From a2fd95aae6a6532b8c74e8ee192cd4759a5cd84f Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Thu, 14 Dec 2023 10:07:54 -0700 Subject: [PATCH] core/ci: update linting (#4844) * core/ci: update linting * re-add exportloopref * re-add gocheckcompilerdirectives * re-add stylecheck * re-add usestdlibvars * upgrade lint --------- Co-authored-by: Denis Mishin --- .github/workflows/lint.yaml | 2 +- .golangci.yml | 105 +----------------- authorize/evaluator/evaluator_test.go | 6 +- config/autocert.go | 1 - config/envoyconfig/acmetlsalpn_test.go | 1 - config/envoyconfig/clusters.go | 1 + config/layered.go | 4 +- config/mtls_test.go | 71 ++++++++---- config/options.go | 4 +- config/policy.go | 10 +- integration/policy_test.go | 2 +- internal/authenticateflow/stateful_test.go | 2 +- internal/deterministicecdsa/ecdsa.go | 6 +- internal/fileutil/fileutil_test.go | 2 +- internal/httputil/router_test.go | 24 ---- internal/httputil/server_test.go | 1 - internal/identity/manager/manager_test.go | 3 +- internal/retry/error.go | 1 - internal/telemetry/metrics/grpc.go | 3 +- internal/zero/bootstrap/file.go | 2 +- internal/zero/bootstrap/source.go | 14 +-- .../zero/reconciler/bundles_format_test.go | 3 +- .../zero/reconciler/bundles_queue_test.go | 1 - internal/zero/reconciler/download_cache.go | 6 +- pkg/encoding/base58/base58.go | 6 +- pkg/grpc/databroker/leaser.go | 2 +- pkg/grpc/health.go | 3 +- .../criteria/client_certificate_test.go | 51 ++++++--- pkg/protoutil/fieldmask_test.go | 3 +- ui/embed_local.go | 6 +- 30 files changed, 132 insertions(+), 214 deletions(-) delete mode 100644 internal/httputil/router_test.go diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index ae1b33c0b..ecb894aa6 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -22,5 +22,5 @@ jobs: - uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc with: - version: v1.52 + version: v1.55 args: --timeout=10m diff --git a/.golangci.yml b/.golangci.yml index 207b7d432..7175f01c9 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -2,68 +2,31 @@ run: deadline: 20m linters-settings: - dupl: - threshold: 100 - funlen: - lines: 100 - statements: 50 gci: - local-prefixes: github.com/pomerium - goconst: - min-len: 2 - min-occurrences: 2 - gocritic: - enabled-tags: - - diagnostic - - experimental - - opinionated - - performance - - style - disabled-checks: - - dupImport # https://github.com/go-critic/go-critic/issues/845 - - ifElseChain - - octalLiteral - - whyNoLint - - wrapperFunc - gocyclo: - min-complexity: 15 - goimports: - local-prefixes: github.com/pomerium - govet: - check-shadowing: false - lll: - line-length: 160 - maligned: - suggest-new: true - misspell: - locale: US - nolintlint: - allow-leading-space: true # don't require machine-readable nolint directives (i.e. with no leading space) - allow-unused: false # report any unused nolint directives - require-explanation: false # don't require an explanation for nolint directives - require-specific: false # don't require nolint directives to be specific about which linter is being skipped + custom-order: true + sections: + - standard + - default + - prefix(github.com/pomerium) linters: disable-all: true enable: - asasalint - bodyclose - - depguard - dogsled - errcheck - errorlint - exportloopref - gci - gocheckcompilerdirectives - - gofmt + - gofumpt - goimports - goprintffuncname - gosec - gosimple - govet - ineffassign - - lll - - loggercheck - misspell - nakedret - nolintlint @@ -71,13 +34,11 @@ linters: - staticcheck - stylecheck - tenv - - typecheck - unconvert - unused - usestdlibvars issues: - exclude-use-default: false # List of regexps of issue texts to exclude, empty list by default. # But independently from this option we use default exclude patterns, # it can be disabled by `exclude-use-default: false`. To list all @@ -86,51 +47,13 @@ issues: ## Defaults we want from golangci-lint # errcheck: Almost all programs ignore errors on these functions and in most cases it's ok - Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked - # golint: False positive when tests are defined in package 'test' - - func name will be used as test\.Test.