From aeb5e1b366f9bed6d6b1a143a3aa2810a0c3ed35 Mon Sep 17 00:00:00 2001
From: Herman Slatman
Date: Tue, 20 Aug 2024 16:54:29 +0200
Subject: [PATCH] Address linter issues
---
 acme/api/revoke.go | 6 +++---
 acme/errors.go | 18 +++++++++---------
 api/api.go | 2 +-
 authority/admin/api/webhook.go | 2 +-
 authority/provisioner/jwk.go | 2 +-
 authority/provisioner/provisioner.go | 6 +++---
 authority/provisioner/ssh_test.go | 2 +-
 authority/provisioner/x5c.go | 2 +-
 authority/ssh.go | 8 ++++----
 authority/tls.go | 4 ++--
 ca/identity/identity.go | 2 +-
 ca/tls.go | 2 --
 errs/error.go | 4 ++--
 13 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/acme/api/revoke.go b/acme/api/revoke.go
index c97d54c1..c613df2f 100644
--- a/acme/api/revoke.go
+++ b/acme/api/revoke.go
@@ -180,7 +180,7 @@ func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRe
 func wrapRevokeErr(err error) *acme.Error {
 t := err.Error()
 if strings.Contains(t, "is already revoked") {
- return acme.NewError(acme.ErrorAlreadyRevokedType, t)
+ return acme.NewError(acme.ErrorAlreadyRevokedType, t) //nolint:govet // allow non-constant error messages
 }
 return acme.WrapErrorISE(err, "error when revoking certificate")
 }
@@ -190,9 +190,9 @@ func wrapRevokeErr(err error) *acme.Error {
 func wrapUnauthorizedError(cert *x509.Certificate, unauthorizedIdentifiers []acme.Identifier, msg string, err error) *acme.Error {
 var acmeErr *acme.Error
 if err == nil {
- acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg)
+ acmeErr = acme.NewError(acme.ErrorUnauthorizedType, msg) //nolint:govet // allow non-constant error messages
 } else {
- acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg)
+ acmeErr = acme.WrapError(acme.ErrorUnauthorizedType, err, msg) //nolint:govet // allow non-constant error messages
 }
 acmeErr.Status = http.StatusForbidden // RFC8555 7.6 shows example with 403
diff --git a/acme/errors.go b/acme/errors.go
index 586cfb9b..3c5fdb8d 100644
--- a/acme/errors.go
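Review bot: In `wrapRevokeErr` (acme/api/revoke.go) the `//nolint:govet` hides a real format-string problem instead of fixing it: `t` is `err.Error()`, and `acme.NewError` passes its `msg` to `errors.Errorf(msg, args...)` (see the acme/errors.go part of this patch), so a `%` anywhere in the error text is parsed as a verb and the message returned to the client comes out mangled (`%!v(MISSING)` and the like). Passing the text as an argument removes both the hazard and the suppression: `return acme.NewError(acme.ErrorAlreadyRevokedType, "%s", t)`. The same suppression is added in `wrapUnauthorizedError`, admin/api/webhook.go (where `msg` was already built with `fmt.Sprintf` from provisioner and webhook names), provisioner/jwk.go and x5c.go (error derived from the token's `opts.CertType`), provisioner/ssh_test.go, authority/ssh.go and authority/tls.go. The `errs` helpers are not shown here, but if they are printf-style, as the vet finding implies, the same `"%s", err.Error()` form applies to them.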
+++ b/acme/errors.go
@@ -294,14 +294,14 @@ type Subproblem struct {
 }
 // NewError creates a new Error.
-func NewError(pt ProblemType, msg string, args ...interface{}) *Error {
+func NewError(pt ProblemType, msg string, args ...any) *Error {
 return newError(pt, errors.Errorf(msg, args...))
 }
 // NewDetailedError creates a new Error that includes the error
 // message in the details, providing more information to the
 // ACME client.
-func NewDetailedError(pt ProblemType, msg string, args ...interface{}) *Error {
+func NewDetailedError(pt ProblemType, msg string, args ...any) *Error {
 return NewError(pt, msg, args...).withDetail()
 }
@@ -324,7 +324,7 @@ func (e *Error) AddSubproblems(subproblems ...Subproblem) *Error {
 // NewSubproblem creates a new Subproblem. The msg and args
 // are used to create a new error, which is set as the Detail, allowing
 // for more detailed error messages to be returned to the ACME client.
-func NewSubproblem(pt ProblemType, msg string, args ...interface{}) Subproblem {
+func NewSubproblem(pt ProblemType, msg string, args ...any) Subproblem {
 e := newError(pt, fmt.Errorf(msg, args...))
 s := Subproblem{
 Type: e.Type,
@@ -335,7 +335,7 @@ func NewSubproblem(pt ProblemType, msg string, args ...interface{}) Subproblem {
 // NewSubproblemWithIdentifier creates a new Subproblem with a specific ACME
 // Identifier. It calls NewSubproblem and sets the Identifier.
-func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...interface{}) Subproblem {
+func NewSubproblemWithIdentifier(pt ProblemType, identifier Identifier, msg string, args ...any) Subproblem {
 s := NewSubproblem(pt, msg, args...)
 s.Identifier = &identifier
 return s
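Review bot: The doc comments on `NewError`, `NewDetailedError`, `NewSubproblem` and `NewSubproblemWithIdentifier` in acme/errors.go never state that `msg` is a printf-style format, although the bodies hand it to `errors.Errorf(msg, args...)` and `fmt.Errorf(msg, args...)`. With the signatures being touched anyway, I would document the contract, for example `// NewError creates a new Error. msg is a printf-style format string; pass pre-built or externally derived text as an argument ("%s", text), never as msg.` That gives callers a reason to avoid the non-constant-format pattern rather than suppress the vet warning.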
@@ -362,12 +362,12 @@ func newError(pt ProblemType, err error) *Error {
 }
 // NewErrorISE creates a new ErrorServerInternalType Error.
-func NewErrorISE(msg string, args ...interface{}) *Error {
+func NewErrorISE(msg string, args ...any) *Error {
 return NewError(ErrorServerInternalType, msg, args...)
 }
 // WrapError attempts to wrap the internal error.
-func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
+func WrapError(typ ProblemType, err error, msg string, args ...any) *Error {
 var e *Error
 switch {
 case err == nil:
@@ -384,12 +384,12 @@ func WrapError(typ ProblemType, err error, msg string, args ...interface{}) *Err
 }
 }
-func WrapDetailedError(typ ProblemType, err error, msg string, args ...interface{}) *Error {
+func WrapDetailedError(typ ProblemType, err error, msg string, args ...any) *Error {
 return WrapError(typ, err, msg, args...).withDetail()
 }
 // WrapErrorISE shortcut to wrap an internal server error type.
-func WrapErrorISE(err error, msg string, args ...interface{}) *Error {
+func WrapErrorISE(err error, msg string, args ...any) *Error {
 return WrapError(ErrorServerInternalType, err, msg, args...)
 }
@@ -415,7 +415,7 @@ func (e *Error) Cause() error {
 }
 // ToLog implements the EnableLogger interface.
-func (e *Error) ToLog() (interface{}, error) {
+func (e *Error) ToLog() (any, error) {
 b, err := json.Marshal(e)
 if err != nil {
 return nil, WrapErrorISE(err, "error marshaling acme.Error for logging")
diff --git a/api/api.go b/api/api.go
index 72606eac..fa554492 100644
--- a/api/api.go
+++ b/api/api.go
@@ -4,7 +4,7 @@ import (
 "bytes"
 "context"
 "crypto"
- "crypto/dsa" //nolint:staticcheck // support legacy algorithms
+ "crypto/dsa" // support legacy algorithms
 "crypto/ecdsa"
 "crypto/ed25519"
 "crypto/rsa"
diff --git a/authority/admin/api/webhook.go b/authority/admin/api/webhook.go
index 04255e15..88c7e313 100644
--- a/authority/admin/api/webhook.go
+++ b/authority/admin/api/webhook.go
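Review bot: `WrapDetailedError` in the `@@ -384,12 +384,12 @@` hunk of acme/errors.go is the only exported constructor here without a doc comment, and it is the one whose output differs in what the client sees. Going by the `NewDetailedError` comment, `.withDetail()` puts the error message into the details sent to the ACME client, so the comment should say so and warn against wrapping errors whose text is internal: `// WrapDetailedError wraps err like WrapError and includes the message in the details returned to the ACME client; do not use it for messages that expose internal state.` The body of `WrapError` starts outside this hunk, so what exactly ends up in the message is not visible here.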
@@ -202,7 +202,7 @@ func (war *webhookAdminResponder) UpdateProvisionerWebhook(w http.ResponseWriter
 }
 if !found {
 msg := fmt.Sprintf("provisioner %q has no webhook with the name %q", prov.Name, newWebhook.Name)
- err := admin.NewError(admin.ErrorNotFoundType, msg)
+ err := admin.NewError(admin.ErrorNotFoundType, msg) //nolint:govet // allow non-constant error messages
 render.Error(w, r, err)
 return
 }
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index ed481877..70a67061 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -249,7 +249,7 @@ func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 // Use options in the token.
 if opts.CertType != "" {
 if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
- return nil, errs.BadRequestErr(err, err.Error())
+ return nil, errs.BadRequestErr(err, err.Error()) //nolint:govet // allow non-constant error messages
 }
 }
 if opts.KeyID != "" {
diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go
index f286206b..24792f66 100644
--- a/authority/provisioner/provisioner.go
+++ b/authority/provisioner/provisioner.go
@@ -246,7 +246,7 @@ type Config struct {
 Claims Claims
 // Audiences are the audiences used in the default provisioner, (JWK).
 Audiences Audiences
- // SSHKeys are the root SSH public keys
+ // SSHKeys are the root SSH public keys.
 SSHKeys *SSHKeys
 // GetIdentityFunc is a function that returns an identity that will be
 // used by the provisioner to populate certificate attributes.
@@ -257,11 +257,11 @@ type Config struct {
 // AuthorizeSSHRenewFunc is a function that returns nil if a given SSH
 // certificate can be renewed.
 AuthorizeSSHRenewFunc AuthorizeSSHRenewFunc
- // WebhookClient is an http client to use in webhook request
+ // WebhookClient is an HTTP client used when performing webhook requests.
 WebhookClient *http.Client
 // SCEPKeyManager, if defined, is the interface used by SCEP provisioners.
 SCEPKeyManager SCEPKeyManager
- // HTTPClient is an HTTP client that trust the system cert pool and the CA
+ // HTTPClient is an HTTP client that trusts the system cert pool and the CA
 // roots.
 HTTPClient *http.Client
 }
diff --git a/authority/provisioner/ssh_test.go b/authority/provisioner/ssh_test.go
index 6ad71459..39d5352f 100644
--- a/authority/provisioner/ssh_test.go
+++ b/authority/provisioner/ssh_test.go
@@ -90,7 +90,7 @@ func signSSHCertificate(key crypto.PublicKey, opts SignSSHOptions, signOpts []Si
 var templErr *sshutil.TemplateError
 if errors.As(err, &templErr) {
 return nil, errs.NewErr(http.StatusBadRequest, templErr,
- errs.WithMessage(templErr.Error()),
+ errs.WithMessage(templErr.Error()), //nolint:govet // allow non-constant error messages
 errs.WithKeyVal("signOptions", signOpts),
 )
 }
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index fd77fe75..e1a152f0 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -301,7 +301,7 @@ func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, e
 // Use options in the token.
 if opts.CertType != "" {
 if certType, err = sshutil.CertTypeFromString(opts.CertType); err != nil {
- return nil, errs.BadRequestErr(err, err.Error())
+ return nil, errs.BadRequestErr(err, err.Error()) //nolint:govet // allow non-constant error messages
 }
 }
 if opts.KeyID != "" {
diff --git a/authority/ssh.go b/authority/ssh.go
index 30e4bfc7..b28aa15d 100644
--- a/authority/ssh.go
+++ b/authority/ssh.go
@@ -214,7 +214,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 for _, v := range keyValidators {
 if err := v.Valid(key); err != nil {
 return nil, nil, errs.ApplyOptions(
- errs.ForbiddenErr(err, err.Error()),
+ errs.ForbiddenErr(err, err.Error()), //nolint:govet // allow non-constant error messages
 errs.WithKeyVal("signOptions", signOpts),
 )
 }
@@ -231,7 +231,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 // Call enriching webhooks
 if err := a.callEnrichingWebhooksSSH(ctx, prov, webhookCtl, cr); err != nil {
 return nil, prov, errs.ApplyOptions(
- errs.ForbiddenErr(err, err.Error()),
+ errs.ForbiddenErr(err, err.Error()), //nolint:govet // allow non-constant error messages
 errs.WithKeyVal("signOptions", signOpts),
 )
 }
@@ -243,7 +243,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 switch {
 case errors.As(err, &te):
 return nil, prov, errs.ApplyOptions(
- errs.BadRequestErr(err, err.Error()),
+ errs.BadRequestErr(err, err.Error()), //nolint:govet // allow non-constant error messages
 errs.WithKeyVal("signOptions", signOpts),
 )
 case strings.HasPrefix(err.Error(), "error unmarshaling certificate"):
@@ -263,7 +263,7 @@ func (a *Authority) signSSH(ctx context.Context, key ssh.PublicKey, opts provisi
 // Use SignSSHOptions to modify the certificate validity. It will be later
 // checked or set if not defined.
 if err := opts.ModifyValidity(certTpl); err != nil {
- return nil, prov, errs.BadRequestErr(err, err.Error())
+ return nil, prov, errs.BadRequestErr(err, err.Error()) //nolint:govet // allow non-constant error messages
 }
 // Use provisioner modifiers.
diff --git a/authority/tls.go b/authority/tls.go
index 679c28ac..320eb596 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -197,7 +197,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
 if err := a.callEnrichingWebhooksX509(ctx, prov, webhookCtl, attData, csr); err != nil {
 return nil, prov, errs.ApplyOptions(
- errs.ForbiddenErr(err, err.Error()),
+ errs.ForbiddenErr(err, err.Error()), //nolint:govet // allow non-constant error messages
 errs.WithKeyVal("csr", csr),
 errs.WithKeyVal("signOptions", signOpts),
 )
@@ -209,7 +209,7 @@ func (a *Authority) signX509(ctx context.Context, csr *x509.CertificateRequest,
 switch {
 case errors.As(err, &te):
 return nil, prov, errs.ApplyOptions(
- errs.BadRequestErr(err, err.Error()),
+ errs.BadRequestErr(err, err.Error()), //nolint:govet // allow non-constant error messages
 errs.WithKeyVal("csr", csr),
 errs.WithKeyVal("signOptions", signOpts),
 )
diff --git a/ca/identity/identity.go b/ca/identity/identity.go
index 755d270a..ac704001 100644
--- a/ca/identity/identity.go
+++ b/ca/identity/identity.go
@@ -306,7 +306,7 @@ func (i *Identity) Renew(client Renewer) error {
 return err
 }
- if sign.CertChainPEM == nil || len(sign.CertChainPEM) == 0 {
+ if len(sign.CertChainPEM) == 0 {
 sign.CertChainPEM = []api.Certificate{sign.ServerPEM, sign.CaPEM}
 }
diff --git a/ca/tls.go b/ca/tls.go
index d7bed58a..a859263b 100644
--- a/ca/tls.go
+++ b/ca/tls.go
@@ -132,7 +132,6 @@ func (c *Client) getClientTLSConfig(ctx context.Context, sign *api.SignResponse,
 }
 tr := getDefaultTransport(tlsConfig)
- //nolint:staticcheck // Use mutable tls.Config on renew
 tr.DialTLS = c.buildDialTLS(tlsCtx)
 // tr.DialTLSContext = c.buildDialTLSContext(tlsCtx)
 renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) //nolint:contextcheck // deeply nested context
@@ -180,7 +179,6 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
 // Update renew function with transport
 tr := getDefaultTransport(tlsConfig)
- //nolint:staticcheck // Use mutable tls.Config on renew
 tr.DialTLS = c.buildDialTLS(tlsCtx)
 // tr.DialTLSContext = c.buildDialTLSContext(tlsCtx)
 renewer.RenewCertificate = getRenewFunc(tlsCtx, c, tr, pk) //nolint:contextcheck // deeply nested context
diff --git a/errs/error.go b/errs/error.go
index 4ea5001e..d98f42e2 100644
--- a/errs/error.go
+++ b/errs/error.go
@@ -177,7 +177,7 @@ func StatusCodeError(code int, e error, opts ...Option) error {
 }
 }
-var (
+const (
 seeLogs = "Please see the certificate authority logs for more info."
 // BadRequestDefaultMsg 400 default msg
 BadRequestDefaultMsg = "The request could not be completed; malformed or missing data. " + seeLogs
@@ -193,7 +193,7 @@ var (
 NotImplementedDefaultMsg = "The requested method is not implemented by the certificate authority. " + seeLogs
 )
-var (
+const (
 // BadRequestPrefix is the prefix added to the bad request messages that are
 // directly sent to the cli.
 BadRequestPrefix = "The request could not be completed: "