fix: add errorsource to TLS errors correctly (#1256)

njvrzm · web-flow · commit 8f93b9f7d93b · 2025-03-05T12:10:11.000+01:00
diff --git a/experimental/status/status_source.go b/experimental/status/status_source.go
@@ -2,6 +2,7 @@ package status
 
 import (
 	"context"
+	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
@@ -191,30 +192,15 @@ func isDNSNotFoundError(err error) bool {
 // isTLSCertificateVerificationError checks if the error is related to TLS certificate verification.
 func isTLSCertificateVerificationError(err error) bool {
 	var (
-		certErr        *x509.CertificateInvalidError
-		unknownAuthErr x509.UnknownAuthorityError
-		hostnameErr    *x509.HostnameError
+		certErr             x509.CertificateInvalidError
+		unknownAuthorityErr x509.UnknownAuthorityError
+		hostnameErr         x509.HostnameError
+		tlsError            *tls.CertificateVerificationError
 	)
-
-	// Directly check for certificate-related errors
-	if errors.As(err, &certErr) ||
-		errors.As(err, &unknownAuthErr) ||
-		errors.As(err, &hostnameErr) {
-		return true
-	}
-
-	// Check if the error is wrapped in a *url.Error
-	var urlErr *url.Error
-	if errors.As(err, &urlErr) {
-		// Check the underlying error in urlErr
-		if errors.As(urlErr.Err, &certErr) ||
-			errors.As(urlErr.Err, &unknownAuthErr) ||
-			errors.As(urlErr.Err, &hostnameErr) {
-			return true
-		}
-	}
-
-	return false
+	return errors.As(err, &certErr) ||
+		errors.As(err, &unknownAuthorityErr) ||
+		errors.As(err, &hostnameErr) ||
+		errors.As(err, &tlsError)
 }
 
 // isHTTPEOFError returns true if the error is an EOF error inside of url.Error or net.OpError, indicating the connection was closed prematurely by server
diff --git a/experimental/status/status_source_test.go b/experimental/status/status_source_test.go
@@ -2,6 +2,7 @@ package status_test
 
 import (
 	"context"
+	"crypto/tls"
 	"crypto/x509"
 	"errors"
 	"fmt"
@@ -241,7 +242,7 @@ func TestIsDownstreamHTTPError(t *testing.T) {
 		},
 		{
 			name:     "wrapped *url.Error with UnknownAuthorityError",
-			err:      &url.Error{Op: "Get", URL: "https://example.com", Err: x509.UnknownAuthorityError{}},
+			err:      &url.Error{Op: "Get", URL: "https://example.com", Err: &tls.CertificateVerificationError{Err: x509.UnknownAuthorityError{}}},
 			expected: true,
 		},
 		{
@@ -251,7 +252,7 @@ func TestIsDownstreamHTTPError(t *testing.T) {
 		},
 		{
 			name:     "direct CertificateInvalidError",
-			err:      &x509.CertificateInvalidError{Reason: x509.Expired, Cert: nil},
+			err:      x509.CertificateInvalidError{Reason: x509.Expired, Cert: nil},
 			expected: true,
 		},
 		{
@@ -294,9 +295,24 @@ func TestIsDownstreamHTTPError(t *testing.T) {
 			err: &url.Error{
 				Op:  "Get",
 				URL: "https://example.com",
-				Err: &x509.HostnameError{
-					Host:        "example.com",
-					Certificate: &x509.Certificate{},
+				Err: &tls.CertificateVerificationError{
+					Err: x509.HostnameError{
+						Host:        "example.com",
+						Certificate: &x509.Certificate{},
+					},
+				},
+			},
+			expected: true,
+		},
+		{
+			name: "TLS certificate expired",
+			err: &url.Error{
+				Op:  "Get",
+				URL: "https://example.com",
+				Err: &tls.CertificateVerificationError{
+					Err: x509.CertificateInvalidError{
+						Reason: x509.Expired,
+					},
 				},
 			},
 			expected: true,