* by other packages, and that stutters; consider calling this - # govet: Common false positives - - (possible misuse of unsafe.Pointer|should have signature) - # staticcheck: Developers tend to write in C-style with an explicit 'break' in a 'switch', so it's ok to ignore - - ineffective break statement. Did you mean to break out of the outer loop - # gosec: Too many false-positives on 'unsafe' usage - - Use of unsafe calls should be audited - # gosec: Too many false-positives for parametrized shell calls - - Subprocess launch(ed with variable|ing should be audited) - # gosec: Duplicated errcheck checks - - G104 - # gosec: unsafe close on file errors - - G307 - # gosec: Too many issues in popular repos - - (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less) - # gosec: False positive is triggered by 'src, err := os.ReadFile(filename)' - - Potential file inclusion via variable - empty-block - ## - ## Custom - ## - # Mostly harmless buffer writes where we skip error checking - # https://golang.org/pkg/bytes/#Buffer.Write - - "Error return value of `w.Write` is not checked" - - "Error return value of `io.WriteString` is not checked" - - "Error return value of `viper.BindEnv` is not checked" - - "Error return value of `h.Write` is not checked" - - "ExecuteTemplate` is not checked" - # go sec : we want to allow skipping tls auth - "TLS InsecureSkipVerify set true." - - "goroutine calls T.Fatalf, which must be called in the same goroutine as the test" - # good job Protobuffs! - - "method XXX" - "SA1019" - # EXC0001 errcheck: Almost all programs ignore errors on these functions and in most cases it's ok - - Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*print(f|ln)?|os\.(Un)?Setenv). is not checked exclude-rules: - # https://github.com/go-critic/go-critic/issues/926 - - linters: - - gocritic - text: "unnecessaryDefer:" # Exclude some linters from running on test files. - path: _test\.go$|^tests/|^integration/|^samples/|templates\.go$ linters: @@ -146,26 +69,10 @@ issues: - scopelint - gosec - gosimple - # Exclude lll issues for long lines with go:generate - - linters: - - lll - source: "^//go:generate " - # erroneously thinks google api url is a cred - - path: internal/identity/google.go - text: "Potential hardcoded credentials" - linters: - - gosec - # deprecated but every example still uses New - - path: internal/identity/google.go - text: "please use NewService instead" - linters: - - staticcheck - path: internal/identity/oauth/github/github.go text: "Potential hardcoded credentials" linters: - gosec - - linters: [golint] - text: "should have a package comment" - text: "G112:" linters: - gosec diff --git a/authorize/evaluator/evaluator_test.go b/authorize/evaluator/evaluator_test.go index 90de62c3b..588bd1a33 100644 --- a/authorize/evaluator/evaluator_test.go +++ b/authorize/evaluator/evaluator_test.go @@ -649,8 +649,10 @@ func TestPolicyEvaluatorReuse(t *testing.T) { // Make changes to some of the policies. newPolicies := []config.Policy{ {To: singleToURL("https://to1.example.com")}, - {To: singleToURL("https://to2.example.com"), - AllowedUsers: []string{"user-id-1"}}, // change just the policy itself + { + To: singleToURL("https://to2.example.com"), + AllowedUsers: []string{"user-id-1"}, + }, // change just the policy itself {To: singleToURL("https://to3.example.com")}, {To: singleToURL("https://foo.example.com"), // change route ID too AllowAnyAuthenticatedUser: true}, diff --git a/config/autocert.go b/config/autocert.go index eed8e6355..cb9d456f5 100644 --- a/config/autocert.go +++ b/config/autocert.go @@ -59,7 +59,6 @@ type AutocertOptions struct { // Validate ensures the Options fields are valid, and hydrated. func (o *AutocertOptions) Validate() error { - // validate ACME EAB settings if o.EABKeyID != "" && o.EABMACKey == "" { return errors.New("config: Autocert EAB MAC Key required when Key ID is provided") diff --git a/config/envoyconfig/acmetlsalpn_test.go b/config/envoyconfig/acmetlsalpn_test.go index 65ad85cd2..9af05afc3 100644 --- a/config/envoyconfig/acmetlsalpn_test.go +++ b/config/envoyconfig/acmetlsalpn_test.go @@ -31,7 +31,6 @@ func TestBuilder_buildACMETLSALPNCluster(t *testing.T) { b.buildACMETLSALPNCluster(&config.Config{ ACMETLSALPNPort: "1234", })) - } func TestBuilder_buildACMETLSALPNFilterChain(t *testing.T) { diff --git a/config/envoyconfig/clusters.go b/config/envoyconfig/clusters.go index 5baad4850..34143feca 100644 --- a/config/envoyconfig/clusters.go +++ b/config/envoyconfig/clusters.go @@ -213,6 +213,7 @@ func (b *Builder) buildPolicyEndpoints( ) ([]Endpoint, error) { var endpoints []Endpoint for _, dst := range policy.To { + dst := dst ts, err := b.buildPolicyTransportSocket(ctx, cfg, policy, dst.URL) if err != nil { return nil, err diff --git a/config/layered.go b/config/layered.go index 5cdba509e..3a6446746 100644 --- a/config/layered.go +++ b/config/layered.go @@ -20,9 +20,7 @@ type LayeredSource struct { ChangeDispatcher } -var ( - _ = Source(&LayeredSource{}) -) +var _ = Source(&LayeredSource{}) // NewLayeredSource creates a new config source that is watching the underlying source for changes func NewLayeredSource(ctx context.Context, underlying Source, builder func(*Config) error) (*LayeredSource, error) { diff --git a/config/mtls_test.go b/config/mtls_test.go index 0fdb5a29b..f1d4d59b8 100644 --- a/config/mtls_test.go +++ b/config/mtls_test.go @@ -14,7 +14,7 @@ func TestDownstreamMTLSSettingsGetCA(t *testing.T) { fakeCACert := []byte("--- FAKE CA CERT ---") caFile := filepath.Join(t.TempDir(), "CA.pem") - os.WriteFile(caFile, fakeCACert, 0644) + os.WriteFile(caFile, fakeCACert, 0o644) cases := []struct { label string @@ -41,7 +41,7 @@ func TestDownstreamMTLSSettingsGetCRL(t *testing.T) { fakeCRL := []byte("--- FAKE CRL ---") crlFile := filepath.Join(t.TempDir(), "CRL.pem") - os.WriteFile(crlFile, fakeCRL, 0644) + os.WriteFile(crlFile, fakeCRL, 0o644) cases := []struct { label string @@ -71,17 +71,23 @@ func TestDownstreamMTLSSettingsGetEnforcement(t *testing.T) { settings DownstreamMTLSSettings expected MTLSEnforcement }{ - {"default", - DownstreamMTLSSettings{}, MTLSEnforcementPolicyWithDefaultDeny, + { + "default", + DownstreamMTLSSettings{}, + MTLSEnforcementPolicyWithDefaultDeny, }, - {"policy", - DownstreamMTLSSettings{Enforcement: "policy"}, MTLSEnforcementPolicy, + { + "policy", + DownstreamMTLSSettings{Enforcement: "policy"}, + MTLSEnforcementPolicy, }, - {"policy_with_default_deny", + { + "policy_with_default_deny", DownstreamMTLSSettings{Enforcement: "policy_with_default_deny"}, MTLSEnforcementPolicyWithDefaultDeny, }, - {"reject_connection", + { + "reject_connection", DownstreamMTLSSettings{Enforcement: "reject_connection"}, MTLSEnforcementRejectConnection, }, @@ -122,20 +128,41 @@ func TestDownstreamMTLSSettingsValidate(t *testing.T) { errorMsg string }{ {"not set", DownstreamMTLSSettings{}, ""}, - {"both CA and CA file", DownstreamMTLSSettings{CA: "CA", CAFile: "CAFile"}, - "cannot set both ca and ca_file"}, - {"bad CA", DownstreamMTLSSettings{CA: "not%valid%base64%data"}, - "CA: illegal base64 data at input byte 3"}, - {"bad CA file", DownstreamMTLSSettings{CAFile: "-"}, - "CA file: open -: no such file or directory"}, - {"both CRL and CRL file", DownstreamMTLSSettings{CRL: "CRL", CRLFile: "CRLFile"}, - "cannot set both crl and crl_file"}, - {"bad CRL", DownstreamMTLSSettings{CRL: "dGhpc2lzZmluZQo="}, - "CRL: cryptutil: non-PEM data in CRL bundle"}, - {"bad CRL file", DownstreamMTLSSettings{CRLFile: "-"}, - "CRL file: open -: no such file or directory"}, - {"bad enforcement mode", DownstreamMTLSSettings{Enforcement: "whatever"}, - "unknown enforcement option"}, + { + "both CA and CA file", + DownstreamMTLSSettings{CA: "CA", CAFile: "CAFile"}, + "cannot set both ca and ca_file", + }, + { + "bad CA", + DownstreamMTLSSettings{CA: "not%valid%base64%data"}, + "CA: illegal base64 data at input byte 3", + }, + { + "bad CA file", + DownstreamMTLSSettings{CAFile: "-"}, + "CA file: open -: no such file or directory", + }, + { + "both CRL and CRL file", + DownstreamMTLSSettings{CRL: "CRL", CRLFile: "CRLFile"}, + "cannot set both crl and crl_file", + }, + { + "bad CRL", + DownstreamMTLSSettings{CRL: "dGhpc2lzZmluZQo="}, + "CRL: cryptutil: non-PEM data in CRL bundle", + }, + { + "bad CRL file", + DownstreamMTLSSettings{CRLFile: "-"}, + "CRL file: open -: no such file or directory", + }, + { + "bad enforcement mode", + DownstreamMTLSSettings{Enforcement: "whatever"}, + "unknown enforcement option", + }, {"bad SAN type", DownstreamMTLSSettings{MatchSubjectAltNames: []SANMatcher{ {Type: "whatever"}, }}, `unknown SAN type "whatever"`}, diff --git a/config/options.go b/config/options.go index 4fb0b781d..43a757e6c 100644 --- a/config/options.go +++ b/config/options.go @@ -269,7 +269,7 @@ type Options struct { // GoogleCloudServerlessAuthenticationServiceAccount is the service account to use for GCP serverless authentication. // If unset, the GCP metadata server will be used to query for identity tokens. - GoogleCloudServerlessAuthenticationServiceAccount string `mapstructure:"google_cloud_serverless_authentication_service_account" yaml:"google_cloud_serverless_authentication_service_account,omitempty"` //nolint + GoogleCloudServerlessAuthenticationServiceAccount string `mapstructure:"google_cloud_serverless_authentication_service_account" yaml:"google_cloud_serverless_authentication_service_account,omitempty"` // UseProxyProtocol configures the HTTP listener to require the HAProxy proxy protocol (either v1 or v2) on incoming requests. UseProxyProtocol bool `mapstructure:"use_proxy_protocol" yaml:"use_proxy_protocol,omitempty" json:"use_proxy_protocol,omitempty"` @@ -293,7 +293,7 @@ type Options struct { EnvoyBindConfigFreebind null.Bool `mapstructure:"envoy_bind_config_freebind" yaml:"envoy_bind_config_freebind,omitempty"` // ProgrammaticRedirectDomainWhitelist restricts the allowed redirect URLs when using programmatic login. - ProgrammaticRedirectDomainWhitelist []string `mapstructure:"programmatic_redirect_domain_whitelist" yaml:"programmatic_redirect_domain_whitelist,omitempty" json:"programmatic_redirect_domain_whitelist,omitempty"` //nolint + ProgrammaticRedirectDomainWhitelist []string `mapstructure:"programmatic_redirect_domain_whitelist" yaml:"programmatic_redirect_domain_whitelist,omitempty" json:"programmatic_redirect_domain_whitelist,omitempty"` // CodecType is the codec to use for downstream connections. CodecType CodecType `mapstructure:"codec_type" yaml:"codec_type"` diff --git a/config/policy.go b/config/policy.go index b530ce817..d6d2c4ec5 100644 --- a/config/policy.go +++ b/config/policy.go @@ -53,13 +53,13 @@ type Policy struct { // Path Rewrite Options PrefixRewrite string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"` RegexRewritePattern string `mapstructure:"regex_rewrite_pattern" yaml:"regex_rewrite_pattern,omitempty" json:"regex_rewrite_pattern,omitempty"` - RegexRewriteSubstitution string `mapstructure:"regex_rewrite_substitution" yaml:"regex_rewrite_substitution,omitempty" json:"regex_rewrite_substitution,omitempty"` //nolint + RegexRewriteSubstitution string `mapstructure:"regex_rewrite_substitution" yaml:"regex_rewrite_substitution,omitempty" json:"regex_rewrite_substitution,omitempty"` // Host Rewrite Options HostRewrite string `mapstructure:"host_rewrite" yaml:"host_rewrite,omitempty" json:"host_rewrite,omitempty"` HostRewriteHeader