remove github.com/zeebo/errs

v2/bundle/jwtbundle/bundle.go

@@ -3,18 +3,17 @@ package jwtbundle
 import (
 	"crypto"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"io"
 	"os"
 	"sync"
 
 	"github.com/go-jose/go-jose/v4"
 	"github.com/spiffe/go-spiffe/v2/internal/jwtutil"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
 )
 
-var jwtbundleErr = errs.Class("jwtbundle")
-
 // Bundle is a collection of trusted JWT authorities for a trust domain.
 type Bundle struct {
 	trustDomain spiffeid.TrustDomain
@@ -43,7 +42,7 @@ func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[str
 func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
 	bundleBytes, err := os.ReadFile(path)
 	if err != nil {
-		return nil, jwtbundleErr.New("unable to read JWT bundle: %w", err)
+		return nil, wrapJwtbundleErr(fmt.Errorf("unable to read JWT bundle: %w", err))
 	}
 
 	return Parse(trustDomain, bundleBytes)
@@ -53,7 +52,7 @@ func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
 func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
 	b, err := io.ReadAll(r)
 	if err != nil {
-		return nil, jwtbundleErr.New("unable to read: %v", err)
+		return nil, wrapJwtbundleErr(fmt.Errorf("unable to read: %v", err))
 	}
 
 	return Parse(trustDomain, b)
@@ -63,13 +62,13 @@ func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
 func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error) {
 	jwks := new(jose.JSONWebKeySet)
 	if err := json.Unmarshal(bundleBytes, jwks); err != nil {
-		return nil, jwtbundleErr.New("unable to parse JWKS: %v", err)
+		return nil, wrapJwtbundleErr(fmt.Errorf("unable to parse JWKS: %v", err))
 	}
 
 	bundle := New(trustDomain)
 	for i, key := range jwks.Keys {
 		if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil {
-			return nil, jwtbundleErr.New("error adding authority %d of JWKS: %v", i, errs.Unwrap(err))
+			return nil, wrapJwtbundleErr(fmt.Errorf("error adding authority %d of JWKS: %v", i, errors.Unwrap(err)))
 		}
 	}
 
@@ -115,7 +114,7 @@ func (b *Bundle) HasJWTAuthority(keyID string) bool {
 // under the given key ID, it is replaced. A key ID must be specified.
 func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error {
 	if keyID == "" {
-		return jwtbundleErr.New("keyID cannot be empty")
+		return wrapJwtbundleErr(errors.New("keyID cannot be empty"))
 	}
 
 	b.mtx.Lock()
@@ -192,8 +191,12 @@ func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*
 	defer b.mtx.RUnlock()
 
 	if b.trustDomain != trustDomain {
-		return nil, jwtbundleErr.New("no JWT bundle for trust domain %q", trustDomain)
+		return nil, wrapJwtbundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain))
 	}
 
 	return b, nil
 }
+
+func wrapJwtbundleErr(err error) error {
+	return fmt.Errorf("jwtbundle: %w", err)
+}

v2/bundle/jwtbundle/set.go

@@ -1,6 +1,7 @@
 package jwtbundle
 
 import (
+	"fmt"
 	"sort"
 	"sync"
 
@@ -98,7 +99,7 @@ func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bun
 
 	bundle, ok := s.bundles[trustDomain]
 	if !ok {
-		return nil, jwtbundleErr.New("no JWT bundle for trust domain %q", trustDomain)
+		return nil, wrapJwtbundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain))
 	}
 
 	return bundle, nil

v2/bundle/spiffebundle/bundle.go

@@ -4,6 +4,8 @@ import (
 	"crypto"
 	"crypto/x509"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"io"
 	"os"
 	"sync"
@@ -15,16 +17,13 @@ import (
 	"github.com/spiffe/go-spiffe/v2/internal/jwtutil"
 	"github.com/spiffe/go-spiffe/v2/internal/x509util"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
 )
 
 const (
 	x509SVIDUse = "x509-svid"
 	jwtSVIDUse  = "jwt-svid"
 )
 
