Merge pull request #500 from slashdevops/fix/retrier-lib

fix: replace httpretrier with httpx and apply Go 1.26 improvements

Author: christiangda

README.md

@@ -191,7 +191,7 @@ sam deploy --parameter-overrides SyncUserFields=phoneNumbers,addresses,enterpris
 ## ⚠️ Limitations
 
 * **Group Limit**: The AWS SSO SCIM API has a limit of 50 groups per request. Please support the feature request on the [AWS Support site](https://repost.aws/questions/QUqqnVkIo_SYyF_SlX5LcUjg/aws-sso-scim-api-pagination-for-methods) to help get this limit increased.
-* **Throttling**: With a large number of users and groups, you may encounter a `ThrottlingException` from the AWS SSO SCIM API. This project uses a [retryable HTTP client](https://github.com/p2p-b2b/httpretrier) to mitigate this, but it's still a possibility.
+* **Throttling**: With a large number of users and groups, you may encounter a `ThrottlingException` from the AWS SSO SCIM API. This project uses the [httpx](https://github.com/slashdevops/httpx) library with automatic retry and jitter backoff to mitigate this, but it's still a possibility.
 * **User Status**: The Google Workspace API doesn't differentiate between normal and guest users except for their status. This project only syncs `ACTIVE` users.
 
 ## For `ssosync` Users

cmd/idpscim/cmd/root.go

@@ -9,7 +9,6 @@ import (
 	"time"
 
 	"github.com/aws/aws-lambda-go/lambda"
-	"github.com/pkg/errors"
 	"github.com/slashdevops/idp-scim-sync/internal/config"
 	"github.com/slashdevops/idp-scim-sync/internal/setup"
 	"github.com/slashdevops/idp-scim-sync/internal/version"
@@ -92,13 +91,13 @@ func run(ctx context.Context) error {
 
 	ss, err := setup.SyncService(ctx, &cfg)
 	if err != nil {
-		return errors.Wrap(err, "cannot create sync service")
+		return fmt.Errorf("cannot create sync service: %w", err)
 	}
 
 	slog.Debug("app config", "config", cfg)
 
 	if err := ss.SyncGroupsAndTheirMembers(ctx); err != nil {
-		return errors.Wrap(err, "cannot sync groups and their members")
+		return fmt.Errorf("cannot sync groups and their members: %w", err)
 	}
 
 	slog.Info("sync groups completed", "duration", time.Since(timeStart).String())

cmd/idpscimcli/cmd/aws.go

@@ -3,10 +3,9 @@ package cmd
 import (
 	"context"
 	"log/slog"
-	"net/http"
 	"time"
 
-	"github.com/p2p-b2b/httpretrier"
+	"github.com/slashdevops/httpx"
 	"github.com/slashdevops/idp-scim-sync/internal/version"
 	"github.com/slashdevops/idp-scim-sync/pkg/aws"
 	"github.com/spf13/cobra"
@@ -92,11 +91,12 @@ func runAWSServiceConfig(_ *cobra.Command, _ []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reqTimeout)
 	defer cancel()
 
-	httpRetryClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		nil, // Use http.DefaultTransport
-	)
+	httpRetryClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.JitterBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		Build()
 
 	awsSCIMService, err := aws.NewSCIMService(httpRetryClient, cfg.AWSSCIMEndpoint, cfg.AWSSCIMAccessToken)
 	if err != nil {
@@ -120,16 +120,14 @@ func runAWSGroupsList(_ *cobra.Command, _ []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reqTimeout)
 	defer cancel()
 
-	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
-	httpTransport.MaxIdleConns = 100
-	httpTransport.MaxConnsPerHost = 100
-	httpTransport.MaxIdleConnsPerHost = 100
-
-	httpClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		httpTransport,
-	)
+	httpClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.JitterBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		WithMaxIdleConns(100).
+		WithMaxIdleConnsPerHost(100).
+		Build()
 
 	awsSCIMService, err := aws.NewSCIMService(httpClient, cfg.AWSSCIMEndpoint, cfg.AWSSCIMAccessToken)
 	if err != nil {
@@ -154,16 +152,14 @@ func runAWSUsersList(_ *cobra.Command, _ []string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), reqTimeout)
 	defer cancel()
 
