upgrade linter to latest

2026-01-05 04:56:11 +00:00 · 2025-05-12 12:36:48 -07:00
parent 32a29da86c
commit c600cf7949
28 changed files with 203 additions and 206 deletions
--- a/internal/admissionpluginconfig/admissionpluginconfig_test.go
+++ b/internal/admissionpluginconfig/admissionpluginconfig_test.go
@@ -18,7 +18,6 @@ import (
 	"k8s.io/client-go/discovery"
 	kubernetesfake "k8s.io/client-go/kubernetes/fake"
 	k8stesting "k8s.io/client-go/testing"
-	kubetesting "k8s.io/client-go/testing"
 )

 func TestValidateAdmissionPluginNames(t *testing.T) {
@@ -237,7 +236,7 @@ func TestConfigureAdmissionPlugins(t *testing.T) {
 			t.Parallel()

 			kubeClient := kubernetesfake.NewSimpleClientset()
-			kubeClient.Fake.Resources = tt.availableAPIResources
+			kubeClient.Resources = tt.availableAPIResources

 			// Unfortunately, kubernetesfake.NewSimpleClientset() does not support using reactors to
 			// cause discovery to return errors. Instead, we will make our own fake implementation of the
@@ -248,7 +247,7 @@ func TestConfigureAdmissionPlugins(t *testing.T) {
 				kubeClient.PrependReactor(
 					"get",
 					"resource",
-					func(a kubetesting.Action) (bool, runtime.Object, error) {
+					func(a k8stesting.Action) (bool, runtime.Object, error) {
 						return true, nil, tt.discoveryErr
 					},
 				)
--- a/internal/concierge/impersonator/impersonator.go
+++ b/internal/concierge/impersonator/impersonator.go
@@ -39,7 +39,6 @@ import (
 	"k8s.io/apiserver/pkg/authorization/authorizer"
 	"k8s.io/apiserver/pkg/endpoints/filterlatency"
 	"k8s.io/apiserver/pkg/endpoints/handlers/responsewriters"
-	"k8s.io/apiserver/pkg/endpoints/request"
 	genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 	genericapiserver "k8s.io/apiserver/pkg/server"
 	"k8s.io/apiserver/pkg/server/dynamiccertificates"
@@ -509,7 +508,7 @@ func newImpersonationReverseProxyFunc(restConfig *rest.Config) (func(*genericapi
 				return
 			}

-			userInfo, ok := request.UserFrom(r.Context())
+			userInfo, ok := genericapirequest.UserFrom(r.Context())
 			if !ok {
 				plog.Warning("aggregated API server logic did not set user info but it is always supposed to do so",
 					"url", r.URL.String(),
--- a/internal/concierge/impersonator/impersonator_test.go
+++ b/internal/concierge/impersonator/impersonator_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package impersonator
@@ -1042,8 +1042,8 @@ func TestImpersonator(t *testing.T) {

 			badCertConfig := kubeclient.SecureAnonymousClientConfig(clientKubeconfig)
 			badCert := newClientCert(t, unrelatedCA, "bad-user", []string{"bad-group"})
-			badCertConfig.TLSClientConfig.CertData = badCert.certPEM
-			badCertConfig.TLSClientConfig.KeyData = badCert.keyPEM
+			badCertConfig.CertData = badCert.certPEM
+			badCertConfig.KeyData = badCert.keyPEM

 			tcrBadCert, err := kubeclient.New(kubeclient.WithConfig(badCertConfig))
 			require.NoError(t, err)
--- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
+++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package jwtcachefiller
@@ -35,7 +35,6 @@ import (
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	k8sinformers "k8s.io/client-go/informers"
-	kubeinformers "k8s.io/client-go/informers"
 	kubernetesfake "k8s.io/client-go/kubernetes/fake"
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
@@ -2410,7 +2409,7 @@ func TestController(t *testing.T) {
 				tt.configClient(pinnipedAPIClient)
 			}
 			pinnipedInformers := conciergeinformers.NewSharedInformerFactory(pinnipedAPIClient, 0)
-			kubeInformers := kubeinformers.NewSharedInformerFactory(kubernetesfake.NewSimpleClientset(tt.secretsAndConfigMaps...), 0)
+			kubeInformers := k8sinformers.NewSharedInformerFactory(kubernetesfake.NewSimpleClientset(tt.secretsAndConfigMaps...), 0)
 			cache := authncache.New()

