update gofumpt to 0.3.1 and reformat the repo (#17055)

* update gofumpt to 0.3.1 and reformat the repo * output the version of the formatter we're using
2025-10-30 18:17:55 +00:00 · 2022-09-07 17:31:20 -07:00
parent cccd1d7353
commit 03d2be4cb9
49 changed files with 228 additions and 177 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -121,7 +121,7 @@ jobs:
    - CIRCLECI_CLI_VERSION: 0.1.5546
    - GO_TAGS: ''
    - GO_VERSION: 1.19.1
-    - GOFUMPT_VERSION: 0.2.1
+    - GOFUMPT_VERSION: 0.3.1
    - GOTESTSUM_VERSION: 0.5.2
  test-go-remote-docker:
    docker:
@@ -352,6 +352,7 @@ jobs:
    - checkout
    - run:
        command: |
+          echo "Using gofumpt version ${GOFUMPT_VERSION}"
          go install "mvdan.cc/gofumpt@v${GOFUMPT_VERSION}"
          make fmt
          if ! git diff --exit-code; then
@@ -363,7 +364,7 @@ jobs:
    - CIRCLECI_CLI_VERSION: 0.1.5546
    - GO_TAGS: ''
    - GO_VERSION: 1.19.1
-    - GOFUMPT_VERSION: 0.2.1
+    - GOFUMPT_VERSION: 0.3.1
    - GOTESTSUM_VERSION: 0.5.2
  test-go-race:
    docker:
@@ -849,7 +850,7 @@ jobs:
    - CIRCLECI_CLI_VERSION: 0.1.5546
    - GO_TAGS: ''
    - GO_VERSION: 1.19.1
-    - GOFUMPT_VERSION: 0.2.1
+    - GOFUMPT_VERSION: 0.3.1
    - GOTESTSUM_VERSION: 0.5.2
  test-go-race-remote-docker:
    docker:
--- a/.circleci/config/executors/@executors.yml
+++ b/.circleci/config/executors/@executors.yml
@@ -6,7 +6,7 @@ go-machine:
    CIRCLECI_CLI_VERSION: 0.1.5546 # Pin CircleCI CLI to patch version (ex: 1.2.3)
    GO_VERSION: 1.19.1 # Pin Go to patch version (ex: 1.2.3)
    GOTESTSUM_VERSION: 0.5.2 # Pin gotestsum to patch version (ex: 1.2.3)
-    GOFUMPT_VERSION: 0.2.1 # Pin gofumpt to patch version (ex: 1.2.3)
+    GOFUMPT_VERSION: 0.3.1 # Pin gofumpt to patch version (ex: 1.2.3)
    GO_TAGS: ""
  working_directory: /home/circleci/go/src/github.com/hashicorp/vault
 node:
--- a/.circleci/config/jobs/fmt.yml
+++ b/.circleci/config/jobs/fmt.yml
@@ -8,6 +8,7 @@ steps:
  - run:
      name: make fmt
      command: |
+        echo "Using gofumpt version ${GOFUMPT_VERSION}"
        go install "mvdan.cc/gofumpt@v${GOFUMPT_VERSION}"
        make fmt
        if ! git diff --exit-code; then
--- a/api/auth/approle/approle_test.go
+++ b/api/auth/approle/approle_test.go
@@ -16,7 +16,8 @@ import (
 // testHTTPServer creates a test HTTP server that handles requests until
 // the listener returned is closed.
 func testHTTPServer(
-	t *testing.T, handler http.Handler) (*api.Config, net.Listener) {
+	t *testing.T, handler http.Handler,
+) (*api.Config, net.Listener) {
 	ln, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatalf("err: %s", err)
--- a/api/auth/ldap/ldap_test.go
+++ b/api/auth/ldap/ldap_test.go
@@ -16,7 +16,8 @@ import (
 // testHTTPServer creates a test HTTP server that handles requests until
 // the listener returned is closed.
 func testHTTPServer(
-	t *testing.T, handler http.Handler) (*api.Config, net.Listener) {
+	t *testing.T, handler http.Handler,
+) (*api.Config, net.Listener) {
 	ln, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatalf("err: %s", err)
--- a/api/auth/userpass/userpass_test.go
+++ b/api/auth/userpass/userpass_test.go
@@ -16,7 +16,8 @@ import (
 // testHTTPServer creates a test HTTP server that handles requests until
 // the listener returned is closed.
 func testHTTPServer(
-	t *testing.T, handler http.Handler) (*api.Config, net.Listener) {
+	t *testing.T, handler http.Handler,
+) (*api.Config, net.Listener) {
 	ln, err := net.Listen("tcp", "127.0.0.1:0")
 	if err != nil {
 		t.Fatalf("err: %s", err)
--- a/api/lifetime_watcher.go
+++ b/api/lifetime_watcher.go
@@ -50,25 +50,24 @@ const (

 // LifetimeWatcher is a process for watching lifetime of a secret.
 //
-// 	watcher, err := client.NewLifetimeWatcher(&LifetimeWatcherInput{
-// 		Secret: mySecret,
-// 	})
-// 	go watcher.Start()
-// 	defer watcher.Stop()
+//	watcher, err := client.NewLifetimeWatcher(&LifetimeWatcherInput{
+//		Secret: mySecret,
+//	})
+//	go watcher.Start()
+//	defer watcher.Stop()
 //
-// 	for {
-// 		select {
-// 		case err := <-watcher.DoneCh():
-// 			if err != nil {
-// 				log.Fatal(err)
-// 			}
-//
-// 			// Renewal is now over
-// 		case renewal := <-watcher.RenewCh():
-// 			log.Printf("Successfully renewed: %#v", renewal)
-// 		}
-// 	}
+//	for {
+//		select {
+//		case err := <-watcher.DoneCh():
+//			if err != nil {
+//				log.Fatal(err)
+//			}
 //
+//			// Renewal is now over
+//		case renewal := <-watcher.RenewCh():
+//			log.Printf("Successfully renewed: %#v", renewal)
+//		}
+//	}
 //
 // `DoneCh` will return if renewal fails, or if the remaining lease duration is
 // under a built-in threshold and either renewing is not extending it or
@@ -251,7 +250,8 @@ func (r *LifetimeWatcher) doRenew() error {
 }

 func (r *LifetimeWatcher) doRenewWithOptions(tokenMode bool, nonRenewable bool, initLeaseDuration int, credString string,
-	renew renewFunc, initialRetryInterval time.Duration) error {
+	renew renewFunc, initialRetryInterval time.Duration,
+) error {
 	if credString == "" ||
 		(nonRenewable && r.renewBehavior == RenewBehaviorErrorOnErrors) {
 		return r.errLifetimeWatcherNotRenewable
--- a/api/ssh_agent.go
+++ b/api/ssh_agent.go
@@ -85,11 +85,10 @@ func (c *SSHHelperConfig) SetTLSParameters(clientConfig *Config, certPool *x509.
 }

