[errors] de-specialize Transient in favor of Tags.

tokenserver/auth/machine/auth_method.go

 // Copyright 2016 The LUCI Authors. All rights reserved.
 // Use of this source code is governed under the Apache License, Version 2.0
 // that can be found in the LICENSE file.
 
 // Package machine implements authentication based on LUCI machine tokens.
 package machine
 
 import (
         "encoding/base64"
         "fmt"
         "net/http"
         "time"
 
         "github.com/golang/protobuf/proto"
         "golang.org/x/net/context"
 
         "github.com/luci/luci-go/common/clock"
         "github.com/luci/luci-go/common/errors"
         "github.com/luci/luci-go/common/logging"
+        "github.com/luci/luci-go/common/retry"
         "github.com/luci/luci-go/server/auth"
         "github.com/luci/luci-go/server/auth/identity"
         "github.com/luci/luci-go/server/auth/signing"
 
         "github.com/luci/luci-go/tokenserver/api"
 )
 
 const (
         // MachineTokenHeader is an HTTP header that carries the machine token.
         MachineTokenHeader = "X-Luci-Machine-Token"
@@ skipping 53 matching lines @@
         // it belongs to "auth-token-servers" group.
         signerServiceAccount, err := identity.MakeIdentity("user:" + body.IssuedBy)
         if err != nil {
                 logTokenError(c, r, body, err, "Bad issued_by field - %q", body.IssuedBy)
                 return nil, ErrBadToken
         }
 
         // Reject tokens from unknown token servers right away.
         db, err := auth.GetDB(c)
         if err != nil {
-                return nil, errors.WrapTransient(err)
+                return nil, retry.Tag.Apply(err)
         }
         ok, err := db.IsMember(c, signerServiceAccount, TokenServersGroup)
         if err != nil {
-                return nil, errors.WrapTransient(err)
+                return nil, retry.Tag.Apply(err)
         }
         if !ok {
                 logTokenError(c, r, body, nil, "Unknown token issuer - %q", body.IssuedBy)
                 return nil, ErrBadToken
         }
 
         // Check the expiration time before doing any heavier checks.
         if err = checkExpiration(body, clock.Now(c)); err != nil {
                 logTokenError(c, r, body, err, "Token has expired or not yet valid")
                 return nil, ErrBadToken
         }
 
         // Check the token was actually signed by the server.
         if err = m.checkSignature(c, body.IssuedBy, envelope); err != nil {
-                if errors.IsTransient(err) {
+                if retry.Tag.In(err) {
                         return nil, err
                 }
                 logTokenError(c, r, body, err, "Bad signature")
                 return nil, ErrBadToken
         }
 
         // The token is valid. Construct the bot identity.
         botIdent, err := identity.MakeIdentity("bot:" + body.MachineFqdn)
         if err != nil {
                 logTokenError(c, r, body, err, "Bad machine_fqdn - %q", body.MachineFqdn)
@@ skipping 57 matching lines @@
 
 // checkSignature verifies the token signature.
 func (m *MachineTokenAuthMethod) checkSignature(c context.Context, signerEmail string, envelope *tokenserver.MachineTokenEnvelope) error {
         // Note that FetchCertificatesForServiceAccount implements caching inside.
         fetcher := m.certsFetcher
         if fetcher == nil {
                 fetcher = signing.FetchCertificatesForServiceAccount
         }
         certs, err := fetcher(c, signerEmail)
         if err != nil {
-                return errors.WrapTransient(err)
+                return retry.Tag.Apply(err)
         }
         return certs.CheckSignature(envelope.KeyId, envelope.TokenBody, envelope.RsaSha256)
 }