Remove github.com/zeebo/errs dependency

We don't really use this dependency for much other than to group some
errors together with a common error message prefix. The same can now
be accomplished with a couple custom error types and the `errors`
standard library package.

This package also wasn't consistently adopted throughout the project, so
at this point it's probably better to just rely on the standard library
functionality, since it's sufficient for the project's use cases.

Signed-off-by: Ryan Turner <ryan.turner253@icloud.com>

cmd/spire-server/cli/bundle/common.go

@@ -17,7 +17,6 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/cmd/spire-server/util"
-	"github.com/zeebo/errs"
 )
 
 const (
@@ -78,7 +77,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 
 	docBytes, err := b.Marshal()
 	if err != nil {
-		return errs.Wrap(err)
+		return err
 	}
 
 	var o bytes.Buffer
@@ -87,7 +86,7 @@ func printBundle(out io.Writer, bundle *types.Bundle) error {
 	}
 
 	if _, err := fmt.Fprintln(out, o.String()); err != nil {
-		return errs.Wrap(err)
+		return err
 	}
 
 	return nil

go.mod

@@ -78,7 +78,6 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/uber-go/tally/v4 v4.1.16
 	github.com/valyala/fastjson v1.6.4
-	github.com/zeebo/errs v1.4.0
 	golang.org/x/crypto v0.31.0
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
 	golang.org/x/net v0.32.0
@@ -290,6 +289,7 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zeebo/errs v1.4.0 // indirect
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/detectors/gcp v1.29.0 // indirect

pkg/agent/attestor/node/node.go

@@ -28,7 +28,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/tlspolicy"
 	"github.com/spiffe/spire/pkg/common/util"
 	"github.com/spiffe/spire/pkg/common/x509util"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 )
@@ -101,7 +100,7 @@ func (a *attestor) Attest(ctx context.Context) (res *AttestationResult, err erro
 		// This is a bizarre case where we have an SVID but were unable to
 		// load a bundle from the cache which suggests some tampering with the
 		// cache on disk.
-		return nil, errs.New("SVID loaded but no bundle in cache")
+		return nil, errors.New("SVID loaded but no bundle in cache")
 	default:
 		log.WithField(telemetry.SPIFFEID, svid[0].URIs[0].String()).Info("SVID loaded")
 	}
@@ -265,7 +264,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 	if !a.c.InsecureBootstrap {
 		// We shouldn't get here since loadBundle() should fail if the bundle
 		// is empty, but just in case...
-		return nil, errs.New("no bundle and not doing insecure bootstrap")
+		return nil, errors.New("no bundle and not doing insecure bootstrap")
 	}
 
 	// Insecure bootstrapping. Do not verify the server chain but rather do a
@@ -279,7 +278,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 			if len(rawCerts) == 0 {
 				// This is not really possible without a catastrophic bug
 				// creeping into the TLS stack.
-				return errs.New("server chain is unexpectedly empty")
+				return errors.New("server chain is unexpectedly empty")
 			}
 
 			expectedServerID, err := idutil.ServerID(a.c.TrustDomain)
@@ -292,7 +291,7 @@ func (a *attestor) serverConn(ctx context.Context, bundle *spiffebundle.Bundle)
 				return err
 			}
 			if len(serverCert.URIs) != 1 || serverCert.URIs[0].String() != expectedServerID.String() {
-				return errs.New("expected server SPIFFE ID %q; got %q", expectedServerID, serverCert.URIs)
+				return fmt.Errorf("expected server SPIFFE ID %q; got %q", expectedServerID, serverCert.URIs)
 			}
 			return nil
 		},

pkg/agent/endpoints/sdsv3/handler.go

@@ -22,7 +22,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/pemutil"
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	"github.com/spiffe/spire/proto/spire/common"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/anypb"
@@ -99,7 +98,7 @@ func (h *Handler) StreamSecrets(stream secret_v3.SecretDiscoveryService_StreamSe
 	}()
 
 	var versionCounter int64
-	var versionInfo = strconv.FormatInt(versionCounter, 10)
+	versionInfo := strconv.FormatInt(versionCounter, 10)
 	var lastNonce string
 	var lastNode *core_v3.Node
 	var upd *cache.WorkloadUpdate
@@ -150,7 +149,7 @@ func (h *Handler) StreamSecrets(stream secret_v3.SecretDiscoveryService_StreamSe
 
 			// We need to send updates if the requested resource list has changed
 			// either explicitly, or implicitly because this is the first request.
-			var sendUpdates = lastReq == nil || subListChanged(lastReq.ResourceNames, newReq.ResourceNames)
+			sendUpdates := lastReq == nil || subListChanged(lastReq.ResourceNames, newReq.ResourceNames)
 