 // Returns true if any of the following conditions are true:
-//   * CA cert is configured
-//   * CA path is configured
-//   * configured to skip certificate verification
-//   * TLS server name is configured
-//
+//   - CA cert is configured
+//   - CA path is configured
+//   - configured to skip certificate verification
+//   - TLS server name is configured
 func (c *SSHHelperConfig) shouldSetTLSParameters() bool {
 	return c.CACert != "" || c.CAPath != "" || c.TLSServerName != "" || c.TLSSkipVerify
 }
--- a/api/sys_audit.go
+++ b/api/sys_audit.go
@@ -87,7 +87,8 @@ func (c *Sys) ListAuditWithContext(ctx context.Context) (map[string]*Audit, erro

 // DEPRECATED: Use EnableAuditWithOptions instead
 func (c *Sys) EnableAudit(
-	path string, auditType string, desc string, opts map[string]string) error {
+	path string, auditType string, desc string, opts map[string]string,
+) error {
 	return c.EnableAuditWithOptions(path, &EnableAuditOptions{
 		Type:        auditType,
 		Description: desc,
--- a/builtin/credential/aws/backend_test.go
+++ b/builtin/credential/aws/backend_test.go
@@ -1021,31 +1021,33 @@ func TestBackend_PathBlacklistRoleTag(t *testing.T) {
 	}
 }

-/* This is an acceptance test.
-   Requires the following env vars:
-   TEST_AWS_EC2_RSA2048
-   TEST_AWS_EC2_PKCS7
-   TEST_AWS_EC2_IDENTITY_DOCUMENT
-   TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG
-   TEST_AWS_EC2_AMI_ID
-   TEST_AWS_EC2_ACCOUNT_ID
-   TEST_AWS_EC2_IAM_ROLE_ARN
+/*
+This is an acceptance test.

-   If this is being run on an EC2 instance, you can set the environment vars using this bash snippet:
+	Requires the following env vars:
+	TEST_AWS_EC2_RSA2048
+	TEST_AWS_EC2_PKCS7
+	TEST_AWS_EC2_IDENTITY_DOCUMENT
+	TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG
+	TEST_AWS_EC2_AMI_ID
+	TEST_AWS_EC2_ACCOUNT_ID
+	TEST_AWS_EC2_IAM_ROLE_ARN

-   export TEST_AWS_EC2_RSA2048=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/rsa2048)
-   export TEST_AWS_EC2_PKCS7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7)
-   export TEST_AWS_EC2_IDENTITY_DOCUMENT=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0)
-   export TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n')
-   export TEST_AWS_EC2_AMI_ID=$(curl -s http://169.254.169.254/latest/meta-data/ami-id)
-   export TEST_AWS_EC2_IAM_ROLE_ARN=$(aws iam get-role --role-name $(curl -q http://169.254.169.254/latest/meta-data/iam/security-credentials/ -S -s) --query Role.Arn --output text)
-   export TEST_AWS_EC2_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+	If this is being run on an EC2 instance, you can set the environment vars using this bash snippet:

-   If the test is not being run on an EC2 instance that has access to
-   credentials using EC2RoleProvider, on top of the above vars, following
-   needs to be set:
-   TEST_AWS_SECRET_KEY
-   TEST_AWS_ACCESS_KEY
+	export TEST_AWS_EC2_RSA2048=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/rsa2048)
+	export TEST_AWS_EC2_PKCS7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7)
+	export TEST_AWS_EC2_IDENTITY_DOCUMENT=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/document | base64 -w 0)
+	export TEST_AWS_EC2_IDENTITY_DOCUMENT_SIG=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/signature | tr -d '\n')
+	export TEST_AWS_EC2_AMI_ID=$(curl -s http://169.254.169.254/latest/meta-data/ami-id)
+	export TEST_AWS_EC2_IAM_ROLE_ARN=$(aws iam get-role --role-name $(curl -q http://169.254.169.254/latest/meta-data/iam/security-credentials/ -S -s) --query Role.Arn --output text)
+	export TEST_AWS_EC2_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+	If the test is not being run on an EC2 instance that has access to
+	credentials using EC2RoleProvider, on top of the above vars, following
+	needs to be set:
+	TEST_AWS_SECRET_KEY
+	TEST_AWS_ACCESS_KEY
 */
 func TestBackendAcc_LoginWithInstanceIdentityDocAndAccessListIdentity(t *testing.T) {
 	for _, path := range []string{"identity-whitelist/", "identity-accesslist/"} {
--- a/builtin/credential/aws/certificates.go
+++ b/builtin/credential/aws/certificates.go
@@ -26,7 +26,9 @@ func init() {