-	httpTransport := http.DefaultTransport.(*http.Transport).Clone()
-	httpTransport.MaxIdleConns = 100
-	httpTransport.MaxConnsPerHost = 100
-	httpTransport.MaxIdleConnsPerHost = 100
-
-	httpClient := httpretrier.NewClient(
-		10, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 500*time.Millisecond),
-		httpTransport,
-	)
+	httpClient := httpx.NewClientBuilder().
+		WithMaxRetries(10).
+		WithRetryStrategy(httpx.JitterBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		WithMaxIdleConns(100).
+		WithMaxIdleConnsPerHost(100).
+		Build()
 
 	awsSCIMService, err := aws.NewSCIMService(httpClient, cfg.AWSSCIMEndpoint, cfg.AWSSCIMAccessToken)
 	if err != nil {

cmd/idpscimcli/cmd/gws.go

@@ -7,7 +7,7 @@ import (
 	"os"
 	"time"
 
-	"github.com/p2p-b2b/httpretrier"
+	"github.com/slashdevops/httpx"
 	"github.com/slashdevops/idp-scim-sync/internal/config"
 	"github.com/slashdevops/idp-scim-sync/internal/version"
 	"github.com/slashdevops/idp-scim-sync/pkg/google"
@@ -126,11 +126,12 @@ func getGWSDirectoryService(ctx context.Context) *google.DirectoryService {
 		"https://www.googleapis.com/auth/admin.directory.user.readonly",
 	}
 
-	httpRetryClient := httpretrier.NewClient(
-		3, // Max Retries
-		httpretrier.ExponentialBackoff(10*time.Millisecond, 100*time.Millisecond),
-		nil, // Use http.DefaultTransport
-	)
+	httpRetryClient := httpx.NewClientBuilder().
+		WithMaxRetries(3).
+		WithRetryStrategy(httpx.ExponentialBackoffStrategy).
+		WithRetryBaseDelay(500 * time.Millisecond).
+		WithRetryMaxDelay(10 * time.Second).
+		Build()
 
 	gServiceConfig := google.DirectoryServiceConfig{
 		UserEmail:      cfg.GWSUserEmail,

docs/Whats-New.md

@@ -2,6 +2,42 @@
 
 This document tracks notable changes, new features, and bug fixes across releases.
 