 			logger, log := plog.TestLogger(t)
--- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
+++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller_test.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package webhookcachefiller
@@ -27,7 +27,6 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	k8sinformers "k8s.io/client-go/informers"
-	kubeinformers "k8s.io/client-go/informers"
 	kubernetesfake "k8s.io/client-go/kubernetes/fake"
 	coretesting "k8s.io/client-go/testing"
 	clocktesting "k8s.io/utils/clock/testing"
@@ -2124,7 +2123,7 @@ func TestController(t *testing.T) {
 				tt.configClient(pinnipedAPIClient)
 			}
 			pinnipedInformers := conciergeinformers.NewSharedInformerFactory(pinnipedAPIClient, 0)
-			kubeInformers := kubeinformers.NewSharedInformerFactory(kubernetesfake.NewSimpleClientset(tt.secretsAndConfigMaps...), 0)
+			kubeInformers := k8sinformers.NewSharedInformerFactory(kubernetesfake.NewSimpleClientset(tt.secretsAndConfigMaps...), 0)
 			cache := authncache.New()

 			logger, log := plog.TestLogger(t)
--- a/internal/controller/impersonatorconfig/impersonator_config.go
+++ b/internal/controller/impersonatorconfig/impersonator_config.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package impersonatorconfig
@@ -662,7 +662,7 @@ func (c *impersonatorConfigController) createOrUpdateService(ctx context.Context

 	// The Service already exists, so update only the specific fields that are meaningfully part of our desired state.
 	updatedService := existingService.DeepCopy()
-	updatedService.ObjectMeta.Labels = desiredService.ObjectMeta.Labels
+	updatedService.Labels = desiredService.Labels
 	updatedService.Spec.LoadBalancerIP = desiredService.Spec.LoadBalancerIP
 	updatedService.Spec.Type = desiredService.Spec.Type
 	updatedService.Spec.Selector = desiredService.Spec.Selector
--- a/internal/controller/kubecertagent/kubecertagent_test.go
+++ b/internal/controller/kubecertagent/kubecertagent_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package kubecertagent
@@ -176,7 +176,7 @@ func TestAgentController(t *testing.T) {
 	}
 	healthyAgentDeploymentWithOldStyleSelector := healthyAgentDeployment.DeepCopy()
 	healthyAgentDeploymentWithOldStyleSelector.Spec.Selector = metav1.SetAsLabelSelector(oldStyleLabels)
-	healthyAgentDeploymentWithOldStyleSelector.Spec.Template.ObjectMeta.Labels = oldStyleLabels
+	healthyAgentDeploymentWithOldStyleSelector.Spec.Template.Labels = oldStyleLabels
 	healthyAgentDeploymentWithOldStyleSelector.UID = "fake-uid-abc123"                        // needs UID to test delete options
 	healthyAgentDeploymentWithOldStyleSelector.ResourceVersion = "fake-resource-version-1234" // needs ResourceVersion to test delete options

--- a/internal/controller/supervisorstorage/garbage_collector.go
+++ b/internal/controller/supervisorstorage/garbage_collector.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package supervisorstorage
@@ -118,7 +118,7 @@ func (c *garbageCollectorController) Sync(ctx controllerlib.Context) error {

 	// Sort secrets by name so that audit log tests are deterministic
 	slices.SortStableFunc(listOfSecrets, func(a, b *corev1.Secret) int {
-		return strings.Compare(a.ObjectMeta.Name, b.ObjectMeta.Name)
+		return strings.Compare(a.Name, b.Name)
 	})

 	for i := range listOfSecrets {
--- a/internal/execcredcache/cachefile.go
+++ b/internal/execcredcache/cachefile.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package execcredcache
@@ -67,7 +67,7 @@ func readCache(path string) (*credCache, error) {
 	}

