remove source, remove deadcode, fix linting issues

Caleb Doxsey 2023-04-21 09:08:56 -06:00
parent 681cf6fa27
commit 9fe4361d85
116 changed files with 404 additions and 535 deletions


@ -46,10 +46,15 @@ linters-settings:
linters:
disable-all: true
enable:
- asasalint
- bodyclose
- depguard
- dogsled
- errcheck
- errorlint
- exportloopref
- gci
- gocheckcompilerdirectives
- gofmt
- goimports
- goprintffuncname
@ -58,15 +63,18 @@ linters:
- govet
- ineffassign
- lll
- loggercheck
- misspell
- nakedret
- nolintlint
- revive
- staticcheck
- stylecheck
- tenv
- typecheck
- unconvert
- unused
- usestdlibvars
issues:
exclude-use-default: false
@ -96,6 +104,7 @@ issues:
- (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
# gosec: False positive is triggered by 'src, err := os.ReadFile(filename)'
- Potential file inclusion via variable
- empty-block
##
## Custom
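Review bot: The `- empty-block` entry that closes the gosec exclusions carries no comment saying which linter it silences or why, unlike the patterns above it. It appears to be a plain text pattern in the `issues` exclude list (the list key itself is outside the hunk), so it would suppress every finding whose message contains that string anywhere in the repository, including an empty `if err != nil {}` body that hides a dropped error. I would add a comment above it, e.g. `# revive: empty blocks tolerated in <placeholder: where and why>`, or narrow it with an `exclude-rules` entry limited to the paths that need it.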


@ -168,7 +168,7 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
}
// RobotsTxt handles the /robots.txt route.
func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request) {
func (a *Authenticate) RobotsTxt(w http.ResponseWriter, _ *http.Request) {
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
w.WriteHeader(http.StatusOK)
fmt.Fprintf(w, "User-agent: *\nDisallow: /")


@ -50,7 +50,7 @@ func testAuthenticate() *Authenticate {
func TestAuthenticate_RobotsTxt(t *testing.T) {
auth := testAuthenticate()
req, err := http.NewRequest("GET", "/robots.txt", nil)
req, err := http.NewRequest(http.MethodGet, "/robots.txt", nil)
if err != nil {
t.Fatal(err)
}
@ -73,7 +73,7 @@ func TestAuthenticate_Handler(t *testing.T) {
if h == nil {
t.Error("handler cannot be nil")
}
req := httptest.NewRequest("GET", "/robots.txt", nil)
req := httptest.NewRequest(http.MethodGet, "/robots.txt", nil)
req.Header.Set("Accept", "application/json")
rr := httptest.NewRecorder()
@ -88,7 +88,7 @@ func TestAuthenticate_Handler(t *testing.T) {
// cors preflight
req = httptest.NewRequest(http.MethodOptions, "/.pomerium/sign_in", nil)
req.Header.Set("Accept", "application/json")
req.Header.Set("Access-Control-Request-Method", "GET")
req.Header.Set("Access-Control-Request-Method", http.MethodGet)
req.Header.Set("Access-Control-Request-Headers", "X-Requested-With")
rr = httptest.NewRecorder()
h.ServeHTTP(rr, req)
@ -430,7 +430,7 @@ func TestAuthenticate_SessionValidatorMiddleware(t *testing.T) {
}),
options: config.NewAtomicOptions(),
}
r := httptest.NewRequest("GET", "/", nil)
r := httptest.NewRequest(http.MethodGet, "/", nil)
state, err := tt.session.LoadSession(r)
if err != nil {
t.Fatal(err)
@ -461,7 +461,7 @@ func TestAuthenticate_userInfo(t *testing.T) {
t.Run("cookie-redirect-uri", func(t *testing.T) {
w := httptest.NewRecorder()
r := httptest.NewRequest("GET", "https://authenticate.service.cluster.local/.pomerium/?pomerium_redirect_uri=https://www.example.com", nil)
r := httptest.NewRequest(http.MethodGet, "https://authenticate.service.cluster.local/.pomerium/?pomerium_redirect_uri=https://www.example.com", nil)
var a Authenticate
a.state = atomicutil.NewValue(&authenticateState{
cookieSecret: cryptutil.NewKey(),


@ -26,7 +26,7 @@ var cookieChunker = httputil.NewCookieChunker()
func (a *Authenticate) buildIdentityProfile(
ctx context.Context,
r *http.Request,
sessionState *sessions.State,
_ *sessions.State,
claims identity.SessionClaims,
oauthToken *oauth2.Token,
) (*identitypb.Profile, error) {


@ -61,8 +61,8 @@ func (a *Authorize) handleResult(
}
func (a *Authorize) handleResultAllowed(
ctx context.Context,
in *envoy_service_auth_v3.CheckRequest,
_ context.Context,
_ *envoy_service_auth_v3.CheckRequest,
result *evaluator.Result,
) (*envoy_service_auth_v3.CheckResponse, error) {
return a.okResponse(result.Headers), nil


@ -4,7 +4,6 @@ import (
"context"
"net/http"
"net/http/httptest"
"net/url"
"testing"
envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
@ -95,8 +94,8 @@ func TestAuthorize_okResponse(t *testing.T) {
opt := &config.Options{
AuthenticateURLString: "https://authenticate.example.com",
Policies: []config.Policy{{
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
To: mustParseWeightedURLs(t, "https://to.example.com"),
From: "https://example.com",
To: mustParseWeightedURLs(t, "https://to.example.com"),
SubPolicies: []config.SubPolicy{{
Rego: []string{"allow = true"},
}},
@ -160,7 +159,7 @@ func TestAuthorize_deniedResponse(t *testing.T) {
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))}
a.currentOptions.Store(&config.Options{
Policies: []config.Policy{{
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
From: "https://example.com",
SubPolicies: []config.SubPolicy{{
Rego: []string{"allow = true"},
}},


@ -87,7 +87,7 @@ func TestEvaluator(t *testing.T) {
Action: parser.ActionAllow,
Or: []parser.Criterion{{
Name: "http_method", Data: parser.Object{
"is": parser.String("GET"),
"is": parser.String(http.MethodGet),
},
}},
}},
@ -152,7 +152,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -177,7 +177,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -204,7 +204,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -228,7 +228,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -252,7 +252,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -283,7 +283,7 @@ func TestEvaluator(t *testing.T) {
ID: "session2",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -308,7 +308,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -332,7 +332,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -361,7 +361,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -384,7 +384,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
},
@ -421,7 +421,7 @@ func TestEvaluator(t *testing.T) {
ID: "session1",
},
HTTP: RequestHTTP{
Method: "GET",
Method: http.MethodGet,
URL: "https://from.example.com",
ClientCertificate: testValidCert,
Headers: tc.src,
@ -436,7 +436,7 @@ func TestEvaluator(t *testing.T) {
res, err := eval(t, options, []proto.Message{}, &Request{
Policy: &policies[8],
HTTP: NewRequestHTTP(
"GET",
http.MethodGet,
*mustParseURL("https://from.example.com/"),
nil,
testValidCert,


@ -66,7 +66,7 @@ type gcpIdentityTokenSource struct {
func (src *gcpIdentityTokenSource) Token() (*oauth2.Token, error) {
res, err, _ := src.singleflight.Do("", func() (interface{}, error) {
req, err := http.NewRequestWithContext(context.Background(), "GET", GCPIdentityDocURL+"?"+url.Values{
req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, GCPIdentityDocURL+"?"+url.Values{
"format": {"full"},
"audience": {src.audience},
}.Encode(), nil)


@ -2,6 +2,7 @@ package evaluator
import (
"context"
"net/http"
"strings"
"testing"
"time"
@ -69,7 +70,7 @@ func TestPolicyEvaluator(t *testing.T) {
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
@ -86,7 +87,7 @@ func TestPolicyEvaluator(t *testing.T) {
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: false,
@ -103,7 +104,7 @@ func TestPolicyEvaluator(t *testing.T) {
p1,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s2"},
IsValidClientCertificate: true,
@ -134,7 +135,7 @@ func TestPolicyEvaluator(t *testing.T) {
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
@ -164,7 +165,7 @@ func TestPolicyEvaluator(t *testing.T) {
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
@ -195,7 +196,7 @@ func TestPolicyEvaluator(t *testing.T) {
p,
[]proto.Message{s1, u1, s2, u2},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: false,
@ -234,7 +235,7 @@ func TestPolicyEvaluator(t *testing.T) {
p,
[]proto.Message{s1, u1, s2, u2, r1},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "s1"},
IsValidClientCertificate: true,
@ -257,7 +258,7 @@ func TestPolicyEvaluator(t *testing.T) {
},
},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "sa1"},
IsValidClientCertificate: true,
@ -281,7 +282,7 @@ func TestPolicyEvaluator(t *testing.T) {
},
},
&PolicyRequest{
HTTP: RequestHTTP{Method: "GET", URL: "https://from.example.com/path"},
HTTP: RequestHTTP{Method: http.MethodGet, URL: "https://from.example.com/path"},
Session: RequestSession{ID: "sa1"},
IsValidClientCertificate: true,


@ -2,6 +2,7 @@ package authorize
import (
"context"
"net/http"
"net/url"
"testing"
@ -45,7 +46,7 @@ func Test_getEvaluatorRequest(t *testing.T) {
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))}
a.currentOptions.Store(&config.Options{
Policies: []config.Policy{{
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
From: "https://example.com",
SubPolicies: []config.SubPolicy{{
Rego: []string{"allow = true"},
}},
@ -61,7 +62,7 @@ func Test_getEvaluatorRequest(t *testing.T) {
Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "id-1234",
Method: "GET",
Method: http.MethodGet,
Headers: map[string]string{
"accept": "text/html",
"x-forwarded-proto": "https",
@ -85,7 +86,7 @@ func Test_getEvaluatorRequest(t *testing.T) {
ID: "SESSION_ID",
},
HTTP: evaluator.NewRequestHTTP(
"GET",
http.MethodGet,
mustParseURL("http://example.com/some/path?qs=1"),
map[string]string{
"Accept": "text/html",
@ -102,7 +103,7 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))}
a.currentOptions.Store(&config.Options{
Policies: []config.Policy{{
Source: &config.StringURL{URL: &url.URL{Host: "example.com"}},
From: "https://example.com",
SubPolicies: []config.SubPolicy{{
Rego: []string{"allow = true"},
}},
@ -117,7 +118,7 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
Request: &envoy_service_auth_v3.AttributeContext_Request{
Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
Id: "id-1234",
Method: "GET",
Method: http.MethodGet,
Headers: map[string]string{
"accept": "text/html",
"x-forwarded-proto": "https",
@ -135,7 +136,7 @@ func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
Policy: &a.currentOptions.Load().Policies[0],
Session: evaluator.RequestSession{},
HTTP: evaluator.NewRequestHTTP(
"GET",
http.MethodGet,
mustParseURL("http://example.com/some/path?qs=1"),
map[string]string{
"Accept": "text/html",


@ -36,7 +36,7 @@ func (dispatcher *ChangeDispatcher) Trigger(ctx context.Context, cfg *Config) {
}
// OnConfigChange adds a listener.
func (dispatcher *ChangeDispatcher) OnConfigChange(ctx context.Context, li ChangeListener) {
func (dispatcher *ChangeDispatcher) OnConfigChange(_ context.Context, li ChangeListener) {
dispatcher.Lock()
defer dispatcher.Unlock()
dispatcher.onConfigChangeListeners = append(dispatcher.onConfigChangeListeners, li)
@ -80,7 +80,7 @@ func (src *StaticSource) SetConfig(ctx context.Context, cfg *Config) {
}
// OnConfigChange is ignored for the StaticSource.
func (src *StaticSource) OnConfigChange(ctx context.Context, li ChangeListener) {
func (src *StaticSource) OnConfigChange(_ context.Context, li ChangeListener) {
src.mu.Lock()
defer src.mu.Unlock()


@ -97,7 +97,7 @@ func (b *Builder) BuildBootstrapAdmin(cfg *config.Config) (admin *envoy_config_b
// BuildBootstrapDynamicResources builds the dynamic resources for the envoy bootstrap.
func (b *Builder) BuildBootstrapDynamicResources(
cfg *config.Config,
_ *config.Config,
fullyStatic bool,
) (dynamicResources *envoy_config_bootstrap_v3.Bootstrap_DynamicResources, err error) {
if fullyStatic {


@ -10,7 +10,7 @@ import (
"github.com/pomerium/pomerium/config"
)
func (b *Builder) buildEnvoyAdminCluster(ctx context.Context, cfg *config.Config) (*envoy_config_cluster_v3.Cluster, error) {
func (b *Builder) buildEnvoyAdminCluster(_ context.Context, _ *config.Config) (*envoy_config_cluster_v3.Cluster, error) {
return &envoy_config_cluster_v3.Cluster{
Name: envoyAdminClusterName,
ConnectTimeout: defaultConnectionTimeout,


@ -233,12 +233,12 @@ func getCombinedCertificateAuthority(cfg *config.Config) ([]byte, error) {
}
func marshalAny(msg proto.Message) *anypb.Any {
any := new(anypb.Any)
_ = anypb.MarshalFrom(any, msg, proto.MarshalOptions{
data := new(anypb.Any)
_ = anypb.MarshalFrom(data, msg, proto.MarshalOptions{
AllowPartial: true,
Deterministic: true,
})
return any
return data
}
// parseAddress parses a string address into an envoy address.
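Review bot: `marshalAny` still discards the error from `anypb.MarshalFrom` (`_ = anypb.MarshalFrom(data, msg, ...)`), so a message that fails to marshal comes back as an empty `Any` with no signal to the caller. The rename does not change this, but since the line is being touched, either add a comment stating why the call cannot fail for the messages passed here, or log the error before returning. Presumably the result is embedded in generated Envoy configuration, where a silently empty typed config is hard to trace back; the callers are outside this hunk, so that should be confirmed.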


@ -27,7 +27,6 @@ import (
"github.com/pomerium/pomerium/internal/sets"
"github.com/pomerium/pomerium/internal/telemetry/metrics"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
const listenerBufferLimit uint32 = 32 * 1024
@ -576,37 +575,6 @@ func getAllRouteableHosts(options *config.Options, addr string) ([]string, error
return allHosts.ToSlice(), nil
}
func getAllServerNames(cfg *config.Config, addr string) ([]string, error) {
serverNames := sets.NewSorted[string]()
serverNames.Add("*")
certs, err := cfg.AllCertificates()
if err != nil {
return nil, err
}
for i := range certs {
serverNames.Add(cryptutil.GetCertificateServerNames(&certs[i])...)
}
if addr == cfg.Options.Addr {
sns, err := cfg.Options.GetAllRouteableHTTPServerNames()
if err != nil {
return nil, err
}
serverNames.Add(sns...)
}
if addr == cfg.Options.GetGRPCAddr() {
sns, err := cfg.Options.GetAllRouteableGRPCServerNames()
if err != nil {
return nil, err
}
serverNames.Add(sns...)
}
return serverNames.ToSlice(), nil
}
func urlsMatchHost(urls []*url.URL, host string) bool {
for _, u := range urls {
if urlMatchesHost(u, host) {


@ -11,7 +11,7 @@ import (
"github.com/pomerium/pomerium/config"
)
func (b *Builder) buildEnvoyAdminListener(ctx context.Context, cfg *config.Config) (*envoy_config_listener_v3.Listener, error) {
func (b *Builder) buildEnvoyAdminListener(_ context.Context, cfg *config.Config) (*envoy_config_listener_v3.Listener, error) {
filter, err := b.buildEnvoyAdminHTTPConnectionManagerFilter()
if err != nil {
return nil, err


@ -125,7 +125,7 @@ func Test_buildDownstreamTLSContext(t *testing.T) {
downstreamTLSContext, err := b.buildDownstreamTLSContextMulti(context.Background(), &config.Config{Options: &config.Options{
Policies: []config.Policy{
{
Source: &config.StringURL{URL: mustParseURL(t, "https://a.example.com:1234")},
From: "https://a.example.com:1234",
TLSDownstreamClientCA: "TEST",
},
},
@ -224,10 +224,10 @@ func Test_getAllDomains(t *testing.T) {
AuthorizeURLString: "https://authorize.example.com:9001",
DataBrokerURLString: "https://cache.example.com:9001",
Policies: []config.Policy{
{Source: &config.StringURL{URL: mustParseURL(t, "http://a.example.com")}},
{Source: &config.StringURL{URL: mustParseURL(t, "https://b.example.com")}},
{Source: &config.StringURL{URL: mustParseURL(t, "https://c.example.com")}},
{Source: &config.StringURL{URL: mustParseURL(t, "https://d.unknown.example.com")}},
{From: "http://a.example.com"},
{From: "https://b.example.com"},
{From: "https://c.example.com"},
{From: "https://d.unknown.example.com"},
},
Cert: base64.StdEncoding.EncodeToString(certPEM),
Key: base64.StdEncoding.EncodeToString(keyPEM),
@ -281,33 +281,6 @@ func Test_getAllDomains(t *testing.T) {
assert.Equal(t, expect, actual)
})
})
t.Run("tls", func(t *testing.T) {
t.Run("http", func(t *testing.T) {
actual, err := getAllServerNames(&config.Config{Options: options}, "127.0.0.1:9000")
require.NoError(t, err)
expect := []string{
"*",
"*.unknown.example.com",
"a.example.com",
"authenticate.example.com",
"b.example.com",
"c.example.com",
"d.unknown.example.com",
}
assert.Equal(t, expect, actual)
})
t.Run("grpc", func(t *testing.T) {
actual, err := getAllServerNames(&config.Config{Options: options}, "127.0.0.1:9001")
require.NoError(t, err)
expect := []string{
"*",
"*.unknown.example.com",
"authorize.example.com",
"cache.example.com",
}
assert.Equal(t, expect, actual)
})
})
}
func Test_urlMatchesHost(t *testing.T) {


@ -116,7 +116,7 @@ func buildUpstreamALPN(upstreamProtocol upstreamProtocolConfig) []string {
}
}
func getUpstreamProtocolForPolicy(ctx context.Context, policy *config.Policy) upstreamProtocolConfig {
func getUpstreamProtocolForPolicy(_ context.Context, policy *config.Policy) upstreamProtocolConfig {
upstreamProtocol := upstreamProtocolAuto
if policy.AllowWebsockets {
// #2388, force http/1 when using web sockets


@ -29,7 +29,7 @@ func (b *Builder) BuildRouteConfigurations(
}
func (b *Builder) buildMainRouteConfiguration(
ctx context.Context,
_ context.Context,
cfg *config.Config,
) (*envoy_config_route_v3.RouteConfiguration, error) {
var certs []tls.Certificate


@ -198,7 +198,12 @@ func (b *Builder) buildPolicyRoutes(
for i, p := range options.GetAllPolicies() {
policy := p
if !urlMatchesHost(policy.Source.URL, host) {
fromURL, err := urlutil.ParseAndValidateURL(policy.From)
if err != nil {
return nil, err
}
if !urlMatchesHost(fromURL, host) {
continue
}
@ -335,7 +340,8 @@ func (b *Builder) buildPolicyRouteRouteAction(options *config.Options, policy *c
Enabled: &wrappers.BoolValue{Value: policy.AllowSPDY},
},
}
if urlutil.IsTCP(policy.Source.URL) {
if policy.IsTCP() {
upgradeConfigs = append(upgradeConfigs, &envoy_config_route_v3.RouteAction_UpgradeConfig{
UpgradeType: "CONNECT",
Enabled: &wrappers.BoolValue{Value: true},
@ -407,7 +413,7 @@ func toEnvoyHeaders(headers map[string]string) []*envoy_config_core_v3.HeaderVal
func mkRouteMatch(policy *config.Policy) *envoy_config_route_v3.RouteMatch {
match := &envoy_config_route_v3.RouteMatch{}
switch {
case urlutil.IsTCP(policy.Source.URL):
case policy.IsTCP():
match.PathSpecifier = &envoy_config_route_v3.RouteMatch_ConnectMatcher_{
ConnectMatcher: &envoy_config_route_v3.RouteMatch_ConnectMatcher{},
}
@ -473,7 +479,7 @@ func getRouteIdleTimeout(policy *config.Policy) *durationpb.Duration {
func shouldDisableStreamIdleTimeout(policy *config.Policy) bool {
return policy.AllowWebsockets ||
urlutil.IsTCP(policy.Source.URL) ||
policy.IsTCP() ||
policy.IsForKubernetes() // disable for kubernetes so that tailing logs works (#2182)
}
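Review bot: In `buildPolicyRoutes` the error from the new `urlutil.ParseAndValidateURL(policy.From)` call is returned bare, so a single malformed `from` aborts route generation for the host without saying which policy caused it; the same pattern is added in `GetAllRouteableHTTPHosts`. Until this commit `Source` was populated in `Policy.Validate`, so both paths now rely on `From` being parseable at use time, which is worth confirming for policies that reach here without passing through `Validate`. I would wrap the error, e.g. `return nil, fmt.Errorf("policy %d: invalid from URL %q: %w", i, policy.From, err)`, and consider parsing once per policy rather than once per policy per host. The body of `buildPolicyRoutes` starts and ends outside the hunk.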


@ -298,7 +298,7 @@ func TestTimeouts(t *testing.T) {
DefaultUpstreamTimeout: time.Second * 3,
Policies: []config.Policy{
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Path: "/test",
UpstreamTimeout: getDuration(tc.upstream),
IdleTimeout: getDuration(tc.idle),
@ -352,48 +352,48 @@ func Test_buildPolicyRoutes(t *testing.T) {
DefaultUpstreamTimeout: time.Second * 3,
Policies: []config.Policy{
{
Source: &config.StringURL{URL: mustParseURL(t, "https://ignore.example.com")},
From: "https://ignore.example.com",
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Path: "/some/path",
AllowWebsockets: true,
PreserveHostHeader: true,
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Prefix: "/some/prefix/",
SetRequestHeaders: map[string]string{"HEADER-KEY": "HEADER-VALUE"},
UpstreamTimeout: &oneMinute,
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Regex: `^/[a]+$`,
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Prefix: "/some/prefix/",
RemoveRequestHeaders: []string{"HEADER-KEY"},
UpstreamTimeout: &oneMinute,
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Path: "/some/path",
AllowSPDY: true,
PreserveHostHeader: true,
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Path: "/some/path",
AllowSPDY: true,
AllowWebsockets: true,
@ -401,7 +401,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
Path: "/websocket-timeout",
AllowWebsockets: true,
PreserveHostHeader: true,
@ -911,7 +911,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
DefaultUpstreamTimeout: time.Second * 3,
Policies: []config.Policy{
{
Source: &config.StringURL{URL: mustParseURL(t, "https://authenticate.example.com")},
From: "https://authenticate.example.com",
PassIdentityHeaders: true,
},
},
@ -992,11 +992,11 @@ func Test_buildPolicyRoutes(t *testing.T) {
DefaultUpstreamTimeout: time.Second * 3,
Policies: []config.Policy{
{
Source: &config.StringURL{URL: mustParseURL(t, "tcp+https://example.com:22")},
From: "tcp+https://example.com:22",
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "tcp+https://example.com:22")},
From: "tcp+https://example.com:22",
PassIdentityHeaders: true,
UpstreamTimeout: &ten,
},
@ -1143,7 +1143,7 @@ func Test_buildPolicyRoutes(t *testing.T) {
},
Policies: []config.Policy{
{
Source: &config.StringURL{URL: mustParseURL(t, "https://from.example.com")},
From: "https://from.example.com",
},
},
}, "from.example.com", false)
@ -1229,37 +1229,37 @@ func Test_buildPolicyRoutesRewrite(t *testing.T) {
DefaultUpstreamTimeout: time.Second * 3,
Policies: []config.Policy{
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
To: mustParseWeightedURLs(t, "https://foo.example.com/bar"),
PassIdentityHeaders: true,
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
To: mustParseWeightedURLs(t, "https://foo.example.com/bar"),
PassIdentityHeaders: true,
PrefixRewrite: "/foo",
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
To: mustParseWeightedURLs(t, "https://foo.example.com/bar"),
PassIdentityHeaders: true,
RegexRewritePattern: "^/service/([^/]+)(/.*)$",
RegexRewriteSubstitution: "\\2/instance/\\1",
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
To: mustParseWeightedURLs(t, "https://foo.example.com/bar"),
PassIdentityHeaders: true,
HostRewrite: "literal.example.com",
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
To: mustParseWeightedURLs(t, "https://foo.example.com/bar"),
PassIdentityHeaders: true,
HostRewriteHeader: "HOST_HEADER",
},
{
Source: &config.StringURL{URL: mustParseURL(t, "https://example.com")},
From: "https://example.com",
To: mustParseWeightedURLs(t, "https://foo.example.com/bar"),
PassIdentityHeaders: true,
HostPathRegexRewritePattern: "^/(.+)/.+$",


@ -26,7 +26,7 @@ func (mgr *LogManager) Close() error {
}
// OnConfigChange is called whenever configuration changes.
func (mgr *LogManager) OnConfigChange(ctx context.Context, cfg *Config) {
func (mgr *LogManager) OnConfigChange(_ context.Context, cfg *Config) {
if cfg == nil || cfg.Options == nil {
return
}


@ -9,12 +9,12 @@ import (
"sync"
"time"
"github.com/rs/zerolog"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/middleware"
"github.com/pomerium/pomerium/internal/telemetry"
"github.com/pomerium/pomerium/internal/telemetry/metrics"
"github.com/rs/zerolog"
)
const (


@ -52,7 +52,7 @@ func TestMetricsManagerBasicAuth(t *testing.T) {
assert.NoError(t, err)
assert.Equal(t, http.StatusUnauthorized, res.StatusCode)
req, err := http.NewRequest("GET", fmt.Sprintf("%s/metrics", srv1.URL), nil)
req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("%s/metrics", srv1.URL), nil)
require.NoError(t, err)
req.SetBasicAuth("x", "y")
res, err = http.DefaultClient.Do(req)


@ -463,7 +463,7 @@ func (o *Options) viperIsSet(key string) bool {
// parseHeaders handles unmarshalling any custom headers correctly from the
// environment or viper's parsed keys
func (o *Options) parseHeaders(ctx context.Context) error {
func (o *Options) parseHeaders(_ context.Context) error {
var headers map[string]string
if o.HeadersEnv != "" {
// Handle JSON by default via viper
@ -1094,51 +1094,6 @@ func (o *Options) GetAllRouteableGRPCHosts() ([]string, error) {
return hosts.ToSlice(), nil
}
// GetAllRouteableGRPCServerNames returns all the possible gRPC server names handled by the Pomerium options.
func (o *Options) GetAllRouteableGRPCServerNames() ([]string, error) {
hosts := sets.NewSorted[string]()
// authorize urls
if IsAll(o.Services) {
authorizeURLs, err := o.GetAuthorizeURLs()
if err != nil {
return nil, err
}
for _, u := range authorizeURLs {
hosts.Add(urlutil.GetServerNamesForURL(u)...)
}
} else if IsAuthorize(o.Services) {
authorizeURLs, err := o.GetInternalAuthorizeURLs()
if err != nil {
return nil, err
}
for _, u := range authorizeURLs {
hosts.Add(urlutil.GetServerNamesForURL(u)...)
}
}
// databroker urls
if IsAll(o.Services) {
dataBrokerURLs, err := o.GetDataBrokerURLs()
if err != nil {
return nil, err
}
for _, u := range dataBrokerURLs {
hosts.Add(urlutil.GetServerNamesForURL(u)...)
}
} else if IsDataBroker(o.Services) {
dataBrokerURLs, err := o.GetInternalDataBrokerURLs()
if err != nil {
return nil, err
}
for _, u := range dataBrokerURLs {
hosts.Add(urlutil.GetServerNamesForURL(u)...)
}
}
return hosts.ToSlice(), nil
}
// GetAllRouteableHTTPHosts returns all the possible HTTP hosts handled by the Pomerium options.
func (o *Options) GetAllRouteableHTTPHosts() ([]string, error) {
hosts := sets.NewSorted[string]()
@ -1159,9 +1114,14 @@ func (o *Options) GetAllRouteableHTTPHosts() ([]string, error) {
// policy urls
if IsProxy(o.Services) {
for _, policy := range o.GetAllPolicies() {
hosts.Add(urlutil.GetDomainsForURL(policy.Source.URL)...)
fromURL, err := urlutil.ParseAndValidateURL(policy.From)
if err != nil {
return nil, err
}
hosts.Add(urlutil.GetDomainsForURL(fromURL)...)
if policy.TLSDownstreamServerName != "" {
tlsURL := policy.Source.URL.ResolveReference(&url.URL{Host: policy.TLSDownstreamServerName})
tlsURL := fromURL.ResolveReference(&url.URL{Host: policy.TLSDownstreamServerName})
hosts.Add(urlutil.GetDomainsForURL(tlsURL)...)
}
}
@ -1170,37 +1130,6 @@ func (o *Options) GetAllRouteableHTTPHosts() ([]string, error) {
return hosts.ToSlice(), nil
}
// GetAllRouteableHTTPServerNames returns all the possible HTTP server names handled by the Pomerium options.
func (o *Options) GetAllRouteableHTTPServerNames() ([]string, error) {
serverNames := sets.NewSorted[string]()
if IsAuthenticate(o.Services) {
authenticateURL, err := o.GetInternalAuthenticateURL()
if err != nil {
return nil, err
}
serverNames.Add(urlutil.GetServerNamesForURL(authenticateURL)...)
authenticateURL, err = o.GetAuthenticateURL()
if err != nil {
return nil, err
}
serverNames.Add(urlutil.GetServerNamesForURL(authenticateURL)...)
}
// policy urls
if IsProxy(o.Services) {
for _, policy := range o.GetAllPolicies() {
serverNames.Add(urlutil.GetServerNamesForURL(policy.Source.URL)...)
if policy.TLSDownstreamServerName != "" {
tlsURL := policy.Source.URL.ResolveReference(&url.URL{Host: policy.TLSDownstreamServerName})
serverNames.Add(urlutil.GetServerNamesForURL(tlsURL)...)
}
}
}
return serverNames.ToSlice(), nil
}
// GetClientSecret gets the client secret.
func (o *Options) GetClientSecret() (string, error) {
if o == nil {


@ -87,9 +87,9 @@ func Test_bindEnvs(t *testing.T) {
defer os.Unsetenv("POMERIUM_DEBUG")
defer os.Unsetenv("POLICY")
defer os.Unsetenv("HEADERS")
os.Setenv("POMERIUM_DEBUG", "true")
os.Setenv("POLICY", "LSBmcm9tOiBodHRwczovL2h0dHBiaW4ubG9jYWxob3N0LnBvbWVyaXVtLmlvCiAgdG86IAogICAgLSBodHRwOi8vbG9jYWxob3N0OjgwODEsMQo=")
os.Setenv("HEADERS", `{"X-Custom-1":"foo", "X-Custom-2":"bar"}`)
t.Setenv("POMERIUM_DEBUG", "true")
t.Setenv("POLICY", "LSBmcm9tOiBodHRwczovL2h0dHBiaW4ubG9jYWxob3N0LnBvbWVyaXVtLmlvCiAgdG86IAogICAgLSBodHRwOi8vbG9jYWxob3N0OjgwODEsMQo=")
t.Setenv("HEADERS", `{"X-Custom-1":"foo", "X-Custom-2":"bar"}`)
err := bindEnvs(o, v)
if err != nil {
t.Fatalf("failed to bind options to env vars: %s", err)
@ -207,7 +207,6 @@ func Test_parsePolicyFile(t *testing.T) {
}
source := "https://pomerium.io"
sourceURL, _ := url.ParseRequestURI(source)
to, err := ParseWeightedURL("https://httpbin.org")
require.NoError(t, err)
@ -222,9 +221,8 @@ func Test_parsePolicyFile(t *testing.T) {
"simple json",
[]byte(fmt.Sprintf(`{"policy":[{"from": "%s","to":"%s"}]}`, source, to.URL.String())),
[]Policy{{
From: source,
To: []WeightedURL{*to},
Source: &StringURL{sourceURL},
From: source,
To: []WeightedURL{*to},
}},
false,
},
@ -280,7 +278,7 @@ func Test_Checksum(t *testing.T) {
func TestOptionsFromViper(t *testing.T) {
opts := []cmp.Option{
cmpopts.IgnoreFields(Options{}, "CookieSecret", "GRPCInsecure", "GRPCAddr", "DataBrokerURLString", "DataBrokerURLStrings", "AuthorizeURLString", "AuthorizeURLStrings", "DefaultUpstreamTimeout", "CookieExpire", "Services", "Addr", "LogLevel", "KeyFile", "CertFile", "SharedKey", "ReadTimeout", "IdleTimeout", "GRPCClientTimeout", "GRPCClientDNSRoundRobin", "TracingSampleRate", "ProgrammaticRedirectDomainWhitelist"),
cmpopts.IgnoreFields(Policy{}, "Source", "EnvoyOpts"),
cmpopts.IgnoreFields(Policy{}, "EnvoyOpts"),
cmpOptIgnoreUnexported,
}
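Review bot: The three `defer os.Unsetenv(...)` lines at the top of the first Test_bindEnvs hunk are left in place although the sets below them are now `t.Setenv`, which restores each variable itself when the test finishes. The defers are redundant and can be deleted, which also removes the unchecked `os.Unsetenv` return values. `t.Setenv` cannot be used in a test that calls `t.Parallel`, so this test has to stay serial; a one-line comment saying so would help the next editor. The body of Test_bindEnvs continues outside the hunk.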


@ -4,7 +4,6 @@ import (
"context"
"crypto/tls"
"encoding/base64"
"encoding/json"
"fmt"
"net/url"
"os"
@ -41,8 +40,6 @@ type Policy struct {
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
Source *StringURL `yaml:",omitempty" json:"source,omitempty" hash:"ignore"`
// Additional route matching options
Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
Path string `mapstructure:"path" yaml:"path,omitempty" json:"path,omitempty"`
@ -450,8 +447,6 @@ func (p *Policy) Validate() error {
source.String())
}
p.Source = &StringURL{source}
if len(p.To) == 0 && p.Redirect == nil {
return errEitherToOrRedirectRequired
}
@ -558,7 +553,7 @@ func (p *Policy) Checksum() uint64 {
// RouteID returns a unique identifier for a route
func (p *Policy) RouteID() (uint64, error) {
id := routeID{
Source: p.Source,
From: p.From,
Prefix: p.Prefix,
Path: p.Path,
Regex: p.Regex,
@ -589,19 +584,20 @@ func (p *Policy) String() string {
to = strings.Join(dsts, ",")
}
return fmt.Sprintf("%s → %s", p.Source.String(), to)
return fmt.Sprintf("%s → %s", p.From, to)
}
// Matches returns true if the policy would match the given URL.
func (p *Policy) Matches(requestURL url.URL) bool {
// handle nils by always returning false
if p.Source == nil {
// an invalid from URL should not match anything
fromURL, err := urlutil.ParseAndValidateURL(p.From)
if err != nil {
return false
}
// make sure one of the host domains matches the incoming url
found := false
for _, host := range urlutil.GetDomainsForURL(p.Source.URL) {
for _, host := range urlutil.GetDomainsForURL(fromURL) {
found = found || host == requestURL.Host
}
if !found {
@ -634,6 +630,11 @@ func (p *Policy) IsForKubernetes() bool {
return p.KubernetesServiceAccountTokenFile != "" || p.KubernetesServiceAccountToken != ""
}
// IsTCP returns true if the route is for TCP.
func (p *Policy) IsTCP() bool {
return strings.HasPrefix(p.From, "tcp")
}
// AllAllowedDomains returns all the allowed domains.
func (p *Policy) AllAllowedDomains() []string {
var ads []string
@ -674,25 +675,8 @@ func (p *Policy) GetSetAuthorizationHeader() configpb.Route_AuthorizationHeaderM
return mode
}
// StringURL stores a URL as a string in json.
type StringURL struct {
*url.URL
}
func (su *StringURL) String() string {
if su == nil || su.URL == nil {
return "?"
}
return su.URL.String()
}
// MarshalJSON returns the URLs host as json.
func (su *StringURL) MarshalJSON() ([]byte, error) {
return json.Marshal(su.String())
}
type routeID struct {
Source *StringURL
From string
To []string
Prefix string
Path string
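Review bot: Matches now calls `urlutil.ParseAndValidateURL(p.From)` on every invocation, where the removed code read the URL that Validate had already parsed into `p.Source`. If Matches sits on a per-request path, the same string is re-parsed for every policy and request; caching the parsed URL once during Validate would avoid that without bringing the serialized `Source` field back. The failure path is fail-closed (an unparseable `from` matches nothing), which is worth keeping and covering with an explicit test. Separately, IsTCP tests `strings.HasPrefix(p.From, "tcp")` on the raw string, which is true for any `from` value beginning with those three letters; comparing the parsed scheme would be stricter. Matches continues past the end of its hunk.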


@ -84,7 +84,7 @@ func TestPolicy_String(t *testing.T) {
if got := p.String(); got != tt.want {
t.Errorf("Policy.String() = %v, want %v", got, tt.want)
}
out, err := json.Marshal(p.Source)
out, err := json.Marshal(p.From)
if err != nil {
t.Fatal(err)
}


@ -6,12 +6,12 @@ import (
"reflect"
"sync"
"github.com/rs/zerolog"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/telemetry"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/rs/zerolog"
)
// TracingOptions are the options for tracing.


@ -31,7 +31,7 @@ func newDataBrokerServer(cfg *config.Config) *dataBrokerServer {
}
// OnConfigChange updates the underlying databroker server whenever configuration is changed.
func (srv *dataBrokerServer) OnConfigChange(ctx context.Context, cfg *config.Config) {
func (srv *dataBrokerServer) OnConfigChange(_ context.Context, cfg *config.Config) {
srv.server.UpdateConfig(srv.getOptions(cfg)...)
srv.setKey(cfg)
}


@ -50,7 +50,7 @@ func TestServerSync(t *testing.T) {
require.NoError(t, err)
defer conn.Close()
c := databroker.NewDataBrokerServiceClient(conn)
any := protoutil.NewAny(new(user.User))
data := protoutil.NewAny(new(user.User))
numRecords := 200
var serverVersion uint64
@ -58,9 +58,9 @@ func TestServerSync(t *testing.T) {
for i := 0; i < numRecords; i++ {
res, err := c.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: strconv.Itoa(i),
Data: any,
Data: data,
}},
})
require.NoError(t, err)
@ -102,15 +102,15 @@ func BenchmarkSync(b *testing.B) {
}
defer conn.Close()
c := databroker.NewDataBrokerServiceClient(conn)
any := protoutil.NewAny(new(session.Session))
data := protoutil.NewAny(new(session.Session))
numRecords := 10000
for i := 0; i < numRecords; i++ {
_, _ = c.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: strconv.Itoa(i),
Data: any,
Data: data,
}},
})
}


@ -27,7 +27,7 @@ func TestAuthorization(t *testing.T) {
t.Run("public", func(t *testing.T) {
client := getClient(t)
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io", nil)
if err != nil {
t.Fatal(err)
}


@ -20,7 +20,7 @@ func BenchmarkLoggedInUserAccess(b *testing.B) {
b.ResetTimer()
for i := 0; i < b.N; i++ {
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/by-domain", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/by-domain", nil)
require.NoError(b, err)
res, err := client.Do(req)
require.NoError(b, err)
@ -34,7 +34,7 @@ func BenchmarkLoggedOutUserAccess(b *testing.B) {
b.ResetTimer()
for i := 0; i < b.N; i++ {
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/by-domain", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/by-domain", nil)
require.NoError(b, err)
res, err := client.Do(req)
require.NoError(b, err)


@ -36,7 +36,7 @@ func main() {
}
}
func runGenerateConfiguration(ctx context.Context) error {
func runGenerateConfiguration(_ context.Context) error {
log.Info().Msg("generating configuration")
root := filepath.Join(".", "integration")


@ -16,7 +16,7 @@ func TestDashboard(t *testing.T) {
defer clearTimeout()
t.Run("user dashboard", func(t *testing.T) {
req, err := http.NewRequestWithContext(ctx, "GET", "https://authenticate.localhost.pomerium.io/.pomerium/", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://authenticate.localhost.pomerium.io/.pomerium/", nil)
if err != nil {
t.Fatal(err)
}
@ -32,7 +32,7 @@ func TestDashboard(t *testing.T) {
assert.Equal(t, http.StatusFound, res.StatusCode, "unexpected status code: %s", body)
})
t.Run("dashboard strict slash redirect", func(t *testing.T) {
req, err := http.NewRequestWithContext(ctx, "GET", "https://authenticate.localhost.pomerium.io/.pomerium", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://authenticate.localhost.pomerium.io/.pomerium", nil)
if err != nil {
t.Fatal(err)
}
@ -64,7 +64,7 @@ func TestHealth(t *testing.T) {
endpoint := endpoint
routeToCheck := fmt.Sprintf("%s/%s", route, endpoint)
t.Run(routeToCheck, func(t *testing.T) {
req, err := http.NewRequestWithContext(ctx, "GET", routeToCheck, nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, routeToCheck, nil)
if err != nil {
t.Fatal(err)
}


@ -92,7 +92,7 @@ func Authenticate(ctx context.Context, client *http.Client, url *url.URL, option
apiLogin.RawQuery = q.Encode()
apiLogin.Path = cfg.apiPath
req, err := http.NewRequestWithContext(ctx, "GET", apiLogin.String(), nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiLogin.String(), nil)
if err != nil {
return nil, fmt.Errorf("via-api: invalid request: %w", err)
}
@ -113,7 +113,7 @@ func Authenticate(ctx context.Context, client *http.Client, url *url.URL, option
}
}
req, err := http.NewRequestWithContext(ctx, "GET", url.String(), nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url.String(), nil)
if err != nil {
return nil, err
}
@ -234,7 +234,7 @@ func requestFromRedirectResponse(ctx context.Context, res *http.Response, req *h
return nil, fmt.Errorf("error parsing location: %w", err)
}
location = req.URL.ResolveReference(location)
newreq, err := http.NewRequestWithContext(ctx, "GET", location.String(), nil)
newreq, err := http.NewRequestWithContext(ctx, http.MethodGet, location.String(), nil)
if err != nil {
return nil, err
}


@ -30,7 +30,7 @@ func Parse(r io.Reader) []Form {
var visit func(*html.Node)
visit = func(node *html.Node) {
if node.Type == html.ElementNode && node.Data == "form" {
currentForm = &Form{Action: "", Method: "GET", Inputs: make(map[string]string)}
currentForm = &Form{Action: "", Method: http.MethodGet, Inputs: make(map[string]string)}
for _, attr := range node.Attr {
switch attr.Key {
case "action":


@ -111,7 +111,7 @@ func waitForHealthy(ctx context.Context) error {
reqCtx, clearTimeout := context.WithTimeout(ctx, time.Second)
defer clearTimeout()
req, err := http.NewRequestWithContext(reqCtx, "GET", endpoint, nil)
req, err := http.NewRequestWithContext(reqCtx, http.MethodGet, endpoint, nil)
if err != nil {
return err
}


@ -26,7 +26,7 @@ func TestQueryStringParams(t *testing.T) {
"q2": {"x?y?z"},
}
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/?"+qs.Encode(), nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/?"+qs.Encode(), nil)
if err != nil {
t.Fatal(err)
}
@ -58,11 +58,11 @@ func TestCORS(t *testing.T) {
defer clearTimeout()
t.Run("enabled", func(t *testing.T) {
req, err := http.NewRequestWithContext(ctx, "OPTIONS", "https://httpdetails.localhost.pomerium.io/cors-enabled", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodOptions, "https://httpdetails.localhost.pomerium.io/cors-enabled", nil)
if err != nil {
t.Fatal(err)
}
req.Header.Set("Access-Control-Request-Method", "GET")
req.Header.Set("Access-Control-Request-Method", http.MethodGet)
req.Header.Set("Origin", "https://httpdetails.localhost.pomerium.io")
res, err := getClient(t).Do(req)
@ -74,11 +74,11 @@ func TestCORS(t *testing.T) {
assert.Equal(t, http.StatusOK, res.StatusCode, "unexpected status code")
})
t.Run("disabled", func(t *testing.T) {
req, err := http.NewRequestWithContext(ctx, "OPTIONS", "https://httpdetails.localhost.pomerium.io/cors-disabled", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodOptions, "https://httpdetails.localhost.pomerium.io/cors-disabled", nil)
if err != nil {
t.Fatal(err)
}
req.Header.Set("Access-Control-Request-Method", "GET")
req.Header.Set("Access-Control-Request-Method", http.MethodGet)
req.Header.Set("Origin", "https://httpdetails.localhost.pomerium.io")
res, err := getClient(t).Do(req)
@ -97,7 +97,7 @@ func TestPreserveHostHeader(t *testing.T) {
defer clearTimeout()
t.Run("enabled", func(t *testing.T) {
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/preserve-host-header-enabled", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/preserve-host-header-enabled", nil)
if err != nil {
t.Fatal(err)
}
@ -122,7 +122,7 @@ func TestPreserveHostHeader(t *testing.T) {
"destination host should be preserved in %v", result)
})
t.Run("disabled", func(t *testing.T) {
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/preserve-host-header-disabled", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/preserve-host-header-disabled", nil)
if err != nil {
t.Fatal(err)
}
@ -153,7 +153,7 @@ func TestSetRequestHeaders(t *testing.T) {
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
defer clearTimeout()
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/", nil)
if err != nil {
t.Fatal(err)
}
@ -181,7 +181,7 @@ func TestRemoveRequestHeaders(t *testing.T) {
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
defer clearTimeout()
req, err := http.NewRequestWithContext(ctx, "GET", "https://httpdetails.localhost.pomerium.io/", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://httpdetails.localhost.pomerium.io/", nil)
if err != nil {
t.Fatal(err)
}
@ -245,7 +245,7 @@ func TestGoogleCloudRun(t *testing.T) {
ctx, clearTimeout := context.WithTimeout(ctx, time.Second*30)
defer clearTimeout()
req, err := http.NewRequestWithContext(ctx, "GET", "https://cloudrun.localhost.pomerium.io/", nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, "https://cloudrun.localhost.pomerium.io/", nil)
if err != nil {
t.Fatal(err)
}
@ -287,7 +287,7 @@ func TestLoadBalancer(t *testing.T) {
_ = res.Body.Close()
for i := 0; i < 100; i++ {
req, err := http.NewRequestWithContext(ctx, "GET",
req, err := http.NewRequestWithContext(ctx, http.MethodGet,
"https://httpdetails.localhost.pomerium.io/"+path, nil)
if !assert.NoError(t, err) {
return distribution


@ -23,6 +23,7 @@ import (
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/telemetry/metrics"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/cryptutil"
)
@ -438,11 +439,12 @@ func sourceHostnames(cfg *config.Config) []string {
dedupe := map[string]struct{}{}
for _, p := range policies {
dedupe[p.Source.Hostname()] = struct{}{}
if u, _ := urlutil.ParseAndValidateURL(p.From); u != nil {
dedupe[u.Hostname()] = struct{}{}
}
}
if cfg.Options.AuthenticateURLString != "" {
u, _ := cfg.Options.GetAuthenticateURL()
if u != nil {
if u, _ := cfg.Options.GetAuthenticateURL(); u != nil {
dedupe[u.Hostname()] = struct{}{}
}
}
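Review bot: In sourceHostnames the error from `urlutil.ParseAndValidateURL(p.From)` is discarded, so a policy whose `from` does not parse is left out of the hostname set without any trace. The removed line read the hostname from `p.Source`, which Validate used to populate; now the only sign of a bad route at this point is a missing entry. Consider logging the skipped `from` value and the error at warning level, or at least adding `// from is checked by Policy.Validate; unparseable values are skipped here` above the `if` so the dropped error reads as deliberate. The function body starts and ends outside the hunk.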


@ -384,7 +384,7 @@ func Test_configureCertificateAuthority(t *testing.T) {
expected *certmagic.ACMEIssuer
wantErr bool
}
var tests = map[string]func(t *testing.T) test{
tests := map[string]func(t *testing.T) test{
"ok/default": func(t *testing.T) test {
return test{
args: args{
@ -460,7 +460,7 @@ func Test_configureExternalAccountBinding(t *testing.T) {
expected *certmagic.ACMEIssuer
wantErr bool
}
var tests = map[string]func(t *testing.T) test{
tests := map[string]func(t *testing.T) test{
"ok": func(t *testing.T) test {
return test{
args: args{
@ -522,11 +522,11 @@ func Test_configureTrustedRoots(t *testing.T) {
wantErr bool
cleanup func()
}
var tests = map[string]func(t *testing.T) test{
tests := map[string]func(t *testing.T) test{
"ok/pem": func(t *testing.T) test {
copy, err := x509.SystemCertPool()
roots, err := x509.SystemCertPool()
require.NoError(t, err)
ok := copy.AppendCertsFromPEM(ca.certPEM)
ok := roots.AppendCertsFromPEM(ca.certPEM)
require.Equal(t, true, ok)
return test{
args: args{
@ -538,15 +538,15 @@ func Test_configureTrustedRoots(t *testing.T) {
expected: &certmagic.ACMEIssuer{
CA: certmagic.DefaultACME.CA,
TestCA: certmagic.DefaultACME.TestCA,
TrustedRoots: copy,
TrustedRoots: roots,
},
wantErr: false,
}
},
"ok/file": func(t *testing.T) test {
copy, err := x509.SystemCertPool()
roots, err := x509.SystemCertPool()
require.NoError(t, err)
ok := copy.AppendCertsFromPEM(ca.certPEM)
ok := roots.AppendCertsFromPEM(ca.certPEM)
require.Equal(t, true, ok)
f, err := os.CreateTemp("", "pomerium-test-ca")
require.NoError(t, err)
@ -563,7 +563,7 @@ func Test_configureTrustedRoots(t *testing.T) {
expected: &certmagic.ACMEIssuer{
CA: certmagic.DefaultACME.CA,
TestCA: certmagic.DefaultACME.TestCA,
TrustedRoots: copy,
TrustedRoots: roots,
},
wantErr: false,
cleanup: func() {
@ -572,7 +572,7 @@ func Test_configureTrustedRoots(t *testing.T) {
}
},
"fail/pem": func(t *testing.T) test {
copy, err := x509.SystemCertPool()
roots, err := x509.SystemCertPool()
require.NoError(t, err)
return test{
args: args{
@ -584,13 +584,13 @@ func Test_configureTrustedRoots(t *testing.T) {
expected: &certmagic.ACMEIssuer{
CA: certmagic.DefaultACME.CA,
TestCA: certmagic.DefaultACME.TestCA,
TrustedRoots: copy,
TrustedRoots: roots,
},
wantErr: true,
}
},
"fail/file": func(t *testing.T) test {
copy, err := x509.SystemCertPool()
roots, err := x509.SystemCertPool()
require.NoError(t, err)
return test{
args: args{
@ -602,7 +602,7 @@ func Test_configureTrustedRoots(t *testing.T) {
expected: &certmagic.ACMEIssuer{
CA: certmagic.DefaultACME.CA,
TestCA: certmagic.DefaultACME.TestCA,
TrustedRoots: copy,
TrustedRoots: roots,
},
wantErr: true,
}


@ -22,16 +22,16 @@ const maxEvents = 50
var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)
func (srv *Server) storeEvent(ctx context.Context, evt proto.Message) error {
any := protoutil.NewAny(evt)
data := protoutil.NewAny(evt)
client, err := srv.getDataBrokerClient(ctx)
if err != nil {
return err
}
if !srv.haveSetCapacity[any.GetTypeUrl()] {
if !srv.haveSetCapacity[data.GetTypeUrl()] {
_, err = client.SetOptions(ctx, &databrokerpb.SetOptionsRequest{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Options: &databrokerpb.Options{
Capacity: proto.Uint64(maxEvents),
},
@ -39,7 +39,7 @@ func (srv *Server) storeEvent(ctx context.Context, evt proto.Message) error {
if err != nil {
return err
}
srv.haveSetCapacity[any.GetTypeUrl()] = true
srv.haveSetCapacity[data.GetTypeUrl()] = true
}
var id string
@ -51,9 +51,9 @@ func (srv *Server) storeEvent(ctx context.Context, evt proto.Message) error {
_, err = client.Put(ctx, &databrokerpb.PutRequest{
Records: []*databrokerpb.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: id,
Data: any,
Data: data,
}},
})
if err != nil {


@ -19,7 +19,7 @@ import (
hpke_handlers "github.com/pomerium/pomerium/pkg/hpke/handlers"
)
func (srv *Server) addHTTPMiddleware(root *mux.Router, cfg *config.Config) {
func (srv *Server) addHTTPMiddleware(root *mux.Router, _ *config.Config) {
compressor, err := httpcompression.DefaultAdapter()
if err != nil {
panic(err)


@ -212,7 +212,7 @@ func (mgr *Manager) DeltaAggregatedResources(
// StreamAggregatedResources is not implemented.
func (mgr *Manager) StreamAggregatedResources(
stream envoy_service_discovery_v3.AggregatedDiscoveryService_StreamAggregatedResourcesServer,
_ envoy_service_discovery_v3.AggregatedDiscoveryService_StreamAggregatedResourcesServer,
) error {
return status.Errorf(codes.Unimplemented, "method StreamAggregatedResources not implemented")
}


@ -223,13 +223,13 @@ func (s *syncerHandler) GetDataBrokerServiceClient() databroker.DataBrokerServic
return s.client
}
func (s *syncerHandler) ClearRecords(ctx context.Context) {
func (s *syncerHandler) ClearRecords(_ context.Context) {
s.src.mu.Lock()
s.src.dbConfigs = map[string]dbConfig{}
s.src.mu.Unlock()
}
func (s *syncerHandler) UpdateRecords(ctx context.Context, serverVersion uint64, records []*databroker.Record) {
func (s *syncerHandler) UpdateRecords(ctx context.Context, _ uint64, records []*databroker.Record) {
if len(records) == 0 {
return
}


@ -129,7 +129,7 @@ func (srv *Server) Get(ctx context.Context, req *databroker.GetRequest) (*databr
}
// ListTypes lists all the record types.
func (srv *Server) ListTypes(ctx context.Context, req *emptypb.Empty) (*databroker.ListTypesResponse, error) {
func (srv *Server) ListTypes(ctx context.Context, _ *emptypb.Empty) (*databroker.ListTypesResponse, error) {
ctx, span := trace.StartSpan(ctx, "databroker.grpc.ListTypes")
defer span.End()
log.Info(ctx).Msg("list types")


@ -59,25 +59,25 @@ func TestServer_Get(t *testing.T) {
s := new(session.Session)
s.Id = "1"
any := protoutil.NewAny(s)
data := protoutil.NewAny(s)
_, err := srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
Data: any,
Data: data,
}},
})
assert.NoError(t, err)
_, err = srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
DeletedAt: timestamppb.Now(),
}},
})
assert.NoError(t, err)
_, err = srv.Get(context.Background(), &databroker.GetRequest{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
})
assert.Error(t, err)
@ -91,17 +91,17 @@ func TestServer_Options(t *testing.T) {
s := new(session.Session)
s.Id = "1"
any := protoutil.NewAny(s)
data := protoutil.NewAny(s)
_, err := srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
Data: any,
Data: data,
}},
})
assert.NoError(t, err)
_, err = srv.SetOptions(context.Background(), &databroker.SetOptionsRequest{
Type: any.TypeUrl,
Type: data.TypeUrl,
Options: &databroker.Options{
Capacity: proto.Uint64(1),
},
@ -141,12 +141,12 @@ func TestServer_Query(t *testing.T) {
for i := 0; i < 10; i++ {
s := new(session.Session)
s.Id = fmt.Sprint(i)
any := protoutil.NewAny(s)
data := protoutil.NewAny(s)
_, err := srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
Data: any,
Data: data,
}},
})
assert.NoError(t, err)
@ -192,12 +192,12 @@ func TestServer_Sync(t *testing.T) {
s := new(session.Session)
s.Id = "1"
any := protoutil.NewAny(s)
data := protoutil.NewAny(s)
_, err := srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
Data: any,
Data: data,
}},
})
assert.NoError(t, err)
@ -251,9 +251,9 @@ func TestServer_Sync(t *testing.T) {
_, err = srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
Data: any,
Data: data,
}},
})
assert.NoError(t, err)
@ -276,12 +276,12 @@ func TestServerInvalidStorage(t *testing.T) {
s := new(session.Session)
s.Id = "1"
any := protoutil.NewAny(s)
data := protoutil.NewAny(s)
_, err := srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
Data: any,
Data: data,
}},
})
_ = assert.Error(t, err) && assert.Contains(t, err.Error(), "unsupported storage type")
@ -297,12 +297,12 @@ func TestServerRedis(t *testing.T) {
s := new(session.Session)
s.Id = "1"
any := protoutil.NewAny(s)
data := protoutil.NewAny(s)
_, err := srv.Put(context.Background(), &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.TypeUrl,
Type: data.TypeUrl,
Id: s.Id,
Data: any,
Data: data,
}},
})
assert.NoError(t, err)
@ -328,7 +328,7 @@ func TestServerRedis(t *testing.T) {
client := databroker.NewDataBrokerServiceClient(cc)
stream, err := client.SyncLatest(ctx, &databroker.SyncLatestRequest{
Type: any.TypeUrl,
Type: data.TypeUrl,
})
if err != nil {
return err


@ -102,7 +102,7 @@ func WrapPrivateKey(privateKey *ecdsa.PrivateKey) crypto.PrivateKey {
// This method implements crypto.Signer, which is an interface to support keys
// where the private part is kept in, for example, a hardware module. Common
// uses can use the SignASN1 function in this package directly.
func (priv deterministicPrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
func (priv deterministicPrivateKey) Sign(rand io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
r, s, err := Sign(rand, priv.PrivateKey, digest)
if err != nil {
return nil, err


@ -3,10 +3,10 @@
package jws
import (
"github.com/pomerium/pomerium/internal/encoding"
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/jwt"
"github.com/pomerium/pomerium/internal/encoding"
)
// JSONWebSigner is the struct representing a signed JWT.


@ -19,11 +19,11 @@ type Encoder struct {
}
// Marshal is a mock implementation of Encoder.
func (mc Encoder) Marshal(i interface{}) ([]byte, error) {
func (mc Encoder) Marshal(_ any) ([]byte, error) {
return mc.MarshalResponse, mc.MarshalError
}
// Unmarshal is a mock implementation of Encoder.
func (mc Encoder) Unmarshal(s []byte, i interface{}) error {
func (mc Encoder) Unmarshal(_ []byte, _ any) error {
return mc.UnmarshalError
}


@ -13,14 +13,14 @@ func TestMockEncoder(t *testing.T) {
UnmarshalError: e,
}
s, err := mc.Marshal("test")
if err != e {
if errors.Is(err, e) {
t.Error("unexpected Marshal error")
}
if string(s) != "MarshalResponse" {
t.Error("unexpected MarshalResponse error")
}
err = mc.Unmarshal([]byte("s"), "s")
if err != e {
if errors.Is(err, e) {
t.Error("unexpected Unmarshal error")
}
}
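Review bot: Both rewritten checks in TestMockEncoder read `if errors.Is(err, e)` followed by `t.Error(...)`, which is the opposite of the `err != e` comparisons they replace: as shown, the test reports a failure when the mock returns the configured error and passes when it does not. The conditions should be `if !errors.Is(err, e) {` for the Marshal check and the Unmarshal check alike. The construction of `mc` is partly outside the hunk, so this assumes `MarshalError` is set to `e` the same way `UnmarshalError` is.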


@ -41,7 +41,7 @@ func TestJWKSHandler(t *testing.T) {
w := httptest.NewRecorder()
r := httptest.NewRequest(http.MethodOptions, "/", nil)
r.Header.Set("Origin", "https://www.example.com")
r.Header.Set("Access-Control-Request-Method", "GET")
r.Header.Set("Access-Control-Request-Method", http.MethodGet)
handlers.JWKSHandler(nil).ServeHTTP(w, r)
assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
})


@ -128,7 +128,7 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) error {
}
switch {
case r.Method == "GET":
case r.Method == http.MethodGet:
return h.handleView(w, r, s)
case r.FormValue("action") == "authenticate":
return h.handleAuthenticate(w, r, s)


@ -17,7 +17,7 @@ func TestWellKnownPomeriumHandler(t *testing.T) {
w := httptest.NewRecorder()
r := httptest.NewRequest(http.MethodOptions, "/", nil)
r.Header.Set("Origin", authenticateURL.String())
r.Header.Set("Access-Control-Request-Method", "GET")
r.Header.Set("Access-Control-Request-Method", http.MethodGet)
WellKnownPomerium(authenticateURL).ServeHTTP(w, r)
assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
})


@ -51,7 +51,7 @@ func TestHandlerFunc_ServeHTTP(t *testing.T) {
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
r := httptest.NewRequest("GET", "/", nil)
r := httptest.NewRequest(http.MethodGet, "/", nil)
r.Header.Set("Accept", "application/json")
w := httptest.NewRecorder()
tt.f.ServeHTTP(w, r)


@ -9,16 +9,16 @@ import (
)
func TestGetClientIPAddress(t *testing.T) {
r1, err := http.NewRequest("GET", "https://example.com", nil)
r1, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
require.NoError(t, err)
assert.Equal(t, "127.0.0.1", GetClientIPAddress(r1))
r2, err := http.NewRequest("GET", "https://example.com", nil)
r2, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
require.NoError(t, err)
r2.RemoteAddr = "127.0.0.2:1234"
assert.Equal(t, "127.0.0.2", GetClientIPAddress(r2))
r3, err := http.NewRequest("GET", "https://example.com", nil)
r3, err := http.NewRequest(http.MethodGet, "https://example.com", nil)
require.NoError(t, err)
r3.RemoteAddr = "127.0.0.3:1234"
r3.Header.Set("X-Envoy-External-Address", "127.0.0.3")


@ -62,7 +62,7 @@ func TestMiddleware(t *testing.T) {
policyID, _ := cfg.Options.Policies[0].RouteID()
req, err := http.NewRequest("GET", srv2.URL, nil)
req, err := http.NewRequest(http.MethodGet, srv2.URL, nil)
require.NoError(t, err)
for _, hdr := range h.GetPolicyIDHeaders(policyID) {
req.Header.Set(hdr[0], hdr[1])


@ -16,7 +16,7 @@ func NewRouter() *mux.Router {
// CSRFFailureHandler sets a HTTP 403 Forbidden status and writes the
// CSRF failure reason to the response.
func CSRFFailureHandler(w http.ResponseWriter, r *http.Request) error {
func CSRFFailureHandler(_ http.ResponseWriter, r *http.Request) error {
if err := csrf.FailureReason(r); err != nil {
return NewError(http.StatusBadRequest, csrf.FailureReason(r))
}
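Review bot: The doc comment on CSRFFailureHandler says it sets HTTP 403 Forbidden and writes the failure reason to the response, but the body shown returns `NewError(http.StatusBadRequest, ...)` and, with the writer now `_`, writes nothing itself. The comment should be brought in line with the code, for example `// CSRFFailureHandler returns an HTTP 400 error carrying the CSRF failure reason.`, or the status changed if 403 is what is intended. The second `csrf.FailureReason(r)` call can reuse `err` from the `if` initializer. The function continues outside the hunk.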


@ -448,7 +448,8 @@ func isTemporaryError(err error) bool {
if errors.Is(err, context.DeadlineExceeded) || errors.Is(err, context.Canceled) {
return true
}
if e, ok := err.(interface{ Temporary() bool }); ok && e.Temporary() {
var hasTemporary interface{ Temporary() bool }
if errors.As(err, &hasTemporary) && hasTemporary.Temporary() {
return true
}
return false


@ -160,11 +160,11 @@ func TestManager_reportErrors(t *testing.T) {
}
func mkRecord(msg recordable) *databroker.Record {
any := protoutil.NewAny(msg)
data := protoutil.NewAny(msg)
return &databroker.Record{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: msg.GetId(),
Data: any,
Data: data,
}
}


@ -17,7 +17,7 @@ type dataBrokerSyncer struct {
}
func newDataBrokerSyncer(
ctx context.Context,
_ context.Context,
cfg *atomicutil.Value[*config],
update chan<- updateRecordsMessage,
clear chan<- struct{},
@ -47,7 +47,7 @@ func (syncer *dataBrokerSyncer) GetDataBrokerServiceClient() databroker.DataBrok
return syncer.cfg.Load().dataBrokerClient
}
func (syncer *dataBrokerSyncer) UpdateRecords(ctx context.Context, serverVersion uint64, records []*databroker.Record) {
func (syncer *dataBrokerSyncer) UpdateRecords(ctx context.Context, _ uint64, records []*databroker.Record) {
select {
case <-ctx.Done():
case syncer.update <- updateRecordsMessage{records: records}:


@ -33,18 +33,18 @@ func (mp MockProvider) Refresh(context.Context, *oauth2.Token, identity.State) (
}
// Revoke is a mocked providers function.
func (mp MockProvider) Revoke(ctx context.Context, s *oauth2.Token) error {
func (mp MockProvider) Revoke(_ context.Context, _ *oauth2.Token) error {
return mp.RevokeError
}
// GetSignInURL is a mocked providers function.
func (mp MockProvider) GetSignInURL(s string) (string, error) { return mp.GetSignInURLResponse, nil }
func (mp MockProvider) GetSignInURL(_ string) (string, error) { return mp.GetSignInURLResponse, nil }
// LogOut is a mocked providers function.
func (mp MockProvider) LogOut() (*url.URL, error) { return &mp.LogOutResponse, mp.LogOutError }
// UpdateUserInfo is a mocked providers function.
func (mp MockProvider) UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error {
func (mp MockProvider) UpdateUserInfo(_ context.Context, _ *oauth2.Token, _ interface{}) error {
return mp.UpdateUserInfoError
}


@ -10,12 +10,10 @@ import (
"net/http"
"net/url"
"strings"
"time"
"golang.org/x/exp/maps"
"golang.org/x/oauth2"
"github.com/go-jose/go-jose/v3/jwt"
"golang.org/x/exp/maps"
"golang.org/x/oauth2"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/identity/identity"
@ -32,7 +30,6 @@ const (
defaultProviderURL = "https://appleid.apple.com"
tokenURL = "/auth/token" //nolint: gosec
authURL = "/auth/authorize"
refreshDeadline = time.Minute * 60
revocationURL = "/auth/revoke"
)
@ -50,7 +47,7 @@ type Provider struct {
}
// New instantiates an OpenID Connect (OIDC) provider for Apple.
func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
func New(_ context.Context, o *oauth.Options) (*Provider, error) {
options := *o
if options.ProviderURL == "" {
options.ProviderURL = defaultProviderURL
@ -178,7 +175,7 @@ func (p *Provider) Revoke(ctx context.Context, t *oauth2.Token) error {
}
// UpdateUserInfo gets claims from the oauth token.
func (p *Provider) UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interface{}) error {
func (p *Provider) UpdateUserInfo(_ context.Context, t *oauth2.Token, v interface{}) error {
rawIDToken, ok := t.Extra("id_token").(string)
if !ok {
return nil


@ -56,7 +56,7 @@ type Provider struct {
}
// New instantiates an OAuth2 provider for Github.
func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
func New(_ context.Context, o *oauth.Options) (*Provider, error) {
p := Provider{}
if o.ProviderURL == "" {
o.ProviderURL = defaultProviderURL
@ -92,7 +92,7 @@ func New(ctx context.Context, o *oauth.Options) (*Provider, error) {
func (p *Provider) Authenticate(ctx context.Context, code string, v identity.State) (*oauth2.Token, error) {
oauth2Token, err := p.Oauth.Exchange(ctx, code)
if err != nil {
return nil, fmt.Errorf("github: token exchange failed %v", err)
return nil, fmt.Errorf("github: token exchange failed %w", err)
}
// github tokens never expire
@ -124,7 +124,7 @@ func (p *Provider) UpdateUserInfo(ctx context.Context, t *oauth2.Token, v interf
}
// Refresh is a no-op for github, because github sessions never expire.
func (p *Provider) Refresh(ctx context.Context, t *oauth2.Token, v identity.State) (*oauth2.Token, error) {
func (p *Provider) Refresh(_ context.Context, t *oauth2.Token, _ identity.State) (*oauth2.Token, error) {
t.Expiry = time.Now().Add(refreshDeadline)
return t, nil
}
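Review bot: `Refresh` dereferences `t` with no nil check, and its comment calls it a no-op even though it rewrites `t.Expiry` on the caller's token. A guard such as `if t == nil { return nil, fmt.Errorf("github: refresh called with nil token") }` would turn a panic into an error, and the comment should say that the expiry is pushed forward by `refreshDeadline`. Nothing in this function contacts GitHub, so a token revoked upstream still looks fresh after the call. Whether another path re-validates the token is not visible in this section and is worth stating in the comment.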


@ -161,7 +161,7 @@ func Panic() *zerolog.Event {
// zerolog.Disabled will still disable events produced by this method.
//
// You must call Msg on the returned event in order to send the event.
func Log(ctx context.Context) *zerolog.Event {
func Log(_ context.Context) *zerolog.Event {
return Logger().Log()
}


@ -6,14 +6,14 @@ import (
"sync"
"time"
"github.com/pomerium/pomerium/internal/registry"
"github.com/pomerium/pomerium/internal/signal"
pb "github.com/pomerium/pomerium/pkg/grpc/registry"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
"google.golang.org/protobuf/types/known/durationpb"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/pomerium/pomerium/internal/registry"
"github.com/pomerium/pomerium/internal/signal"
pb "github.com/pomerium/pomerium/pkg/grpc/registry"
)
type inMemoryServer struct {
@ -131,7 +131,7 @@ func (s *inMemoryServer) reportLocked(services []*pb.Service) (bool, error) {
}
// List returns current snapshot of the services known to the registry
func (s *inMemoryServer) List(ctx context.Context, req *pb.ListRequest) (*pb.ServiceList, error) {
func (s *inMemoryServer) List(_ context.Context, req *pb.ListRequest) (*pb.ServiceList, error) {
if err := req.Validate(); err != nil {
return nil, status.Error(codes.InvalidArgument, err.Error())
}


@ -8,14 +8,14 @@ import (
"testing"
"time"
pb "github.com/pomerium/pomerium/pkg/grpc/registry"
"github.com/google/go-cmp/cmp"
"github.com/google/go-cmp/cmp/cmpopts"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"google.golang.org/grpc"
"google.golang.org/grpc/test/bufconn"
pb "github.com/pomerium/pomerium/pkg/grpc/registry"
)
const (


@ -9,12 +9,12 @@ import (
"strings"
"time"
"github.com/cenkalti/backoff/v4"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/pkg/grpc"
pb "github.com/pomerium/pomerium/pkg/grpc/registry"
"github.com/cenkalti/backoff/v4"
)
// Reporter periodically submits a list of services available on this instance to the service registry


@ -3,9 +3,9 @@ package registry
import (
"testing"
"github.com/pomerium/pomerium/config"
"github.com/stretchr/testify/assert"
"github.com/pomerium/pomerium/config"
)
func TestMetricsURL(t *testing.T) {


@ -96,7 +96,7 @@ func (cs *Store) makeCookie(value string) *http.Cookie {
}
// ClearSession clears the session cookie from a request
func (cs *Store) ClearSession(w http.ResponseWriter, r *http.Request) {
func (cs *Store) ClearSession(w http.ResponseWriter, _ *http.Request) {
c := cs.makeCookie("")
c.MaxAge = -1
c.Expires = timeNow().Add(-time.Hour)
@ -130,7 +130,7 @@ func (cs *Store) LoadSession(r *http.Request) (string, error) {
return jwt, nil
}
}
return "", fmt.Errorf("%w: %s", sessions.ErrMalformed, err)
return "", fmt.Errorf("%w: %w", sessions.ErrMalformed, err)
}
// SaveSession saves a session state to a request's cookie store.
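Review bot: Switching the second verb to `%w` in `fmt.Errorf("%w: %w", sessions.ErrMalformed, err)` changes what `errors.Is` and `errors.As` match on the error `LoadSession` returns: callers that could previously only match `sessions.ErrMalformed` can now also match whatever `err` wraps. If any caller branches on session sentinel errors, confirm that the extra match cannot change which rejection path a bad cookie takes; if it can, keeping `%v` for the inner error preserves the old contract. Two `%w` verbs in one format string also need Go 1.20 or later. The start of `LoadSession` is outside this hunk, so where `err` is assigned cannot be checked here.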


@ -4,6 +4,7 @@ import (
"crypto/rand"
"errors"
"fmt"
"net/http"
"net/http/httptest"
"strings"
"testing"
@ -133,13 +134,13 @@ func TestStore_SaveSession(t *testing.T) {
decoder: tt.decoder,
}
r := httptest.NewRequest("GET", "/", nil)
r := httptest.NewRequest(http.MethodGet, "/", nil)
w := httptest.NewRecorder()
if err := s.SaveSession(w, r, tt.State); (err != nil) != tt.wantErr {
t.Errorf("Store.SaveSession() error = %v, wantErr %v", err, tt.wantErr)
}
r = httptest.NewRequest("GET", "/", nil)
r = httptest.NewRequest(http.MethodGet, "/", nil)
for _, cookie := range w.Result().Cookies() {
r.AddCookie(cookie)
}


@ -9,19 +9,19 @@ import (
func TestTokenFromHeader(t *testing.T) {
t.Run("pomerium header", func(t *testing.T) {
r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
r, _ := http.NewRequest(http.MethodGet, "http://localhost/some/url", nil)
r.Header.Set("X-Pomerium-Authorization", "JWT")
v := TokenFromHeaders(r)
assert.Equal(t, "JWT", v)
})
t.Run("pomerium type", func(t *testing.T) {
r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
r, _ := http.NewRequest(http.MethodGet, "http://localhost/some/url", nil)
r.Header.Set("Authorization", "Pomerium JWT")
v := TokenFromHeaders(r)
assert.Equal(t, "JWT", v)
})
t.Run("bearer type", func(t *testing.T) {
r, _ := http.NewRequest("GET", "http://localhost/some/url", nil)
r, _ := http.NewRequest(http.MethodGet, "http://localhost/some/url", nil)
r.Header.Set("Authorization", "Bearer Pomerium-JWT")
v := TokenFromHeaders(r)
assert.Equal(t, "JWT", v)


@ -53,14 +53,14 @@ func (qp *Store) LoadSession(r *http.Request) (string, error) {
}
// ClearSession clears the session cookie from a request's query param key `pomerium_session`.
func (qp *Store) ClearSession(w http.ResponseWriter, r *http.Request) {
func (qp *Store) ClearSession(_ http.ResponseWriter, r *http.Request) {
params := r.URL.Query()
params.Del(qp.queryParamKey)
r.URL.RawQuery = params.Encode()
}
// SaveSession sets a session to a request's query param key `pomerium_session`
func (qp *Store) SaveSession(w http.ResponseWriter, r *http.Request, x interface{}) error {
func (qp *Store) SaveSession(_ http.ResponseWriter, r *http.Request, x interface{}) error {
data, err := qp.encoder.Marshal(x)
if err != nil {
return err
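Review bot: With the `http.ResponseWriter` now blank in `ClearSession`, it is plain that the function only edits `r.URL.RawQuery` on the in-memory request and sends nothing to the client, which the comment ("clears the session cookie") does not convey. I would reword it to `// ClearSession removes the session query parameter from r.URL; it does not write to the response.` A line on `SaveSession` should also note that a session carried in the query string can end up in access logs and Referer headers. `SaveSession` continues past the end of the hunk.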


@ -2,6 +2,7 @@ package queryparam
import (
"errors"
"net/http"
"net/http/httptest"
"net/url"
"testing"
@ -30,7 +31,7 @@ func TestNewQueryParamStore(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
got := NewStore(tt.enc, tt.qp)
r := httptest.NewRequest("GET", "/", nil)
r := httptest.NewRequest(http.MethodGet, "/", nil)
w := httptest.NewRecorder()
if err := got.SaveSession(w, r, tt.State); (err != nil) != tt.wantErr {


@ -18,7 +18,7 @@ type mockTagHandler struct {
type mockCtxTag string
func (m *mockTagHandler) TagRPC(ctx context.Context, tagInfo *grpcstats.RPCTagInfo) context.Context {
func (m *mockTagHandler) TagRPC(ctx context.Context, _ *grpcstats.RPCTagInfo) context.Context {
m.called = true
return context.WithValue(ctx, mockCtxTag("added"), "true")
}

View file

@ -19,7 +19,7 @@ type testInvoker struct {
statsHandler stats.Handler
}
func (t testInvoker) UnaryInvoke(ctx context.Context, method string, req, reply interface{}, cc *grpc.ClientConn, opts ...grpc.CallOption) error {
func (t testInvoker) UnaryInvoke(ctx context.Context, method string, _, reply any, _ *grpc.ClientConn, _ ...grpc.CallOption) error {
r := reply.(*wrapperspb.StringValue)
r.Value = "hello"


@ -110,7 +110,7 @@ var (
)
// HTTPMetricsHandler creates a metrics middleware for incoming HTTP requests
func HTTPMetricsHandler(getInstallationID func() string, service string) func(next http.Handler) http.Handler {
func HTTPMetricsHandler(_ func() string, service string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx, tagErr := tag.New(
@ -137,7 +137,7 @@ func HTTPMetricsHandler(getInstallationID func() string, service string) func(ne
}
// HTTPMetricsRoundTripper creates a metrics tracking tripper for outbound HTTP Requests
func HTTPMetricsRoundTripper(getInstallationID func() string, service string) func(next http.RoundTripper) http.RoundTripper {
func HTTPMetricsRoundTripper(_ func() string, service string) func(next http.RoundTripper) http.RoundTripper {
return func(next http.RoundTripper) http.RoundTripper {
return tripper.RoundTripperFunc(func(r *http.Request) (*http.Response, error) {
ctx, tagErr := tag.New(
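Review bot: Both `HTTPMetricsHandler` and `HTTPMetricsRoundTripper` keep a `func() string` first parameter that is now discarded, so every caller still has to supply an installation-ID getter that has no effect. If the signature must stay for compatibility, the doc comments should say so, e.g. `// The first argument is ignored and kept only for API compatibility.`; otherwise dropping the parameter is cleaner. Both function bodies continue outside the hunks.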


@ -64,7 +64,7 @@ func Test_HTTPMetricsHandler(t *testing.T) {
{
name: "good get",
url: "http://test.local/good",
verb: "GET",
verb: http.MethodGet,
wanthttpServerRequestSize: "{ { {host test.local}{http_method GET}{service test_service} }&{1 0 5e-324 0 0 [1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]",
wanthttpServerResponseSize: "{ { {host test.local}{http.status 200}{http_method GET}{service test_service} }&{1 5 5 5 0 [0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]",
wanthttpServerRequestDuration: "{ { {host test.local}{http.status 200}{http_method GET}{service test_service} }",
@ -145,7 +145,7 @@ func Test_HTTPMetricsRoundTripper(t *testing.T) {
{
name: "good get",
url: "http://test.local/good",
verb: "GET",
verb: http.MethodGet,
wanthttpClientRequestSize: "{ { {host test.local}{http.status 200}{http_method GET}{service test_service} }&{1 5 5 5 0 [0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]",
wanthttpClientResponseSize: "{ { {host test.local}{http.status 200}{http_method GET}{service test_service} }&{1 5 5 5 0 [0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0]",
wanthttpClientRequestDuration: "{ { {host test.local}{http.status 200}{http_method GET}{service test_service} }",
@ -190,7 +190,7 @@ func Test_HTTPMetricsRoundTripper(t *testing.T) {
// Check for transport Errors
client = http.Client{Transport: chain.Then(newFailingTestTransport())}
req, _ := http.NewRequest("GET", "http://test.local", new(bytes.Buffer))
req, _ := http.NewRequest(http.MethodGet, "http://test.local", new(bytes.Buffer))
resp, err := client.Do(req)
if err == nil || resp != nil {
t.Error("Transport error not surfaced properly")


@ -6,12 +6,12 @@ import (
"runtime"
"testing"
"github.com/pomerium/pomerium/internal/version"
"github.com/pomerium/pomerium/pkg/metrics"
"go.opencensus.io/metric/metricdata"
"go.opencensus.io/metric/metricproducer"
"go.opencensus.io/stats/view"
"github.com/pomerium/pomerium/internal/version"
"github.com/pomerium/pomerium/pkg/metrics"
)
func Test_SetConfigInfo(t *testing.T) {


@ -2,6 +2,7 @@ package metrics
import (
"context"
"net/http"
"net/http/httptest"
"os"
"runtime"
@ -40,7 +41,7 @@ func TestProcessCollector(t *testing.T) {
"pomerium_example_process_virtual_memory_max_bytes",
}
assert.Eventually(t, func() bool {
req := httptest.NewRequest("GET", "http://test.local/metrics", nil)
req := httptest.NewRequest(http.MethodGet, "http://test.local/metrics", nil)
rec := httptest.NewRecorder()
exp.ServeHTTP(rec, req)
str := rec.Body.String()


@ -224,7 +224,7 @@ func scrapeEndpoint(endpoint ScrapeEndpoint, labels []*io_prometheus_client.Labe
return func(ctx context.Context) promProducerResult {
name := fmt.Sprintf("%s %s", endpoint.Name, endpoint.URL.String())
req, err := http.NewRequestWithContext(ctx, "GET", endpoint.URL.String(), nil)
req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint.URL.String(), nil)
if err != nil {
return promProducerResult{name: name, err: fmt.Errorf("make request: %w", err)}
}


@ -33,7 +33,7 @@ func getMetrics(t *testing.T, envoyURL *url.URL) []byte {
if err != nil {
t.Fatal(err)
}
req := httptest.NewRequest("GET", "http://test.local/metrics", nil)
req := httptest.NewRequest(http.MethodGet, "http://test.local/metrics", nil)
rec := httptest.NewRecorder()
h.ServeHTTP(rec, req)


@ -169,7 +169,7 @@ func saveAndLogConfig(ctx context.Context, client databroker.DataBrokerServiceCl
return nil
}
func waitHealthy(ctx context.Context, client *http.Client, routes []*config.Route) error {
func waitHealthy(ctx context.Context, _ *http.Client, routes []*config.Route) error {
now := time.Now()
if err := xdserr.WaitForHealthy(ctx, httpClient, routes); err != nil {
return err
@ -184,12 +184,12 @@ func waitHealthy(ctx context.Context, client *http.Client, routes []*config.Rout
}
func saveConfig(ctx context.Context, client databroker.DataBrokerServiceClient, cfg *config.Config) error {
any := protoutil.NewAny(cfg)
data := protoutil.NewAny(cfg)
r, err := client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: "test_config",
Data: any,
Data: data,
}},
})
if err != nil {
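Review bot: In `waitHealthy` the `*http.Client` parameter was blanked while the body still calls `xdserr.WaitForHealthy(ctx, httpClient, routes)`, so the client a caller passes in is silently ignored in favour of `httpClient`, which is presumably a package-level variable. If the argument was meant to be honoured, keep the name and use it: `xdserr.WaitForHealthy(ctx, client, routes)`. If not, remove the parameter so call sites do not suggest otherwise. The rest of the function lies outside the hunk.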


@ -43,20 +43,20 @@ func DumpConfig(ctx context.Context, adminURL string) (*adminv3.RoutesConfigDump
return nil, err
}
any, _ := anypb.New(&emptypb.Empty{})
fmt.Println(protojson.Format(any))
a, _ := anypb.New(&emptypb.Empty{})
fmt.Println(protojson.Format(a))
opts := &protojson.UnmarshalOptions{
AllowPartial: true,
DiscardUnknown: true,
}
for i, data := range cfg.Configs {
any := new(anypb.Any)
if err = opts.Unmarshal(data, any); err != nil {
a := new(anypb.Any)
if err = opts.Unmarshal(data, a); err != nil {
log.Error(ctx).Err(err).Int("config", i).
//RawJSON("data", data).
// RawJSON("data", data).
Msg("decode")
} else {
log.Info(ctx).Msg(any.TypeUrl)
log.Info(ctx).Msg(a.TypeUrl)
}
}
return nil, err
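Review bot: The `a, _ := anypb.New(&emptypb.Empty{})` and `fmt.Println(protojson.Format(a))` pair was renamed rather than removed, although it prints an empty message to stdout, discards the error from `anypb.New`, and feeds into nothing that follows in the hunk. It reads as leftover debugging and could be deleted. Separately, the closing `return nil, err` hands back whatever the last `opts.Unmarshal` left in `err` and never a dump, which looks unintended given the declared `*adminv3.RoutesConfigDump` result. The function's beginning is outside the hunk, so this should be confirmed against the full body.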


@ -9,7 +9,7 @@ import (
"golang.org/x/sync/errgroup"
)
func echo(w http.ResponseWriter, r *http.Request) {
func echo(w http.ResponseWriter, _ *http.Request) {
fmt.Fprintf(w, "pong")
}


@ -19,7 +19,7 @@ import (
func AssertProtoEqual(t *testing.T, expected, actual interface{}, msgAndArgs ...interface{}) bool {
t.Helper()
return assert.True(t, cmp.Equal(expected, actual, protocmp.Transform()),
cmp.Diff(expected, actual, protocmp.Transform()))
append(msgAndArgs, cmp.Diff(expected, actual, protocmp.Transform()))...)
}
// AssertProtoJSONEqual asserts that a protobuf message matches the given JSON. The protoMsg can also be a slice
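Review bot: `append(msgAndArgs, cmp.Diff(...))...` in `AssertProtoEqual` puts the diff last, but testify treats the first element of `msgAndArgs` as a format string when more than one is given, so a caller passing a plain message gets the diff rendered as an `%!(EXTRA ...)` argument. Appending to the variadic slice can also write into the caller's backing array when it has spare capacity. Logging the diff separately avoids both: compute `diff := cmp.Diff(expected, actual, protocmp.Transform())`, emit it with `t.Logf("proto mismatch (-want +got):\n%s", diff)` when it is non-empty, and `return assert.True(t, diff == "", msgAndArgs...)`.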


@ -12,7 +12,7 @@ type mockTransport struct {
id string
}
func (t *mockTransport) RoundTrip(r *http.Request) (*http.Response, error) {
func (t *mockTransport) RoundTrip(_ *http.Request) (*http.Response, error) {
w := httptest.NewRecorder()
w.WriteString(t.id)
@ -46,7 +46,7 @@ func TestNew(t *testing.T) {
chain := NewChain(m1, m2)
resp, _ := chain.Then(t1).
RoundTrip(httptest.NewRequest("GET", "/", nil))
RoundTrip(httptest.NewRequest(http.MethodGet, "/", nil))
if len(chain.constructors) != 2 {
t.Errorf("Wrong number of constructors in chain")
@ -64,7 +64,7 @@ func TestThenNoMiddleware(t *testing.T) {
want := "t"
resp, _ := chain.Then(t1).
RoundTrip(httptest.NewRequest("GET", "/", nil))
RoundTrip(httptest.NewRequest(http.MethodGet, "/", nil))
b, _ := io.ReadAll(resp.Body)
if string(b) != want {
@ -89,7 +89,7 @@ func TestAppend(t *testing.T) {
want := "t,c2,c1"
resp, _ := chain.Then(t1).
RoundTrip(httptest.NewRequest("GET", "/", nil))
RoundTrip(httptest.NewRequest(http.MethodGet, "/", nil))
if len(chain.constructors) != 2 {
t.Errorf("Wrong number of constructors in chain")
@ -112,7 +112,7 @@ func TestAppendImmutability(t *testing.T) {
}
resp, _ := chain.Then(t1).
RoundTrip(httptest.NewRequest("GET", "/", nil))
RoundTrip(httptest.NewRequest(http.MethodGet, "/", nil))
b, _ := io.ReadAll(resp.Body)
if string(b) != want {


@ -131,7 +131,7 @@ const (
)
// WebAuthnURL returns the /.pomerium/webauthn URL.
func WebAuthnURL(r *http.Request, authenticateURL *url.URL, key []byte, values url.Values) string {
func WebAuthnURL(_ *http.Request, authenticateURL *url.URL, key []byte, values url.Values) string {
u := authenticateURL.ResolveReference(&url.URL{
Path: WebAuthnURLPath,
RawQuery: buildURLValues(values, url.Values{


@ -41,7 +41,7 @@ func TestCallbackURL(t *testing.T) {
func TestRedirectURI(t *testing.T) {
t.Run("query", func(t *testing.T) {
r, err := http.NewRequest("GET", "https://www.example.com?"+(url.Values{
r, err := http.NewRequest(http.MethodGet, "https://www.example.com?"+(url.Values{
QueryRedirectURI: {"https://www.example.com/redirect"},
}).Encode(), nil)
require.NoError(t, err)
@ -51,7 +51,7 @@ func TestRedirectURI(t *testing.T) {
assert.Equal(t, "https://www.example.com/redirect", redirectURI)
})
t.Run("form", func(t *testing.T) {
r, err := http.NewRequest("POST", "https://www.example.com", strings.NewReader((url.Values{
r, err := http.NewRequest(http.MethodPost, "https://www.example.com", strings.NewReader((url.Values{
QueryRedirectURI: {"https://www.example.com/redirect"},
}).Encode()))
require.NoError(t, err)
@ -62,7 +62,7 @@ func TestRedirectURI(t *testing.T) {
assert.Equal(t, "https://www.example.com/redirect", redirectURI)
})
t.Run("cookie", func(t *testing.T) {
r, err := http.NewRequest("GET", "https://www.example.com", nil)
r, err := http.NewRequest(http.MethodGet, "https://www.example.com", nil)
require.NoError(t, err)
r.AddCookie(&http.Cookie{
Name: QueryRedirectURI,
@ -102,7 +102,7 @@ func TestSignInURL(t *testing.T) {
func TestSignOutURL(t *testing.T) {
t.Parallel()
r := httptest.NewRequest("GET", "https://route.example.com?"+(url.Values{
r := httptest.NewRequest(http.MethodGet, "https://route.example.com?"+(url.Values{
QueryRedirectURI: {"https://www.example.com/redirect"},
}).Encode(), nil)
authenticateURL := MustParseAndValidateURL("https://authenticate.example.com")


@ -145,11 +145,6 @@ func GetDomainsForURL(u *url.URL) []string {
return []string{u.Hostname(), net.JoinHostPort(u.Hostname(), defaultPort)}
}
// IsTCP returns whether or not the given URL is for TCP via HTTP Connect.
func IsTCP(u *url.URL) bool {
return u.Scheme == "tcp+http" || u.Scheme == "tcp+https"
}
// Join joins elements of a URL with '/'.
func Join(elements ...string) string {
var builder strings.Builder


@ -128,10 +128,9 @@ func DecodePrivateKey(encodedKey []byte) (*ecdsa.PrivateKey, error) {
if block.Type == "EC PRIVATE KEY" {
break
} else {
skippedTypes = append(skippedTypes, block.Type)
continue
}
skippedTypes = append(skippedTypes, block.Type)
}
privKey, err := x509.ParseECPrivateKey(block.Bytes)


@ -42,7 +42,7 @@ func MarshalPKCS8PrivateKey(key interface{}) ([]byte, error) {
}
curvePrivateKey, err := asn1.Marshal(kek.KeyBytes())
if err != nil {
return nil, fmt.Errorf("cryptutil: failed to marshal private key: %v", err)
return nil, fmt.Errorf("cryptutil: failed to marshal private key: %w", err)
}
privKey.PrivateKey = curvePrivateKey
return asn1.Marshal(privKey)
@ -86,7 +86,7 @@ func ParsePKCS8PrivateKey(der []byte) (interface{}, error) {
if privKey.Algo.Algorithm.Equal(oidPublicKeyX25519) {
var bs []byte
if _, err := asn1.Unmarshal(privKey.PrivateKey, &bs); err != nil {
return nil, fmt.Errorf("cryptutil: invalid X25519 private key: %v", err)
return nil, fmt.Errorf("cryptutil: invalid X25519 private key: %w", err)
}
return NewPrivateKeyEncryptionKey(bs)
}


@ -4,6 +4,7 @@ package databroker
import (
"context"
"encoding/json"
"errors"
"fmt"
"io"
@ -111,7 +112,7 @@ loop:
for {
res, err := stream.Recv()
switch {
case err == io.EOF:
case errors.Is(err, io.EOF):
break loop
case err != nil:
return nil, 0, 0, fmt.Errorf("error receiving record: %w", err)


@ -15,11 +15,11 @@ type mockFF struct {
update chan uint64
}
func (ff *mockFF) ClearRecords(ctx context.Context) {
func (ff *mockFF) ClearRecords(_ context.Context) {
ff.clear <- struct{}{}
}
func (ff *mockFF) UpdateRecords(ctx context.Context, sv uint64, records []*Record) {
func (ff *mockFF) UpdateRecords(_ context.Context, sv uint64, _ []*Record) {
time.Sleep(time.Millisecond * time.Duration(rand.Intn(5)))
ff.update <- sv
}


@ -20,7 +20,7 @@ type retryableError struct {
}
func (err retryableError) Is(target error) bool {
if _, ok := target.(retryableError); ok {
if _, ok := target.(retryableError); ok { //nolint:errorlint
return true
}
return false
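Review bot: The new `//nolint:errorlint` on the type assertion in `retryableError.Is` has no reason attached, and the repository's lint configuration enables `nolintlint`, which may require one depending on its settings. The direct assertion is correct here, since an `Is` method should compare `target` itself rather than walk its chain, so I would record that: `//nolint:errorlint // Is must inspect target itself, not unwrap it`. The `if`/`return true`/`return false` sequence could also collapse to `_, ok := target.(retryableError)` followed by `return ok`.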


@ -27,12 +27,12 @@ func DeleteCredential(
return nil, err
}
any := protoutil.NewAny(credential)
data := protoutil.NewAny(credential)
_, err = client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: credentialID,
Data: any,
Data: data,
DeletedAt: timestamppb.Now(),
}},
})
@ -52,12 +52,12 @@ func DeleteEnrollment(
return nil, err
}
any := protoutil.NewAny(enrollment)
data := protoutil.NewAny(enrollment)
_, err = client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: enrollmentID,
Data: any,
Data: data,
DeletedAt: timestamppb.Now(),
}},
})
@ -70,10 +70,10 @@ func GetCredential(
client databroker.DataBrokerServiceClient,
credentialID string,
) (*Credential, error) {
any := protoutil.NewAny(new(Credential))
data := protoutil.NewAny(new(Credential))
res, err := client.Get(ctx, &databroker.GetRequest{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: credentialID,
})
if err != nil {
@ -95,10 +95,10 @@ func GetEnrollment(
client databroker.DataBrokerServiceClient,
enrollmentID string,
) (*Enrollment, error) {
any := protoutil.NewAny(new(Enrollment))
data := protoutil.NewAny(new(Enrollment))
res, err := client.Get(ctx, &databroker.GetRequest{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: enrollmentID,
})
if err != nil {
@ -120,10 +120,10 @@ func GetOwnerCredentialRecord(
client databroker.DataBrokerServiceClient,
credentialID []byte,
) (*OwnerCredentialRecord, error) {
any := protoutil.NewAny(new(OwnerCredentialRecord))
data := protoutil.NewAny(new(OwnerCredentialRecord))
res, err := client.Get(ctx, &databroker.GetRequest{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: base58.Encode(credentialID),
})
if err != nil {
@ -145,10 +145,10 @@ func GetType(
client databroker.DataBrokerServiceClient,
typeID string,
) (*Type, error) {
any := protoutil.NewAny(new(Type))
data := protoutil.NewAny(new(Type))
res, err := client.Get(ctx, &databroker.GetRequest{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: typeID,
})
if err != nil {
@ -172,12 +172,12 @@ func PutCredential(
) error {
shrinkCredential(credential)
any := protoutil.NewAny(credential)
data := protoutil.NewAny(credential)
_, err := client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: credential.GetId(),
Data: any,
Data: data,
}},
})
return err
@ -189,12 +189,12 @@ func PutEnrollment(
client databroker.DataBrokerServiceClient,
enrollment *Enrollment,
) error {
any := protoutil.NewAny(enrollment)
data := protoutil.NewAny(enrollment)
_, err := client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: enrollment.GetId(),
Data: any,
Data: data,
}},
})
return err
@ -206,12 +206,12 @@ func PutOwnerCredentialRecord(
client databroker.DataBrokerServiceClient,
ownerCredentialRecord *OwnerCredentialRecord,
) error {
any := protoutil.NewAny(ownerCredentialRecord)
data := protoutil.NewAny(ownerCredentialRecord)
_, err := client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: base58.Encode(ownerCredentialRecord.GetId()),
Data: any,
Data: data,
}},
})
return err


@ -17,12 +17,12 @@ import (
// Delete deletes a session from the databroker.
func Delete(ctx context.Context, client databroker.DataBrokerServiceClient, sessionID string) error {
any := protoutil.NewAny(new(Session))
data := protoutil.NewAny(new(Session))
_, err := client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: sessionID,
Data: any,
Data: data,
DeletedAt: timestamppb.Now(),
}},
})
@ -31,9 +31,9 @@ func Delete(ctx context.Context, client databroker.DataBrokerServiceClient, sess
// Get gets a session from the databroker.
func Get(ctx context.Context, client databroker.DataBrokerServiceClient, sessionID string) (*Session, error) {
any := protoutil.NewAny(new(Session))
data := protoutil.NewAny(new(Session))
res, err := client.Get(ctx, &databroker.GetRequest{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: sessionID,
})
if err != nil {
@ -51,12 +51,12 @@ func Get(ctx context.Context, client databroker.DataBrokerServiceClient, session
// Put sets a session in the databroker.
func Put(ctx context.Context, client databroker.DataBrokerServiceClient, s *Session) (*databroker.PutResponse, error) {
s = proto.Clone(s).(*Session)
any := protoutil.NewAny(s)
data := protoutil.NewAny(s)
res, err := client.Put(ctx, &databroker.PutRequest{
Records: []*databroker.Record{{
Type: any.GetTypeUrl(),
Type: data.GetTypeUrl(),
Id: s.Id,
Data: any,
Data: data,
}},
})
return res, err


@ -20,7 +20,7 @@ func TestHPKEPublicKeyHandler(t *testing.T) {
w := httptest.NewRecorder()
r := httptest.NewRequest(http.MethodOptions, "/", nil)
r.Header.Set("Origin", "https://www.example.com")
r.Header.Set("Access-Control-Request-Method", "GET")
r.Header.Set("Access-Control-Request-Method", http.MethodGet)
handlers.HPKEPublicKeyHandler(k1.PublicKey()).ServeHTTP(w, r)
assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
})


@ -1,6 +1,7 @@
package criteria
import (
"net/http"
"testing"
"github.com/stretchr/testify/require"
@ -15,7 +16,7 @@ allow:
`, []dataBrokerRecord{}, Input{HTTP: InputHTTP{
Method: "OPTIONS",
Headers: map[string][]string{
"Access-Control-Request-Method": {"GET"},
"Access-Control-Request-Method": {http.MethodGet},
"Origin": {"example.com"},
},
}})


@ -20,8 +20,10 @@ import (
"github.com/pomerium/pomerium/pkg/protoutil"
)
type A = []interface{}
type M = map[string]interface{}
type (
A = []interface{}
M = map[string]interface{}
)
var testingNow = time.Date(2021, 5, 11, 13, 43, 0, 0, time.Local)
@ -98,8 +100,8 @@ func evaluate(t *testing.T,
}
for _, record := range dataBrokerRecords {
any := protoutil.NewAny(record)
if string(recordType) == any.GetTypeUrl() &&
data := protoutil.NewAny(record)
if string(recordType) == data.GetTypeUrl() &&
string(recordID) == record.GetId() {
bs, _ := json.Marshal(record)
v, err := ast.ValueFromReader(bytes.NewReader(bs))
