ProblemDetails no longer implements Error

Author: aarongable

errors/errors.go

@@ -1,13 +1,23 @@
-// Package errors provides internal-facing error types for use in Boulder. Many
-// of these are transformed directly into Problem Details documents by the WFE.
-// Some, like NotFound, may be handled internally. We avoid using Problem
-// Details documents as part of our internal error system to avoid layering
-// confusions.
+// Package errors provide a special error type for use in Boulder. This error
+// type carries additional type information with it, and has two special powers:
 //
-// These errors are specifically for use in errors that cross RPC boundaries.
-// An error type that does not need to be passed through an RPC can use a plain
-// Go type locally. Our gRPC code is aware of these error types and will
-// serialize and deserialize them automatically.
+// 1. It is recognized by our gRPC code, and the type metadata and detail string
+// will cross gRPC boundaries intact.
+//
+// 2. It is recognized by our frontend API "rendering" code, and will be
+// automatically converted to the corresponding urn:ietf:params:acme:error:...
+// ACME Problem Document.
+//
+// This means that a deeply-nested service (such as the SA) that wants to ensure
+// that the ACME client sees a particular problem document (such as NotFound)
+// can return a BoulderError and be sure that it will be propagated all the way
+// to the client.
+//
+// Note, however, that any additional context wrapped *around* the BoulderError
+// (such as by fmt.Errorf("oops: %w")) will be lost when the error is converted
+// into a problem document. Similarly, any type information wrapped *by* a
+// BoulderError (such as a sql.ErrNoRows) is lost at the gRPC serialization
+// boundary.
 package errors
 
 import (
@@ -85,10 +95,15 @@ type SubBoulderError struct {
 	Identifier identifier.ACMEIdentifier
 }
 
+// Error implements the error interface, returning a string representation of
+// this error.
 func (be *BoulderError) Error() string {
 	return be.Detail
 }
 
+// Unwrap implements the optional error-unwrapping interface. It returns the
+// underlying type, all of when themselves implement the error interface, so
+// that `if errors.Is(someError, berrors.Malformed)` works.
 func (be *BoulderError) Unwrap() error {
 	return be.Type
 }
@@ -164,134 +179,134 @@ func New(errType ErrorType, msg string) error {
 
 // newf is a convenience function for creating a new BoulderError with a
 // formatted message.
-func newf(errType ErrorType, msg string, args ...interface{}) error {
+func newf(errType ErrorType, msg string, args ...any) error {
 	return &BoulderError{
 		Type:   errType,
 		Detail: fmt.Sprintf(msg, args...),
 	}
 }
 
-func InternalServerError(msg string, args ...interface{}) error {
+func InternalServerError(msg string, args ...any) error {
 	return newf(InternalServer, msg, args...)
 }
 
-func MalformedError(msg string, args ...interface{}) error {
+func MalformedError(msg string, args ...any) error {
 	return newf(Malformed, msg, args...)
 }
 
-func UnauthorizedError(msg string, args ...interface{}) error {
+func UnauthorizedError(msg string, args ...any) error {
 	return newf(Unauthorized, msg, args...)
 }
 
-func NotFoundError(msg string, args ...interface{}) error {
+func NotFoundError(msg string, args ...any) error {
 	return newf(NotFound, msg, args...)
 }
 
-func RateLimitError(retryAfter time.Duration, msg string, args ...interface{}) error {
+func RateLimitError(retryAfter time.Duration, msg string, args ...any) error {
 	return &BoulderError{
 		Type:       RateLimit,
 		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/", args...),
 		RetryAfter: retryAfter,
 	}
 }
 
-func RegistrationsPerIPAddressError(retryAfter time.Duration, msg string, args ...interface{}) error {
+func RegistrationsPerIPAddressError(retryAfter time.Duration, msg string, args ...any) error {
 	return &BoulderError{
 		Type:       RateLimit,
 		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/#new-registrations-per-ip-address", args...),
 		RetryAfter: retryAfter,
 	}
 }
 
-func RegistrationsPerIPv6RangeError(retryAfter time.Duration, msg string, args ...interface{}) error {
+func RegistrationsPerIPv6RangeError(retryAfter time.Duration, msg string, args ...any) error {
 	return &BoulderError{
 		Type:       RateLimit,
 		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/#new-registrations-per-ipv6-range", args...),
 		RetryAfter: retryAfter,
 	}
 }
 