+## v0.40.1
+
+### Improved HTTP Retry Library
+
+Replaced the `httpretrier` library with [httpx](https://github.com/slashdevops/httpx), a zero-dependency HTTP client with built-in retry support.
+
+**Why:** The previous library did not properly handle HTTP `429 Too Many Requests` responses, which caused issues with AWS SSO SCIM API throttling under high load.
+
+**What changed:**
+
+* The `httpx` library automatically retries on `429` and `5xx` responses with configurable backoff strategies.
+* AWS SCIM API calls now use **jitter backoff** instead of simple exponential backoff, reducing the chance of thundering herd effects during rate limiting.
+* Google Workspace API calls use **exponential backoff** for reliable retries.
+* The `httpx` library has zero external dependencies and integrates with Go's `slog` logging.
+
+### AWS SCIM Client Improvements (`pkg/aws`)
+
+Several code quality improvements and bug fixes in the AWS SCIM client:
+
+* **Bug fix:** `CreateOrGetUser` used `reflect.DeepEqual` to compare a `*CreateUserRequest` with a `*GetUserResponse` — different types, so the comparison always returned `false`, causing unnecessary PUT updates on every 409 conflict. Replaced with a typed `usersEqual` function that compares only sync-relevant attributes.
+* **Removed `pkg/errors` dependency:** Replaced with stdlib `errors` and `fmt` packages. Sentinel errors now use `errors.New` instead of `errors.Errorf`.
+* **Go 1.26 `errors.AsType`:** Migrated all `errors.As` calls to the generic `errors.AsType[T]` for compile-time type safety and better performance.
+* **Fixed `String()` methods:** `User.String()` and `Group.String()` no longer call `os.Exit(1)` on marshal failure. They return a safe fallback string instead.
+* **Eliminated double JSON decode:** `GetUserByUserName` and `GetGroupByDisplayName` no longer marshal a resource to JSON and re-parse it. They use direct type conversion instead.
+* **Fixed decode error fallback:** `CreateGroup` and `CreateOrGetGroup` no longer attempt to read an already-consumed response body on decode failure.
+* **Removed redundant context set:** `do()` no longer calls `req.WithContext(ctx)` since the request is already created with `http.NewRequestWithContext`.
+* **Simplified type conversions:** `CreateOrGetUser` and `CreateOrGetGroup` use type conversions instead of manual field-by-field struct copies.
+
+### Go 1.26 Modernization
+
+Applied Go 1.26 best practices across the codebase:
+
+* **Removed `github.com/pkg/errors` dependency:** Replaced all `errors.Wrap` and `errors.Errorf` with stdlib `fmt.Errorf` (with `%w`) and `errors.New` in `internal/setup`, `internal/repository`, and `pkg/aws`.
+* **`errors.AsType[T]`:** Migrated `errors.As` calls to the generic `errors.AsType[T]` in `internal/core/sync.go` for type safety and performance.
+* **Fixed `os.Exit` in `Hash()`:** `internal/model.Hash()` no longer calls `os.Exit(1)` on nil input or encoding failure. It panics instead (appropriate for programming errors, recoverable, produces stack trace).
+
 ## v0.44.0
 
 ### Configurable User Fields

go.mod

@@ -7,18 +7,17 @@ require (
 	github.com/aws/aws-sdk-go-v2 v1.41.5
 	github.com/aws/aws-sdk-go-v2/config v1.32.13
 	github.com/aws/aws-sdk-go-v2/credentials v1.19.13
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0
 	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5
 	github.com/google/go-cmp v0.7.0
-	github.com/p2p-b2b/httpretrier v0.0.4
-	github.com/pkg/errors v0.9.1
+	github.com/slashdevops/httpx v0.0.4
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/mock v0.6.0
 	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
-	google.golang.org/api v0.273.0
+	google.golang.org/api v0.273.1
 	gopkg.in/yaml.v3 v3.0.1
 )
 