 // These certificates are for verifying PKCS#7 DSA signatures.
 // Copied from:
-//   curl https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-pkcs7.html | pcregrep -M -o -e '(?s)-----BEGIN CERTIFICATE-----[^>]*-----END CERTIFICATE-----'
+//
+//	curl https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/verify-pkcs7.html | pcregrep -M -o -e '(?s)-----BEGIN CERTIFICATE-----[^>]*-----END CERTIFICATE-----'
+//
 // Last updated: 2022-05-31
 const pkcs7RawCerts = `-----BEGIN CERTIFICATE-----
 MIIC7TCCAq0CCQCWukjZ5V4aZzAJBgcqhkjOOAQDMFwxCzAJBgNVBAYTAlVTMRkw
--- a/builtin/credential/aws/path_role.go
+++ b/builtin/credential/aws/path_role.go
@@ -305,7 +305,8 @@ func (b *backend) roleInternal(ctx context.Context, s logical.Storage, roleName
 // setRole creates or updates a role in the storage. The caller must hold
 // the write lock.
 func (b *backend) setRole(ctx context.Context, s logical.Storage, roleName string,
-	roleEntry *awsRoleEntry) error {
+	roleEntry *awsRoleEntry,
+) error {
 	if roleName == "" {
 		return fmt.Errorf("missing role name")
 	}
--- a/builtin/credential/aws/pkcs7/ber.go
+++ b/builtin/credential/aws/pkcs7/ber.go
@@ -106,12 +106,12 @@ func lengthLength(i int) (numBytes int) {
 // added to 0x80. The length is encoded in big endian encoding follow after
 //
 // Examples:
-//  length | byte 1 | bytes n
-//  0      | 0x00   | -
-//  120    | 0x78   | -
-//  200    | 0x81   | 0xC8
-//  500    | 0x82   | 0x01 0xF4
 //
+//	length | byte 1 | bytes n
+//	0      | 0x00   | -
+//	120    | 0x78   | -
+//	200    | 0x81   | 0xC8
+//	500    | 0x82   | 0x01 0xF4
 func encodeLength(out *bytes.Buffer, length int) (err error) {
 	if length >= 128 {
 		l := lengthLength(length)
--- a/builtin/credential/aws/pkcs7/encrypt.go
+++ b/builtin/credential/aws/pkcs7/encrypt.go
@@ -256,7 +256,7 @@ func encryptAESCBC(content []byte, key []byte) ([]byte, *encryptedContentInfo, e
 // value is EncryptionAlgorithmDESCBC. To use a different algorithm, change the
 // value before calling Encrypt(). For example:
 //
-//     ContentEncryptionAlgorithm = EncryptionAlgorithmAES128GCM
+//	ContentEncryptionAlgorithm = EncryptionAlgorithmAES128GCM
 //
 // TODO(fullsailor): Add support for encrypting content with other algorithms
 func Encrypt(content []byte, recipients []*x509.Certificate) ([]byte, error) {
--- a/builtin/credential/cert/backend_test.go
+++ b/builtin/credential/cert/backend_test.go
@@ -1836,7 +1836,8 @@ func testAccStepLoginWithNameInvalid(t *testing.T, connState tls.ConnectionState
 }

 func testAccStepListCerts(
-	t *testing.T, certs []string) []logicaltest.TestStep {
+	t *testing.T, certs []string,
+) []logicaltest.TestStep {
 	return []logicaltest.TestStep{
 		{
 			Operation: logical.ListOperation,
@@ -1893,7 +1894,8 @@ type allowed struct {
 }

 func testAccStepCert(
-	t *testing.T, name string, cert []byte, policies string, testData allowed, expectError bool) logicaltest.TestStep {
+	t *testing.T, name string, cert []byte, policies string, testData allowed, expectError bool,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
@@ -1922,7 +1924,8 @@ func testAccStepCert(
 }

 func testAccStepCertLease(
-	t *testing.T, name string, cert []byte, policies string) logicaltest.TestStep {
+	t *testing.T, name string, cert []byte, policies string,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
@@ -1936,7 +1939,8 @@ func testAccStepCertLease(
 }

 func testAccStepCertTTL(
-	t *testing.T, name string, cert []byte, policies string) logicaltest.TestStep {
+	t *testing.T, name string, cert []byte, policies string,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
@@ -1950,7 +1954,8 @@ func testAccStepCertTTL(
 }

 func testAccStepCertMaxTTL(
-	t *testing.T, name string, cert []byte, policies string) logicaltest.TestStep {
+	t *testing.T, name string, cert []byte, policies string,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
@@ -1965,7 +1970,8 @@ func testAccStepCertMaxTTL(
 }

 func testAccStepCertNoLease(
-	t *testing.T, name string, cert []byte, policies string) logicaltest.TestStep {
+	t *testing.T, name string, cert []byte, policies string,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "certs/" + name,
--- a/builtin/credential/ldap/backend_test.go
+++ b/builtin/credential/ldap/backend_test.go
@@ -382,19 +382,19 @@ func TestLdapAuthBackend_UserPolicies(t *testing.T) {
 }

 /*
- * Acceptance test for LDAP Auth Method
- *
- * The tests here rely on a docker LDAP server:
- * [https://github.com/rroemhild/docker-test-openldap]
- *
- * ...as well as existence of a person object, `cn=Hermes Conrad,dc=example,dc=com`,
- *    which is a member of a group, `cn=admin_staff,ou=people,dc=example,dc=com`
- *
- * Querying the server from the command line:
- *   $ docker run --privileged -d -p 389:389 --name ldap --rm rroemhild/test-openldap
- *   $ ldapsearch -x -H ldap://localhost -b dc=planetexpress,dc=com -s sub uid=hermes
- *   $ ldapsearch -x -H ldap://localhost -b dc=planetexpress,dc=com -s sub \
-         'member=cn=Hermes Conrad,ou=people,dc=planetexpress,dc=com'
+* Acceptance test for LDAP Auth Method
+*
+* The tests here rely on a docker LDAP server:
+* [https://github.com/rroemhild/docker-test-openldap]
+*
+* ...as well as existence of a person object, `cn=Hermes Conrad,dc=example,dc=com`,
+*    which is a member of a group, `cn=admin_staff,ou=people,dc=example,dc=com`
+*
+  - Querying the server from the command line:
+  - $ docker run --privileged -d -p 389:389 --name ldap --rm rroemhild/test-openldap
+  - $ ldapsearch -x -H ldap://localhost -b dc=planetexpress,dc=com -s sub uid=hermes
+  - $ ldapsearch -x -H ldap://localhost -b dc=planetexpress,dc=com -s sub \
+    'member=cn=Hermes Conrad,ou=people,dc=planetexpress,dc=com'
 */
 func factory(t *testing.T) logical.Backend {
 	defaultLeaseTTLVal := time.Hour * 24
--- a/builtin/credential/radius/backend_test.go
+++ b/builtin/credential/radius/backend_test.go
@@ -339,7 +339,8 @@ func testStepUserList(t *testing.T, users []string) logicaltest.TestStep {
 }

