deployment: add goimports with path awareness (#1316)

Plus fix some spelling

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>

.golangci.yml

@@ -74,6 +74,10 @@ linters-settings:
     line-length: 160
     # tab width in spaces. Default to 1.
     tab-width: 1
+  goimports:
+    # put imports beginning with prefix after 3rd-party packages;
+    # it's a comma-separated list of prefixes
+    local-prefixes: github.com/pomerium/pomerium
   unused:
     # treat code as a program (not a library) and report unused exported identifiers; default is false.
     # XXX: if you enable this setting, unused will report a lot of false-positives in text editors:
@@ -201,7 +205,7 @@ issues:
 
   exclude-rules:
     # Exclude some linters from running on test files.
-    - path: _test\.go$|^tests/|^samples/|templates\.go$
+    - path: _test\.go$|^tests/|^integration/|^samples/|templates\.go$
       linters:
         - errcheck
         - maligned
@@ -209,6 +213,7 @@ issues:
         - gosec
         - bodyclose
         - unparam
+        - unused
     # erroneously thinks google api url is a cred
     - path: internal/identity/google.go
       text: "Potential hardcoded credentials"

docs/docs/identity-providers/cognito.md

@@ -51,7 +51,7 @@ After this is done, go to **App client settings** (in the Side menu under **App
 
 ![AWS Cognito Side Menu](./img/cognito-side-menu.png)
 
-In the setings for **Pomerium** app, put in the following details
+In the settings for **Pomerium** app, put in the following details
 
 | **Field**                  | **Description**                                                                              |
 | -------------------------- | -------------------------------------------------------------------------------------------- |

docs/docs/topics/data-storage.md

@@ -35,7 +35,7 @@ To prevent early session loss in production deployments, persistent storage back
 
 Configuration options for each backend are detailed in [cache configuration reference](/reference/#cache-service).
 
-In all backends, Pomerium encrypts record values.  This ensures security of all records at rest, regardless of data store capabilities.  While this prevents many classes of attack vector, additional security measaures should always be taken to secure data in transit and minimize access to the backends themselves.
+In all backends, Pomerium encrypts record values.  This ensures security of all records at rest, regardless of data store capabilities.  While this prevents many classes of attack vector, additional security measures should always be taken to secure data in transit and minimize access to the backends themselves.
 
 Please see Pomerium backend and upstream storage system documentation for best practices.
 
@@ -80,10 +80,3 @@ databroker_storage_ca_file: /tls/ca.pem
 ::: tip
 the second `s` in `rediss` is intentional and turns on TLS support
 :::
-
-
-
-
-
-
-

docs/docs/topics/kubernetes-integration.md

@@ -9,7 +9,7 @@ description: >-
 
 ## Background
 
-Kubernetes supports [a variety](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies) of ways to perform authentication against the API Server.  While there is tremendous flexability in the core product, operators can encounter various practical challenges:
+Kubernetes supports [a variety](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#authentication-strategies) of ways to perform authentication against the API Server.  While there is tremendous flexibility in the core product, operators can encounter various practical challenges:
 
 - Cloud providers typically support only their native IAM implementation, which may not integrate with your IdP
 - OIDC providers may not provide group claims, requiring manual mappings to RBAC roles

docs/docs/topics/programmatic-access.md

@@ -25,15 +25,13 @@ https://authenticate.example.com/.pomerium/sign_in?redirect_uri=http%3A%2F%2Floc
 
 ### Callback handler
 
-It is the script or application's responsibility to create a HTTP callback handler. Authenticated sessions are returned in the form of a [callback](https://developer.okta.com/docs/concepts/auth-overview/#what-kind-of-client-are-you-building) from pomerium to a HTTP server. This is the `redirect_uri` value used to build login API's URL, and represents the URL of a (usually local) HTTP server responsible for receiving the resulting user session in the form of `pomerium_jwt` and `pomerium_refresh_token` query parameters.
+It is the script or application's responsibility to create a HTTP callback handler. Authenticated sessions are returned in the form of a [callback](https://developer.okta.com/docs/concepts/auth-overview/#what-kind-of-client-are-you-building) from pomerium to a HTTP server. This is the `redirect_uri` value used to build login API's URL, and represents the URL of a (usually local) HTTP server responsible for receiving the resulting user session in the form of `pomerium_jwt` query parameters.
 
 See the python script below for example of how to start a callback server, and store the session payload.
 
 ## Handling expiration and revocation
 
-Your application should handle token expiration. If the session expires before work is done, the identity provider issued `refresh_token` can be used to create a new valid session.
-
-Also, your script or application should anticipate the possibility that a granted `refresh_token` may stop working. For example, a refresh token might stop working if the underlying user changes passwords, revokes access, or if the administrator removes rotates or deletes the OAuth Client ID.
+Your script or application should anticipate the possibility that your underlying  `refresh_token` may stop working. For example, a refresh token might stop working if the underlying user changes passwords, revokes access, or if the administrator removes rotates or deletes the OAuth Client ID.
 
 ## High level workflow
 
@@ -46,7 +44,7 @@ The application interacting with Pomerium must manage the following workflow. Co
 1. Pomerium's authenticate service creates a user session and redirect token, then redirects back to the managed endpoint (e.g. `httpbin.corp.domain.example`)
 1. Pomerium's proxy service makes a callback request to the original `redirect_uri` with the user session and as an argument.
 1. The script or application is responsible for handling that http callback request, and securely handling the callback session (`pomerium_jwt`) queryparam.
-1. The script or application can now make any requests as normal to the upstrream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header.
+1. The script or application can now make any requests as normal to the upstream application by setting the `Authorization: Pomerium ${pomerium_jwt}` header.
 
 ## Example Code
 

integration/main_test.go

@@ -10,9 +10,10 @@ import (
 	"time"
 
 	"github.com/onsi/gocleanup"
-	"github.com/pomerium/pomerium/integration/internal/cluster"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
+
+	"github.com/pomerium/pomerium/integration/internal/cluster"
 )
 
 var (

internal/middleware/middleware_test.go

@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+
 	"github.com/pomerium/pomerium/internal/urlutil"
 )
 

internal/telemetry/metrics/http.go

@@ -4,11 +4,12 @@ import (
 	"fmt"
 	"net/http"
 
-	"github.com/pomerium/pomerium/internal/log"
-	"github.com/pomerium/pomerium/internal/tripper"
 	"go.opencensus.io/plugin/ochttp"
 	"go.opencensus.io/stats/view"
 	"go.opencensus.io/tag"
+
+	"github.com/pomerium/pomerium/internal/log"
+	"github.com/pomerium/pomerium/internal/tripper"
 )
 
 // HTTP Views

internal/telemetry/metrics/http_test.go

@@ -10,8 +10,9 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/pomerium/pomerium/internal/tripper"
 	"go.opencensus.io/stats/view"
+
+	"github.com/pomerium/pomerium/internal/tripper"
 )
 
 func testDataRetrieval(v *view.View, t *testing.T, want string) {

internal/telemetry/metrics/storage.go

@@ -4,10 +4,11 @@ import (
 	"context"
 	"time"
 
-	"github.com/pomerium/pomerium/internal/log"
 	"go.opencensus.io/stats"
 	"go.opencensus.io/stats/view"
 	"go.opencensus.io/tag"
+
+	"github.com/pomerium/pomerium/internal/log"
 )
 
 var (

pkg/storage/encrypted.go

@@ -4,11 +4,12 @@ import (
 	"context"
 	"crypto/cipher"
 
-	"github.com/pomerium/pomerium/pkg/cryptutil"
-	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
+
+	"github.com/pomerium/pomerium/pkg/cryptutil"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 type encryptedBackend struct {

pkg/storage/encrypted_test.go

@@ -5,11 +5,12 @@ import (
 	"errors"
 	"testing"
 
-	"github.com/pomerium/pomerium/pkg/cryptutil"
-	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
+
+	"github.com/pomerium/pomerium/pkg/cryptutil"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
 func TestEncryptedBackend(t *testing.T) {

pkg/storage/redis/redis_test.go

@@ -14,10 +14,11 @@ import (
 
 	"github.com/gomodule/redigo/redis"
 	"github.com/ory/dockertest/v3"
-	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/anypb"
+
+	"github.com/pomerium/pomerium/pkg/cryptutil"
 )
 
 var db *DB