go.sum

@@ -32,8 +32,8 @@ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 h1:c31//R3x
 github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21/go.mod h1:r6+pf23ouCB718FUxaqzZdbpYFyDtehyZcmP5KL9FkA=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWURB8avufQq9gFsheUgjVD9536obIknfM=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3 h1:HwxWTbTrIHm5qY+CAEur0s/figc3qwvLWsNkF4RPToo=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.97.3/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0 h1:foqo/ocQ7WqKwy3FojGtZQJo0FR4vto9qnz9VaumbCo=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.98.0/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5 h1:z2ayoK3pOvf8ODj/vPR0FgAS5ONruBq0F94SRoW/BIU=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.41.5/go.mod h1:mpZB5HAl4ZIISod9qCi12xZ170TbHX9CCJV5y7nb7QU=
 github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg=
@@ -82,19 +82,17 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/p2p-b2b/httpretrier v0.0.4 h1:TREDrCthpm0jMTLq2T9+rf8hhH9h36W8Vf8l3L5+WiI=
-github.com/p2p-b2b/httpretrier v0.0.4/go.mod h1:0yKtg4EekYBRzwLIiRVBqh4A/I3VQRiSdBnpu5InyOw=
 github.com/pelletier/go-toml/v2 v2.3.0 h1:k59bC/lIZREW0/iVaQR8nDHxVq8OVlIzYCOJf421CaM=
 github.com/pelletier/go-toml/v2 v2.3.0/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
-github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
-github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sagikazarmark/locafero v0.12.0 h1:/NQhBAkUb4+fH1jivKHWusDYFjMOOKU88eegjfxfHb4=
 github.com/sagikazarmark/locafero v0.12.0/go.mod h1:sZh36u/YSZ918v0Io+U9ogLYQJ9tLLBmM4eneO6WwsI=
+github.com/slashdevops/httpx v0.0.4 h1:XhwMl9asfiPSqBaTv4wNjwFus6RFfgsEffl33BZazK4=
+github.com/slashdevops/httpx v0.0.4/go.mod h1:RIXp0/ylq/BqDlPo8glvay29Nr6zHw6jbExJneLYXKQ=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
@@ -146,8 +144,8 @@ golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 gonum.org/v1/gonum v0.16.0 h1:5+ul4Swaf3ESvrOnidPp4GZbzf0mxVQpDCYUQE7OJfk=
 gonum.org/v1/gonum v0.16.0/go.mod h1:fef3am4MQ93R2HHpKnLk4/Tbh/s0+wqD5nfa6Pnwy4E=
-google.golang.org/api v0.273.0 h1:r/Bcv36Xa/te1ugaN1kdJ5LoA5Wj/cL+a4gj6FiPBjQ=
-google.golang.org/api v0.273.0/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew=
+google.golang.org/api v0.273.1 h1:L7G/TmpAMz0nKx/ciAVssVmWQiOF6+pOuXeKrWVsquY=
+google.golang.org/api v0.273.1/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew=
 google.golang.org/genproto v0.0.0-20260316180232-0b37fe3546d5 h1:JNfk58HZ8lfmXbYK2vx/UvsqIL59TzByCxPIX4TDmsE=
 google.golang.org/genproto v0.0.0-20260316180232-0b37fe3546d5/go.mod h1:x5julN69+ED4PcFk/XWayw35O0lf/nGa4aNgODCmNmw=
 google.golang.org/genproto/googleapis/api v0.0.0-20260316180232-0b37fe3546d5 h1:CogIeEXn4qWYzzQU0QqvYBM8yDF9cFYzDq9ojSpv0Js=

internal/core/sync.go

@@ -101,10 +101,10 @@ func (ss *SyncService) SyncGroupsAndTheirMembers(ctx context.Context) error {
 	slog.Info("getting state data")
 	state, err := ss.repo.GetState(ctx)
 	if err != nil {
-		var nsk *types.NoSuchKey
-		var StateFileEmpty *repository.ErrStateFileEmpty
-
-		if errors.As(err, &nsk) || errors.As(err, &StateFileEmpty) {
+		if _, ok := errors.AsType[*types.NoSuchKey](err); ok {
+			slog.Warn("no state file found in the state repository, creating a new one")
+			state = model.StateBuilder().Build()
+		} else if _, ok := errors.AsType[*repository.ErrStateFileEmpty](err); ok {
 			slog.Warn("no state file found in the state repository, creating a new one")
 			state = model.StateBuilder().Build()
 		} else {

internal/model/hash.go

@@ -5,22 +5,20 @@ import (
 	"crypto/sha256"
 	"encoding/gob"
 	"fmt"
-	"log/slog"
-	"os"
 )
 
-// Hash returns a sha256 hash of value pass as argument
+// Hash returns a sha256 hash of value pass as argument.
+// It panics if value is nil or cannot be gob-encoded, since these
+// conditions indicate a programming error in the caller.
 func Hash(value any) string {
 	if value == nil {
-		slog.Error("value is nil")
-		os.Exit(1)
+		panic("model: Hash called with nil value")
 	}
 
 	buf := new(bytes.Buffer)
 	enc := gob.NewEncoder(buf)
 	if err := enc.Encode(value); err != nil {
-		slog.Error("error encoding value")
-		os.Exit(1)
+		panic(fmt.Sprintf("model: Hash encoding error: %v", err))
 	}
 
 	return fmt.Sprintf("%x", sha256.Sum256(buf.Bytes()))

internal/repository/s3.go

@@ -4,11 +4,11 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
-	"github.com/pkg/errors"
 	"github.com/slashdevops/idp-scim-sync/internal/model"
 )