-func NewOrdersPerAccountError(retryAfter time.Duration, msg string, args ...interface{}) error {
+func NewOrdersPerAccountError(retryAfter time.Duration, msg string, args ...any) error {
 	return &BoulderError{
 		Type:       RateLimit,
 		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/#new-orders-per-account", args...),
 		RetryAfter: retryAfter,
 	}
 }
 
-func CertificatesPerDomainError(retryAfter time.Duration, msg string, args ...interface{}) error {
+func CertificatesPerDomainError(retryAfter time.Duration, msg string, args ...any) error {
 	return &BoulderError{
 		Type:       RateLimit,
 		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-registered-domain", args...),
 		RetryAfter: retryAfter,
 	}
 }
 
-func CertificatesPerFQDNSetError(retryAfter time.Duration, msg string, args ...interface{}) error {
+func CertificatesPerFQDNSetError(retryAfter time.Duration, msg string, args ...any) error {
 	return &BoulderError{
 		Type:       RateLimit,
 		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/#new-certificates-per-exact-set-of-hostnames", args...),
 		RetryAfter: retryAfter,
 	}
 }
 
-func FailedAuthorizationsPerDomainPerAccountError(retryAfter time.Duration, msg string, args ...interface{}) error {
+func FailedAuthorizationsPerDomainPerAccountError(retryAfter time.Duration, msg string, args ...any) error {
 	return &BoulderError{
 		Type:       RateLimit,
 		Detail:     fmt.Sprintf(msg+": see https://letsencrypt.org/docs/rate-limits/#authorization-failures-per-hostname-per-account", args...),
 		RetryAfter: retryAfter,
 	}
 }
 
-func RejectedIdentifierError(msg string, args ...interface{}) error {
+func RejectedIdentifierError(msg string, args ...any) error {
 	return newf(RejectedIdentifier, msg, args...)
 }
 
-func InvalidEmailError(msg string, args ...interface{}) error {
+func InvalidEmailError(msg string, args ...any) error {
 	return newf(InvalidEmail, msg, args...)
 }
 
-func UnsupportedContactError(msg string, args ...interface{}) error {
+func UnsupportedContactError(msg string, args ...any) error {
 	return newf(UnsupportedContact, msg, args...)
 }
 
-func ConnectionFailureError(msg string, args ...interface{}) error {
+func ConnectionFailureError(msg string, args ...any) error {
 	return newf(ConnectionFailure, msg, args...)
 }
 
-func CAAError(msg string, args ...interface{}) error {
+func CAAError(msg string, args ...any) error {
 	return newf(CAA, msg, args...)
 }
 
-func MissingSCTsError(msg string, args ...interface{}) error {
+func MissingSCTsError(msg string, args ...any) error {
 	return newf(MissingSCTs, msg, args...)
 }
 
-func DuplicateError(msg string, args ...interface{}) error {
+func DuplicateError(msg string, args ...any) error {
 	return newf(Duplicate, msg, args...)
 }
 
-func OrderNotReadyError(msg string, args ...interface{}) error {
+func OrderNotReadyError(msg string, args ...any) error {
 	return newf(OrderNotReady, msg, args...)
 }
 
-func DNSError(msg string, args ...interface{}) error {
+func DNSError(msg string, args ...any) error {
 	return newf(DNS, msg, args...)
 }
 
-func BadPublicKeyError(msg string, args ...interface{}) error {
+func BadPublicKeyError(msg string, args ...any) error {
 	return newf(BadPublicKey, msg, args...)
 }
 
-func BadCSRError(msg string, args ...interface{}) error {
+func BadCSRError(msg string, args ...any) error {
 	return newf(BadCSR, msg, args...)
 }
 
-func AlreadyReplacedError(msg string, args ...interface{}) error {
+func AlreadyReplacedError(msg string, args ...any) error {
 	return newf(AlreadyReplaced, msg, args...)
 }
 
-func AlreadyRevokedError(msg string, args ...interface{}) error {
+func AlreadyRevokedError(msg string, args ...any) error {
 	return newf(AlreadyRevoked, msg, args...)
 }
 
@@ -303,18 +318,18 @@ func UnknownSerialError() error {
 	return newf(UnknownSerial, "unknown serial")
 }
 
-func InvalidProfileError(msg string, args ...interface{}) error {
+func InvalidProfileError(msg string, args ...any) error {
 	return newf(InvalidProfile, msg, args...)
 }
 
-func BadSignatureAlgorithmError(msg string, args ...interface{}) error {
+func BadSignatureAlgorithmError(msg string, args ...any) error {
 	return newf(BadSignatureAlgorithm, msg, args...)
 }
 
