diff --git a/hack/lib/lint-version.txt b/hack/lib/lint-version.txt index c043eea77..276cbf9e2 100644 --- a/hack/lib/lint-version.txt +++ b/hack/lib/lint-version.txt @@ -1 +1 @@ -2.2.1 +2.3.0 diff --git a/internal/controller/impersonatorconfig/impersonator_config_test.go b/internal/controller/impersonatorconfig/impersonator_config_test.go index c0a3f7bd7..300387b89 100644 --- a/internal/controller/impersonatorconfig/impersonator_config_test.go +++ b/internal/controller/impersonatorconfig/impersonator_config_test.go @@ -544,12 +544,13 @@ func TestImpersonatorConfigControllerSync(t *testing.T) { expectedErrorRegex := "dial tcp .*: connect: connection refused" expectedErrorRegexCompiled, err := regexp.Compile(expectedErrorRegex) r.NoError(err) + + dialer := tls.Dialer{} assert.Eventually(t, func() bool { - _, err = tls.Dial( + _, err = dialer.DialContext( + context.Background(), "tcp", - testServerAddr(), - &tls.Config{InsecureSkipVerify: true}, //nolint:gosec - ) + testServerAddr()) return err != nil && expectedErrorRegexCompiled.MatchString(err.Error()) }, 20*time.Second, 50*time.Millisecond) r.Error(err) diff --git a/internal/localuserauthenticator/localuserauthenticator.go b/internal/localuserauthenticator/localuserauthenticator.go index fdf2da4b0..b5dd58c35 100644 --- a/internal/localuserauthenticator/localuserauthenticator.go +++ b/internal/localuserauthenticator/localuserauthenticator.go @@ -357,8 +357,8 @@ func run(ctx context.Context) error { startControllers(ctx, dynamicCertProvider, client.Kubernetes, kubeInformers) plog.Debug("controllers are ready") - //nolint:gosec // Intentionally binding to all network interfaces. - l, err := net.Listen("tcp", ":8443") + listenConfig := net.ListenConfig{} + l, err := listenConfig.Listen(context.Background(), "tcp", ":8443") if err != nil { return fmt.Errorf("cannot create listener: %w", err) } 
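Review bot: The new `dialer.DialContext(context.Background(), ...)` call in the impersonator test has no deadline or cancellation, so a dial that hangs is bounded only by the OS connect timeout and can outlive the 20-second `assert.Eventually` window. The other test hunks in this commit pass `t.Context()`; if `t` here is the enclosing `*testing.T`, as the `assert.Eventually(t, ...)` call suggests, use `dialer.DialContext(t.Context(), "tcp", testServerAddr())`. The same applies to `listenConfig.Listen(context.Background(), "tcp", ":8443")` in `run` in localuserauthenticator.go, where `ctx` is already a parameter and the server.go hunk passes it. The context given to `ListenConfig.Listen` only bounds listener setup and does not close the listener later.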
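Review bot: In `run`, the comment recording that the all-interfaces bind is deliberate is deleted along with the `//nolint:gosec` directive, but the listen address is still `":8443"`. The lint suppression can go, but the rationale is security-relevant and should stay as a plain comment above the call: `// Intentionally binding to all network interfaces.` The body of `run` continues outside the hunk, so how the listener is exposed beyond this line is not visible here.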
diff --git a/internal/localuserauthenticator/localuserauthenticator_test.go b/internal/localuserauthenticator/localuserauthenticator_test.go index da0df8c4b..ada0ca383 100644 --- a/internal/localuserauthenticator/localuserauthenticator_test.go +++ b/internal/localuserauthenticator/localuserauthenticator_test.go @@ -97,7 +97,8 @@ func TestWebhook(t *testing.T) { certProvider, caBundle, serverName := newCertProvider(t) w := newWebhook(certProvider, secretInformer) - l, err := net.Listen("tcp", "127.0.0.1:0") + listenConfig := &net.ListenConfig{} + l, err := listenConfig.Listen(t.Context(), "tcp", "127.0.0.1:0") require.NoError(t, err) defer func() { _ = l.Close() }() require.NoError(t, w.start(ctx, l)) diff --git a/internal/supervisor/server/server.go b/internal/supervisor/server/server.go index 309829e5a..9ef324bca 100644 --- a/internal/supervisor/server/server.go +++ b/internal/supervisor/server/server.go @@ -545,7 +545,8 @@ func runSupervisor(ctx context.Context, podInfo *downward.PodInfo, cfg *supervis if e := cfg.Endpoints.HTTP; e.Network != supervisor.NetworkDisabled { finishSetupPerms := maybeSetupUnixPerms(e, supervisorPod) - httpListener, err := net.Listen(e.Network, e.Address) + listenConfig := net.ListenConfig{} + httpListener, err := listenConfig.Listen(ctx, e.Network, e.Address) if err != nil { return fmt.Errorf("cannot create http listener with network %q and address %q: %w", e.Network, e.Address, err) } diff --git a/internal/testutil/tlsserver/tlsserver.go b/internal/testutil/tlsserver/tlsserver.go index 55696b0a6..943519dcc 100644 --- a/internal/testutil/tlsserver/tlsserver.go +++ b/internal/testutil/tlsserver/tlsserver.go 
@@ -36,7 +36,8 @@ const ( func TestServerIPv6(t *testing.T, handler http.Handler, f func(*httptest.Server)) (*httptest.Server, []byte) { t.Helper() - listener, err := net.Listen("tcp6", "[::1]:0") + listenConfig := net.ListenConfig{} + listener, err := listenConfig.Listen(t.Context(), "tcp6", "[::1]:0") require.NoError(t, err, "TLSTestIPv6Server: failed to listen on a port") server := &httptest.Server{ @@ -81,13 +82,14 @@ func TLSTestServerWithCert(t *testing.T, handler http.HandlerFunc, certificate * ReadHeaderTimeout: 10 * time.Second, } - l, err := net.Listen("tcp", "127.0.0.1:0") + listenConfig := net.ListenConfig{} + listener, err := listenConfig.Listen(t.Context(), "tcp", "127.0.0.1:0") require.NoError(t, err) serverShutdownChan := make(chan error) go func() { // Empty certFile and keyFile will use certs from Server.TLSConfig. - serverShutdownChan <- server.ServeTLS(l, "", "") + serverShutdownChan <- server.ServeTLS(listener, "", "") }() t.Cleanup(func() { @@ -99,7 +101,7 @@ func TLSTestServerWithCert(t *testing.T, handler http.HandlerFunc, certificate * } }) - return l.Addr().String() + return listener.Addr().String() } // RecordTLSHello configures the server to record client TLS negotiation info onto each incoming request, diff --git a/internal/upstreamldap/upstreamldap_test.go b/internal/upstreamldap/upstreamldap_test.go index 49e36968e..7321a02fe 100644 --- a/internal/upstreamldap/upstreamldap_test.go +++ b/internal/upstreamldap/upstreamldap_test.go 
@@ -2384,7 +2384,8 @@ func TestRealTLSDialing(t *testing.T) { require.NoError(t, err) testServerWithBadCertNameAddr := tlsserver.TLSTestServerWithCert(t, func(w http.ResponseWriter, r *http.Request) {}, cert) - unusedPortGrabbingListener, err := net.Listen("tcp", "127.0.0.1:0") + listenConfig := net.ListenConfig{} + unusedPortGrabbingListener, err := listenConfig.Listen(t.Context(), "tcp", "127.0.0.1:0") require.NoError(t, err) recentlyClaimedHostAndPort := unusedPortGrabbingListener.Addr().String() require.NoError(t, unusedPortGrabbingListener.Close()) diff --git a/test/integration/category_test.go b/test/integration/category_test.go index a008c524e..b4e2efb03 100644 --- a/test/integration/category_test.go +++ b/test/integration/category_test.go @@ -23,7 +23,7 @@ func runTestKubectlCommand(t *testing.T, args ...string) (string, string) { testlib.RequireEventually(t, func(requireEventually *require.Assertions) { stdOut.Reset() stdErr.Reset() - cmd := exec.Command("kubectl", args...) + cmd := exec.CommandContext(t.Context(), "kubectl", args...) cmd.Stdout = &stdOut cmd.Stderr = &stdErr requireEventually.NoError(cmd.Run()) diff --git a/test/integration/cli_test.go b/test/integration/cli_test.go index 3b5e178e7..5883f8c97 100644 --- a/test/integration/cli_test.go +++ b/test/integration/cli_test.go @@ -110,13 +110,14 @@ type testingT interface { Errorf(format string, args ...any) FailNow() Logf(format string, args ...any) + Context() context.Context } func runPinnipedCLI(t testingT, envVars []string, pinnipedExe string, args ...string) (string, string) { t.Helper() start := time.Now() var stdout, stderr bytes.Buffer - cmd := exec.Command(pinnipedExe, args...) + cmd := exec.CommandContext(t.Context(), pinnipedExe, args...) cmd.Stdout = &stdout cmd.Stderr = &stderr cmd.Env = envVars diff --git a/test/integration/concierge_tls_spec_test.go b/test/integration/concierge_tls_spec_test.go index c1f76e591..77df56bb3 100644 --- a/test/integration/concierge_tls_spec_test.go 
+++ b/test/integration/concierge_tls_spec_test.go @@ -701,8 +701,7 @@ func performKubectlApply(t *testing.T, resourceName string, yamlBytes []byte) (s t.Cleanup(func() { t.Helper() - //nolint:gosec // this is test code. - require.NoError(t, exec.Command("kubectl", []string{"delete", "--ignore-not-found", "-f", yamlFilepath}...).Run()) + require.NoError(t, exec.CommandContext(t.Context(), "kubectl", "delete", "--ignore-not-found", "-f", yamlFilepath).Run()) }) return stdOut.String(), stdErr.String(), err diff --git a/test/integration/kube_api_discovery_test.go b/test/integration/kube_api_discovery_test.go index 260da7711..e6b450db5 100644 --- a/test/integration/kube_api_discovery_test.go +++ b/test/integration/kube_api_discovery_test.go @@ -729,7 +729,7 @@ func requireKubectlExplainShowsDescriptionForResource(t *testing.T, resourceName func runKubectlVersion(t *testing.T) { t.Helper() t.Log("Running: kubectl version") - out, err := exec.Command("kubectl", "version").CombinedOutput() + out, err := exec.CommandContext(t.Context(), "kubectl", "version").CombinedOutput() require.NoError(t, err) t.Log(string(out)) } @@ -737,7 +737,7 @@ func runKubectlVersion(t *testing.T) { func runKubectlExplain(t *testing.T, resourceName string, apiVersion string) string { t.Helper() var stdOut, stdErr bytes.Buffer - cmd := exec.Command("kubectl", "explain", resourceName, "--api-version", apiVersion, "--output", "plaintext-openapiv2") + cmd := exec.CommandContext(t.Context(), "kubectl", "explain", resourceName, "--api-version", apiVersion, "--output", "plaintext-openapiv2") t.Log("Running:", cmd.String()) cmd.Stdout = &stdOut cmd.Stderr = &stdErr diff --git a/test/integration/ldap_client_test.go b/test/integration/ldap_client_test.go index 69cd43e19..bc75ecf3e 100644 --- a/test/integration/ldap_client_test.go +++ b/test/integration/ldap_client_test.go 
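Review bot: In `performKubectlApply`, the `kubectl delete` now runs inside `t.Cleanup` with `t.Context()`, which the testing package cancels just before Cleanup-registered functions are called. `exec.CommandContext` will not start a command whose context is already done, so `Run()` returns the context error, `require.NoError` fails, and the applied resources stay in the cluster. Use a context that is still live during cleanup, for example `exec.CommandContext(context.WithoutCancel(t.Context()), "kubectl", "delete", "--ignore-not-found", "-f", yamlFilepath)`, ideally wrapped in a timeout. Whether `context` is already imported in this file is not visible in the hunk, and the function starts outside it.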
@@ -856,7 +856,8 @@ func findRecentlyUnusedLocalhostPorts(t *testing.T, howManyPorts int) []string { listeners := make([]net.Listener, howManyPorts) for i := range howManyPorts { var err error - listeners[i], err = net.Listen("tcp", "127.0.0.1:0") + listenConfig := net.ListenConfig{} + listeners[i], err = listenConfig.Listen(t.Context(), "tcp", "127.0.0.1:0") require.NoError(t, err) } diff --git a/test/integration/smoke_test.go b/test/integration/smoke_test.go index b9108a97a..a6fc7671e 100644 --- a/test/integration/smoke_test.go +++ b/test/integration/smoke_test.go @@ -16,7 +16,7 @@ import ( // Smoke test to see if the kubeconfig works and the cluster is reachable. func TestGetNodes(t *testing.T) { _ = testlib.IntegrationEnv(t) - cmd := exec.Command("kubectl", "get", "nodes") + cmd := exec.CommandContext(t.Context(), "kubectl", "get", "nodes") cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr err := cmd.Run() diff --git a/test/integration/supervisor_discovery_test.go b/test/integration/supervisor_discovery_test.go index 3de2cfd09..af1984b3d 100644 --- a/test/integration/supervisor_discovery_test.go +++ b/test/integration/supervisor_discovery_test.go @@ -670,10 +670,6 @@ func requireJWKSEndpointIsWorking(t *testing.T, supervisorScheme, supervisorAddr } func printServerCert(t *testing.T, address string, dnsOverrides map[string]string) { - conf := &tls.Config{ - InsecureSkipVerify: true, //nolint:gosec // this is for testing purposes - } - addressURL, err := url.Parse(address) require.NoError(t, err) 
@@ -691,10 +687,16 @@ func printServerCert(t *testing.T, address string, dnsOverrides map[string]strin host = dnsOverrides[host] } - conn, err := tls.Dial("tcp", host, conf) + dialer := tls.Dialer{ + Config: &tls.Config{ + InsecureSkipVerify: true, //nolint:gosec // this is for testing purposes + }, + } + netConn, err := dialer.DialContext(t.Context(), "tcp", host) + tlsConn := tls.Client(netConn, dialer.Config) require.NoError(t, err) - defer func() { _ = conn.Close() }() - certs := conn.ConnectionState().PeerCertificates + defer func() { _ = netConn.Close() }() + certs := tlsConn.ConnectionState().PeerCertificates for i, cert := range certs { t.Logf("found cert %d of %d for host=%q with dns=%+v and ips=%+v", i+1, diff --git a/test/testlib/access.go b/test/testlib/access.go index 51f0756b3..9c90d3ef4 100644 --- a/test/testlib/access.go +++ b/test/testlib/access.go @@ -154,7 +154,8 @@ func runKubectlGetNamespaces(t *testing.T, kubeConfigYAML string) (string, error f := writeStringToTempFile(t, "pinniped-generated-kubeconfig-*", kubeConfigYAML) //nolint:gosec // It's okay that we are passing f.Name() to an exec command here. It was created above. - output, err := exec.Command( + output, err := exec.CommandContext( + t.Context(), "kubectl", "get", "namespace", "--kubeconfig", f.Name(), ).CombinedOutput() diff --git a/test/testlib/cli.go b/test/testlib/cli.go index 63c524ed4..c50f2c400 100644 --- a/test/testlib/cli.go +++ b/test/testlib/cli.go @@ -42,7 +42,7 @@ func PinnipedCLIPath(t *testing.T) string { t.Log("building pinniped CLI binary") start := time.Now() - output, err := exec.Command("go", "build", "-o", path, "go.pinniped.dev/cmd/pinniped").CombinedOutput() + output, err := exec.CommandContext(t.Context(), "go", "build", "-o", path, "go.pinniped.dev/cmd/pinniped").CombinedOutput() require.NoError(t, err, string(output)) t.Logf("built CLI binary in %s", time.Since(start).Round(time.Millisecond))
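Review bot: In `printServerCert`, `tls.Client(netConn, dialer.Config)` wraps a connection that `tls.Dialer.DialContext` has already handshaken, and the wrapper never performs a handshake of its own. `tlsConn.ConnectionState().PeerCertificates` is therefore empty, and the helper stops logging the server certificates. The wrapper is also built before `require.NoError(t, err)`, so it is constructed from a nil `netConn` on the failure path. `DialContext` on a `tls.Dialer` always returns a `*tls.Conn`, so move the error check directly after the dial and replace the wrap with `tlsConn, ok := netConn.(*tls.Conn)` followed by `require.True(t, ok)`.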