-var spiffebundleErr = errs.Class("spiffebundle")
-
 type bundleDoc struct {
 	jose.JSONWebKeySet
 	SequenceNumber *uint64 `json:"spiffe_sequence,omitempty"`
@@ -58,7 +57,7 @@ func New(trustDomain spiffeid.TrustDomain) *Bundle {
 func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
 	bundleBytes, err := os.ReadFile(path)
 	if err != nil {
-		return nil, spiffebundleErr.New("unable to read SPIFFE bundle: %w", err)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("unable to read SPIFFE bundle: %w", err))
 	}
 
 	return Parse(trustDomain, bundleBytes)
@@ -69,7 +68,7 @@ func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
 func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
 	b, err := io.ReadAll(r)
 	if err != nil {
-		return nil, spiffebundleErr.New("unable to read: %v", err)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("unable to read: %v", err))
 	}
 
 	return Parse(trustDomain, b)
@@ -80,7 +79,7 @@ func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
 func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error) {
 	jwks := &bundleDoc{}
 	if err := json.Unmarshal(bundleBytes, jwks); err != nil {
-		return nil, spiffebundleErr.New("unable to parse JWKS: %v", err)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("unable to parse JWKS: %v", err))
 	}
 
 	bundle := New(trustDomain)
@@ -94,19 +93,19 @@ func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error
 	if jwks.Keys == nil {
 		// The parameter keys MUST be present.
 		// https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md#413-keys
-		return nil, spiffebundleErr.New("no authorities found")
+		return nil, wrapSpiffebundleErr(errors.New("no authorities found"))
 	}
 	for i, key := range jwks.Keys {
 		switch key.Use {
 		// Two SVID types are supported: x509-svid and jwt-svid.
 		case x509SVIDUse:
 			if len(key.Certificates) != 1 {
-				return nil, spiffebundleErr.New("expected a single certificate in %s entry %d; got %d", x509SVIDUse, i, len(key.Certificates))
+				return nil, wrapSpiffebundleErr(fmt.Errorf("expected a single certificate in %s entry %d; got %d", x509SVIDUse, i, len(key.Certificates)))
 			}
 			bundle.AddX509Authority(key.Certificates[0])
 		case jwtSVIDUse:
 			if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil {
-				return nil, spiffebundleErr.New("error adding authority %d of JWKS: %v", i, errs.Unwrap(err))
+				return nil, wrapSpiffebundleErr(fmt.Errorf("error adding authority %d of JWKS: %v", i, errors.Unwrap(err)))
 			}
 		}
 	}
@@ -238,7 +237,7 @@ func (b *Bundle) HasJWTAuthority(keyID string) bool {
 // under the given key ID, it is replaced. A key ID must be specified.
 func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error {
 	if keyID == "" {
-		return spiffebundleErr.New("keyID cannot be empty")
+		return wrapSpiffebundleErr(errors.New("keyID cannot be empty"))
 	}
 
 	b.mtx.Lock()
@@ -404,7 +403,7 @@ func (b *Bundle) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bun
 	defer b.mtx.RUnlock()
 
 	if b.trustDomain != trustDomain {
-		return nil, spiffebundleErr.New("no SPIFFE bundle for trust domain %q", trustDomain)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("no SPIFFE bundle for trust domain %q", trustDomain))
 	}
 
 	return b, nil
@@ -418,7 +417,7 @@ func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (
 	defer b.mtx.RUnlock()
 
 	if b.trustDomain != trustDomain {
-		return nil, spiffebundleErr.New("no X.509 bundle for trust domain %q", trustDomain)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("no X.509 bundle for trust domain %q", trustDomain))
 	}
 
 	return b.X509Bundle(), nil
@@ -432,7 +431,7 @@ func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*
 	defer b.mtx.RUnlock()
 
 	if b.trustDomain != trustDomain {
-		return nil, spiffebundleErr.New("no JWT bundle for trust domain %q", trustDomain)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain))
 	}
 
 	return b.JWTBundle(), nil
@@ -482,3 +481,7 @@ func copySequenceNumber(sequenceNumber *uint64) *uint64 {
 	copied := *sequenceNumber
 	return &copied
 }
+
+func wrapSpiffebundleErr(err error) error {
+	return fmt.Errorf("spiffebundle: %w", err)
+}

v2/bundle/spiffebundle/set.go

@@ -1,6 +1,7 @@
 package spiffebundle
 
 import (
+	"fmt"
 	"sort"
 	"sync"
 