-func AccountDoesNotExistError(msg string, args ...interface{}) error {
+func AccountDoesNotExistError(msg string, args ...any) error {
 	return newf(AccountDoesNotExist, msg, args...)
 }
 
-func BadNonceError(msg string, args ...interface{}) error {
+func BadNonceError(msg string, args ...any) error {
 	return newf(BadNonce, msg, args...)
 }

probs/probs.go

@@ -70,7 +70,7 @@ type SubProblemDetails struct {
 	Identifier identifier.ACMEIdentifier `json:"identifier"`
 }
 
-func (pd *ProblemDetails) Error() string {
+func (pd *ProblemDetails) String() string {
 	return fmt.Sprintf("%s :: %s", pd.Type, pd.Detail)
 }
 
@@ -329,26 +329,6 @@ func Conflict(detail string) *ProblemDetails {
 	}
 }
 
-// ContentLengthRequired returns a ProblemDetails representing a missing
-// Content-Length header error
-func ContentLengthRequired() *ProblemDetails {
-	return &ProblemDetails{
-		Type:       MalformedProblem,
-		Detail:     "missing Content-Length header",
-		HTTPStatus: http.StatusLengthRequired,
-	}
-}
-
-// InvalidContentType returns a ProblemDetails suitable for a missing
-// ContentType header, or an incorrect ContentType header
-func InvalidContentType(detail string) *ProblemDetails {
-	return &ProblemDetails{
-		Type:       MalformedProblem,
-		Detail:     detail,
-		HTTPStatus: http.StatusUnsupportedMediaType,
-	}
-}
-
 // MethodNotAllowed returns a ProblemDetails representing a disallowed HTTP
 // method error.
 func MethodNotAllowed() *ProblemDetails {

probs/probs_test.go

@@ -15,7 +15,7 @@ func TestProblemDetails(t *testing.T) {
 		Detail:     "Wat? o.O",
 		HTTPStatus: 403,
 	}
-	test.AssertEquals(t, pd.Error(), "malformed :: Wat? o.O")
+	test.AssertEquals(t, pd.String(), "malformed :: Wat? o.O")
 }
 
 func TestProblemDetailsConvenience(t *testing.T) {

ra/ra_test.go

@@ -851,7 +851,7 @@ func TestPerformValidationVAError(t *testing.T) {
 	challenge, err := bgrpc.PBToChallenge(dbAuthzPB.Challenges[challIdx])
 	test.AssertNotError(t, err, "Failed to marshall corepb.Challenge to core.Challenge.")
 	test.Assert(t, challenge.Status == core.StatusInvalid, "challenge was not marked as invalid")
-	test.AssertContains(t, challenge.Error.Error(), "Could not communicate with VA")
+	test.AssertContains(t, challenge.Error.String(), "Could not communicate with VA")
 	test.Assert(t, challenge.ValidationRecord == nil, "challenge had a ValidationRecord")
 
 	// Check that validated timestamp was recorded, stored, and retrieved

va/caa.go

@@ -2,6 +2,7 @@ package va
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"net/url"
 	"regexp"
@@ -70,7 +71,7 @@ func (va *ValidationAuthorityImpl) DoCAA(ctx context.Context, req *vapb.IsCAAVal
 		if prob != nil {
 			// CAA check failed.
 			probType = string(prob.Type)
-			logEvent.Error = prob.Error()
+			logEvent.Error = prob.String()
 		} else {
 			// CAA check passed.
 			outcome = pass
@@ -145,7 +146,7 @@ func (va *ValidationAuthorityImpl) checkCAA(
 	identifier identifier.ACMEIdentifier,
 	params *caaParams) error {
 	if core.IsAnyNilOrZero(params, params.validationMethod, params.accountURIID) {
-		return probs.ServerInternal("expected validationMethod or accountURIID not provided to checkCAA")
+		return errors.New("expected validationMethod or accountURIID not provided to checkCAA")
 	}
 
 	foundAt, valid, response, err := va.checkCAARecords(ctx, identifier, params)

va/caa_test.go

@@ -1139,7 +1139,7 @@ func TestCAAFailure(t *testing.T) {
 	}
 	prob := detailedError(err)
 	test.AssertEquals(t, prob.Type, probs.DNSProblem)
-	test.AssertContains(t, prob.Error(), "NXDOMAIN")
+	test.AssertContains(t, prob.String(), "NXDOMAIN")
 }
 
