fix lint

authorize/evaluator/opa/opa.go

@@ -4,6 +4,6 @@ package opa
 
 import _ "embed" // to embed files
 
-// HeadersRego is the headers.rego script.
 //go:embed policy/headers.rego
+// HeadersRego is the headers.rego script.
 var HeadersRego string

cmd/pomerium/main.go

@@ -1,3 +1,4 @@
+// Package main contains pomerium.
 package main
 
 import (

integration/cmd/pomerium-integration-tests/main.go

@@ -1,3 +1,4 @@
+// Package main contains the pomerium-integration-tests command.
 package main
 
 import (
@@ -78,12 +79,12 @@ func runGenerateConfiguration(ctx context.Context) error {
 		}
 		asYAML, _ := yaml.JSONToYAML([]byte(contents))
 
-		err = os.MkdirAll(filepath.Dir(dstPath), 0755)
+		err = os.MkdirAll(filepath.Dir(dstPath), 0o755)
 		if err != nil {
 			return fmt.Errorf("error creating directory (path=%s): %w", dstPath, err)
 		}
 
-		err = os.WriteFile(dstPath, asYAML, 0600)
+		err = os.WriteFile(dstPath, asYAML, 0o600)
 		if err != nil {
 			return fmt.Errorf("error writing file (path=%s): %w", dstPath, err)
 		}

integration/main_test.go

@@ -1,3 +1,4 @@
+// Package main contains integration tests.
 package main
 
 import (

internal/directory/azure/delta.go

@@ -51,10 +51,10 @@ func newDeltaCollection(p *Provider) *deltaCollection {
 //
 // It involves 4 steps:
 //
-//   1. an initial request to /v1.0/groups/delta
-//   2. one or more requests to /v1.0/groups/delta?$skiptoken=..., which comes from the @odata.nextLink
-//   3. a final response with @odata.deltaLink
-//   4. on the next call to sync, starting at @odata.deltaLink
+//	1. an initial request to /v1.0/groups/delta
+//	2. one or more requests to /v1.0/groups/delta?$skiptoken=..., which comes from the @odata.nextLink
+//	3. a final response with @odata.deltaLink
+//	4. on the next call to sync, starting at @odata.deltaLink
 //
 // Only the changed groups/members are returned. Removed groups/members have an @removed property.
 func (dc *deltaCollection) Sync(ctx context.Context) error {

internal/identity/claims.go

@@ -65,8 +65,7 @@ func (claims Claims) Claims(v interface{}) error {
 
 // Flatten flattens the claims to a FlattenedClaims map. For example:
 //
-//   { "a": { "b": { "c": 12345 } } } => { "a.b.c": [12345] }
-//
+//	{ "a": { "b": { "c": 12345 } } } => { "a.b.c": [12345] }
 func (claims Claims) Flatten() FlattenedClaims {
 	flattened := make(FlattenedClaims)
 	for k, v := range claims {

internal/identity/oidc/google/google.go

@@ -29,8 +29,8 @@ var defaultScopes = []string{oidc.ScopeOpenID, "profile", "email"}
 // having the user select which Google account they'd like to use.
 //
 // For more details, please see google's documentation:
-// 	https://developers.google.com/identity/protocols/oauth2/web-server#offline
-// 	https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
+//	https://developers.google.com/identity/protocols/oauth2/web-server#offline
+//	https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
 var defaultAuthCodeOptions = map[string]string{"prompt": "select_account consent", "access_type": "offline"}
 
 // Provider is a Google implementation of the Authenticator interface.

internal/redisutil/client.go

@@ -100,27 +100,26 @@ func NewClientFromURL(rawURL string, tlsConfig *tls.Config) (redis.UniversalClie
 
 // ParseClusterURL parses a redis-cluster URL. Format is:
 //
-//    redis+cluster://[username:password@]host:port[,host2:port2,...]/[?param1=value1[&param2=value=2&...]]
+//	redis+cluster://[username:password@]host:port[,host2:port2,...]/[?param1=value1[&param2=value=2&...]]
 //
 // Additionally TLS is supported with rediss+cluster, or redis+clusters. Supported query params:
 //
-//    max_redirects: int
-//    read_only: bool
-//    route_by_latency: bool
-//    route_randomly: bool
-//    max_retries: int
-//    min_retry_backoff: duration
-//    max_retry_backoff: duration
-//    dial_timeout: duration
-//    read_timeout: duration
-//    write_timeout: duration
-//    pool_size: int
-//    min_idle_conns: int
-//    max_conn_age: duration
-//    pool_timeout: duration
-//    idle_timeout: duration
-//    idle_check_frequency: duration
-//
+//	max_redirects: int
+//	read_only: bool
+//	route_by_latency: bool
+//	route_randomly: bool
+//	max_retries: int
+//	min_retry_backoff: duration
+//	max_retry_backoff: duration
+//	dial_timeout: duration
+//	read_timeout: duration
+//	write_timeout: duration
+//	pool_size: int
+//	min_idle_conns: int
+//	max_conn_age: duration
+//	pool_timeout: duration
+//	idle_timeout: duration
+//	idle_check_frequency: duration
 func ParseClusterURL(rawurl string) (*redis.ClusterOptions, error) {
 	u, err := url.Parse(rawurl)
 	if err != nil {

internal/tests/xdserr/cmd/main.go

@@ -1,3 +1,4 @@
+// Package main contains main.
 package main
 
 import (
@@ -189,7 +190,8 @@ func saveConfig(ctx context.Context, client databroker.DataBrokerServiceClient,
 			Type: any.GetTypeUrl(),
 			Id:   "test_config",
 			Data: any,
-		}}})
+		}},
+	})
 	if err != nil {
 		return err
 	}