 			// save request so that all future workload updates lead to SDS updates for the last request
 			lastReq = newReq
@@ -206,7 +205,7 @@ func subListChanged(oldSubs []string, newSubs []string) (b bool) {
 	if len(oldSubs) != len(newSubs) {
 		return true
 	}
-	var subMap = make(map[string]bool)
+	subMap := make(map[string]bool)
 	for _, sub := range oldSubs {
 		subMap[sub] = true
 	}
@@ -582,7 +581,7 @@ func nextNonce() (string, error) {
 	b := make([]byte, 4)
 	_, err := rand.Read(b)
 	if err != nil {
-		return "", errs.Wrap(err)
+		return "", err
 	}
 	return hex.EncodeToString(b), nil
 }

pkg/agent/endpoints/workload/handler.go

@@ -22,7 +22,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	"github.com/spiffe/spire/pkg/common/x509util"
 	"github.com/spiffe/spire/proto/spire/common"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/encoding/protojson"
@@ -512,12 +511,12 @@ func keyStoreFromBundles(bundles []*spiffebundle.Bundle) (jwtsvid.KeyStore, erro
 func structFromValues(values map[string]any) (*structpb.Struct, error) {
 	valuesJSON, err := json.Marshal(values)
 	if err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 
 	s := new(structpb.Struct)
 	if err := protojson.Unmarshal(valuesJSON, s); err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 
 	return s, nil

pkg/agent/plugin/nodeattestor/k8spsat/psat.go

@@ -3,6 +3,7 @@ package k8spsat
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"os"
 	"sync"
 
@@ -12,7 +13,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/catalog"
 	"github.com/spiffe/spire/pkg/common/plugin/k8s"
 	"github.com/spiffe/spire/pkg/common/pluginconf"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -145,10 +145,10 @@ func (p *AttestorPlugin) getConfig() (*attestorConfig, error) {
 func loadTokenFromFile(path string) (string, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {
-		return "", errs.Wrap(err)
+		return "", err
 	}
 	if len(data) == 0 {
-		return "", errs.New("%q is empty", path)
+		return "", fmt.Errorf("%q is empty", path)
 	}
 	return string(data), nil
 }

pkg/agent/plugin/nodeattestor/k8ssat/sat.go

@@ -14,7 +14,6 @@ import (
 	"github.com/spiffe/spire/pkg/common/catalog"
 	"github.com/spiffe/spire/pkg/common/plugin/k8s"
 	"github.com/spiffe/spire/pkg/common/pluginconf"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -148,10 +147,10 @@ func (p *AttestorPlugin) getConfig() (*attestorConfig, error) {
 func loadTokenFromFile(path string) (string, error) {
 	data, err := os.ReadFile(path)
 	if err != nil {
-		return "", errs.Wrap(err)
+		return "", err
 	}
 	if len(data) == 0 {
-		return "", errs.New("%q is empty", path)
+		return "", fmt.Errorf("%q is empty", path)
 	}
 	return string(data), nil
 }

pkg/common/bundleutil/unmarshal.go

@@ -8,7 +8,6 @@ import (
 
 	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
-	"github.com/zeebo/errs"
 )
 
 func Decode(trustDomain spiffeid.TrustDomain, r io.Reader) (*spiffebundle.Bundle, error) {
@@ -22,7 +21,7 @@ func Decode(trustDomain spiffeid.TrustDomain, r io.Reader) (*spiffebundle.Bundle
 func Unmarshal(trustDomain spiffeid.TrustDomain, data []byte) (*spiffebundle.Bundle, error) {
 	doc := new(bundleDoc)
 	if err := json.Unmarshal(data, doc); err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 	return unmarshal(trustDomain, doc)
 }
@@ -35,20 +34,20 @@ func unmarshal(trustDomain spiffeid.TrustDomain, doc *bundleDoc) (*spiffebundle.
 		switch key.Use {
 		case x509SVIDUse:
 			if len(key.Certificates) != 1 {
-				return nil, errs.New("expected a single certificate in x509-svid entry %d; got %d", i, len(key.Certificates))
+				return nil, fmt.Errorf("expected a single certificate in x509-svid entry %d; got %d", i, len(key.Certificates))
 			}
 			bundle.AddX509Authority(key.Certificates[0])
 		case jwtSVIDUse:
 			if key.KeyID == "" {
-				return nil, errs.New("missing key ID in jwt-svid entry %d", i)
+				return nil, fmt.Errorf("missing key ID in jwt-svid entry %d", i)
 			}
 			if err := bundle.AddJWTAuthority(key.KeyID, key.Key); err != nil {
-				return nil, errs.New("failed to add jwt-svid entry %d: %v", i, err)
+				return nil, fmt.Errorf("failed to add jwt-svid entry %d: %v", i, err)
 			}
 		case "":
-			return nil, errs.New("missing use for key entry %d", i)
+			return nil, fmt.Errorf("missing use for key entry %d", i)
 		default:
-			return nil, errs.New("unrecognized use %q for key entry %d", key.Use, i)
+			return nil, fmt.Errorf("unrecognized use %q for key entry %d", key.Use, i)
 		}
 	}
 

