx context.Context, log *zap.Logger, f func(context.Context) e
 				intervalIndex++
 			}
 			if time.Since(start) < maxRetryDuration {
-				if log != nil {
-					log.Error("will retry",
-						zap.Error(err),
-						zap.Int("attempt", attempts),
-						zap.Duration("retrying_in", retryIntervals[intervalIndex]),
-						zap.Duration("elapsed", time.Since(start)),
-						zap.Duration("max_duration", maxRetryDuration))
-				}
+				log.Error("will retry",
+					zap.Error(err),
+					zap.Int("attempt", attempts),
+					zap.Duration("retrying_in", retryIntervals[intervalIndex]),
+					zap.Duration("elapsed", time.Since(start)),
+					zap.Duration("max_duration", maxRetryDuration))
+
 			} else {
-				if log != nil {
-					log.Error("final attempt; giving up",
-						zap.Error(err),
-						zap.Int("attempt", attempts),
-						zap.Duration("elapsed", time.Since(start)),
-						zap.Duration("max_duration", maxRetryDuration))
-				}
+				log.Error("final attempt; giving up",
+					zap.Error(err),
+					zap.Int("attempt", attempts),
+					zap.Duration("elapsed", time.Since(start)),
+					zap.Duration("max_duration", maxRetryDuration))
 				return nil
 			}
 		}

cache.go

@@ -118,6 +118,11 @@ func NewCache(opts CacheOptions) *Cache {
 		logger:     opts.Logger,
 	}
 
+	// absolutely do not allow a nil logger; panics galore
+	if c.logger == nil {
+		c.logger = defaultLogger
+	}
+
 	go c.maintainAssets(0)
 
 	return c
@@ -194,14 +199,12 @@ func (certCache *Cache) cacheCertificate(cert Certificate) {
 func (certCache *Cache) unsyncedCacheCertificate(cert Certificate) {
 	// no-op if this certificate already exists in the cache
 	if _, ok := certCache.cache[cert.hash]; ok {
-		if certCache.logger != nil {
-			certCache.logger.Debug("certificate already cached",
-				zap.Strings("subjects", cert.Names),
-				zap.Time("expiration", expiresAt(cert.Leaf)),
-				zap.Bool("managed", cert.managed),
-				zap.String("issuer_key", cert.issuerKey),
-				zap.String("hash", cert.hash))
-		}
+		certCache.logger.Debug("certificate already cached",
+			zap.Strings("subjects", cert.Names),
+			zap.Time("expiration", expiresAt(cert.Leaf)),
+			zap.Bool("managed", cert.managed),
+			zap.String("issuer_key", cert.issuerKey),
+			zap.String("hash", cert.hash))
 		return
 	}
 
@@ -217,13 +220,11 @@ func (certCache *Cache) unsyncedCacheCertificate(cert Certificate) {
 		i := 0
 		for _, randomCert := range certCache.cache {
 			if i == rnd {
-				if certCache.logger != nil {
-					certCache.logger.Debug("cache full; evicting random certificate",
-						zap.Strings("removing_subjects", randomCert.Names),
-						zap.String("removing_hash", randomCert.hash),
-						zap.Strings("inserting_subjects", cert.Names),
-						zap.String("inserting_hash", cert.hash))
-				}
+				certCache.logger.Debug("cache full; evicting random certificate",
+					zap.Strings("removing_subjects", randomCert.Names),
+					zap.String("removing_hash", randomCert.hash),
+					zap.Strings("inserting_subjects", cert.Names),
+					zap.String("inserting_hash", cert.hash))
 				certCache.removeCertificate(randomCert)
 				break
 			}
@@ -239,16 +240,14 @@ func (certCache *Cache) unsyncedCacheCertificate(cert Certificate) {
 		certCache.cacheIndex[name] = append(certCache.cacheIndex[name], cert.hash)
 	}
 
-	if certCache.logger != nil {
-		certCache.logger.Debug("added certificate to cache",
-			zap.Strings("subjects", cert.Names),
-			zap.Time("expiration", expiresAt(cert.Leaf)),
-			zap.Bool("managed", cert.managed),
-			zap.String("issuer_key", cert.issuerKey),
-			zap.String("hash", cert.hash),
-			zap.Int("cache_size", len(certCache.cache)),
-			zap.Int("cache_capacity", certCache.options.Capacity))
-	}
+	certCache.logger.Debug("added certificate to cache",
+		zap.Strings("subjects", cert.Names),
+		zap.Time("expiration", expiresAt(cert.Leaf)),
+		zap.Bool("managed", cert.managed),
+		zap.String("issuer_key", cert.issuerKey),
+		zap.String("hash", cert.hash),
+		zap.Int("cache_size", len(certCache.cache)),
+		zap.Int("cache_capacity", certCache.options.Capacity))
 }
 
