Error handling fixes & add nilerr linter (#6776)

* golangci: add nilerr

We already had nilnesserr, but they are separate implementations and
nilerr has open PR gostaticanalysis/nilerr#23
which would have caught a bug in our code.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* agent bootstrap: fix error handling

We were failing to propagate an error in one particular case.

This kind of thing should be caught by the nilerr and nilnesserr
linters, but neither of them does because of the presence of defer in
this function. For nilerr,
gostaticanalysis/nilerr#23 would fix that.

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

* oidc-discovery-provider: fix missing error check

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

---------

Signed-off-by: Carlo Teubner <cteubner1@bloomberg.net>

Author: c4rlo

.golangci.yml

@@ -14,6 +14,7 @@ linters:
     - mirror
     - misspell
     - nakedret
+    - nilerr
     - nilnesserr
     - nolintlint
     - predeclared

pkg/agent/agent.go

@@ -184,7 +184,7 @@ func (a *Agent) Run(ctx context.Context) error {
 				} else if a.c.RebootstrapMode != RebootstrapNever {
 					startTime, err := a.c.TrustBundleSources.GetStartTime()
 					if err != nil {
-						return nil
+						return err
 					}
 					seconds := time.Since(startTime)
 					if seconds < a.c.RebootstrapDelay {

support/oidc-discovery-provider/handler.go

@@ -31,7 +31,7 @@ type Handler struct {
 	http.Handler
 }
 
-func NewHandler(log logrus.FieldLogger, domainPolicy DomainPolicy, source JWKSSource, allowInsecureScheme bool, setKeyUse bool, jwtIssuer *url.URL, jwksURI *url.URL, serverPathPrefix string) *Handler {
+func NewHandler(log logrus.FieldLogger, domainPolicy DomainPolicy, source JWKSSource, allowInsecureScheme, setKeyUse bool, jwtIssuer, jwksURI *url.URL, serverPathPrefix string) (*Handler, error) {
 	if serverPathPrefix == "" {
 		serverPathPrefix = "/"
 	}
@@ -49,18 +49,18 @@ func NewHandler(log logrus.FieldLogger, domainPolicy DomainPolicy, source JWKSSo
 	mux := http.NewServeMux()
 	wkPath, err := url.JoinPath(serverPathPrefix, "/.well-known/openid-configuration")
 	if err != nil {
-		return nil
+		return nil, err
 	}
 	jwksPath, err := url.JoinPath(serverPathPrefix, "/keys")
 	if err != nil {
-		return nil
+		return nil, err
 	}
 
 	mux.Handle(wkPath, handlers.ProxyHeaders(http.HandlerFunc(h.serveWellKnown)))
 	mux.Handle(jwksPath, http.HandlerFunc(h.serveKeys))
 
 	h.Handler = mux
-	return h
+	return h, nil
 }
 
 func (h *Handler) serveWellKnown(w http.ResponseWriter, r *http.Request) {

support/oidc-discovery-provider/handler_test.go

@@ -173,7 +173,8 @@ func TestHandlerHTTPS(t *testing.T) {
 			require.NoError(t, err)
 			w := httptest.NewRecorder()
 
-			h := NewHandler(log, domainAllowlist(t, "localhost", "domain.test"), source, false, testCase.setKeyUse, nil, nil, "")
+			h, err := NewHandler(log, domainAllowlist(t, "localhost", "domain.test"), source, false, testCase.setKeyUse, nil, nil, "")
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 
 			t.Logf("HEADERS: %q", w.Header())
@@ -285,7 +286,8 @@ func TestHandlerHTTPInsecure(t *testing.T) {
 			require.NoError(t, err)
 			w := httptest.NewRecorder()
 
-			h := NewHandler(log, domainAllowlist(t, "localhost", "domain.test"), source, true, false, nil, nil, "")
+			h, err := NewHandler(log, domainAllowlist(t, "localhost", "domain.test"), source, true, false, nil, nil, "")
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 
 			t.Logf("HEADERS: %q", w.Header())
@@ -458,7 +460,8 @@ func TestHandlerHTTP(t *testing.T) {
 			require.NoError(t, err)
 			w := httptest.NewRecorder()
 
-			h := NewHandler(log, domainAllowlist(t, "domain.test", "xn--n38h.test"), source, false, false, nil, nil, "")
+			h, err := NewHandler(log, domainAllowlist(t, "domain.test", "xn--n38h.test"), source, false, false, nil, nil, "")
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 
 			t.Logf("HEADERS: %q", w.Header())
@@ -569,7 +572,8 @@ func TestHandlerProxied(t *testing.T) {
 			r.Header.Add("X-Forwarded-Scheme", "https")
 			r.Header.Add("X-Forwarded-Host", "domain.test")
 			w := httptest.NewRecorder()
-			h := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, nil, nil, "")
+			h, err := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, nil, nil, "")
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 			t.Logf("HEADERS: %q", w.Header())
 			assert.Equal(t, testCase.code, w.Code)
@@ -719,7 +723,8 @@ func TestHandlerJWTIssuer(t *testing.T) {
 			w := httptest.NewRecorder()
 
 			u, _ := url.Parse(testCase.jwtIssuer)
-			h := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, u, nil, "")
+			h, err := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, u, nil, "")
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 
 			t.Logf("HEADERS: %q", w.Header())
@@ -781,7 +786,8 @@ func TestHandlerJWTIssuerAndJWKSURI(t *testing.T) {
 
 			u, _ := url.Parse(testCase.jwtIssuer)
 			j, _ := url.Parse(testCase.jwksURI)
-			h := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, u, j, "")
+			h, err := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, u, j, "")
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 
 			t.Logf("HEADERS: %q", w.Header())
@@ -932,7 +938,8 @@ func TestHandlerAdvertisedURL(t *testing.T) {
 			w := httptest.NewRecorder()
 
 			u, _ := url.Parse(testCase.jwksURI)
-			h := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, nil, u, "")
+			h, err := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, nil, u, "")
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 
 			t.Logf("HEADERS: %q", w.Header())
@@ -1059,7 +1066,8 @@ func TestHandlerPrefix(t *testing.T) {
 			r.Header.Add("X-Forwarded-Host", "domain.test")
 			w := httptest.NewRecorder()
 
-			h := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, nil, nil, testCase.serverPathPrefix)
+			h, err := NewHandler(log, domainAllowlist(t, "domain.test"), source, false, false, nil, nil, testCase.serverPathPrefix)
+			require.NoError(t, err)
 			h.ServeHTTP(w, r)
 
 			t.Logf("HEADERS: %q", w.Header())

support/oidc-discovery-provider/main.go

@@ -93,7 +93,11 @@ func run(configPath string, expandEnv bool) error {
 		}
 	}
 
-	var handler http.Handler = NewHandler(log, domainPolicy, source, config.AllowInsecureScheme, config.SetKeyUse, jwtIssuer, jwksURI, config.ServerPathPrefix)
+	var handler http.Handler
+	handler, err = NewHandler(log, domainPolicy, source, config.AllowInsecureScheme, config.SetKeyUse, jwtIssuer, jwksURI, config.ServerPathPrefix)
+	if err != nil {
+		return err
+	}
 	if config.LogRequests {
 		log.Info("Logging all requests")
 		handler = logHandler(log, handler)