pkg/common/catalog/builtin.go

@@ -11,7 +11,6 @@ import (
 	"github.com/spiffe/spire-plugin-sdk/pluginsdk"
 	"github.com/spiffe/spire-plugin-sdk/private"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials/insecure"
 )
@@ -147,7 +146,7 @@ func startPipeServer(server *grpc.Server, log logrus.FieldLogger) (_ *pipeConn,
 	// Dial the server
 	conn, err := grpc.Dial("IGNORED", grpc.WithBlock(), grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithContextDialer(pipeNet.DialContext)) //nolint: staticcheck // It is going to be resolved on #5152
 	if err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 	closers = append(closers, conn)
 

pkg/common/catalog/closers.go

@@ -1,22 +1,25 @@
 package catalog
 
 import (
+	"errors"
 	"io"
 	"time"
 
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 )
 
 type closerGroup []io.Closer
 
 func (cs closerGroup) Close() error {
 	// Close in reverse order.
-	var errs errs.Group
+	var errs error
 	for i := len(cs) - 1; i >= 0; i-- {
-		errs.Add(cs[i].Close())
+		if err := cs[i].Close(); err != nil {
+			errs = errors.Join(errs, err)
+		}
 	}
-	return errs.Err()
+
+	return errs
 }
 
 type closerFunc func()

pkg/common/catalog/external.go

@@ -14,7 +14,6 @@ import (
 	"github.com/spiffe/spire-plugin-sdk/pluginsdk"
 	"github.com/spiffe/spire-plugin-sdk/private"
 	"github.com/spiffe/spire/pkg/common/log"
-	"github.com/zeebo/errs"
 	"google.golang.org/grpc"
 )
 
@@ -154,7 +153,7 @@ func (p *hcClientPlugin) GRPCClient(ctx context.Context, b *goplugin.GRPCBroker,
 	// does not work yet anyway, so it is a moot point.
 	listener, err := b.Accept(private.HostServiceProviderID)
 	if err != nil {
-		return nil, errs.Wrap(err)
+		return nil, err
 	}
 
 	server := newHostServer(p.config.Log, p.config.Name, p.config.HostServices)

pkg/common/cryptoutil/keys.go

@@ -7,7 +7,6 @@ import (
 	"fmt"
 
 	"github.com/go-jose/go-jose/v4"
-	"github.com/zeebo/errs"
 )
 
 func RSAPublicKeyEqual(a, b *rsa.PublicKey) bool {
@@ -58,7 +57,7 @@ func JoseAlgFromPublicKey(publicKey any) (jose.SignatureAlgorithm, error) {
 	case *rsa.PublicKey:
 		// Prevent the use of keys smaller than 2048 bits
 		if publicKey.Size() < 256 {
-			return "", errs.New("unsupported RSA key size: %d", publicKey.Size())
+			return "", fmt.Errorf("unsupported RSA key size: %d", publicKey.Size())
 		}
 		alg = jose.RS256
 	case *ecdsa.PublicKey:
@@ -69,10 +68,10 @@ func JoseAlgFromPublicKey(publicKey any) (jose.SignatureAlgorithm, error) {
 		case 384:
 			alg = jose.ES384
 		default:
-			return "", errs.New("unable to determine signature algorithm for EC public key size %d", params.BitSize)
+			return "", fmt.Errorf("unable to determine signature algorithm for EC public key size %d", params.BitSize)
 		}
 	default:
-		return "", errs.New("unable to determine signature algorithm for public key type %T", publicKey)
+		return "", fmt.Errorf("unable to determine signature algorithm for public key type %T", publicKey)
 	}
 	return alg, nil
 }

pkg/common/jwtsvid/common.go

@@ -5,18 +5,17 @@ import (
 	"time"
 
 	"github.com/go-jose/go-jose/v4/jwt"
-	"github.com/zeebo/errs"
 )
 
 func GetTokenExpiry(token string) (time.Time, time.Time, error) {
 	tok, err := jwt.ParseSigned(token, AllowedSignatureAlgorithms)
 	if err != nil {
-		return time.Time{}, time.Time{}, errs.Wrap(err)
+		return time.Time{}, time.Time{}, err
 	}
 
 	claims := jwt.Claims{}
 	if err := tok.UnsafeClaimsWithoutVerification(&claims); err != nil {
-		return time.Time{}, time.Time{}, errs.Wrap(err)
+		return time.Time{}, time.Time{}, err
 	}
 	if claims.IssuedAt == nil {
 		return time.Time{}, time.Time{}, errors.New("JWT missing iat claim")