 	// Validate that we're reading a version of the config we understand how to parse.
-	if !(cache.TypeMeta.APIVersion == apiVersion && cache.TypeMeta.Kind == apiKind) {
+	if !(cache.TypeMeta.APIVersion == apiVersion && cache.TypeMeta.Kind == apiKind) { //nolint:staticcheck // De Morgan's doesn't make this more readable
 		return nil, fmt.Errorf("%w: %#v", errUnsupportedVersion, cache.TypeMeta)
 	}
 	return &cache, nil
--- a/internal/federationdomain/endpoints/auth/auth_handler.go
+++ b/internal/federationdomain/endpoints/auth/auth_handler.go
@@ -311,7 +311,7 @@ func shouldShowIDPChooser(
 }

 func requireStaticClientForUsernameAndPasswordHeaders(authorizeRequester fosite.AuthorizeRequester) error {
-	if !(authorizeRequester.GetClient().GetID() == oidcapi.ClientIDPinnipedCLI) {
+	if !(authorizeRequester.GetClient().GetID() == oidcapi.ClientIDPinnipedCLI) { //nolint:staticcheck // De Morgan's doesn't make this more readable
 		return fosite.ErrAccessDenied.WithHint("This client is not allowed to submit username or password headers to this endpoint.")
 	}
 	return nil
--- a/internal/federationdomain/endpoints/chooseidp/choose_idp_handler.go
+++ b/internal/federationdomain/endpoints/chooseidp/choose_idp_handler.go
@@ -1,4 +1,4 @@
-// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2023-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package chooseidp
@@ -30,6 +30,7 @@ func NewHandler(authURL string, upstreamIDPs federationdomainproviders.Federatio
 		// This is just a sanity check that it appears to be an authorize request.
 		// Actual enforcement of parameters will happen at the authorization endpoint.
 		query := r.URL.Query()
+		//nolint:staticcheck // De Morgan's doesn't make this more readable
 		if !(query.Has("client_id") && query.Has("redirect_uri") && query.Has("scope") && query.Has("response_type")) {
 			return httperr.New(http.StatusBadRequest, "missing required query params (must include client_id, redirect_uri, scope, and response_type)")
 		}
--- a/internal/federationdomain/resolvedprovider/resolvedoidc/resolved_oidc_provider.go
+++ b/internal/federationdomain/resolvedprovider/resolvedoidc/resolved_oidc_provider.go
@@ -1,4 +1,4 @@
-// Copyright 2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package resolvedoidc
@@ -17,7 +17,6 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	"go.pinniped.dev/generated/latest/apis/supervisor/idpdiscovery/v1alpha1"
-	"go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	oidcapi "go.pinniped.dev/generated/latest/apis/supervisor/oidc"
 	"go.pinniped.dev/internal/constable"
 	"go.pinniped.dev/internal/federationdomain/downstreamsubject"
@@ -34,7 +33,7 @@ import (

 const (
 	// The name of the email claim from https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
-	emailClaimName = oidc.ScopeEmail
+	emailClaimName = oidcapi.ScopeEmail

 	// The name of the email_verified claim from https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
 	emailVerifiedClaimName = "email_verified"
@@ -234,6 +233,7 @@ func (p *FederationDomainResolvedOIDCIdentityProvider) UpstreamRefresh(
 	accessTokenStored := sessionData.UpstreamAccessToken != ""
 	refreshTokenStored := sessionData.UpstreamRefreshToken != ""

