diff --git a/acme/api/eab.go b/acme/api/eab.go
index 26854595..3dce6947 100644
--- a/acme/api/eab.go
+++ b/acme/api/eab.go
@@ -129,7 +129,7 @@ func validateEABJWS(ctx context.Context, jws *jose.JSONWebSignature) (string, *a
 keyID := header.KeyID
 nonce := header.Nonce
- if !(algorithm == jose.HS256 || algorithm == jose.HS384 || algorithm == jose.HS512) {
+ if algorithm != jose.HS256 && algorithm != jose.HS384 && algorithm != jose.HS512 {
 return "", acme.NewError(acme.ErrorMalformedType, "'alg' field set to invalid algorithm '%s'", algorithm)
 }
diff --git a/api/sshRenew.go b/api/sshRenew.go
index 661e3067..24d11b6f 100644
--- a/api/sshRenew.go
+++ b/api/sshRenew.go
@@ -21,8 +21,8 @@ type SSHRenewRequest struct {
 // Validate validates the SSHSignRequest.
 func (s *SSHRenewRequest) Validate() error {
- switch {
- case s.OTT == "":
+ switch s.OTT {
+ case "":
 return errs.BadRequest("missing or empty ott")
 default:
 return nil
diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go
index a892567e..32a0bdf0 100644
--- a/authority/provisioner/acme.go
+++ b/authority/provisioner/acme.go
@@ -17,7 +17,7 @@ import (
 // ACMEChallenge represents the supported acme challenges.
 type ACMEChallenge string
-//nolint:stylecheck,revive // better names
+//nolint:staticcheck,revive // better names
 const (
 // HTTP_01 is the http-01 ACME challenge.
 HTTP_01 ACMEChallenge = "http-01"
diff --git a/authority/provisioner/utils_test.go b/authority/provisioner/utils_test.go
index be7ac79a..09e06972 100644
--- a/authority/provisioner/utils_test.go
+++ b/authority/provisioner/utils_test.go
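Review bot: The rewritten `if` is the allow-list that enforces RFC 8555 §7.3.4 (the external-account-binding JWS must use a MAC-based `alg`), but nothing on the line says why only HS256/HS384/HS512 are accepted, so a later reader may treat it as an arbitrary restriction and loosen it. I would add `// RFC 8555 §7.3.4: the EAB JWS MUST be MAC-signed; any non-HMAC alg is malformed.` directly above the check. validateEABJWS starts and continues outside the hunk.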
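Review bot: `switch s.OTT { case "": ... default: return nil }` in Validate is a two-arm switch standing in for one comparison; the plain guard `if s.OTT == "" { return errs.BadRequest("missing or empty ott") }` followed by `return nil` is the idiomatic shape and reads more directly than either the old tagless switch or the new value switch. validateJWKIssuer in cas/stepcas/issuer.go has the same shape and would benefit from the same simplification. Separately, the doc comment on the context line above still reads "Validate validates the SSHSignRequest." on a method of SSHRenewRequest; it should say `// Validate validates the SSHRenewRequest.`.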
@@ -1042,10 +1042,12 @@ func generateAzureToken(sub, iss, aud, tenantID, subscriptionID, resourceGroup,
 if err != nil {
 return "", err
 }
+ var xmsMirID string
- if resourceType == "vm" {
+ switch resourceType {
+ case "vm":
 xmsMirID = fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s", subscriptionID, resourceGroup, resourceName)
- } else if resourceType == "uai" {
+ case "uai":
 xmsMirID = fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s", subscriptionID, resourceGroup, resourceName)
 }
diff --git a/authority/tls.go b/authority/tls.go
index 679c28ac..f9ae1d32 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -610,7 +610,7 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 }
 // If not mTLS nor ACME, then get the TokenID of the token.
- if !(revokeOpts.MTLS || revokeOpts.ACME) {
+ if !revokeOpts.MTLS && !revokeOpts.ACME {
 token, err := jose.ParseSigned(revokeOpts.OTT)
 if err != nil {
 return errs.Wrap(http.StatusUnauthorized, err, "authority.Revoke; error parsing token", opts...)
diff --git a/ca/acmeClient_test.go b/ca/acmeClient_test.go
index 6d3ac16f..c909af19 100644
--- a/ca/acmeClient_test.go
+++ b/ca/acmeClient_test.go
@@ -112,11 +112,11 @@ func TestNewACMEClient(t *testing.T) {
 i := 0
 srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
- switch {
- case i == 0:
+ switch i {
+ case 0:
 render.JSONStatus(w, r, tc.r1, tc.rc1)
 i++
- case i == 1:
+ case 1:
 w.Header().Set("Replay-Nonce", "abc123")
 render.JSONStatus(w, r, []byte{}, 200)
 i++
diff --git a/cas/stepcas/issuer.go b/cas/stepcas/issuer.go
index cf985974..f6cdcc79 100644
--- a/cas/stepcas/issuer.go
+++ b/cas/stepcas/issuer.go
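Review bot: The new `switch resourceType` in generateAzureToken has no `default` arm, so a resource type other than "vm" or "uai" leaves xmsMirID as the empty string and the helper presumably goes on to mint a token whose resource-id claim is empty, which makes a mistyped test case fail in a confusing place rather than at the helper. Now that it is a switch, `default: return "", fmt.Errorf("unsupported resourceType %q", resourceType)` is a one-line guard that keeps the two real arms unchanged. generateAzureToken starts and continues outside the hunk, so I cannot see where xmsMirID is consumed.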
@@ -91,8 +91,8 @@ func validateX5CIssuer(iss *apiv1.CertificateIssuer) error {
 // not given, then it will download it from the CA. If the password is not set
 // it will be prompted.
 func validateJWKIssuer(iss *apiv1.CertificateIssuer) error {
- switch {
- case iss.Provisioner == "":
+ switch iss.Provisioner {
+ case "":
 return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty")
 default:
 return nil
diff --git a/cas/stepcas/stepcas_test.go b/cas/stepcas/stepcas_test.go
index d2846fb0..b4013792 100644
--- a/cas/stepcas/stepcas_test.go
+++ b/cas/stepcas/stepcas_test.go
@@ -130,13 +130,13 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 _ = json.NewDecoder(r.Body).Decode(v)
 }
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- switch {
- case r.RequestURI == "/root/"+testRootFingerprint:
+ switch r.RequestURI {
+ case "/root/" + testRootFingerprint:
 w.WriteHeader(http.StatusOK)
 writeJSON(w, api.RootResponse{
 RootPEM: api.NewCertificate(testRootCrt),
 })
- case r.RequestURI == "/sign":
+ case "/sign":
 var msg api.SignRequest
 parseJSON(r, &msg)
 if msg.CsrPEM.DNSNames[0] == "fail.doe.org" {
@@ -148,7 +148,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 writeJSON(w, api.SignResponse{
 CertChainPEM: []api.Certificate{api.NewCertificate(testCrt), api.NewCertificate(testIssCrt)},
 })
- case r.RequestURI == "/renew":
+ case "/renew":
 if r.Header.Get("Authorization") == "Bearer fail" {
 w.WriteHeader(http.StatusBadRequest)
 fmt.Fprintf(w, `{"error":"fail","message":"fail"}`)
@@ -158,7 +158,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 writeJSON(w, api.SignResponse{
 CertChainPEM: []api.Certificate{api.NewCertificate(testCrt), api.NewCertificate(testIssCrt)},
 })
- case r.RequestURI == "/revoke":
+ case "/revoke":
 var msg api.RevokeRequest
 parseJSON(r, &msg)
 if msg.Serial == "fail" {
@@ -170,7 +170,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 writeJSON(w, api.RevokeResponse{
 Status: "ok",
 })
- case r.RequestURI == "/provisioners":
+ case "/provisioners":
 w.WriteHeader(http.StatusOK)
 writeJSON(w, api.ProvisionersResponse{
 NextCursor: "cursor",
@@ -188,7 +188,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 },
 },
 })
- case r.RequestURI == "/provisioners?cursor=cursor":
+ case "/provisioners?cursor=cursor":
 w.WriteHeader(http.StatusOK)
 writeJSON(w, api.ProvisionersResponse{})
 default:
diff --git a/cas/vaultcas/auth/approle/approle_test.go b/cas/vaultcas/auth/approle/approle_test.go
index 28b7b7f7..d353d663 100644
--- a/cas/vaultcas/auth/approle/approle_test.go
+++ b/cas/vaultcas/auth/approle/approle_test.go
@@ -16,15 +16,15 @@ func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
 t.Helper()
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- switch {
- case r.RequestURI == "/v1/auth/approle/login":
+ switch r.RequestURI {
+ case "/v1/auth/approle/login":
 w.WriteHeader(http.StatusOK)
 fmt.Fprintf(w, `{ "auth": { "client_token": "hvs.0000" } }`)
- case r.RequestURI == "/v1/auth/custom-approle/login":
+ case "/v1/auth/custom-approle/login":
 w.WriteHeader(http.StatusOK)
 fmt.Fprintf(w, `{ "auth": {
diff --git a/cas/vaultcas/auth/aws/aws_test.go b/cas/vaultcas/auth/aws/aws_test.go
index 9d6a8f73..74637e29 100644
--- a/cas/vaultcas/auth/aws/aws_test.go
+++ b/cas/vaultcas/auth/aws/aws_test.go
@@ -16,15 +16,15 @@ func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
 t.Helper()
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- switch {
- case r.RequestURI == "/v1/auth/aws/login":
+ switch r.RequestURI {
+ case "/v1/auth/aws/login":
 w.WriteHeader(http.StatusOK)
 fmt.Fprintf(w, `{ "auth": { "client_token": "hvs.0000" } }`)
- case r.RequestURI == "/v1/auth/custom-aws/login":
+ case "/v1/auth/custom-aws/login":
 w.WriteHeader(http.StatusOK)
 fmt.Fprintf(w, `{ "auth": {
diff --git a/cas/vaultcas/auth/kubernetes/kubernetes_test.go b/cas/vaultcas/auth/kubernetes/kubernetes_test.go
index 55be904d..54b29714 100644
--- a/cas/vaultcas/auth/kubernetes/kubernetes_test.go
+++ b/cas/vaultcas/auth/kubernetes/kubernetes_test.go
@@ -19,15 +19,15 @@ func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
 t.Helper()
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- switch {
- case r.RequestURI == "/v1/auth/kubernetes/login":
+ switch r.RequestURI {
+ case "/v1/auth/kubernetes/login":
 w.WriteHeader(http.StatusOK)
 fmt.Fprintf(w, `{ "auth": { "client_token": "hvs.0000" } }`)
- case r.RequestURI == "/v1/auth/custom-kubernetes/login":
+ case "/v1/auth/custom-kubernetes/login":
 w.WriteHeader(http.StatusOK)
 fmt.Fprintf(w, `{ "auth": {
diff --git a/cas/vaultcas/vaultcas.go b/cas/vaultcas/vaultcas.go
index b6caddc4..f53be6b3 100644
--- a/cas/vaultcas/vaultcas.go
+++ b/cas/vaultcas/vaultcas.go
@@ -212,12 +212,12 @@ func (v *VaultCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv
 func (v *VaultCAS) createCertificate(cr *x509.CertificateRequest, lifetime time.Duration) (*x509.Certificate, []*x509.Certificate, error) {
 var vaultPKIRole string
- switch {
- case cr.PublicKeyAlgorithm == x509.RSA:
+ switch cr.PublicKeyAlgorithm {
+ case x509.RSA:
 vaultPKIRole = v.config.PKIRoleRSA
- case cr.PublicKeyAlgorithm == x509.ECDSA:
+ case x509.ECDSA:
 vaultPKIRole = v.config.PKIRoleEC
- case cr.PublicKeyAlgorithm == x509.Ed25519:
+ case x509.Ed25519:
 vaultPKIRole = v.config.PKIRoleEd25519
 default:
 return nil, nil, fmt.Errorf("unsupported public key algorithm %v", cr.PublicKeyAlgorithm)
diff --git a/cas/vaultcas/vaultcas_test.go b/cas/vaultcas/vaultcas_test.go
index 2f44bc05..4b9931ba 100644
--- a/cas/vaultcas/vaultcas_test.go
+++ b/cas/vaultcas/vaultcas_test.go
@@ -97,48 +97,48 @@ func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
 }
 srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- switch {
- case r.RequestURI == "/v1/auth/approle/login":
+ switch r.RequestURI {
+ case "/v1/auth/approle/login":
 w.WriteHeader(http.StatusOK)
 fmt.Fprintf(w, `{ "auth": { "client_token": "98a4c7ab-b1fe-361b-ba0b-e307aacfd587" } }`)
- case r.RequestURI == "/v1/pki/sign/ec":
+ case "/v1/pki/sign/ec":
 w.WriteHeader(http.StatusOK)
 cert := map[string]interface{}{"data": map[string]interface{}{"certificate": testCertificateSigned + "\n" + testRootCertificate}}
 writeJSON(w, cert)
 return
- case r.RequestURI == "/v1/pki/sign/rsa":
+ case "/v1/pki/sign/rsa":
 w.WriteHeader(http.StatusOK)
 cert := map[string]interface{}{"data": map[string]interface{}{"certificate": testCertificateSigned + "\n" + testRootCertificate}}
 writeJSON(w, cert)
 return
- case r.RequestURI == "/v1/pki/sign/ed25519":
+ case "/v1/pki/sign/ed25519":
 w.WriteHeader(http.StatusOK)
 cert := map[string]interface{}{"data": map[string]interface{}{"certificate": testCertificateSigned + "\n" + testRootCertificate}}
 writeJSON(w, cert)
 return
- case r.RequestURI == "/v1/pki/cert/ca_chain":
+ case "/v1/pki/cert/ca_chain":
 w.WriteHeader(http.StatusOK)
 cert := map[string]interface{}{"data": map[string]interface{}{"certificate": testCertificateSigned + "\n" + testRootCertificate}}
 writeJSON(w, cert)
 return
- case r.RequestURI == "/v1/pki/revoke":
+ case "/v1/pki/revoke":
 buf := new(bytes.Buffer)
 buf.ReadFrom(r.Body)
 m := make(map[string]string)
 json.Unmarshal(buf.Bytes(), &m)
- switch {
- case m["serial_number"] == "1c-71-6e-18-cc-f4-70-29-5f-75-ee-64-a8-fe-69-ad":
+ switch m["serial_number"] {
+ case "1c-71-6e-18-cc-f4-70-29-5f-75-ee-64-a8-fe-69-ad":
 w.WriteHeader(http.StatusOK)
 return
- case m["serial_number"] == "01-e2-40":
+ case "01-e2-40":
 w.WriteHeader(http.StatusOK)
 return
 // both
- case m["serial_number"] == "01-34-3e":
+ case "01-34-3e":
 w.WriteHeader(http.StatusOK)
 return
 default:
diff --git a/examples/basic-client/client.go b/examples/basic-client/client.go
index 42358ac8..f0288644 100644
--- a/examples/basic-client/client.go
+++ b/examples/basic-client/client.go
@@ -1,3 +1,4 @@
+//nolint:govet // example code; allow unused variables
 package main
 import (
@@ -95,10 +96,11 @@ func main() {
 // An http server will use the tls.Config like:
 _ = &http.Server{
 Addr: ":443",
- Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ Handler: http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
 w.Write([]byte("Hello world"))
 }),
- TLSConfig: tlsConfig,
+ TLSConfig: tlsConfig,
+ ReadHeaderTimeout: 30 * time.Second,
 }
 // Get tls.Config for a client
diff --git a/examples/basic-federation/server/main.go b/examples/basic-federation/server/main.go
index 2becff18..21e44799 100644
--- a/examples/basic-federation/server/main.go
+++ b/examples/basic-federation/server/main.go
@@ -31,9 +31,9 @@ func main() {
 name = r.TLS.PeerCertificates[0].Subject.CommonName
 issuer = r.TLS.PeerCertificates[len(r.TLS.PeerCertificates)-1].Issuer.CommonName
 }
-
- w.Write([]byte(fmt.Sprintf("Hello %s (cert issued by '%s') at %s", name, issuer, time.Now().UTC())))
+ fmt.Fprintf(w, "Hello %s (cert issued by '%s') at %s", name, issuer, time.Now().UTC())
 }),
+ ReadHeaderTimeout: 30 * time.Second,
 }, ca.AddFederationToClientCAs(), ListTrustedRoots())
 if err != nil {
 panic(err)
diff --git a/examples/bootstrap-mtls-server/server.go b/examples/bootstrap-mtls-server/server.go
index 1f9c0901..a175931d 100644
--- a/examples/bootstrap-mtls-server/server.go
+++ b/examples/bootstrap-mtls-server/server.go
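Review bot: The added `ReadHeaderTimeout: 30 * time.Second` on the example http.Server bounds only the header phase; with no `ReadTimeout`, `WriteTimeout` or `IdleTimeout` a peer can still hold a connection open indefinitely while trickling a body or after the response, and these examples are the snippets people copy into real servers. Since the same literal is added in examples/basic-federation/server/main.go, examples/bootstrap-mtls-server/server.go and examples/bootstrap-tls-server/server.go, I would pair it in each with `ReadTimeout: 30 * time.Second, WriteTimeout: 30 * time.Second, IdleTimeout: 60 * time.Second,` (values chosen as illustrative, not tuned). I am assuming `time` is already imported in client.go, since the hunk adds no import for it; the enclosing `main` starts and continues outside the hunk.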
@@ -29,8 +29,9 @@ func main() {
 if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
 name = r.TLS.PeerCertificates[0].Subject.CommonName
 }
- w.Write([]byte(fmt.Sprintf("Hello %s at %s!!!", name, time.Now().UTC())))
+ fmt.Fprintf(w, "Hello %s at %s!!!", name, time.Now().UTC())
 }),
+ ReadHeaderTimeout: 30 * time.Second,
 })
 if err != nil {
 panic(err)
diff --git a/examples/bootstrap-tls-server/server.go b/examples/bootstrap-tls-server/server.go
index e91f524b..5e008b4a 100644
--- a/examples/bootstrap-tls-server/server.go
+++ b/examples/bootstrap-tls-server/server.go
@@ -29,8 +29,9 @@ func main() {
 if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
 name = r.TLS.PeerCertificates[0].Subject.CommonName
 }
- w.Write([]byte(fmt.Sprintf("Hello %s at %s!!!", name, time.Now().UTC())))
+ fmt.Fprintf(w, "Hello %s at %s!!!", name, time.Now().UTC())
 }),
+ ReadHeaderTimeout: 30 * time.Second,
 }, ca.VerifyClientCertIfGiven())
 if err != nil {
 panic(err)
diff --git a/test/integration/scep/internal/x509/oid.go b/test/integration/scep/internal/x509/oid.go
index e5dd214a..1fbd29e4 100644
--- a/test/integration/scep/internal/x509/oid.go
+++ b/test/integration/scep/internal/x509/oid.go
@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
-//nolint:stylecheck,revive,gocritic // code copied from crypto/x509
+//nolint:staticcheck,revive,gocritic // code copied from crypto/x509
 package legacyx509
 import (