string `mapstructure:"host_rewrite_header" yaml:"host_rewrite_header,omitempty" json:"host_rewrite_header,omitempty"` - HostPathRegexRewritePattern string `mapstructure:"host_path_regex_rewrite_pattern" yaml:"host_path_regex_rewrite_pattern,omitempty" json:"host_path_regex_rewrite_pattern,omitempty"` //nolint - HostPathRegexRewriteSubstitution string `mapstructure:"host_path_regex_rewrite_substitution" yaml:"host_path_regex_rewrite_substitution,omitempty" json:"host_path_regex_rewrite_substitution,omitempty"` //nolint + HostPathRegexRewritePattern string `mapstructure:"host_path_regex_rewrite_pattern" yaml:"host_path_regex_rewrite_pattern,omitempty" json:"host_path_regex_rewrite_pattern,omitempty"` + HostPathRegexRewriteSubstitution string `mapstructure:"host_path_regex_rewrite_substitution" yaml:"host_path_regex_rewrite_substitution,omitempty" json:"host_path_regex_rewrite_substitution,omitempty"` // Allow unauthenticated HTTP OPTIONS requests as per the CORS spec // https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests @@ -156,14 +156,14 @@ type Policy struct { // EnableGoogleCloudServerlessAuthentication adds "Authorization: Bearer ID_TOKEN" headers // to upstream requests. - EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"` //nolint + EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"` SubPolicies []SubPolicy `mapstructure:"sub_policies" yaml:"sub_policies,omitempty" json:"sub_policies,omitempty"` EnvoyOpts *envoy_config_cluster_v3.Cluster `mapstructure:"_envoy_opts" yaml:"-" json:"-"` // RewriteResponseHeaders rewrites response headers. This can be used to change the Location header. - RewriteResponseHeaders []RewriteHeader `mapstructure:"rewrite_response_headers" yaml:"rewrite_response_headers,omitempty" json:"rewrite_response_headers,omitempty"` //nolint + RewriteResponseHeaders []RewriteHeader `mapstructure:"rewrite_response_headers" yaml:"rewrite_response_headers,omitempty" json:"rewrite_response_headers,omitempty"` // SetResponseHeaders sets response headers. SetResponseHeaders map[string]string `mapstructure:"set_response_headers" yaml:"set_response_headers,omitempty"` diff --git a/integration/policy_test.go b/integration/policy_test.go index 0b9e9a51d..ab74a47e0 100644 --- a/integration/policy_test.go +++ b/integration/policy_test.go @@ -527,7 +527,7 @@ func TestPomeriumJWT(t *testing.T) { // format of the iat and exp timestamps. // (https://github.com/pomerium/pomerium/issues/4149) p := rawJWTPayload(t, headerJWT) - var digitsOnly = regexp.MustCompile(`^\d+$`) + digitsOnly := regexp.MustCompile(`^\d+$`) assert.Regexp(t, digitsOnly, p["iat"]) assert.Regexp(t, digitsOnly, p["exp"]) diff --git a/internal/authenticateflow/stateful_test.go b/internal/authenticateflow/stateful_test.go index a5f0e83ef..51f1a62a3 100644 --- a/internal/authenticateflow/stateful_test.go +++ b/internal/authenticateflow/stateful_test.go @@ -248,7 +248,7 @@ func TestStatefulCallback(t *testing.T) { } r := httptest.NewRequest(http.MethodGet, uri.String(), nil) - //fmt.Println(uri.String()) + // fmt.Println(uri.String()) r.Host = r.URL.Host r.Header.Set("Accept", "application/json") diff --git a/internal/deterministicecdsa/ecdsa.go b/internal/deterministicecdsa/ecdsa.go index 05571e2ea..ae2125b35 100644 --- a/internal/deterministicecdsa/ecdsa.go +++ b/internal/deterministicecdsa/ecdsa.go @@ -125,13 +125,13 @@ func Sign(rand io.Reader, priv *ecdsa.PrivateKey, hash []byte) (r, s *big.Int, e c := priv.PublicKey.Curve N := c.Params().N - var k, kInv *big.Int //nolint + var k, kInv *big.Int for { for { k, err = randFieldElement(c, rand) if err != nil { r = nil - return + return r, s, err } kInv = new(big.Int).ModInverse(k, N) @@ -152,5 +152,5 @@ func Sign(rand io.Reader, priv *ecdsa.PrivateKey, hash []byte) (r, s *big.Int, e } } - return //nolint + return r, s, err } diff --git a/internal/fileutil/fileutil_test.go b/internal/fileutil/fileutil_test.go index aebab7c53..3f09961c6 100644 --- a/internal/fileutil/fileutil_test.go +++ b/internal/fileutil/fileutil_test.go @@ -57,7 +57,7 @@ func TestReadFileUpTo(t *testing.T) { d := t.TempDir() input := []byte{1, 2, 3, 4, 5, 6, 7, 8, 9} fname := path.Join(d, "test") - require.NoError(t, os.WriteFile(fname, input, 0600)) + require.NoError(t, os.WriteFile(fname, input, 0o600)) for _, tc := range []struct { size int diff --git a/internal/httputil/router_test.go b/internal/httputil/router_test.go deleted file mode 100644 index 60bfb321c..000000000 --- a/internal/httputil/router_test.go +++ /dev/null @@ -1,24 +0,0 @@ -package httputil - -import ( - "reflect" - "testing" - - "github.com/gorilla/mux" -) - -func TestNewRouter(t *testing.T) { - tests := []struct { - name string - want *mux.Router - }{ - {"this is a gorilla router right?", mux.NewRouter()}, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := NewRouter(); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewRouter() = %v, want %v", got, tt.want) - } - }) - } -} diff --git a/internal/httputil/server_test.go b/internal/httputil/server_test.go index 8d17bf457..da4df3f3a 100644 --- a/internal/httputil/server_test.go +++ b/internal/httputil/server_test.go @@ -29,7 +29,6 @@ func TestNewServer(t *testing.T) { // want *http.Server wantErr bool }{ - { "good basic http handler", &ServerOptions{ diff --git a/internal/identity/manager/manager_test.go b/internal/identity/manager/manager_test.go index 3fb374e4a..1f7d0d14a 100644 --- a/internal/identity/manager/manager_test.go +++ b/internal/identity/manager/manager_test.go @@ -252,7 +252,8 @@ func TestManager_refreshSession(t *testing.T) { FieldMask: &fieldmaskpb.FieldMask{ Paths: []string{"oauth_token", "id_token", "claims"}, }, - }}). + }, + }). Return(nil /* this result is currently unused */, nil) mgr.refreshSession(context.Background(), "user-id", "session-id") diff --git a/internal/retry/error.go b/internal/retry/error.go index bc7d25a31..d97d45d83 100644 --- a/internal/retry/error.go +++ b/internal/retry/error.go @@ -28,7 +28,6 @@ func (e *terminalError) Unwrap() error { // Is implements errors.Is for terminalError func (e *terminalError) Is(err error) bool { - //nolint:errorlint _, ok := err.(*terminalError) return ok } diff --git a/internal/telemetry/metrics/grpc.go b/internal/telemetry/metrics/grpc.go index 4dd94aa42..7ad043133 100644 --- a/internal/telemetry/metrics/grpc.go +++ b/internal/telemetry/metrics/grpc.go @@ -124,7 +124,8 @@ func GRPCClientInterceptor(service string) grpc.UnaryClientInterceptor { reply interface{}, cc *grpc.ClientConn, invoker grpc.UnaryInvoker, - opts ...grpc.CallOption) error { + opts ...grpc.CallOption, + ) error { // Split the method into parts for better slicing rpcInfo := strings.SplitN(method, "/", 3) var rpcMethod string diff --git a/internal/zero/bootstrap/file.go b/internal/zero/bootstrap/file.go index ed6b74bff..41fe14d9e 100644 --- a/internal/zero/bootstrap/file.go +++ b/internal/zero/bootstrap/file.go @@ -46,7 +46,7 @@ func SaveBootstrapConfigToFile(src *cluster_api.BootstrapConfig, fp string, ciph } ciphertext := cryptutil.Encrypt(cipher, plaintext, nil) - err = os.WriteFile(fp, ciphertext, 0600) + err = os.WriteFile(fp, ciphertext, 0o600) if err != nil { return fmt.Errorf("write bootstrap config: %w", err) } diff --git a/internal/zero/bootstrap/source.go b/internal/zero/bootstrap/source.go index 7e64d383e..a7a190f74 100644 --- a/internal/zero/bootstrap/source.go +++ b/internal/zero/bootstrap/source.go @@ -12,16 +12,12 @@ import ( cluster_api "github.com/pomerium/pomerium/pkg/zero/cluster" ) -var ( - _ = config.Source(new(source)) -) +var _ = config.Source(new(source)) -var ( - cmpOpts = []cmp.Option{ - cmpopts.IgnoreUnexported(config.Options{}), - cmpopts.EquateEmpty(), - } -) +var cmpOpts = []cmp.Option{ + cmpopts.IgnoreUnexported(config.Options{}), + cmpopts.EquateEmpty(), +} type source struct { cfg atomicutil.Value[*config.Config] diff --git a/internal/zero/reconciler/bundles_format_test.go b/internal/zero/reconciler/bundles_format_test.go index 0af272a63..1b718e452 100644 --- a/internal/zero/reconciler/bundles_format_test.go +++ b/internal/zero/reconciler/bundles_format_test.go @@ -16,7 +16,6 @@ import ( ) func TestReadRecords(t *testing.T) { - dir := t.TempDir() fd, err := os.CreateTemp(dir, "config") require.NoError(t, err) @@ -34,7 +33,7 @@ func TestReadRecords(t *testing.T) { } func writeSampleRecords(dst io.Writer) error { - var marshalOpts = protodelim.MarshalOptions{ + marshalOpts := protodelim.MarshalOptions{ MarshalOptions: proto.MarshalOptions{ AllowPartial: false, Deterministic: true, diff --git a/internal/zero/reconciler/bundles_queue_test.go b/internal/zero/reconciler/bundles_queue_test.go index dd2190292..0b6196ce6 100644 --- a/internal/zero/reconciler/bundles_queue_test.go +++ b/internal/zero/reconciler/bundles_queue_test.go @@ -73,7 +73,6 @@ func TestQueueMarkForSyncLater(t *testing.T) { assert.Equal(t, "bundle1", id4) assert.False(t, ok5, "Expected no more bundles to sync") assert.Empty(t, id5) - } func TestQueueGetNextBundleToSync(t *testing.T) { diff --git a/internal/zero/reconciler/download_cache.go b/internal/zero/reconciler/download_cache.go index 94563792f..42b06150f 100644 --- a/internal/zero/reconciler/download_cache.go +++ b/internal/zero/reconciler/download_cache.go @@ -37,10 +37,8 @@ const ( BundleCacheEntryRecordType = "pomerium.io/BundleCacheEntry" ) -var ( - // ErrBundleCacheEntryNotFound is returned when a bundle cache entry is not found - ErrBundleCacheEntryNotFound = errors.New("bundle cache entry not found") -) +// ErrBundleCacheEntryNotFound is returned when a bundle cache entry is not found +var ErrBundleCacheEntryNotFound = errors.New("bundle cache entry not found") // GetBundleCacheEntry gets a bundle cache entry from the databroker func (c *service) GetBundleCacheEntry(ctx context.Context, id string) (*BundleCacheEntry, error) { diff --git a/pkg/encoding/base58/base58.go b/pkg/encoding/base58/base58.go index 05b58df3f..928cb9a32 100644 --- a/pkg/encoding/base58/base58.go +++ b/pkg/encoding/base58/base58.go @@ -8,8 +8,10 @@ package base58 import "math/big" -var bigRadix = big.NewInt(58) -var bigZero = big.NewInt(0) +var ( + bigRadix = big.NewInt(58) + bigZero = big.NewInt(0) +) // Decode decodes a modified base58 string to a byte slice. func Decode(b string) []byte { diff --git a/pkg/grpc/databroker/leaser.go b/pkg/grpc/databroker/leaser.go index 0d4a4a62a..223280d7c 100644 --- a/pkg/grpc/databroker/leaser.go +++ b/pkg/grpc/databroker/leaser.go @@ -20,7 +20,7 @@ type retryableError struct { } func (err retryableError) Is(target error) bool { - if _, ok := target.(retryableError); ok { //nolint:errorlint + if _, ok := target.(retryableError); ok { return true } return false diff --git a/pkg/grpc/health.go b/pkg/grpc/health.go index b44eae97c..038f44615 100644 --- a/pkg/grpc/health.go +++ b/pkg/grpc/health.go @@ -10,8 +10,7 @@ import ( "github.com/pomerium/pomerium/internal/log" ) -type healthCheckSrv struct { -} +type healthCheckSrv struct{} // NewHealthCheckServer returns a basic health checker func NewHealthCheckServer() grpc_health.HealthServer { diff --git a/pkg/policy/criteria/client_certificate_test.go b/pkg/policy/criteria/client_certificate_test.go index 77fc35437..20164eef3 100644 --- a/pkg/policy/criteria/client_certificate_test.go +++ b/pkg/policy/criteria/client_certificate_test.go @@ -32,7 +32,8 @@ func TestClientCertificate(t *testing.T) { cert string expected A }{ - {"no certificate", + { + "no certificate", `allow: or: - client_certificate: @@ -40,7 +41,8 @@ func TestClientCertificate(t *testing.T) { "", A{false, A{ReasonClientCertificateUnauthorized}, M{}}, }, - {"no