 func TestFilterCAA(t *testing.T) {

va/dns_test.go

@@ -24,7 +24,7 @@ func TestDNSValidationWrong(t *testing.T) {
 		t.Fatalf("Successful DNS validation with wrong TXT record")
 	}
 	prob := detailedError(err)
-	test.AssertEquals(t, prob.Error(), "unauthorized :: Incorrect TXT record \"a\" found at _acme-challenge.wrong-dns01.com")
+	test.AssertEquals(t, prob.String(), "unauthorized :: Incorrect TXT record \"a\" found at _acme-challenge.wrong-dns01.com")
 }
 
 func TestDNSValidationWrongMany(t *testing.T) {
@@ -35,7 +35,7 @@ func TestDNSValidationWrongMany(t *testing.T) {
 		t.Fatalf("Successful DNS validation with wrong TXT record")
 	}
 	prob := detailedError(err)
-	test.AssertEquals(t, prob.Error(), "unauthorized :: Incorrect TXT record \"a\" (and 4 more) found at _acme-challenge.wrong-many-dns01.com")
+	test.AssertEquals(t, prob.String(), "unauthorized :: Incorrect TXT record \"a\" (and 4 more) found at _acme-challenge.wrong-many-dns01.com")
 }
 
 func TestDNSValidationWrongLong(t *testing.T) {
@@ -46,7 +46,7 @@ func TestDNSValidationWrongLong(t *testing.T) {
 		t.Fatalf("Successful DNS validation with wrong TXT record")
 	}
 	prob := detailedError(err)
-	test.AssertEquals(t, prob.Error(), "unauthorized :: Incorrect TXT record \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...\" found at _acme-challenge.long-dns01.com")
+	test.AssertEquals(t, prob.String(), "unauthorized :: Incorrect TXT record \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...\" found at _acme-challenge.long-dns01.com")
 }
 
 func TestDNSValidationFailure(t *testing.T) {

va/tlsalpn_test.go

@@ -254,7 +254,7 @@ func TestTLSALPN01TalkingToHTTP(t *testing.T) {
 	test.AssertError(t, err, "TLS-SNI-01 validation passed when talking to a HTTP-only server")
 	prob := detailedError(err)
 	expected := "Server only speaks HTTP, not TLS"
-	if !strings.HasSuffix(prob.Error(), expected) {
+	if !strings.HasSuffix(prob.String(), expected) {
 		t.Errorf("Got wrong error detail. Expected %q, got %q", expected, prob)
 	}
 }
@@ -780,7 +780,7 @@ func TestTLSALPN01ExtraSANs(t *testing.T) {
 	// In go >= 1.19, the TLS client library detects that the certificate has
 	// a duplicate extension and terminates the connection itself.
 	prob := detailedError(err)
-	test.AssertContains(t, prob.Error(), "Error getting validation data")
+	test.AssertContains(t, prob.String(), "Error getting validation data")
 }
 
 func TestTLSALPN01ExtraAcmeExtensions(t *testing.T) {
@@ -795,7 +795,7 @@ func TestTLSALPN01ExtraAcmeExtensions(t *testing.T) {
 	// In go >= 1.19, the TLS client library detects that the certificate has
 	// a duplicate extension and terminates the connection itself.
 	prob := detailedError(err)
-	test.AssertContains(t, prob.Error(), "Error getting validation data")
+	test.AssertContains(t, prob.String(), "Error getting validation data")
 }
 
 func TestAcceptableExtensions(t *testing.T) {
@@ -857,7 +857,7 @@ func TestTLSALPN01BadIdentifier(t *testing.T) {
 	_, err := va.validateTLSALPN01(ctx, identifier.ACMEIdentifier{Type: "smime", Value: "dobber@bad.horse"}, expectedKeyAuthorization)
 	test.AssertError(t, err, "Server accepted a hypothetical S/MIME identifier")
 	prob := detailedError(err)
-	test.AssertContains(t, prob.Error(), "Identifier type for TLS-ALPN-01 challenge was not DNS or IP")
+	test.AssertContains(t, prob.String(), "Identifier type for TLS-ALPN-01 challenge was not DNS or IP")
 }
 
 // TestTLSALPN01ServerName tests compliance with RFC 8737, Sec. 3 (step 3) & RFC

va/va.go

@@ -703,7 +703,7 @@ func (va *ValidationAuthorityImpl) DoDCV(ctx context.Context, req *vapb.PerformV
 		outcome := fail
 		if prob != nil {
 			probType = string(prob.Type)
-			logEvent.Error = prob.Error()
+			logEvent.Error = prob.String()
 			logEvent.Challenge.Error = prob
 			logEvent.Challenge.Status = core.StatusInvalid
 		} else {