[errors] de-specialize Transient in favor of Tags.

server/auth/delegation/checker.go

 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 package delegation
 
 import (
         "encoding/base64"
         "fmt"
         "strings"
 
         "github.com/golang/protobuf/proto"
         "golang.org/x/net/context"
 
         "github.com/luci/luci-go/common/clock"
         "github.com/luci/luci-go/common/errors"
         "github.com/luci/luci-go/common/logging"
+        "github.com/luci/luci-go/common/retry"
 
         "github.com/luci/luci-go/server/auth/identity"
         "github.com/luci/luci-go/server/auth/signing"
 
         "github.com/luci/luci-go/server/auth/delegation/messages"
 )
 
 const (
         // maxTokenSize is upper bound for expected size of a token (after base64
         // decoding). Larger tokens will be ignored right away.
@@ skipping 60 matching lines @@
         // subtoken).
         tok, err := deserializeToken(params.Token)
         if err != nil {
                 logging.Warningf(c, "auth: Failed to deserialize delegation token - %s", err)
                 return "", ErrMalformedDelegationToken
         }
 
         // Signed serialized subtoken -> Subtoken proto.
         subtoken, err := unsealToken(c, tok, params.CertificatesProvider)
         if err != nil {
-                if errors.IsTransient(err) {
+                if retry.Tag.In(err) {
                         logging.Warningf(c, "auth: Transient error when checking delegation token signature - %s", err)
                         return "", err
                 }
                 logging.Warningf(c, "auth: Failed to check delegation token signature - %s", err)
                 return "", ErrUnsignedDelegationToken
         }
 
         // Validate all constrains encoded in the token and derive the delegated
         // identity.
         return checkSubtoken(c, subtoken, &params)
@@ skipping 62 matching lines @@
                 logging.Warningf(c, "auth: Bad delegation token expiration - %s", err)
                 return "", ErrForbiddenDelegationToken
         }
         if err := checkSubtokenServices(subtoken, params.OwnServiceIdentity); err != nil {
                 logging.Warningf(c, "auth: Forbidden delegation token - %s", err)
                 return "", ErrForbiddenDelegationToken
         }
 
         // Do the audience check (may use group lookups).
         if err := checkSubtokenAudience(c, subtoken, params.PeerID, params.GroupsChecker); err != nil {
-                if errors.IsTransient(err) {
+                if retry.Tag.In(err) {
                         logging.Warningf(c, "auth: Transient error when checking delegation token audience - %s", err)
                         return "", err
                 }
                 logging.Warningf(c, "auth: Bad delegation token audience - %s", err)
                 return "", ErrForbiddenDelegationToken
         }
 
         // Grab delegated identity.
         ident, err := identity.MakeIdentity(subtoken.DelegatedIdentity)
         if err != nil {
@@ skipping 59 matching lines @@
         }
         // Search through groups now.
         switch ok, err := checker.IsMember(c, ident, groups...); {
         case err != nil:
                 return err // transient error during group lookup
         case ok:
                 return nil // success, 'ident' is in the target audience
         }
         return fmt.Errorf("%s is not allowed to use the token", ident)
 }