fingerprint match", + { + "no fingerprint match", `allow: or: - client_certificate: @@ -48,7 +50,8 @@ func TestClientCertificate(t *testing.T) { testCert, A{false, A{ReasonClientCertificateUnauthorized}, M{}}, }, - {"fingerprint match", + { + "fingerprint match", `allow: or: - client_certificate: @@ -56,7 +59,8 @@ func TestClientCertificate(t *testing.T) { testCert, A{true, A{ReasonClientCertificateOK}, M{}}, }, - {"fingerprint list match", + { + "fingerprint list match", `allow: or: - client_certificate: @@ -66,7 +70,8 @@ func TestClientCertificate(t *testing.T) { testCert, A{true, A{ReasonClientCertificateOK}, M{}}, }, - {"spki hash match", + { + "spki hash match", `allow: or: - client_certificate: @@ -74,7 +79,8 @@ func TestClientCertificate(t *testing.T) { testCert, A{true, A{ReasonClientCertificateOK}, M{}}, }, - {"spki hash list match", + { + "spki hash list match", `allow: or: - client_certificate: @@ -114,29 +120,36 @@ func TestCanonicalCertFingerprint(t *testing.T) { output string err string }{ - {"object", + { + "object", `{}`, "", "certificate fingerprint must be a string (was {})", }, - {"empty", + { + "empty", `""`, "", "certificate fingerprint must not be empty", }, - {"SHA-1 fingerprint", + { + "SHA-1 fingerprint", `"B1:E6:A2:DC:DD:6B:87:A4:9B:C5:7C:3B:7C:7F:1C:74:9A:DB:88:36"`, "", "unsupported certificate fingerprint format (B1:E6:A2:DC:DD:6B:87:A4:9B:C5:7C:3B:7C:7F:1C:74:9A:DB:88:36)", }, - {"uppercase short", + { + "uppercase short", `"DF6FF72FE9116521268F6F2DD4966F51DF479883FE7037B39F75916AC3049D1A"`, "", "unsupported certificate fingerprint format (DF6FF72FE9116521268F6F2DD4966F51DF479883FE7037B39F75916AC3049D1A)", }, - {"valid short", + { + "valid short", `"df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a"`, "df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a", "", }, - {"lowercase long", + { + "lowercase long", `"df:6f:f7:2f:e9:11:65:21:26:8f:6f:2d:d4:96:6f:51:df:47:98:83:fe:70:37:b3:9f:75:91:6a:c3:04:9d:1a"`, "", "unsupported certificate fingerprint format (df:6f:f7:2f:e9:11:65:21:26:8f:6f:2d:d4:96:6f:51:df:47:98:83:fe:70:37:b3:9f:75:91:6a:c3:04:9d:1a)", }, - {"valid long", + { + "valid long", `"DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A"`, "df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a", "", }, @@ -169,16 +182,20 @@ func TestSPKIHashFormatErrors(t *testing.T) { input string err string }{ - {"object", + { + "object", `{}`, "certificate SPKI hash condition expects a string or array of strings", }, - {"not base64", + { + "not base64", `"not%valid%base64%data"`, "certificate SPKI hash must be a base64-encoded SHA-256 hash (was not%valid%base64%data)", }, - {"SHA-1 hash", + { + "SHA-1 hash", `"VYby3BAoHawLLtsyckwo5Q=="`, "certificate SPKI hash must be a base64-encoded SHA-256 hash (was VYby3BAoHawLLtsyckwo5Q==)", }, - {"valid", + { + "valid", `"FsDbM0rUYIiL3V339eIKqiz6HPSB+Pz2WeAWhqlqh8U="`, "", }, } diff --git a/pkg/protoutil/fieldmask_test.go b/pkg/protoutil/fieldmask_test.go index c821167cf..e9b7aeaec 100644 --- a/pkg/protoutil/fieldmask_test.go +++ b/pkg/protoutil/fieldmask_test.go @@ -57,7 +57,8 @@ func TestOverwriteMaskedErrors(t *testing.T) { s2.OauthToken = &session.OAuthToken{AccessToken: "access-token"} err = protoutil.OverwriteMasked(&s1, &s2, &fieldmaskpb.FieldMask{ - Paths: []string{"oauth_token.foo"}}) + Paths: []string{"oauth_token.foo"}, + }) assert.Equal(t, `cannot overwrite unknown field "foo" in message session.OAuthToken`, err.Error()) diff --git a/ui/embed_local.go b/ui/embed_local.go index bef1f6804..21e6fb6c5 100644 --- a/ui/embed_local.go +++ b/ui/embed_local.go @@ -10,10 +10,8 @@ import ( "path/filepath" ) -var ( - //go:embed dist/* - uiFS embed.FS -) +//go:embed dist/* +var uiFS embed.FS func openFile(name string) (f fs.File, etag string, err error) { f, err = os.Open(filepath.Join("ui", name))