+	//nolint:staticcheck // De Morgan's doesn't make this more readable
 	exactlyOneTokenStored := (accessTokenStored || refreshTokenStored) && !(accessTokenStored && refreshTokenStored)
 	if !exactlyOneTokenStored {
 		return nil, errorsx.WithStack(resolvedprovider.ErrMissingUpstreamSessionInternalError())
@@ -373,11 +373,11 @@ func makeDownstreamOIDCSessionData(
 	oidcUpstream upstreamprovider.UpstreamOIDCIdentityProviderI,
 	token *oidctypes.Token,
 ) (*psession.OIDCSessionData, []string, error) {
-	upstreamSubject, err := extractStringClaimValue(oidc.IDTokenClaimSubject, oidcUpstream.GetResourceName(), token.IDToken.Claims)
+	upstreamSubject, err := extractStringClaimValue(oidcapi.IDTokenClaimSubject, oidcUpstream.GetResourceName(), token.IDToken.Claims)
 	if err != nil {
 		return nil, nil, err
 	}
-	upstreamIssuer, err := extractStringClaimValue(oidc.IDTokenClaimIssuer, oidcUpstream.GetResourceName(), token.IDToken.Claims)
+	upstreamIssuer, err := extractStringClaimValue(oidcapi.IDTokenClaimIssuer, oidcUpstream.GetResourceName(), token.IDToken.Claims)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -472,11 +472,11 @@ func getDownstreamSubjectAndUpstreamUsernameFromUpstreamIDToken(
 ) (string, string, error) {
 	// The spec says the "sub" claim is only unique per issuer,
 	// so we will prepend the issuer string to make it globally unique.
-	upstreamIssuer, err := extractStringClaimValue(oidc.IDTokenClaimIssuer, upstreamIDPConfig.GetResourceName(), idTokenClaims)
+	upstreamIssuer, err := extractStringClaimValue(oidcapi.IDTokenClaimIssuer, upstreamIDPConfig.GetResourceName(), idTokenClaims)
 	if err != nil {
 		return "", "", err
 	}
-	upstreamSubject, err := extractStringClaimValue(oidc.IDTokenClaimSubject, upstreamIDPConfig.GetResourceName(), idTokenClaims)
+	upstreamSubject, err := extractStringClaimValue(oidcapi.IDTokenClaimSubject, upstreamIDPConfig.GetResourceName(), idTokenClaims)
 	if err != nil {
 		return "", "", err
 	}
@@ -554,7 +554,7 @@ func extractStringClaimValue(claimName string, upstreamIDPName string, idTokenCl

 func mappedUsernameFromUpstreamOIDCSubject(upstreamIssuerAsString string, upstreamSubject string) string {
 	return fmt.Sprintf("%s?%s=%s", upstreamIssuerAsString,
-		oidc.IDTokenClaimSubject, url.QueryEscape(upstreamSubject),
+		oidcapi.IDTokenClaimSubject, url.QueryEscape(upstreamSubject),
 	)
 }

--- a/internal/kubeclient/kubeclient_test.go
+++ b/internal/kubeclient/kubeclient_test.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package kubeclient
@@ -827,7 +827,7 @@ func wantCloseReqWrapper(t *testing.T) transport.WrapperFunc {
 				wc := &wantCloser{_rc: req.Body}
 				t.Cleanup(func() {
 					require.Eventuallyf(t, func() bool {
-						return 1 == len(wc.calls())
+						return len(wc.calls()) == 1
 					}, 5*time.Second, 100*time.Millisecond,
 						"did not close req body expected number of times at %s for req %#v; actual calls = %s", caller, req, wc.calls())
 				})
@@ -843,7 +843,7 @@ func wantCloseReqWrapper(t *testing.T) transport.WrapperFunc {
 					wc := &wantCloser{_rc: originalBodyCopy}
 					t.Cleanup(func() {
 						require.Eventuallyf(t, func() bool {
-							return 1 == len(wc.calls())
+							return len(wc.calls()) == 1
 						}, 5*time.Second, 100*time.Millisecond,
 							"did not close req body copy expected number of times at %s for req %#v; actual calls = %s", caller, req, wc.calls())
 					})
@@ -872,7 +872,7 @@ func wantCloseRespWrapper(t *testing.T) transport.WrapperFunc {
 			t.Cleanup(func() {
 				require.Eventuallyf(t, func() bool {
 					return wc.couldRead() == false &&
-						1 == len(wc.calls())
+						len(wc.calls()) == 1
 				}, 5*time.Second, 10*time.Millisecond,
 					`did not close resp body expected number of times at %s for req %#v; actual calls = %s
 did not consume all response body bytes before closing %s, couldRead=%v`, caller, req, wc.calls(), caller, wc.couldRead())
--- a/internal/kubeclient/watch.go
+++ b/internal/kubeclient/watch.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package kubeclient
@@ -68,12 +68,12 @@ func handleWatchResponseNewGVK(
 		}()
 		defer newBodyWriter.Close()