 // removeCertificate removes cert from the cache.
@@ -275,16 +274,14 @@ func (certCache *Cache) removeCertificate(cert Certificate) {
 	// delete the actual cert from the cache
 	delete(certCache.cache, cert.hash)
 
-	if certCache.logger != nil {
-		certCache.logger.Debug("removed certificate from cache",
-			zap.Strings("subjects", cert.Names),
-			zap.Time("expiration", expiresAt(cert.Leaf)),
-			zap.Bool("managed", cert.managed),
-			zap.String("issuer_key", cert.issuerKey),
-			zap.String("hash", cert.hash),
-			zap.Int("cache_size", len(certCache.cache)),
-			zap.Int("cache_capacity", certCache.options.Capacity))
-	}
+	certCache.logger.Debug("removed certificate from cache",
+		zap.Strings("subjects", cert.Names),
+		zap.Time("expiration", expiresAt(cert.Leaf)),
+		zap.Bool("managed", cert.managed),
+		zap.String("issuer_key", cert.issuerKey),
+		zap.String("hash", cert.hash),
+		zap.Int("cache_size", len(certCache.cache)),
+		zap.Int("cache_capacity", certCache.options.Capacity))
 }
 
 // replaceCertificate atomically replaces oldCert with newCert in
@@ -296,11 +293,9 @@ func (certCache *Cache) replaceCertificate(oldCert, newCert Certificate) {
 	certCache.removeCertificate(oldCert)
 	certCache.unsyncedCacheCertificate(newCert)
 	certCache.mu.Unlock()
-	if certCache.logger != nil {
-		certCache.logger.Info("replaced certificate in cache",
-			zap.Strings("subjects", newCert.Names),
-			zap.Time("new_expiration", expiresAt(newCert.Leaf)))
-	}
+	certCache.logger.Info("replaced certificate in cache",
+		zap.Strings("subjects", newCert.Names),
+		zap.Time("new_expiration", expiresAt(newCert.Leaf)))
 }
 
 func (certCache *Cache) getAllMatchingCerts(name string) []Certificate {

certificates.go

@@ -177,7 +177,7 @@ func (cfg *Config) CacheUnmanagedTLSCertificate(ctx context.Context, tlsCert tls
 		return err
 	}
 	err = stapleOCSP(ctx, cfg.OCSP, cfg.Storage, &cert, nil)
-	if err != nil && cfg.Logger != nil {
+	if err != nil {
 		cfg.Logger.Warn("stapling OCSP", zap.Error(err))
 	}
 	cfg.emit(ctx, "cached_unmanaged_cert", map[string]any{"sans": cert.Names})
@@ -225,7 +225,7 @@ func (cfg Config) makeCertificateWithOCSP(ctx context.Context, certPEMBlock, key
 		return cert, err
 	}
 	err = stapleOCSP(ctx, cfg.OCSP, cfg.Storage, &cert, certPEMBlock)
-	if err != nil && cfg.Logger != nil {
+	if err != nil {
 		cfg.Logger.Warn("stapling OCSP", zap.Error(err), zap.Strings("identifiers", cert.Names))
 	}
 	return cert, nil
@@ -333,9 +333,7 @@ func (cfg *Config) managedCertInStorageExpiresSoon(ctx context.Context, cert Cer
 // to the new cert. It assumes that the new certificate for oldCert.Names[0] is
 // already in storage. It returns the newly-loaded certificate if successful.
 func (cfg *Config) reloadManagedCertificate(ctx context.Context, oldCert Certificate) (Certificate, error) {
-	if cfg.Logger != nil {
-		cfg.Logger.Info("reloading managed certificate", zap.Strings("identifiers", oldCert.Names))
-	}
+	cfg.Logger.Info("reloading managed certificate", zap.Strings("identifiers", oldCert.Names))
 	newCert, err := cfg.loadManagedCertificate(ctx, oldCert.Names[0])
 	if err != nil {
 		return Certificate{}, fmt.Errorf("loading managed certificate for %v from storage: %v", oldCert.Names, err)