 func testStepUpdateUser(
-	t *testing.T, name string, policies string) logicaltest.TestStep {
+	t *testing.T, name string, policies string,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "users/" + name,
--- a/builtin/credential/userpass/backend_test.go
+++ b/builtin/credential/userpass/backend_test.go
@@ -300,7 +300,8 @@ func testAccStepLogin(t *testing.T, user string, pass string, policies []string)
 }

 func testUserCreateOperation(
-	t *testing.T, name string, password string, policies string) logicaltest.TestStep {
+	t *testing.T, name string, password string, policies string,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.CreateOperation,
 		Path:      "users/" + name,
@@ -312,7 +313,8 @@ func testUserCreateOperation(
 }

 func testAccStepUser(
-	t *testing.T, name string, password string, policies string) logicaltest.TestStep {
+	t *testing.T, name string, password string, policies string,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "users/" + name,
--- a/builtin/credential/userpass/stepwise_test.go
+++ b/builtin/credential/userpass/stepwise_test.go
@@ -32,7 +32,8 @@ func TestAccBackend_stepwise_UserCrud(t *testing.T) {
 }

 func testAccStepwiseUser(
-	t *testing.T, name string, password string, policies string) stepwise.Step {
+	t *testing.T, name string, password string, policies string,
+) stepwise.Step {
 	return stepwise.Step{
 		Operation: stepwise.UpdateOperation,
 		Path:      "users/" + name,
--- a/builtin/logical/aws/iam_policies_test.go
+++ b/builtin/logical/aws/iam_policies_test.go
@@ -207,7 +207,7 @@ func Test_combinePolicyDocuments(t *testing.T) {
 				`{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "NotAction": "ec2:DescribeAvailabilityZones", "Resource": "*"}]}`,
 			},
 			expectedOutput: `{"Version": "2012-10-17","Statement":[{"Effect": "Allow","NotAction": "ec2:DescribeAvailabilityZones",	"Resource": "*"}]}`,
-			expectedErr: false,
+			expectedErr:    false,
 		},
 		{
 			description: "one blank policy",
--- a/builtin/logical/aws/secret_access_keys.go
+++ b/builtin/logical/aws/secret_access_keys.go
@@ -278,7 +278,8 @@ func (b *backend) secretAccessKeysCreate(
 	ctx context.Context,
 	s logical.Storage,
 	displayName, policyName string,
-	role *awsRoleEntry) (*logical.Response, error) {
+	role *awsRoleEntry,
+) (*logical.Response, error) {
 	iamClient, err := b.clientIAM(ctx, s)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
--- a/builtin/logical/database/rollback_test.go
+++ b/builtin/logical/database/rollback_test.go
@@ -20,9 +20,9 @@ const (

 // Tests that the WAL rollback function rolls back the database password.
 // The database password should be rolled back when:
-//  - A WAL entry exists
-//  - Password has been altered on the database
-//  - Password has not been updated in storage
+//   - A WAL entry exists
+//   - Password has been altered on the database
+//   - Password has not been updated in storage
 func TestBackend_RotateRootCredentials_WAL_rollback(t *testing.T) {
 	cluster, sys := getCluster(t)
 	defer cluster.Cleanup()
@@ -163,9 +163,9 @@ func TestBackend_RotateRootCredentials_WAL_rollback(t *testing.T) {

 // Tests that the WAL rollback function does not roll back the database password.
 // The database password should not be rolled back when:
-//  - A WAL entry exists
-//  - Password has not been altered on the database
-//  - Password has not been updated in storage
+//   - A WAL entry exists
+//   - Password has not been altered on the database
+//   - Password has not been updated in storage
 func TestBackend_RotateRootCredentials_WAL_no_rollback_1(t *testing.T) {
 	cluster, sys := getCluster(t)
 	defer cluster.Cleanup()
@@ -267,9 +267,9 @@ func TestBackend_RotateRootCredentials_WAL_no_rollback_1(t *testing.T) {

 // Tests that the WAL rollback function does not roll back the database password.
 // The database password should not be rolled back when:
-//  - A WAL entry exists
-//  - Password has been altered on the database
-//  - Password has been updated in storage
+//   - A WAL entry exists
+//   - Password has been altered on the database
+//   - Password has been updated in storage
 func TestBackend_RotateRootCredentials_WAL_no_rollback_2(t *testing.T) {
 	cluster, sys := getCluster(t)
 	defer cluster.Cleanup()
--- a/builtin/logical/database/rotation.go
+++ b/builtin/logical/database/rotation.go
@@ -312,12 +312,12 @@ type setStaticAccountOutput struct {
 // - verifies role exists and is in the allowed roles list
 // - loads an existing WAL entry if WALID input is given, otherwise creates a
 // new WAL entry
-// - gets a database connection
-// - accepts an input credential, otherwise generates a new one for
-//   the role's credential type
-// - sets new credential for the static account
-// - uses WAL for ensuring new credentials are not lost if storage to Vault fails,
-//   resulting in a partial failure.
+//   - gets a database connection
+//   - accepts an input credential, otherwise generates a new one for
+//     the role's credential type
+//   - sets new credential for the static account
+//   - uses WAL for ensuring new credentials are not lost if storage to Vault fails,
+//     resulting in a partial failure.
 //
 // This method does not perform any operations on the priority queue. Those
 // tasks must be handled outside of this method.
--- a/builtin/logical/pki/ocsp_test.go
+++ b/builtin/logical/pki/ocsp_test.go
@@ -316,8 +316,9 @@ func TestOcsp_RevokedCertHasIssuerWithoutAKey(t *testing.T) {
 // the response to the caller on its behalf.
 //
 // NOTE: This test is a bit at the mercy of iteration order of the issuer ids.
-//       If it becomes flaky, most likely something is wrong in the code
-//       and not the test.
+//
+//	If it becomes flaky, most likely something is wrong in the code
+//	and not the test.
 func TestOcsp_MultipleMatchingIssuersOneWithoutSigningUsage(t *testing.T) {
 	b, s, testEnv := setupOcspEnv(t, "ec")

