From 08abff1cae2384e45986836fbb5f0b818941fd28 Mon Sep 17 00:00:00 2001
From: Joshua Casey
Date: Tue, 3 Sep 2024 07:34:30 -0500
Subject: [PATCH] Bump golanglint-ci to 1.60.3

---
 .golangci.yaml | 2 --
 cmd/pinniped/cmd/kubeconfig.go | 2 +-
 hack/lib/lint-version.txt | 2 +-
 .../oidcclientwatcher/oidc_client_watcher.go | 1 +
 internal/endpointaddr/endpointaddr.go | 5 ++++-
 .../endpoints/chooseidp/chooseidphtml/chooseidphtml.go | 6 +++---
 .../endpoints/login/loginhtml/loginhtml.go | 4 ++--
 internal/federationdomain/formposthtml/formposthtml.go | 6 +++---
 internal/net/phttp/warning.go | 3 ++-
 internal/plog/config.go | 1 +
 internal/plog/level.go | 3 ++-
 internal/testutil/totp/totp.go | 2 +-
 internal/upstreamoidc/upstreamoidc_test.go | 2 +-
 pkg/oidcclient/login.go | 2 +-
 test/integration/limited_ciphers_utils_test.go | 6 +++---
 test/integration/main_test.go | 2 +-
 test/integration/pod_shutdown_test.go | 10 +++++-----
 17 files changed, 32 insertions(+), 27 deletions(-)

diff --git a/.golangci.yaml b/.golangci.yaml
index 17d5a317b..17f6903bc 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -20,7 +20,6 @@ linters:
 # - depguard
 - dogsled
 - exhaustive
- - exportloopref
 - funlen
 - gochecknoglobals
 - gochecknoinits
@@ -39,7 +38,6 @@ linters:
 - nolintlint
 - prealloc
 - rowserrcheck
- - exportloopref
 - sqlclosecheck
 - unconvert
 - whitespace
diff --git a/cmd/pinniped/cmd/kubeconfig.go b/cmd/pinniped/cmd/kubeconfig.go
index defe624ca..8e536983c 100644
--- a/cmd/pinniped/cmd/kubeconfig.go
+++ b/cmd/pinniped/cmd/kubeconfig.go
@@ -745,7 +745,7 @@ func validateKubeconfig(ctx context.Context, flags getKubeconfigParams, kubeconf
 func countCACerts(pemData []byte) int {
 pool := x509.NewCertPool()
 pool.AppendCertsFromPEM(pemData)
- return len(pool.Subjects())
+ return len(pool.Subjects()) //nolint:staticcheck // there's no other clear way to mimic this legacy behavior
 }

 func hasPendingStrategy(credentialIssuer *conciergeconfigv1alpha1.CredentialIssuer) bool {
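Review bot: The suppression on `return len(pool.Subjects())` in countCACerts says only that there is no other way to mimic the legacy behavior, and does not say why the deprecated call is safe here. The deprecation of `CertPool.Subjects` concerns pools returned by `SystemCertPool`, and this pool is created with `x509.NewCertPool()` two lines above, so that caveat does not apply. I would state that in the directive: `//nolint:staticcheck // pool comes from NewCertPool, so the SystemCertPool caveat behind the deprecation does not apply`. The ignored boolean result of `AppendCertsFromPEM` is unchanged context, but it means input without any parsable certificate is counted as 0 rather than reported.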
diff --git a/hack/lib/lint-version.txt b/hack/lib/lint-version.txt
index f6c9d766c..8f16209d1 100644
--- a/hack/lib/lint-version.txt
+++ b/hack/lib/lint-version.txt
@@ -1 +1 @@
-1.60.1
+1.60.3
diff --git a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
index a9573ba42..c57a1c6e5 100644
--- a/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
+++ b/internal/controller/supervisorconfig/oidcclientwatcher/oidc_client_watcher.go
@@ -146,6 +146,7 @@ func (c *oidcClientWatcherController) updateStatus(
 updated.Status.Phase = supervisorconfigv1alpha1.OIDCClientPhaseError
 }

+ //nolint:gosec // looks like we are willing to accept the risk that there are less than 2147483647 dynamic clients
 updated.Status.TotalClientSecrets = int32(totalClientSecrets)

 if equality.Semantic.DeepEqual(upstream, updated) {
diff --git a/internal/endpointaddr/endpointaddr.go b/internal/endpointaddr/endpointaddr.go
index d6c76be4e..1307d5054 100644
--- a/internal/endpointaddr/endpointaddr.go
+++ b/internal/endpointaddr/endpointaddr.go
@@ -71,7 +71,10 @@ func Parse(endpoint string, defaultPort uint16) (HostPort, error) {
 return HostPort{}, fmt.Errorf("host %q is not a valid hostname or IP address", host)
 }

- return HostPort{Host: host, Port: uint16(integerPort)}, nil
+ return HostPort{
+ Host: host,
+ Port: uint16(integerPort), //nolint:gosec // this cast is checked by validation.IsValidPortNum above
+ }, nil
 }

 // ParseFromURL wraps Parse but specifically takes a url.URL instead of an endpoint string.
diff --git a/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go
index e45e1bf38..b07dc6f50 100644
--- a/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go
+++ b/internal/federationdomain/endpoints/chooseidp/chooseidphtml/chooseidphtml.go
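Review bot: The comment added above `updated.Status.TotalClientSecrets = int32(totalClientSecrets)` in oidc_client_watcher.go states the risk backwards and names the wrong thing: the conversion misbehaves when there are more than 2147483647 client secrets, not fewer, and the value counts secrets rather than clients. With the finding suppressed, an out-of-range count would wrap silently in the reported status. Assuming totalClientSecrets is an int (its declaration is outside the hunk, as is most of updateStatus), clamping keeps the field sane: `updated.Status.TotalClientSecrets = int32(min(totalClientSecrets, math.MaxInt32))`, which needs the Go 1.21 `min` builtin and the `math` import. The directive's reason could then read `// clamped above, so the conversion cannot wrap`.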
@@ -1,4 +1,4 @@
-// Copyright 2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package chooseidphtml
@@ -28,8 +28,8 @@ var (

 // Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
 parsedHTMLTemplate = template.Must(template.New("choose_idp.gohtml").Funcs(template.FuncMap{
- "minifiedCSS": func() template.CSS { return template.CSS(CSS()) },
- "minifiedJS": func() template.JS { return template.JS(JS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+ "minifiedCSS": func() template.CSS { return template.CSS(CSS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+ "minifiedJS": func() template.JS { return template.JS(JS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
 }).Parse(rawHTMLTemplate))

 // Generate the CSP header value once since it's effectively constant.
diff --git a/internal/federationdomain/endpoints/login/loginhtml/loginhtml.go b/internal/federationdomain/endpoints/login/loginhtml/loginhtml.go
index c09b5ca84..1de88a9da 100644
--- a/internal/federationdomain/endpoints/login/loginhtml/loginhtml.go
+++ b/internal/federationdomain/endpoints/login/loginhtml/loginhtml.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package loginhtml defines HTML templates used by the Supervisor.
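Review bot: The `//nolint:gosec` reasons on `template.CSS(CSS())` and `template.JS(JS())` in chooseidphtml.go assert that the input is 100% static, but nothing in the hunk shows where `CSS()` and `JS()` get their data; the same claim is repeated in the loginhtml.go and formposthtml.go hunks. `template.CSS` and `template.JS` switch off html/template's contextual escaping, so the suppression is sound only while those values never include request-derived data. I would have the comment name the invariant it depends on, for example `//nolint:gosec // CSS() returns a build-time asset; it must never include request data`, assuming that is how the assets are produced. The enclosing `var (` block starts and ends outside the hunk.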
@@ -25,7 +25,7 @@ var (

 // Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
 parsedHTMLTemplate = template.Must(template.New("login_form.gohtml").Funcs(template.FuncMap{
- "minifiedCSS": func() template.CSS { return template.CSS(CSS()) },
+ "minifiedCSS": func() template.CSS { return template.CSS(CSS()) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
 }).Parse(rawHTMLTemplate))

 // Generate the CSP header value once since it's effectively constant.
diff --git a/internal/federationdomain/formposthtml/formposthtml.go b/internal/federationdomain/formposthtml/formposthtml.go
index cdf2b85b6..062a3efe1 100644
--- a/internal/federationdomain/formposthtml/formposthtml.go
+++ b/internal/federationdomain/formposthtml/formposthtml.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package formposthtml defines HTML templates used by the Supervisor.
@@ -29,8 +29,8 @@ var (

 // Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
 parsedHTMLTemplate = template.Must(template.New("form_post.gohtml").Funcs(template.FuncMap{
- "minifiedCSS": func() template.CSS { return template.CSS(minifiedCSS) },
- "minifiedJS": func() template.JS { return template.JS(minifiedJS) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+ "minifiedCSS": func() template.CSS { return template.CSS(minifiedCSS) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
+ "minifiedJS": func() template.JS { return template.JS(minifiedJS) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
 }).Parse(rawHTMLTemplate))

 // Generate the CSP header value once since it's effectively constant.
diff --git a/internal/net/phttp/warning.go b/internal/net/phttp/warning.go
index 99359461f..5cde35102 100644
--- a/internal/net/phttp/warning.go
+++ b/internal/net/phttp/warning.go
@@ -1,4 +1,4 @@
-// Copyright 2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package phttp
@@ -40,6 +40,7 @@ func getWarningHandler() rest.WarningHandler {
 // the client-go rest.WarningHandlers all log warnings with non-empty message and code=299, agent is ignored

 // no deduplication or color output when running from a non-terminal such as a pod
+ //nolint:gosec // this is an int, cast to uintptr, cast back to int
 if isTerm := term.IsTerminal(int(os.Stderr.Fd())); !isTerm {
 return rest.WarningLogger{}
 }
diff --git a/internal/plog/config.go b/internal/plog/config.go
index b2c60416f..ae3686da5 100644
--- a/internal/plog/config.go
+++ b/internal/plog/config.go
@@ -57,6 +57,7 @@ func ValidateAndSetLogLevelAndFormatGlobally(ctx context.Context, spec LogSpec)
 if _, err := logs.GlogSetter(strconv.Itoa(int(klogLevel))); err != nil {
 panic(err) // programmer error
 }
+ //nolint:gosec // the range for klogLevel is [0,108]
 globalLevel.SetLevel(zapcore.Level(-klogLevel)) // klog levels are inverted when zap handles them

 var encoding string
diff --git a/internal/plog/level.go b/internal/plog/level.go
index 4daa7b936..56eb8483f 100644
--- a/internal/plog/level.go
+++ b/internal/plog/level.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2021 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package plog
@@ -45,6 +45,7 @@ func Enabled(level LogLevel) bool {
 l := klogLevelForPlogLevel(level)
 // check that both our global level and the klog global level agree that the plog level is enabled
 // klog levels are inverted when zap handles them
+ //nolint:gosec // the range for klogLevel is [0,108]
 return globalLevel.Enabled(zapcore.Level(-l)) && klog.V(l).Enabled()
 }

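Review bot: The reason added in Enabled in level.go, `//nolint:gosec // the range for klogLevel is [0,108]`, refers to a name that does not exist in this function, where the converted value is `l`; it appears to be copied from the config.go hunk. The bound itself is established outside both hunks, so a reader cannot check it from the suppressed line. I would tie the comment to its source, for example `//nolint:gosec // klogLevelForPlogLevel returns a value in [0,108], so -l fits zapcore.Level`, after confirming that range against klogLevelForPlogLevel. Enabled begins outside the hunk.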
diff --git a/internal/testutil/totp/totp.go b/internal/testutil/totp/totp.go
index 7e2c153cf..9180dad6f 100644
--- a/internal/testutil/totp/totp.go
+++ b/internal/testutil/totp/totp.go
@@ -80,7 +80,7 @@ func GenerateOTPCode(t *testing.T, token string, when time.Time) (string, int64)
 ((int(sum[offset+2] & mask3)) << shift8) |
 (int(sum[offset+3]) & mask3))

- modulo := int32(value % int64(math.Pow10(length)))
+ modulo := int32(value % int64(math.Pow10(length))) //nolint:gosec // the resulting number must be less than 10^6

 format := fmt.Sprintf("%%0%dd", length)

diff --git a/internal/upstreamoidc/upstreamoidc_test.go b/internal/upstreamoidc/upstreamoidc_test.go
index 762e09de2..fbbe156bb 100644
--- a/internal/upstreamoidc/upstreamoidc_test.go
+++ b/internal/upstreamoidc/upstreamoidc_test.go
@@ -1461,7 +1461,7 @@ func forceUserInfoWithClaims(subject string, claims string) *coreosoidc.UserInfo

 // this is some dark magic to set a private field
 claimsField := reflect.ValueOf(userInfo).Elem().FieldByName("claims")
- claimsPointer := (*[]byte)(unsafe.Pointer(claimsField.UnsafeAddr()))
+ claimsPointer := (*[]byte)(unsafe.Pointer(claimsField.UnsafeAddr())) //nolint:gosec // this is a test hack we are willing to live with
 *claimsPointer = []byte(claims)

 return userInfo
diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go
index f1b7e6d71..53267d6c2 100644
--- a/pkg/oidcclient/login.go
+++ b/pkg/oidcclient/login.go
@@ -75,7 +75,7 @@ const (
 )

 // stdin returns the file descriptor for stdin as an int.
-func stdin() int { return int(os.Stdin.Fd()) }
+func stdin() int { return int(os.Stdin.Fd()) } //nolint:gosec // this is an int, cast to uintptr, cast back to int

 type handlerState struct {
 // Basic parameters.
diff --git a/test/integration/limited_ciphers_utils_test.go b/test/integration/limited_ciphers_utils_test.go
index 51f52181d..f2eef58cf 100644
--- a/test/integration/limited_ciphers_utils_test.go
+++ b/test/integration/limited_ciphers_utils_test.go
@@ -114,7 +114,7 @@ func expectTLSConfigForServicePort(
 ) {
 portAsInt, err := strconv.Atoi(localPortAsStr)
 require.NoError(t, err)
- portAsUint := uint16(portAsInt) // okay to cast because it will only be legal port numbers
+ portAsUint := uint16(portAsInt) //nolint:gosec // okay to cast because it will only be legal port numbers

 startKubectlPortForward(ctx, t, localPortAsStr, "443", serviceName, serviceNamespace)

@@ -193,7 +193,7 @@ func restartAllPodsOfApp(

 // Scale down the deployment's number of replicas to 0, which will shut down all the pods.
 originalScale := updateDeploymentScale(t, namespace, appName, 0)
- require.Greater(t, originalScale, 0)
+ require.Greater(t, int(originalScale), 0)

 testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 newPods := getRunningPodsByNamePrefix(t, namespace, appName+"-", ignorePodsWithNameSubstring)
@@ -205,7 +205,7 @@ func restartAllPodsOfApp(

 testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 newPods := getRunningPodsByNamePrefix(t, namespace, appName+"-", ignorePodsWithNameSubstring)
- requireEventually.Len(newPods, originalScale, "wanted %d pods", originalScale)
+ requireEventually.Equal(len(newPods), int(originalScale), "wanted %d pods", originalScale)
 requireEventually.True(allPodsReady(newPods), "wanted all new pods to be ready")
 }, 2*time.Minute, 200*time.Millisecond)
 }
diff --git a/test/integration/main_test.go b/test/integration/main_test.go
index f3b5992aa..d28e3527b 100644
--- a/test/integration/main_test.go
+++ b/test/integration/main_test.go
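Review bot: The cast `uint16(portAsInt)` in expectTLSConfigForServicePort is justified only by the expectation that callers pass legal port numbers; `strconv.Atoi` accepts any integer, so a bad value would wrap instead of failing the test. Parsing with a 16-bit bound makes the check explicit: `portAsUint64, err := strconv.ParseUint(localPortAsStr, 10, 16)` followed by `portAsUint := uint16(portAsUint64)`, with the existing `require.NoError(t, err)` catching out-of-range input. Whether gosec then accepts the conversion without the `//nolint` depends on the linter version, so the directive may still be needed. The function's signature and the rest of its body are outside the hunk.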
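Review bot: The new `requireEventually.Equal(len(newPods), int(originalScale), "wanted %d pods", originalScale)` at the end of restartAllPodsOfApp puts the observed value in testify's expected position and the wanted value in the actual position, so a failure message will label them the wrong way round. It also gives up the dump of the slice that `Len` prints on failure. Keeping `Len` with a conversion avoids both: `requireEventually.Len(newPods, int(originalScale), "wanted %d pods", originalScale)`. The same applies to the `requireEventually.Equal(len(newPods), int(originalScale), ...)` line added in shutdownAllPodsOfApp in pod_shutdown_test.go.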
@@ -28,7 +28,7 @@ func TestMain(m *testing.M) {
 func splitIntegrationTestsIntoBuckets(m *testing.M) {
 // this is some dark magic to set a private field
 testsField := reflect.ValueOf(m).Elem().FieldByName("tests")
- testsPointer := (*[]testing.InternalTest)(unsafe.Pointer(testsField.UnsafeAddr()))
+ testsPointer := (*[]testing.InternalTest)(unsafe.Pointer(testsField.UnsafeAddr())) //nolint:gosec // this is a test hack we are willing to live with

 tests := *testsPointer

diff --git a/test/integration/pod_shutdown_test.go b/test/integration/pod_shutdown_test.go
index a366d6dd1..5931e3696 100644
--- a/test/integration/pod_shutdown_test.go
+++ b/test/integration/pod_shutdown_test.go
@@ -97,7 +97,7 @@ func shutdownAllPodsOfApp(
 var newPods []corev1.Pod
 testlib.RequireEventually(t, func(requireEventually *require.Assertions) {
 newPods = getRunningPodsByNamePrefix(t, namespace, appName+"-", ignorePodsWithNameSubstring)
- requireEventually.Len(newPods, originalScale, "wanted pods to return to original scale")
+ requireEventually.Equal(len(newPods), int(originalScale), "wanted pods to return to original scale")
 requireEventually.True(allPodsReady(newPods), "wanted all new pods to be ready")
 }, 2*time.Minute, 200*time.Millisecond)

@@ -111,7 +111,7 @@ func shutdownAllPodsOfApp(

 // Double check: the deployment's previous scale should have equaled the actual number of running pods from
 // the start of the test (before we scaled down).
- require.Equal(t, len(initialPods), originalScale)
+ require.Equal(t, len(initialPods), int(originalScale))

 // Now that we have adjusted the scale to 0, the pods should go away.
 // Our pods are intended to gracefully shut down within a few seconds, so fail unless it happens fairly quickly.
@@ -204,7 +204,7 @@ func isPodReady(pod corev1.Pod) bool {
 return false
 }

-func updateDeploymentScale(t *testing.T, namespace string, deploymentName string, newScale int) int {
+func updateDeploymentScale(t *testing.T, namespace string, deploymentName string, newScale int32) int32 {
 t.Helper()
 ctx, cancel := context.WithTimeout(context.Background(), 1*time.Minute)
 defer cancel()
@@ -214,13 +214,13 @@ func updateDeploymentScale(t *testing.T, namespace string, deploymentName string
 require.NoError(t, err)

 desiredScale := initialScale.DeepCopy()
- desiredScale.Spec.Replicas = int32(newScale)
+ desiredScale.Spec.Replicas = newScale
 updatedScale, err := client.AppsV1().Deployments(namespace).UpdateScale(ctx, deploymentName, desiredScale, metav1.UpdateOptions{})
 require.NoError(t, err)
 t.Logf("updated scale of Deployment %s/%s from %d to %d", namespace, deploymentName, initialScale.Spec.Replicas, updatedScale.Spec.Replicas)
- return int(initialScale.Spec.Replicas)
+ return initialScale.Spec.Replicas
 }

 func tailFollowPodLogs(t *testing.T, pod corev1.Pod) (chan struct{}, *bytes.Buffer) {