internal/tripper/chain.go

@@ -22,17 +22,17 @@ func NewChain(constructors ...Constructor) Chain {
 }
 
 // Then chains the trippers and returns the final http.RoundTripper.
-//     NewChain(m1, m2, m3).Then(h)
+//	NewChain(m1, m2, m3).Then(h)
 // is equivalent to:
-//     m1(m2(m3(h)))
+//	m1(m2(m3(h)))
 // When the request comes in, it will be passed to m1, then m2, then m3
 // and finally, the given roundtripper
 // (assuming every tripper calls the following one).
 //
 // A chain can be safely reused by calling Then() several times.
-//     stdStack := tripper.NewChain(ratelimitTripper, csrfTripper)
-//     tracePipe = stdStack.Then(traceTripper)
-//     authPipe = stdStack.Then(authTripper)
+//	stdStack := tripper.NewChain(ratelimitTripper, csrfTripper)
+//	tracePipe = stdStack.Then(traceTripper)
+//	authPipe = stdStack.Then(authTripper)
 // Note that constructors are called on every call to Then()
 // and thus several instances of the same tripper will be created
 // when a chain is reused in this way.

internal/urlutil/signed.go

@@ -22,8 +22,7 @@ type SignedURL struct {
 
 // NewSignedURL creates a new copy of a URL that can be signed with a shared key.
 //
-// N.B. It is the user's responsibility to make sure the key is 256 bits and
-// 		the url is not nil.
+// N.B. It is the user's responsibility to make sure the key is 256 bits and the url is not nil.
 func NewSignedURL(key []byte, uri *url.URL) *SignedURL {
 	return &SignedURL{uri: *uri, key: key, timeNow: time.Now} // uri is copied
 }

pkg/cmd/pomerium/pomerium.go

@@ -1,5 +1,4 @@
 // Package pomerium houses the main pomerium CLI command.
-//
 package pomerium
 
 import (

pkg/contextutil/contextutil_test.go

@@ -9,12 +9,15 @@ import (
 )
 
 func TestMerge(t *testing.T) {
+	type key1 struct{}
+	type key2 struct{}
+
 	t.Run("value", func(t *testing.T) {
-		ctx1 := context.WithValue(context.Background(), "key1", "value1")
-		ctx2 := context.WithValue(context.Background(), "key2", "value2")
+		ctx1 := context.WithValue(context.Background(), key1{}, "value1")
+		ctx2 := context.WithValue(context.Background(), key2{}, "value2")
 		ctx3, _ := Merge(ctx1, ctx2)
-		assert.Equal(t, "value1", ctx3.Value("key1"))
-		assert.Equal(t, "value2", ctx3.Value("key2"))
+		assert.Equal(t, "value1", ctx3.Value(key1{}))
+		assert.Equal(t, "value2", ctx3.Value(key2{}))
 	})
 	t.Run("cancel", func(t *testing.T) {
 		ctx1, cancel1 := context.WithCancel(context.Background())

pkg/cryptutil/certificates_test.go

@@ -10,9 +10,10 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-// A keypair for NIST P-256 / secp256r1
+// A keypair for NIST P-256 / secp256r1.
+//
 // Generated using:
-//   openssl ecparam -genkey -name prime256v1 -outform PEM
+//	openssl ecparam -genkey -name prime256v1 -outform PEM
 var pemECPrivateKeyP256 = `-----BEGIN EC PARAMETERS-----
 BggqhkjOPQMBBw==
 -----END EC PARAMETERS-----

pkg/cryptutil/kek.go

@@ -13,18 +13,17 @@ import (
 // A KeyEncryptionKey (KEK) is used to implement *envelope encryption*, similar to how data is stored at rest with
 // AWS or Google Cloud:
 //
-//   - AWS: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping
-//   - Google Cloud: https://cloud.google.com/kms/docs/envelope-encryption
+//	- AWS: https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#enveloping
+//	- Google Cloud: https://cloud.google.com/kms/docs/envelope-encryption
 //
 // Data is encrypted with a data encryption key (DEK) and that key is stored next to the data encrypted with the KEK.
 // Finally the KEK id is also stored with the data.
 //
 // To decrypt the data you first retrieve the KEK, second decrypt the DEK, and finally decrypt the data using the DEK.
 //
-//   - Our KEKs are asymmetric Curve25519 keys. We use the *public* key to encrypt the DEK so only the *private* key can
-//     decrypt it.
-//   - Our DEKs are symmetric XChaCha20Poly1305 keys.
-//
+//	- Our KEKs are asymmetric Curve25519 keys. We use the *public* key to encrypt the DEK so only the *private* key can
+//	  decrypt it.
+//	- Our DEKs are symmetric XChaCha20Poly1305 keys.
 type KeyEncryptionKey interface {
 	ID() string
 	KeyBytes() []byte

pkg/cryptutil/x509_test.go

@@ -9,8 +9,8 @@ import (
 )
 
 // generated using:
-//   openssl genpkey -algorithm x25519 -out priv.pem
-//   openssl pkey -in priv.pem -out pub.pem -pubout
+//	openssl genpkey -algorithm x25519 -out priv.pem
+//	openssl pkey -in priv.pem -out pub.pem -pubout
 var (
 	rawPrivateX25519Key = []byte(`-----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VuBCIEIKALoNgzCksH0v0Bc7Ghl8vGin4MAIKpmtZSmaMN0Vtb

pkg/grpc/databroker/leaser.go

@@ -59,7 +59,6 @@ func NewLeasers(leaseName string, ttl time.Duration, client DataBrokerServiceCli
 //
 // 1. ctx is canceled
 // 2. a non-cancel error is returned from handler
-//
 func (locker *Leaser) Run(ctx context.Context) error {
 	retryTicker := time.NewTicker(locker.ttl / 2)
 	defer retryTicker.Stop()