--- a/builtin/logical/ssh/backend_test.go
+++ b/builtin/logical/ssh/backend_test.go
@@ -2120,7 +2120,8 @@ func testDefaultUserTemplate(t *testing.T, testDefaultUserTemplate string,

 func testAllowedPrincipalsTemplate(t *testing.T, testAllowedDomainsTemplate string,
 	expectedValidPrincipal string, testEntityMetadata map[string]string,
-	roleConfigPayload map[string]interface{}, signingPayload map[string]interface{}) {
+	roleConfigPayload map[string]interface{}, signingPayload map[string]interface{},
+) {
 	cluster, userpassToken := getSshCaTestCluster(t, testUserName)
 	defer cluster.Cleanup()
 	client := cluster.Cores[0].Client
@@ -2169,7 +2170,8 @@ func testAllowedPrincipalsTemplate(t *testing.T, testAllowedDomainsTemplate stri
 }

 func testAllowedUsersTemplate(t *testing.T, testAllowedUsersTemplate string,
-	expectedValidPrincipal string, testEntityMetadata map[string]string) {
+	expectedValidPrincipal string, testEntityMetadata map[string]string,
+) {
 	testAllowedPrincipalsTemplate(
 		t, testAllowedUsersTemplate,
 		expectedValidPrincipal, testEntityMetadata,
--- a/builtin/logical/transit/backend_test.go
+++ b/builtin/logical/transit/backend_test.go
@@ -623,7 +623,8 @@ func testAccStepReadPolicyWithVersions(t *testing.T, name string, expectNone, de
 }

 func testAccStepEncrypt(
-	t *testing.T, name, plaintext string, decryptData map[string]interface{}) logicaltest.TestStep {
+	t *testing.T, name, plaintext string, decryptData map[string]interface{},
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "encrypt/" + name,
@@ -647,7 +648,8 @@ func testAccStepEncrypt(
 }

 func testAccStepEncryptUpsert(
-	t *testing.T, name, plaintext string, decryptData map[string]interface{}) logicaltest.TestStep {
+	t *testing.T, name, plaintext string, decryptData map[string]interface{},
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.CreateOperation,
 		Path:      "encrypt/" + name,
@@ -671,7 +673,8 @@ func testAccStepEncryptUpsert(
 }

 func testAccStepEncryptContext(
-	t *testing.T, name, plaintext, context string, decryptData map[string]interface{}) logicaltest.TestStep {
+	t *testing.T, name, plaintext, context string, decryptData map[string]interface{},
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "encrypt/" + name,
@@ -697,7 +700,8 @@ func testAccStepEncryptContext(
 }

 func testAccStepDecrypt(
-	t *testing.T, name, plaintext string, decryptData map[string]interface{}) logicaltest.TestStep {
+	t *testing.T, name, plaintext string, decryptData map[string]interface{},
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "decrypt/" + name,
@@ -725,7 +729,8 @@ func testAccStepDecrypt(
 }

 func testAccStepRewrap(
-	t *testing.T, name string, decryptData map[string]interface{}, expectedVer int) logicaltest.TestStep {
+	t *testing.T, name string, decryptData map[string]interface{}, expectedVer int,
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "rewrap/" + name,
@@ -757,7 +762,8 @@ func testAccStepRewrap(

 func testAccStepEncryptVX(
 	t *testing.T, name, plaintext string, decryptData map[string]interface{},
-	ver int, encryptHistory map[int]map[string]interface{}) logicaltest.TestStep {
+	ver int, encryptHistory map[int]map[string]interface{},
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "encrypt/" + name,
@@ -788,7 +794,8 @@ func testAccStepEncryptVX(

 func testAccStepLoadVX(
 	t *testing.T, name string, decryptData map[string]interface{},
-	ver int, encryptHistory map[int]map[string]interface{}) logicaltest.TestStep {
+	ver int, encryptHistory map[int]map[string]interface{},
+) logicaltest.TestStep {
 	// This is really a no-op to allow us to do data manip in the check function
 	return logicaltest.TestStep{
 		Operation: logical.ReadOperation,
@@ -801,7 +808,8 @@ func testAccStepLoadVX(
 }

 func testAccStepDecryptExpectFailure(
-	t *testing.T, name, plaintext string, decryptData map[string]interface{}) logicaltest.TestStep {
+	t *testing.T, name, plaintext string, decryptData map[string]interface{},
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "decrypt/" + name,
@@ -825,7 +833,8 @@ func testAccStepRotate(t *testing.T, name string) logicaltest.TestStep {

 func testAccStepWriteDatakey(t *testing.T, name string,
 	noPlaintext bool, bits int,
-	dataKeyInfo map[string]interface{}) logicaltest.TestStep {
+	dataKeyInfo map[string]interface{},
+) logicaltest.TestStep {
 	data := map[string]interface{}{}
 	subPath := "plaintext"
 	if noPlaintext {
@@ -869,7 +878,8 @@ func testAccStepWriteDatakey(t *testing.T, name string,
 }

 func testAccStepDecryptDatakey(t *testing.T, name string,
-	dataKeyInfo map[string]interface{}) logicaltest.TestStep {
+	dataKeyInfo map[string]interface{},
+) logicaltest.TestStep {
 	return logicaltest.TestStep{
 		Operation: logical.UpdateOperation,
 		Path:      "decrypt/" + name,
--- a/builtin/logical/transit/stepwise_test.go
+++ b/builtin/logical/transit/stepwise_test.go
@@ -162,7 +162,8 @@ func testAccStepwiseReadPolicyWithVersions(t *testing.T, name string, expectNone
 }

 func testAccStepwiseEncryptContext(
-	t *testing.T, name, plaintext, context string, decryptData map[string]interface{}) stepwise.Step {
+	t *testing.T, name, plaintext, context string, decryptData map[string]interface{},
+) stepwise.Step {
 	return stepwise.Step{
 		Operation: stepwise.UpdateOperation,
 		Path:      "encrypt/" + name,
@@ -188,7 +189,8 @@ func testAccStepwiseEncryptContext(
 }

 func testAccStepwiseDecrypt(
-	t *testing.T, name, plaintext string, decryptData map[string]interface{}) stepwise.Step {
+	t *testing.T, name, plaintext string, decryptData map[string]interface{},
+) stepwise.Step {
 	return stepwise.Step{
 		Operation: stepwise.UpdateOperation,
 		Path:      "decrypt/" + name,
--- a/command/agent/auth/alicloud/alicloud.go
+++ b/command/agent/auth/alicloud/alicloud.go
@@ -18,13 +18,11 @@ import (
 )

 /*
-
-	Creds can be inferred from instance metadata, and those creds
-	expire every 60 minutes, so we're going to need to poll for new
-	creds. Since we're polling anyways, let's poll once a minute so
-	all changes can be picked up rather quickly. This is configurable,
-	however.
-
+Creds can be inferred from instance metadata, and those creds
+expire every 60 minutes, so we're going to need to poll for new
+creds. Since we're polling anyways, let's poll once a minute so
+all changes can be picked up rather quickly. This is configurable,
+however.
 */
 const defaultCredCheckFreqSeconds = 60

--- a/command/token/helper_external.go
+++ b/command/token/helper_external.go
@@ -46,10 +46,10 @@ var _ TokenHelper = (*ExternalTokenHelper)(nil)
 // BinaryPath is executed within a shell with environment Env. The last argument
 // appended will be the operation, which is:
 //
-//   * "get" - Read the value of the token and write it to stdout.
-//   * "store" - Store the value of the token which is on stdin. Output
-//       nothing.
-//   * "erase" - Erase the contents stored. Output nothing.
+//   - "get" - Read the value of the token and write it to stdout.
+//   - "store" - Store the value of the token which is on stdin. Output
+//     nothing.
+//   - "erase" - Erase the contents stored. Output nothing.
 //
 // Any errors can be written on stdout. If the helper exits with a non-zero
 // exit code then the stderr will be made part of the error value.
--- a/helper/constants/fips_build_check.go
+++ b/helper/constants/fips_build_check.go
@@ -8,17 +8,17 @@ import "C"
 // without implementation in any imported or built library. This results in
 // a linker err if the above build constraints are satisfied:
 //
-//   /home/cipherboy/GitHub/cipherboy/vault-enterprise/helper/constants/fips_build_check.go:10: undefined reference to `github.com/hashicorp/vault/helper/constants.VaultFIPSBuildRequiresVersionAgnosticTagAndOneVersionTag'
+//	/home/cipherboy/GitHub/cipherboy/vault-enterprise/helper/constants/fips_build_check.go:10: undefined reference to `github.com/hashicorp/vault/helper/constants.VaultFIPSBuildRequiresVersionAgnosticTagAndOneVersionTag'
 //
 // This indicates that a build error has occurred due to mismatched tags.
 //
 // In particular, we use this to enforce the following restrictions on build
 // tags:
 //
-//  - If a versioned fips_140_* tag is specified, the unversioned tag must
-//    also be.
-//  - If the unversioned tag is specified, a versioned tag must be.
-//  - Both versioned flags cannot be specified at the same time.
+//   - If a versioned fips_140_* tag is specified, the unversioned tag must
+//     also be.
+//   - If the unversioned tag is specified, a versioned tag must be.
+//   - Both versioned flags cannot be specified at the same time.
 //
 // In the unlikely event that a FFI implementation for this function exists
 // in the future, it should be renamed to a new function which does not
--- a/http/assets.go
+++ b/http/assets.go
@@ -9,6 +9,7 @@ import (
 )

 // content is our static web server content.
+//
 //go:embed web_ui/*
 var content embed.FS

--- a/http/handler.go
+++ b/http/handler.go
@@ -1148,9 +1148,9 @@ func parseMFAHeader(req *logical.Request) error {
 // maintain backwards compatibility, this will err on the side of JSON.
 // The request will be considered a form only if:
 //
-//   1. The content type is "application/x-www-form-urlencoded"
-//   2. The start of the request doesn't look like JSON. For this test we
-//      we expect the body to begin with { or [, ignoring leading whitespace.
+//  1. The content type is "application/x-www-form-urlencoded"
+//  2. The start of the request doesn't look like JSON. For this test we
+//     we expect the body to begin with { or [, ignoring leading whitespace.
 func isForm(head []byte, contentType string) bool {
 	contentType, _, err := mime.ParseMediaType(contentType)

@@ -1221,8 +1221,8 @@ func oidcPermissionDenied(path string, err error) bool {
 // permission denied errors (expired token) on resources protected
 // by OIDC access tokens. Currently, the UserInfo Endpoint is the only
 // protected resource. See the following specifications for details:
-//  - https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
-//  - https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
+//   - https://openid.net/specs/openid-connect-core-1_0.html#UserInfoError
+//   - https://datatracker.ietf.org/doc/html/rfc6750#section-3.1
 func respondOIDCPermissionDenied(w http.ResponseWriter) {
 	errorCode := "invalid_token"
 	errorDescription := logical.ErrPermissionDenied.Error()
--- a/http/logical.go
+++ b/http/logical.go
@@ -287,9 +287,9 @@ func buildLogicalRequest(core *vault.Core, w http.ResponseWriter, r *http.Reques
 // handleLogical returns a handler for processing logical requests. These requests
 // may or may not end up getting forwarded under certain scenarios if the node
 // is a performance standby. Some of these cases include:
-//     - Perf standby and token with limited use count.
-//     - Perf standby and token re-validation needed (e.g. due to invalid token).
-//     - Perf standby and control group error.
+//   - Perf standby and token with limited use count.
+//   - Perf standby and token re-validation needed (e.g. due to invalid token).
+//   - Perf standby and control group error.
 func handleLogical(core *vault.Core) http.Handler {
 	return handleLogicalInternal(core, false, false)
 }
--- a/internalshared/listenerutil/listener.go
+++ b/internalshared/listenerutil/listener.go
@@ -75,7 +75,8 @@ func UnixSocketListener(path string, unixSocketsConfig *UnixSocketsConfig) (net.
 func TLSConfig(
 	l *configutil.Listener,
 	props map[string]string,
-	ui cli.Ui) (*tls.Config, reloadutil.ReloadFunc, error) {
+	ui cli.Ui,
+) (*tls.Config, reloadutil.ReloadFunc, error) {
 	props["tls"] = "disabled"

 	if l.TLSDisable {
--- a/physical/cockroachdb/cockroachdb.go
+++ b/physical/cockroachdb/cockroachdb.go
@@ -304,8 +304,8 @@ func (c *CockroachDBBackend) transaction(tx *sql.Tx, txns []*physical.TxnEntry)
 // https://www.cockroachlabs.com/docs/stable/keywords-and-identifiers.html#identifiers
 //
 //   - All values that accept an identifier must:
-//     - Begin with a Unicode letter or an underscore (_). Subsequent characters can be letters,
-//     - underscores, digits (0-9), or dollar signs ($).
+//   - Begin with a Unicode letter or an underscore (_). Subsequent characters can be letters,
+//   - underscores, digits (0-9), or dollar signs ($).
 //   - Not equal any SQL keyword unless the keyword is accepted by the element's syntax. For example,
 //     name accepts Unreserved or Column Name keywords.
 //
--- a/physical/gcs/gcs_ha.go
+++ b/physical/gcs/gcs_ha.go
@@ -321,9 +321,10 @@ OUTER:
 //
 // - lock does not exist
 //   - write the lock
+//
 // - lock exists
 //   - if key is empty or identity is the same or timestamp exceeds TTL
-//     - update the lock to self
+//   - update the lock to self
 func (l *Lock) writeLock() (bool, error) {
 	// Create a transaction to read and the update (maybe)
 	ctx, cancel := context.WithCancel(context.Background())
--- a/physical/postgresql/postgresql.go
+++ b/physical/postgresql/postgresql.go
@@ -36,11 +36,9 @@ const (
 // Verify PostgreSQLBackend satisfies the correct interfaces
 var _ physical.Backend = (*PostgreSQLBackend)(nil)

-//
 // HA backend was implemented based on the DynamoDB backend pattern
 // With distinction using central postgres clock, hereby avoiding
 // possible issues with multiple clocks
-//
 var (
 	_ physical.HABackend = (*PostgreSQLBackend)(nil)
 	_ physical.Lock      = (*PostgreSQLLock)(nil)
--- a/physical/spanner/spanner_ha.go
+++ b/physical/spanner/spanner_ha.go
@@ -320,9 +320,10 @@ OUTER:
 //
 // - lock does not exist
 //   - write the lock
+//
 // - lock exists
 //   - if key is empty or identity is the same or timestamp exceeds TTL
-//     - update the lock to self
+//   - update the lock to self
 func (l *Lock) writeLock() (bool, error) {
 	// Keep track of whether the lock was written
 	lockWritten := false
--- a/sdk/database/helper/dbutil/quoteidentifier.go
+++ b/sdk/database/helper/dbutil/quoteidentifier.go
@@ -28,10 +28,10 @@ import "strings"
 // QuoteIdentifier quotes an "identifier" (e.g. a table or a column name) to be
 // used as part of an SQL statement.  For example:
 //
-//    tblname := "my_table"
-//    data := "my_data"
-//    quoted := pq.QuoteIdentifier(tblname)
-//    err := db.Exec(fmt.Sprintf("INSERT INTO %s VALUES ($1)", quoted), data)
+//	tblname := "my_table"
+//	data := "my_data"
+//	quoted := pq.QuoteIdentifier(tblname)
+//	err := db.Exec(fmt.Sprintf("INSERT INTO %s VALUES ($1)", quoted), data)
 //
 // Any double quotes in name will be escaped.  The quoted identifier will be
 // case sensitive when used in a query.  If the input string contains a zero
--- a/sdk/framework/openapi.go
+++ b/sdk/framework/openapi.go
@@ -734,7 +734,8 @@ func cleanResponse(resp *logical.Response) *cleanedResponse {
 // /sys/tools/random/{urlbytes} -> postSysToolsRandomUrlbytes
 //
 // In the unlikely case of a duplicate ids, a numeric suffix is added:
-//   postSysToolsRandomUrlbytes_2
+//
+//	postSysToolsRandomUrlbytes_2
 //
 // An optional user-provided suffix ("context") may also be appended.
 func (d *OASDocument) CreateOperationIDs(context string) {
--- a/sdk/framework/secret.go
+++ b/sdk/framework/secret.go
@@ -42,7 +42,8 @@ func (s *Secret) Renewable() bool {
 }

 func (s *Secret) Response(
-	data, internal map[string]interface{}) *logical.Response {
+	data, internal map[string]interface{},
+) *logical.Response {
 	internalData := make(map[string]interface{})
 	for k, v := range internal {
 		internalData[k] = v
--- a/sdk/helper/keysutil/policy_test.go
+++ b/sdk/helper/keysutil/policy_test.go
@@ -834,7 +834,8 @@ func Test_RSA_PSS(t *testing.T) {
 	}

 	test_RSA_PSS := func(t *testing.T, p *Policy, rsaKey *rsa.PrivateKey, hashType HashType,
-		marshalingType MarshalingType) {
+		marshalingType MarshalingType,
+	) {
 		unsaltedOptions := SigningOptions{
 			HashAlgorithm: hashType,
 			Marshaling:    marshalingType,
--- a/sdk/helper/locksutil/locks.go
+++ b/sdk/helper/locksutil/locks.go
@@ -25,7 +25,6 @@ type LockEntry struct {
 // Lock B, Lock A
 //
 // Where process 1 is now deadlocked trying to lock B, and process 2 deadlocked trying to lock A
-//
 func CreateLocks() []*LockEntry {
 	ret := make([]*LockEntry, LockCount)
 	for i := range ret {
--- a/sdk/helper/template/template.go
+++ b/sdk/helper/template/template.go
@@ -39,37 +39,48 @@ func Function(name string, f interface{}) Opt {
 // - random
 //   - Randomly generated characters. This uses the charset specified in RandomCharset. Must include a length.
 //     Example: {{ rand 20 }}
+//
 // - truncate
 //   - Truncates the previous value to the specified length. Must include a maximum length.
 //     Example: {{ .DisplayName | truncate 10 }}
+//
 // - truncate_sha256
 //   - Truncates the previous value to the specified length. If the original length is greater than the length
 //     specified, the remaining characters will be sha256 hashed and appended to the end. The hash will be only the first 8 characters The maximum length will
 //     be no longer than the length specified.
 //     Example: {{ .DisplayName | truncate_sha256 30 }}
+//
 // - uppercase
 //   - Uppercases the previous value.
 //     Example: {{ .RoleName | uppercase }}
+//
 // - lowercase
 //   - Lowercases the previous value.
 //     Example: {{ .DisplayName | lowercase }}
+//
 // - replace
 //   - Performs a string find & replace
 //     Example: {{ .DisplayName | replace - _ }}
+//
 // - sha256
 //   - SHA256 hashes the previous value.
 //     Example: {{ .DisplayName | sha256 }}
+//
 // - base64
 //   - base64 encodes the previous value.
 //     Example: {{ .DisplayName | base64 }}
+//
 // - unix_time
 //   - Provides the current unix time in seconds.
 //     Example: {{ unix_time }}
+//
 // - unix_time_millis
 //   - Provides the current unix time in milliseconds.
 //     Example: {{ unix_time_millis }}
+//
 // - timestamp
 //   - Provides the current time. Must include a standard Go format string
+//
 // - uuid
 //   - Generates a UUID
 //     Example: {{ uuid }}
--- a/sdk/logical/request.go
+++ b/sdk/logical/request.go
@@ -378,7 +378,6 @@ type MFACreds map[string][]string
 // InitializationRequest stores the parameters and context of an Initialize()
 // call being made to a logical.Backend.
 type InitializationRequest struct {
-
 	// Storage can be used to durably store and retrieve state.
 	Storage Storage
 }
--- a/serviceregistration/kubernetes/testing/testserver.go
+++ b/serviceregistration/kubernetes/testing/testserver.go
@@ -47,15 +47,15 @@ var (
 // the test server. This must be done by the caller to avoid an import
 // cycle between the client and the testserver. Example usage:
 //
-//		client.Scheme = testConf.ClientScheme
-//		client.TokenFile = testConf.PathToTokenFile
-//		client.RootCAFile = testConf.PathToRootCAFile
-//		if err := os.Setenv(client.EnvVarKubernetesServiceHost, testConf.ServiceHost); err != nil {
-//			t.Fatal(err)
-//		}
-//		if err := os.Setenv(client.EnvVarKubernetesServicePort, testConf.ServicePort); err != nil {
-//			t.Fatal(err)
-//		}
+//	client.Scheme = testConf.ClientScheme
+//	client.TokenFile = testConf.PathToTokenFile
+//	client.RootCAFile = testConf.PathToRootCAFile
+//	if err := os.Setenv(client.EnvVarKubernetesServiceHost, testConf.ServiceHost); err != nil {
+//		t.Fatal(err)
+//	}
+//	if err := os.Setenv(client.EnvVarKubernetesServicePort, testConf.ServicePort); err != nil {
+//		t.Fatal(err)
+//	}
 type Conf struct {
 	ClientScheme, PathToTokenFile, PathToRootCAFile, ServiceHost, ServicePort string
 }
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -1775,10 +1775,10 @@ func (m *ExpirationManager) uniquePoliciesGc() {
 // Acquiring a lock from a leaseEntry is a bad idea because it could change
 // between loading and acquiring the lock. So we only provide an ID-based map, and the
 // locking discipline should be:
-//    1. Lock lease
-//    2. Load, or attempt to load, leaseEntry
-//    3. Modify leaseEntry and pendingMap (atomic wrt operations on this lease)
-//    4. Unlock lease
+//  1. Lock lease
+//  2. Load, or attempt to load, leaseEntry
+//  3. Modify leaseEntry and pendingMap (atomic wrt operations on this lease)
+//  4. Unlock lease
 //
 // The lock must be removed from the map when the lease is deleted, or is
 // found to not exist in storage. loadEntry does this whenever it returns
--- a/vault/external_tests/sealmigration/testshared.go
+++ b/vault/external_tests/sealmigration/testshared.go
@@ -334,7 +334,8 @@ func migrateFromShamirToTransit_Pre14(t *testing.T, logger hclog.Logger, storage
 }

 func validateMigration(t *testing.T, storage teststorage.ReusableStorage,
-	cluster *vault.TestCluster, leaderIdx int, f func(t *testing.T, core *vault.TestClusterCore)) {
+	cluster *vault.TestCluster, leaderIdx int, f func(t *testing.T, core *vault.TestClusterCore),
+) {
 	t.Helper()

 	leader := cluster.Cores[leaderIdx]
@@ -693,7 +694,8 @@ func runShamir(t *testing.T, logger hclog.Logger, storage teststorage.ReusableSt

 // initializeTransit initializes a brand new backend storage with Transit.
 func InitializeTransit(t *testing.T, logger hclog.Logger, storage teststorage.ReusableStorage, basePort int,
-	tss *sealhelper.TransitSealServer, sealKeyName string) (*vault.TestCluster, *vault.TestClusterOptions) {
+	tss *sealhelper.TransitSealServer, sealKeyName string,
+) (*vault.TestCluster, *vault.TestClusterOptions) {
 	t.Helper()

 	baseClusterPort := basePort + 10
--- a/vault/identity_store_groups_test.go
+++ b/vault/identity_store_groups_test.go
@@ -1083,11 +1083,12 @@ func TestIdentityStore_GroupMultiCase(t *testing.T) {

 /*
 Test groups hierarchy:
-                ------- eng(entityID3) -------
-                |                            |
-         ----- vault -----        -- ops(entityID2) --
-         |               |        |                  |
-   kube(entityID1)    identity    build            deploy
+
+	             ------- eng(entityID3) -------
+	             |                            |
+	      ----- vault -----        -- ops(entityID2) --
+	      |               |        |                  |
+	kube(entityID1)    identity    build            deploy
 */
 func TestIdentityStore_GroupHierarchyCases(t *testing.T) {
 	var resp *logical.Response