@@ -100,7 +101,7 @@ func (s *Set) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle
 
 	bundle, ok := s.bundles[trustDomain]
 	if !ok {
-		return nil, spiffebundleErr.New("no SPIFFE bundle for trust domain %q", trustDomain)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("no SPIFFE bundle for trust domain %q", trustDomain))
 	}
 
 	return bundle, nil
@@ -114,7 +115,7 @@ func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x5
 
 	bundle, ok := s.bundles[trustDomain]
 	if !ok {
-		return nil, spiffebundleErr.New("no X.509 bundle for trust domain %q", trustDomain)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("no X.509 bundle for trust domain %q", trustDomain))
 	}
 
 	return bundle.X509Bundle(), nil
@@ -128,7 +129,7 @@ func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwt
 
 	bundle, ok := s.bundles[trustDomain]
 	if !ok {
-		return nil, spiffebundleErr.New("no JWT bundle for trust domain %q", trustDomain)
+		return nil, wrapSpiffebundleErr(fmt.Errorf("no JWT bundle for trust domain %q", trustDomain))
 	}
 
 	return bundle.JWTBundle(), nil

v2/bundle/x509bundle/bundle.go

@@ -2,18 +2,16 @@ package x509bundle
 
 import (
 	"crypto/x509"
+	"fmt"
 	"io"
 	"os"
 	"sync"
 
 	"github.com/spiffe/go-spiffe/v2/internal/pemutil"
 	"github.com/spiffe/go-spiffe/v2/internal/x509util"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
 )
 
-var x509bundleErr = errs.Class("x509bundle")
-
 // Bundle is a collection of trusted X.509 authorities for a trust domain.
 type Bundle struct {
 	trustDomain spiffeid.TrustDomain
@@ -42,7 +40,7 @@ func FromX509Authorities(trustDomain spiffeid.TrustDomain, authorities []*x509.C
 func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
 	fileBytes, err := os.ReadFile(path)
 	if err != nil {
-		return nil, x509bundleErr.New("unable to load X.509 bundle file: %w", err)
+		return nil, wrapX509bundleErr(fmt.Errorf("unable to load X.509 bundle file: %w", err))
 	}
 
 	return Parse(trustDomain, fileBytes)
@@ -53,7 +51,7 @@ func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error) {
 func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error) {
 	b, err := io.ReadAll(r)
 	if err != nil {
-		return nil, x509bundleErr.New("unable to read X.509 bundle: %v", err)
+		return nil, wrapX509bundleErr(fmt.Errorf("unable to read X.509 bundle: %v", err))
 	}
 
 	return Parse(trustDomain, b)
@@ -69,7 +67,7 @@ func Parse(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) {
 
 	certs, err := pemutil.ParseCertificates(b)
 	if err != nil {
-		return nil, x509bundleErr.New("cannot parse certificate: %v", err)
+		return nil, wrapX509bundleErr(fmt.Errorf("cannot parse certificate: %v", err))
 	}
 	for _, cert := range certs {
 		bundle.AddX509Authority(cert)
@@ -87,7 +85,7 @@ func ParseRaw(trustDomain spiffeid.TrustDomain, b []byte) (*Bundle, error) {
 
 	certs, err := x509.ParseCertificates(b)
 	if err != nil {
-		return nil, x509bundleErr.New("cannot parse certificate: %v", err)
+		return nil, wrapX509bundleErr(fmt.Errorf("cannot parse certificate: %v", err))
 	}
 	for _, cert := range certs {
 		bundle.AddX509Authority(cert)
@@ -195,8 +193,12 @@ func (b *Bundle) Clone() *Bundle {
 // returned if the trust domain does not match that of the bundle.
 func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error) {
 	if b.trustDomain != trustDomain {
-		return nil, x509bundleErr.New("no X.509 bundle found for trust domain: %q", trustDomain)
+		return nil, wrapX509bundleErr(fmt.Errorf("no X.509 bundle found for trust domain: %q", trustDomain))
 	}
 
 	return b, nil
 }
+
+func wrapX509bundleErr(err error) error {
+	return fmt.Errorf("x509bundle: %w", err)
+}

v2/bundle/x509bundle/set.go

@@ -1,6 +1,7 @@
 package x509bundle
 
 import (
+	"fmt"
 	"sort"
 	"sync"
 
@@ -98,7 +99,7 @@ func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bu
 
 	bundle, ok := s.bundles[trustDomain]
 	if !ok {
-		return nil, x509bundleErr.New("no X.509 bundle for trust domain %q", trustDomain)
+		return nil, wrapX509bundleErr(fmt.Errorf("no X.509 bundle for trust domain %q", trustDomain))
 	}
 
 	return bundle, nil