-		frameReader := serializerInfo.StreamSerializer.Framer.NewFrameReader(resp.Body)
+		frameReader := serializerInfo.StreamSerializer.NewFrameReader(resp.Body)
 		watchEventDecoder := streaming.NewDecoder(frameReader, serializerInfo.StreamSerializer.Serializer)
 		sourceDecoder = restclientwatch.NewDecoder(watchEventDecoder, &passthroughDecoder{})
 		defer sourceDecoder.Close()

-		frameWriter := serializerInfo.StreamSerializer.Framer.NewFrameWriter(newBodyWriter)
+		frameWriter := serializerInfo.StreamSerializer.NewFrameWriter(newBodyWriter)
 		watchEventEncoder := streaming.NewEncoder(frameWriter, serializerInfo.StreamSerializer.Serializer)

 		for {
--- a/internal/localuserauthenticator/localuserauthenticator.go
+++ b/internal/localuserauthenticator/localuserauthenticator.go
@@ -1,4 +1,4 @@
-// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package localuserauthenticator provides a authentication webhook program.
@@ -151,7 +151,7 @@ func (w *webhook) ServeHTTP(rsp http.ResponseWriter, req *http.Request) {
 	}

 	plog.Debug("successful authentication")
-	respondWithAuthenticated(rsp, secret.ObjectMeta.Name, groups)
+	respondWithAuthenticated(rsp, secret.Name, groups)
 }

 func getUsernameAndPasswordFromRequest(rsp http.ResponseWriter, req *http.Request) (string, string, error) {
--- a/internal/plog/config_test.go
+++ b/internal/plog/config_test.go
@@ -135,8 +135,7 @@ func TestFormat(t *testing.T) {
 	%s/config_test.go:%d
 testing.tRunner
 	%s/src/testing/testing.go:%d`,
-				//nolint:staticcheck // runtime.GOROOT() is deprecated but good enough for this unit test.
-				wd, getLineNumberOfCaller()-20, runtime.GOROOT(), getLineNumberOfCaller(2),
+				wd, getLineNumberOfCaller()-19, runtime.GOROOT(), getLineNumberOfCaller(2), //nolint:staticcheck // calling a deprecated function is good enough for this unit test
 			),
 		),
 	), scanner.Text())
--- a/internal/testutil/oidcclient_test.go
+++ b/internal/testutil/oidcclient_test.go
@@ -1,4 +1,4 @@
-// Copyright 2022-2023 the Pinniped contributors. All Rights Reserved.
+// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 package testutil
@@ -48,7 +48,7 @@ func TestBcryptHashedPassword2TestHelpers(t *testing.T) {
 	requireCost(t, oidcclientvalidator.DefaultMinBcryptCost, HashedPassword2AtSupervisorMinCost)
 }

-func generateHash(t *testing.T, password string, cost int) string { //nolint:unused,deadcode // used in comments above
+func generateHash(t *testing.T, password string, cost int) string { //nolint:unused // used in comments above
 	hash, err := bcrypt.GenerateFromPassword([]byte(password), cost)
 	require.NoError(t, err)
 	return string(hash)
--- a/internal/upstreamldap/upstreamldap.go
+++ b/internal/upstreamldap/upstreamldap.go
@@ -1,4 +1,4 @@
-// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved.
+// Copyright 2021-2025 the Pinniped contributors. All Rights Reserved.
 // SPDX-License-Identifier: Apache-2.0

 // Package upstreamldap implements an abstraction of upstream LDAP IDP interactions.
@@ -291,11 +291,11 @@ func (p *Provider) dial(ctx context.Context) (Conn, error) {
 	// Choose how and where to dial based on TLS vs. StartTLS config option.
 	var dialFunc LDAPDialerFunc
 	var addr endpointaddr.HostPort
-	switch {
-	case p.c.ConnectionProtocol == TLS:
+	switch p.c.ConnectionProtocol {
+	case TLS:
 		dialFunc = p.dialTLS
 		addr = tlsAddr
-	case p.c.ConnectionProtocol == StartTLS:
+	case StartTLS:
 		dialFunc = p.dialStartTLS
 		addr = startTLSAddr
 	default: