From 5735d1d3542fc2e95cefc3b1e5a12ca73a81eb61 Mon Sep 17 00:00:00 2001 From: max furman Date: Mon, 8 May 2023 09:24:29 -0700 Subject: [PATCH 1/2] Bump go.mod golang version to 1.19 --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 35fea23b..96e26a80 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/smallstep/certificates -go 1.18 +go 1.19 require ( cloud.google.com/go/longrunning v0.4.1 From 8b256f0351f9295eb2c91d81d7556e8f84a369dc Mon Sep 17 00:00:00 2001 
From: max furman Date: Tue, 9 May 2023 23:47:28 -0700 Subject: [PATCH 2/2] address linter warning for go 1.19 --- acme/api/account_test.go | 27 ++++++--------- acme/api/handler.go | 2 +- acme/api/middleware_test.go | 4 +-- acme/api/revoke.go | 2 +- acme/api/revoke_test.go | 4 +-- acme/challenge.go | 12 +++---- acme/challenge_test.go | 20 +++++------ acme/common.go | 2 +- acme/db/nosql/account.go | 4 +-- acme/db/nosql/authz.go | 4 +-- acme/db/nosql/certificate.go | 2 +- acme/db/nosql/challenge.go | 3 +- acme/db/nosql/eab.go | 6 ++-- acme/db/nosql/nonce.go | 2 +- acme/db/nosql/nosql.go | 2 +- acme/db/nosql/order.go | 2 +- acme/order_test.go | 2 +- api/api.go | 4 +-- authority/admin/api/acme.go | 6 ++-- authority/admin/db/nosql/admin.go | 8 ++--- authority/admin/db/nosql/nosql.go | 2 +- authority/admin/db/nosql/policy.go | 2 +- authority/admin/db/nosql/provisioner.go | 8 ++--- authority/authorize.go | 4 +-- authority/config/config.go | 2 +- authority/linkedca.go | 8 ++--- authority/policy.go | 2 +- authority/provisioner/acme.go | 12 +++---- authority/provisioner/aws.go | 4 +-- authority/provisioner/azure.go | 6 ++-- authority/provisioner/controller.go | 6 ++-- authority/provisioner/gcp.go | 6 ++-- authority/provisioner/jwk.go | 8 ++--- authority/provisioner/k8sSA.go | 9 ++--- authority/provisioner/nebula.go | 12 +++---- authority/provisioner/noop.go | 18 +++++----- authority/provisioner/oidc.go | 6 ++-- authority/provisioner/provisioner.go | 14 ++++---- authority/provisioner/scep.go | 4 +-- authority/provisioner/sign_ssh_options.go | 4 +-- authority/provisioner/sshpop.go | 4 +-- authority/provisioner/x5c.go | 6 ++-- authority/ssh.go | 16 +++------ authority/ssh_test.go | 8 ++--- authority/tls.go | 14 ++------ authority/tls_test.go | 42 +++++++++++------------ authority/webhook_test.go | 4 +-- ca/adminClient.go | 4 +-- ca/bootstrap_test.go | 2 +- ca/client_test.go | 2 +- ca/identity/identity_test.go | 2 +- ca/renew.go | 4 +-- cas/apiv1/options_test.go | 7 ++-- 
cas/cas_test.go | 6 ++-- cas/cloudcas/cloudcas_test.go | 20 +++++------ cas/softcas/softcas.go | 2 +- cas/softcas/softcas_test.go | 7 ++-- cas/stepcas/issuer_test.go | 6 ++-- cas/stepcas/stepcas.go | 2 +- cas/stepcas/x5c_issuer_test.go | 3 +- cas/vaultcas/vaultcas.go | 4 +-- db/simple.go | 38 ++++++++++---------- pki/helm_test.go | 5 ++- policy/engine.go | 22 +++--------- scep/authority.go | 6 ++-- scep/service.go | 3 +- 66 files changed, 230 insertions(+), 264 deletions(-) diff --git a/acme/api/account_test.go b/acme/api/account_test.go index d46c9eed..c4cfaa02 100644 --- a/acme/api/account_test.go +++ b/acme/api/account_test.go 
@@ -34,31 +34,24 @@ var ( type fakeProvisioner struct{} -func (*fakeProvisioner) AuthorizeOrderIdentifier(ctx context.Context, identifier provisioner.ACMEIdentifier) error { +func (*fakeProvisioner) AuthorizeOrderIdentifier(context.Context, provisioner.ACMEIdentifier) error { return nil } - -func (*fakeProvisioner) AuthorizeSign(ctx context.Context, token string) ([]provisioner.SignOption, error) { +func (*fakeProvisioner) AuthorizeSign(context.Context, string) ([]provisioner.SignOption, error) { return nil, nil } - -func (*fakeProvisioner) IsChallengeEnabled(ctx context.Context, challenge provisioner.ACMEChallenge) bool { +func (*fakeProvisioner) IsChallengeEnabled(context.Context, provisioner.ACMEChallenge) bool { return true } - -func (*fakeProvisioner) IsAttestationFormatEnabled(ctx context.Context, format provisioner.ACMEAttestationFormat) bool { +func (*fakeProvisioner) IsAttestationFormatEnabled(context.Context, provisioner.ACMEAttestationFormat) bool { return true } - -func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) { - return nil, false -} - -func (*fakeProvisioner) AuthorizeRevoke(ctx context.Context, token string) error { return nil } -func (*fakeProvisioner) GetID() string { return "" } -func (*fakeProvisioner) GetName() string { return "" } -func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration { return 0 } -func (*fakeProvisioner) GetOptions() *provisioner.Options { return nil } +func (*fakeProvisioner) GetAttestationRoots() (*x509.CertPool, bool) { return nil, false } +func (*fakeProvisioner) AuthorizeRevoke(context.Context, string) error { return nil } +func (*fakeProvisioner) GetID() string { return "" } +func (*fakeProvisioner) GetName() string { return "" } +func (*fakeProvisioner) DefaultTLSCertDuration() time.Duration { return 0 } +func (*fakeProvisioner) GetOptions() *provisioner.Options { return nil } func newProv() acme.Provisioner { // Initialize provisioners 
diff --git a/acme/api/handler.go b/acme/api/handler.go index e6aad131..16713cf7 100644 --- a/acme/api/handler.go +++ b/acme/api/handler.go @@ -273,7 +273,7 @@ func shouldAddMetaObject(p *provisioner.ACME) bool { // NotImplemented returns a 501 and is generally a placeholder for functionality which // MAY be added at some point in the future but is not in any way a guarantee of such. -func NotImplemented(w http.ResponseWriter, r *http.Request) { +func NotImplemented(w http.ResponseWriter, _ *http.Request) { render.Error(w, acme.NewError(acme.ErrorNotImplementedType, "this API is not implemented")) } diff --git a/acme/api/middleware_test.go b/acme/api/middleware_test.go index 3db3773c..6e9587f5 100644 --- a/acme/api/middleware_test.go +++ b/acme/api/middleware_test.go @@ -24,7 +24,7 @@ import ( var testBody = []byte("foo") -func testNext(w http.ResponseWriter, r *http.Request) { +func testNext(w http.ResponseWriter, _ *http.Request) { w.Write(testBody) } @@ -328,7 +328,7 @@ func TestHandler_isPostAsGet(t *testing.T) { type errReader int -func (errReader) Read(p []byte) (n int, err error) { +func (errReader) Read([]byte) (int, error) { return 0, errors.New("force") } func (errReader) Close() error { diff --git a/acme/api/revoke.go b/acme/api/revoke.go index a8b98f3f..270a9fbb 100644 --- a/acme/api/revoke.go +++ b/acme/api/revoke.go 
@@ -151,7 +151,7 @@ func RevokeCert(w http.ResponseWriter, r *http.Request) { // the identifiers in the certificate are extracted and compared against the (valid) Authorizations // that are stored for the ACME Account. If these sets match, the Account is considered authorized // to revoke the certificate. If this check fails, the client will receive an unauthorized error. -func isAccountAuthorized(ctx context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error { +func isAccountAuthorized(_ context.Context, dbCert *acme.Certificate, certToBeRevoked *x509.Certificate, account *acme.Account) *acme.Error { if !account.IsValid() { return wrapUnauthorizedError(certToBeRevoked, nil, fmt.Sprintf("account '%s' has status '%s'", account.ID, account.Status), nil) } diff --git a/acme/api/revoke_test.go b/acme/api/revoke_test.go index c4182400..b1b7f5d6 100644 --- a/acme/api/revoke_test.go +++ b/acme/api/revoke_test.go @@ -258,7 +258,7 @@ func jwkEncode(pub crypto.PublicKey) (string, error) { // jwsFinal constructs the final JWS object. // Implementation taken from github.com/mholt/acmez, which seems to be based on // https://github.com/golang/crypto/blob/master/acme/jws.go. -func jwsFinal(sha crypto.Hash, sig []byte, phead, payload string) ([]byte, error) { +func jwsFinal(_ crypto.Hash, sig []byte, phead, payload string) ([]byte, error) { enc := struct { Protected string `json:"protected"` Payload string `json:"payload"` @@ -281,7 +281,7 @@ type mockCA struct { MockAreSANsallowed func(ctx context.Context, sans []string) error } -func (m *mockCA) Sign(cr *x509.CertificateRequest, opts provisioner.SignOptions, signOpts ...provisioner.SignOption) ([]*x509.Certificate, error) { +func (m *mockCA) Sign(*x509.CertificateRequest, provisioner.SignOptions, ...provisioner.SignOption) ([]*x509.Certificate, error) { return nil, nil } diff --git a/acme/challenge.go b/acme/challenge.go index a1d4067f..41bcf129 100644 
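Review bot: The doc comment kept above `isAccountAuthorized` still says the certificate's identifiers are compared against the Authorizations stored for the ACME account, yet the new signature has no usable context and no parameter that carries authorizations — only `dbCert`, `certToBeRevoked` and `account` — so that comparison cannot be performed by this function. Either it happens in a caller (the body continues outside the hunk) or the comment describes a check that no longer exists, and a stale description of an authorization check is worth fixing in the revocation path. Once confirmed against the rest of the body, I would replace that sentence with one that states what is actually checked here, e.g. `// isAccountAuthorized checks that the account is valid and that the stored certificate record belongs to it; it performs no database lookups.`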
--- a/acme/challenge.go +++ b/acme/challenge.go @@ -520,7 +520,7 @@ const ( coseAlgRS256 coseAlgorithmIdentifier = -257 ) -func doTPMAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) { +func doTPMAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*tpmAttestationData, error) { ver, ok := att.AttStatement["ver"].(string) if !ok { return nil, NewError(ErrorBadAttestationStatementType, "ver not present") @@ -742,11 +742,7 @@ func validateAKCertificate(c *x509.Certificate) error { if err := validateAKCertificateExtendedKeyUsage(c); err != nil { return err } - if err := validateAKCertificateSubjectAlternativeNames(c); err != nil { - return err - } - - return nil + return validateAKCertificateSubjectAlternativeNames(c) } // validateAKCertificateSubjectAlternativeNames checks if the AK certificate @@ -828,7 +824,7 @@ type appleAttestationData struct { Fingerprint string } -func doAppleAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, att *attestationObject) (*appleAttestationData, error) { +func doAppleAttestationFormat(_ context.Context, prov Provisioner, _ *Challenge, att *attestationObject) (*appleAttestationData, error) { // Use configured or default attestation roots if none is configured. roots, ok := prov.GetAttestationRoots() if !ok { @@ -933,7 +929,7 @@ type stepAttestationData struct { Fingerprint string } -func doStepAttestationFormat(ctx context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*stepAttestationData, error) { +func doStepAttestationFormat(_ context.Context, prov Provisioner, ch *Challenge, jwk *jose.JSONWebKey, att *attestationObject) (*stepAttestationData, error) { // Use configured or default attestation roots if none is configured. roots, ok := prov.GetAttestationRoots() if !ok { 
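Review bot: Renaming the challenge parameter to `_ *Challenge` in `doAppleAttestationFormat` makes explicit that the Apple path never reads the challenge, whereas `doTPMAttestationFormat` and `doStepAttestationFormat` in the same file keep `ch` (and `jwk`). Whatever binds an Apple attestation object to this particular challenge — a nonce, the key authorization or the challenge value — must therefore be done by the caller, which is outside the hunk; that is a non-obvious property for an attestation verifier and deserves a line above the function, e.g. `// NOTE: ch is intentionally unused; binding the Apple attestation to the challenge is the caller's responsibility.` If no such binding exists in the caller, that is worth verifying before relying on this format.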
diff --git a/acme/challenge_test.go b/acme/challenge_test.go index ff93bea3..74ff363c 100644 --- a/acme/challenge_test.go +++ b/acme/challenge_test.go @@ -148,7 +148,7 @@ func mustAttestApple(t *testing.T, nonce string) ([]byte, *x509.Certificate, *x5 return payload, leaf, ca.Root } -func mustAttestYubikey(t *testing.T, nonce, keyAuthorization string, serial int) ([]byte, *x509.Certificate, *x509.Certificate) { +func mustAttestYubikey(t *testing.T, _, keyAuthorization string, serial int) ([]byte, *x509.Certificate, *x509.Certificate) { ca, err := minica.New() fatalError(t, err) @@ -888,7 +888,7 @@ func TestChallenge_Validate(t *testing.T) { type errReader int -func (errReader) Read(p []byte) (n int, err error) { +func (errReader) Read([]byte) (int, error) { return 0, errors.New("force") } func (errReader) Close() error { 
@@ -1631,14 +1631,14 @@ func newTestTLSALPNServer(validationCert *tls.Certificate, opts ...func(*httptes // noopConn is a mock net.Conn that does nothing. type noopConn struct{} -func (c *noopConn) Read(_ []byte) (n int, err error) { return 0, io.EOF } -func (c *noopConn) Write(_ []byte) (n int, err error) { return 0, io.EOF } -func (c *noopConn) Close() error { return nil } -func (c *noopConn) LocalAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} } -func (c *noopConn) RemoteAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} } -func (c *noopConn) SetDeadline(t time.Time) error { return nil } -func (c *noopConn) SetReadDeadline(t time.Time) error { return nil } -func (c *noopConn) SetWriteDeadline(t time.Time) error { return nil } +func (c *noopConn) Read(_ []byte) (n int, err error) { return 0, io.EOF } +func (c *noopConn) Write(_ []byte) (n int, err error) { return 0, io.EOF } +func (c *noopConn) Close() error { return nil } +func (c *noopConn) LocalAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} } +func (c *noopConn) RemoteAddr() net.Addr { return &net.IPAddr{IP: net.IPv4zero, Zone: ""} } +func (c *noopConn) SetDeadline(time.Time) error { return nil } +func (c *noopConn) SetReadDeadline(time.Time) error { return nil } +func (c *noopConn) SetWriteDeadline(time.Time) error { return nil } func newTLSALPNValidationCert(keyAuthHash []byte, obsoleteOID, critical bool, names ...string) (*tls.Certificate, error) { privateKey, err := rsa.GenerateKey(rand.Reader, 2048) diff --git a/acme/common.go b/acme/common.go index 91cf772b..7d58305f 100644 --- a/acme/common.go +++ b/acme/common.go @@ -46,7 +46,7 @@ type PrerequisitesChecker func(ctx context.Context) (bool, error) // DefaultPrerequisitesChecker is the default PrerequisiteChecker and returns // always true. -func DefaultPrerequisitesChecker(ctx context.Context) (bool, error) { +func DefaultPrerequisitesChecker(context.Context) (bool, error) { return true, nil } 
diff --git a/acme/db/nosql/account.go b/acme/db/nosql/account.go index 1c3bec5d..8067a4b9 100644 --- a/acme/db/nosql/account.go +++ b/acme/db/nosql/account.go @@ -26,7 +26,7 @@ func (dba *dbAccount) clone() *dbAccount { return &nu } -func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, error) { +func (db *DB) getAccountIDByKeyID(_ context.Context, kid string) (string, error) { id, err := db.db.Get(accountByKeyIDTable, []byte(kid)) if err != nil { if nosqlDB.IsErrNotFound(err) { @@ -38,7 +38,7 @@ func (db *DB) getAccountIDByKeyID(ctx context.Context, kid string) (string, erro } // getDBAccount retrieves and unmarshals dbAccount. -func (db *DB) getDBAccount(ctx context.Context, id string) (*dbAccount, error) { +func (db *DB) getDBAccount(_ context.Context, id string) (*dbAccount, error) { data, err := db.db.Get(accountTable, []byte(id)) if err != nil { if nosqlDB.IsErrNotFound(err) { diff --git a/acme/db/nosql/authz.go b/acme/db/nosql/authz.go index d63aa89e..be3b0fbb 100644 --- a/acme/db/nosql/authz.go +++ b/acme/db/nosql/authz.go @@ -32,7 +32,7 @@ func (ba *dbAuthz) clone() *dbAuthz { // getDBAuthz retrieves and unmarshals a database representation of the // ACME Authorization type. -func (db *DB) getDBAuthz(ctx context.Context, id string) (*dbAuthz, error) { +func (db *DB) getDBAuthz(_ context.Context, id string) (*dbAuthz, error) { data, err := db.db.Get(authzTable, []byte(id)) if nosql.IsErrNotFound(err) { return nil, acme.NewError(acme.ErrorMalformedType, "authz %s not found", id) 
@@ -121,7 +121,7 @@ func (db *DB) UpdateAuthorization(ctx context.Context, az *acme.Authorization) e } // GetAuthorizationsByAccountID retrieves and unmarshals ACME authz types from the database. -func (db *DB) GetAuthorizationsByAccountID(ctx context.Context, accountID string) ([]*acme.Authorization, error) { +func (db *DB) GetAuthorizationsByAccountID(_ context.Context, accountID string) ([]*acme.Authorization, error) { entries, err := db.db.List(authzTable) if err != nil { return nil, errors.Wrapf(err, "error listing authz") diff --git a/acme/db/nosql/certificate.go b/acme/db/nosql/certificate.go index 8f271ba5..35c55246 100644 --- a/acme/db/nosql/certificate.go +++ b/acme/db/nosql/certificate.go @@ -69,7 +69,7 @@ func (db *DB) CreateCertificate(ctx context.Context, cert *acme.Certificate) err // GetCertificate retrieves and unmarshals an ACME certificate type from the // datastore. -func (db *DB) GetCertificate(ctx context.Context, id string) (*acme.Certificate, error) { +func (db *DB) GetCertificate(_ context.Context, id string) (*acme.Certificate, error) { b, err := db.db.Get(certTable, []byte(id)) if nosql.IsErrNotFound(err) { return nil, acme.NewError(acme.ErrorMalformedType, "certificate %s not found", id) diff --git a/acme/db/nosql/challenge.go b/acme/db/nosql/challenge.go index c9224574..9af1ae0d 100644 --- a/acme/db/nosql/challenge.go +++ b/acme/db/nosql/challenge.go @@ -29,7 +29,7 @@ func (dbc *dbChallenge) clone() *dbChallenge { return &u } -func (db *DB) getDBChallenge(ctx context.Context, id string) (*dbChallenge, error) { +func (db *DB) getDBChallenge(_ context.Context, id string) (*dbChallenge, error) { data, err := db.db.Get(challengeTable, []byte(id)) if nosql.IsErrNotFound(err) { return nil, acme.NewError(acme.ErrorMalformedType, "challenge %s not found", id) 
@@ -69,6 +69,7 @@ func (db *DB) CreateChallenge(ctx context.Context, ch *acme.Challenge) error { // GetChallenge retrieves and unmarshals an ACME challenge type from the database. // Implements the acme.DB GetChallenge interface. func (db *DB) GetChallenge(ctx context.Context, id, authzID string) (*acme.Challenge, error) { + _ = authzID // unused input dbch, err := db.getDBChallenge(ctx, id) if err != nil { return nil, err diff --git a/acme/db/nosql/eab.go b/acme/db/nosql/eab.go index e3651151..e2a437dd 100644 --- a/acme/db/nosql/eab.go +++ b/acme/db/nosql/eab.go @@ -35,7 +35,7 @@ type dbExternalAccountKeyReference struct { } // getDBExternalAccountKey retrieves and unmarshals dbExternalAccountKey. -func (db *DB) getDBExternalAccountKey(ctx context.Context, id string) (*dbExternalAccountKey, error) { +func (db *DB) getDBExternalAccountKey(_ context.Context, id string) (*dbExternalAccountKey, error) { data, err := db.db.Get(externalAccountKeyTable, []byte(id)) if err != nil { if nosqlDB.IsErrNotFound(err) { @@ -160,6 +160,8 @@ func (db *DB) DeleteExternalAccountKey(ctx context.Context, provisionerID, keyID // GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner func (db *DB) GetExternalAccountKeys(ctx context.Context, provisionerID, cursor string, limit int) ([]*acme.ExternalAccountKey, string, error) { + _, _ = cursor, limit // unused input + externalAccountKeyMutex.RLock() defer externalAccountKeyMutex.RUnlock() @@ -227,7 +229,7 @@ func (db *DB) GetExternalAccountKeyByReference(ctx context.Context, provisionerI return db.GetExternalAccountKey(ctx, provisionerID, dbExternalAccountKeyReference.ExternalAccountKeyID) } -func (db *DB) GetExternalAccountKeyByAccountID(ctx context.Context, provisionerID, accountID string) (*acme.ExternalAccountKey, error) { +func (db *DB) GetExternalAccountKeyByAccountID(context.Context, string, string) (*acme.ExternalAccountKey, error) { //nolint:nilnil // legacy return nil, nil } 
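Review bot: `_ = authzID // unused input` in `GetChallenge` records that the lookup is by challenge ID alone, so the challenge is returned regardless of which authorization the caller named; the parameter currently provides no scoping. If the stored challenge carries its parent authorization ID, comparing it to `authzID` after `getDBChallenge` and returning the existing `challenge %s not found` error on mismatch would turn the argument into an actual check; if the caller deliberately performs that check, the comment should say so rather than only `unused input`. The rest of `GetChallenge` lies outside the hunk.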
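Review bot: `_, _ = cursor, limit // unused input` in `GetExternalAccountKeys` quiets the linter but leaves callers unaware that pagination is not honoured: a caller passing `limit` to bound the response gets every key for the provisioner. Since the function body and its returned cursor are outside the hunk, I would at least state it in the doc comment, e.g. `// GetExternalAccountKeys retrieves all External Account Binding keys for a provisioner. Pagination is not implemented: cursor and limit are ignored and every key is returned.` The same applies to the `//nolint:nilnil // legacy` on `GetExternalAccountKeyByAccountID`, whose `nil, nil` result is something every caller must guard against and which the comment should spell out.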
diff --git a/acme/db/nosql/nonce.go b/acme/db/nosql/nonce.go index e438c9ed..af85b183 100644 --- a/acme/db/nosql/nonce.go +++ b/acme/db/nosql/nonce.go @@ -39,7 +39,7 @@ func (db *DB) CreateNonce(ctx context.Context) (acme.Nonce, error) { // DeleteNonce verifies that the nonce is valid (by checking if it exists), // and if so, consumes the nonce resource by deleting it from the database. -func (db *DB) DeleteNonce(ctx context.Context, nonce acme.Nonce) error { +func (db *DB) DeleteNonce(_ context.Context, nonce acme.Nonce) error { err := db.db.Update(&database.Tx{ Operations: []*database.TxEntry{ { diff --git a/acme/db/nosql/nosql.go b/acme/db/nosql/nosql.go index 98f6a04d..d19e2987 100644 --- a/acme/db/nosql/nosql.go +++ b/acme/db/nosql/nosql.go @@ -48,7 +48,7 @@ func New(db nosqlDB.DB) (*DB, error) { // save writes the new data to the database, overwriting the old data if it // existed. -func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error { +func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error { var ( err error newB []byte diff --git a/acme/db/nosql/order.go b/acme/db/nosql/order.go index 0c6bf795..fc8f2114 100644 --- a/acme/db/nosql/order.go +++ b/acme/db/nosql/order.go @@ -35,7 +35,7 @@ func (a *dbOrder) clone() *dbOrder { } // getDBOrder retrieves and unmarshals an ACME Order type from the database. -func (db *DB) getDBOrder(ctx context.Context, id string) (*dbOrder, error) { +func (db *DB) getDBOrder(_ context.Context, id string) (*dbOrder, error) { b, err := db.db.Get(orderTable, []byte(id)) if nosql.IsErrNotFound(err) { return nil, acme.NewError(acme.ErrorMalformedType, "order %s not found", id) diff --git a/acme/order_test.go b/acme/order_test.go index b8018c7b..2851bb19 100644 --- a/acme/order_test.go +++ b/acme/order_test.go 
@@ -301,7 +301,7 @@ func (m *mockSignAuth) LoadProvisionerByName(name string) (provisioner.Interface return m.ret1.(provisioner.Interface), m.err } -func (m *mockSignAuth) IsRevoked(sn string) (bool, error) { +func (m *mockSignAuth) IsRevoked(string) (bool, error) { return false, nil } diff --git a/api/api.go b/api/api.go index 0ac73317..7fe63e7d 100644 --- a/api/api.go +++ b/api/api.go @@ -288,7 +288,7 @@ func (h *caHandler) Route(r Router) { // New creates a new RouterHandler with the CA endpoints. // // Deprecated: Use api.Route(r Router) -func New(auth Authority) RouterHandler { +func New(Authority) RouterHandler { return &caHandler{} } @@ -335,7 +335,7 @@ func Version(w http.ResponseWriter, r *http.Request) { } // Health is an HTTP handler that returns the status of the server. -func Health(w http.ResponseWriter, r *http.Request) { +func Health(w http.ResponseWriter, _ *http.Request) { render.JSON(w, HealthResponse{Status: "ok"}) } diff --git a/authority/admin/api/acme.go b/authority/admin/api/acme.go index 0ce8d4d7..32f2bdcc 100644 --- a/authority/admin/api/acme.go +++ b/authority/admin/api/acme.go 
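Review bot: Dropping the parameter name in `New(Authority) RouterHandler` makes it visible that the deprecated constructor discards its argument and returns a bare `&caHandler{}`, but the Deprecated note does not say so, and a caller migrating slowly may assume the handler is wired to the authority it passed. I would extend the existing line to `// Deprecated: Use api.Route(r Router). The Authority argument is ignored and the returned handler is not bound to it.` so the behaviour is documented where tooling surfaces it.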
@@ -69,17 +69,17 @@ func NewACMEAdminResponder() ACMEAdminResponder { } // GetExternalAccountKeys writes the response for the EAB keys GET endpoint -func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, r *http.Request) { +func (h *acmeAdminResponder) GetExternalAccountKeys(w http.ResponseWriter, _ *http.Request) { render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm")) } // CreateExternalAccountKey writes the response for the EAB key POST endpoint -func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, r *http.Request) { +func (h *acmeAdminResponder) CreateExternalAccountKey(w http.ResponseWriter, _ *http.Request) { render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm")) } // DeleteExternalAccountKey writes the response for the EAB key DELETE endpoint -func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, r *http.Request) { +func (h *acmeAdminResponder) DeleteExternalAccountKey(w http.ResponseWriter, _ *http.Request) { render.Error(w, admin.NewError(admin.ErrorNotImplementedType, "this functionality is currently only available in Certificate Manager: https://u.step.sm/cm")) } diff --git a/authority/admin/db/nosql/admin.go b/authority/admin/db/nosql/admin.go index c0f90c2f..e30cea3a 100644 --- a/authority/admin/db/nosql/admin.go +++ b/authority/admin/db/nosql/admin.go @@ -40,7 +40,7 @@ func (dba *dbAdmin) clone() *dbAdmin { return &u } -func (db *DB) getDBAdminBytes(ctx context.Context, id string) ([]byte, error) { +func (db *DB) getDBAdminBytes(_ context.Context, id string) ([]byte, error) { data, err := db.db.Get(adminsTable, []byte(id)) if nosql.IsErrNotFound(err) { return nil, admin.NewError(admin.ErrorNotFoundType, "admin %s not found", id) 
@@ -102,7 +102,7 @@ func (db *DB) GetAdmin(ctx context.Context, id string) (*linkedca.Admin, error) // GetAdmins retrieves and unmarshals all active (not deleted) admins // from the database. // TODO should we be paginating? -func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) { +func (db *DB) GetAdmins(context.Context) ([]*linkedca.Admin, error) { dbEntries, err := db.db.List(adminsTable) if err != nil { return nil, errors.Wrap(err, "error loading admins") @@ -115,12 +115,10 @@ func (db *DB) GetAdmins(ctx context.Context) ([]*linkedca.Admin, error) { if errors.As(err, &ae) { if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) { continue - } else { - return nil, err } - } else { return nil, err } + return nil, err } if adm.AuthorityId != db.authorityID { continue diff --git a/authority/admin/db/nosql/nosql.go b/authority/admin/db/nosql/nosql.go index 32e05d92..02acf72a 100644 --- a/authority/admin/db/nosql/nosql.go +++ b/authority/admin/db/nosql/nosql.go @@ -36,7 +36,7 @@ func New(db nosqlDB.DB, authorityID string) (*DB, error) { // save writes the new data to the database, overwriting the old data if it // existed. -func (db *DB) save(ctx context.Context, id string, nu, old interface{}, typ string, table []byte) error { +func (db *DB) save(_ context.Context, id string, nu, old interface{}, typ string, table []byte) error { var ( err error newB []byte diff --git a/authority/admin/db/nosql/policy.go b/authority/admin/db/nosql/policy.go index 3023a3f6..0a529383 100644 --- a/authority/admin/db/nosql/policy.go +++ b/authority/admin/db/nosql/policy.go 
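Review bot: The else-collapse in `GetAdmins` is behaviour-preserving, but it leaves two `return nil, err` statements one line apart, which reads as two rules where there is one: skip deleted or mismatched-authority admins, fail on anything else. Folding the check into a single condition, `if errors.As(err, &ae) && (ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType)) { continue }` followed by one `return nil, err`, states that rule directly; the loop body continues outside the hunk. Separately, `GetAdmins(context.Context)` drops the unused parameter name entirely while `GetProvisioners(_ context.Context)` in the next file keeps `_` — worth picking one form for unused contexts across the patch.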
@@ -71,7 +71,7 @@ func (dbap *dbAuthorityPolicy) convert() *linkedca.Policy { return dbToLinked(dbap.Policy) } -func (db *DB) getDBAuthorityPolicyBytes(ctx context.Context, authorityID string) ([]byte, error) { +func (db *DB) getDBAuthorityPolicyBytes(_ context.Context, authorityID string) ([]byte, error) { data, err := db.db.Get(authorityPoliciesTable, []byte(authorityID)) if nosql.IsErrNotFound(err) { return nil, admin.NewError(admin.ErrorNotFoundType, "authority policy not found") diff --git a/authority/admin/db/nosql/provisioner.go b/authority/admin/db/nosql/provisioner.go index da116e0b..05b077f3 100644 --- a/authority/admin/db/nosql/provisioner.go +++ b/authority/admin/db/nosql/provisioner.go @@ -70,7 +70,7 @@ func (dbp *dbProvisioner) convert2linkedca() (*linkedca.Provisioner, error) { }, nil } -func (db *DB) getDBProvisionerBytes(ctx context.Context, id string) ([]byte, error) { +func (db *DB) getDBProvisionerBytes(_ context.Context, id string) ([]byte, error) { data, err := db.db.Get(provisionersTable, []byte(id)) if nosql.IsErrNotFound(err) { return nil, admin.NewError(admin.ErrorNotFoundType, "provisioner %s not found", id) @@ -132,7 +132,7 @@ func (db *DB) GetProvisioner(ctx context.Context, id string) (*linkedca.Provisio // GetProvisioners retrieves and unmarshals all active (not deleted) provisioners // from the database. -func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, error) { +func (db *DB) GetProvisioners(_ context.Context) ([]*linkedca.Provisioner, error) { dbEntries, err := db.db.List(provisionersTable) if err != nil { return nil, errors.Wrap(err, "error loading provisioners") 
@@ -145,12 +145,10 @@ func (db *DB) GetProvisioners(ctx context.Context) ([]*linkedca.Provisioner, err if errors.As(err, &ae) { if ae.IsType(admin.ErrorDeletedType) || ae.IsType(admin.ErrorAuthorityMismatchType) { continue - } else { - return nil, err } - } else { return nil, err } + return nil, err } if prov.AuthorityId != db.authorityID { continue diff --git a/authority/authorize.go b/authority/authorize.go index 1e50da89..31855d5b 100644 --- a/authority/authorize.go +++ b/authority/authorize.go @@ -315,7 +315,7 @@ func (a *Authority) authorizeRenew(ctx context.Context, cert *x509.Certificate) } // authorizeSSHCertificate returns an error if the given certificate is revoked. -func (a *Authority) authorizeSSHCertificate(ctx context.Context, cert *ssh.Certificate) error { +func (a *Authority) authorizeSSHCertificate(_ context.Context, cert *ssh.Certificate) error { var err error var isRevoked bool @@ -394,7 +394,7 @@ func (a *Authority) authorizeSSHRevoke(ctx context.Context, token string) error // AuthorizeRenewToken validates the renew token and returns the leaf // certificate in the x5cInsecure header. -func (a *Authority) AuthorizeRenewToken(ctx context.Context, ott string) (*x509.Certificate, error) { +func (a *Authority) AuthorizeRenewToken(_ context.Context, ott string) (*x509.Certificate, error) { var claims jose.Claims jwt, chain, err := jose.ParseX5cInsecure(ott, a.rootX509Certs) if err != nil { diff --git a/authority/config/config.go b/authority/config/config.go index 556f5407..ae284fb9 100644 --- a/authority/config/config.go +++ b/authority/config/config.go @@ -182,7 +182,7 @@ func (c *AuthConfig) init() { } // Validate validates the authority configuration. -func (c *AuthConfig) Validate(audiences provisioner.Audiences) error { +func (c *AuthConfig) Validate(provisioner.Audiences) error { if c == nil { return errors.New("authority cannot be undefined") } diff --git a/authority/linkedca.go b/authority/linkedca.go index 78afb243..3eaa76c9 100644 
--- a/authority/linkedca.go +++ b/authority/linkedca.go @@ -381,19 +381,19 @@ func (c *linkedCaClient) IsSSHRevoked(serial string) (bool, error) { return resp.Status != linkedca.RevocationStatus_ACTIVE, nil } -func (c *linkedCaClient) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error { +func (c *linkedCaClient) CreateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error { return errors.New("not implemented yet") } -func (c *linkedCaClient) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, error) { +func (c *linkedCaClient) GetAuthorityPolicy(context.Context) (*linkedca.Policy, error) { return nil, errors.New("not implemented yet") } -func (c *linkedCaClient) UpdateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error { +func (c *linkedCaClient) UpdateAuthorityPolicy(_ context.Context, _ *linkedca.Policy) error { return errors.New("not implemented yet") } -func (c *linkedCaClient) DeleteAuthorityPolicy(ctx context.Context) error { +func (c *linkedCaClient) DeleteAuthorityPolicy(context.Context) error { return errors.New("not implemented yet") } diff --git a/authority/policy.go b/authority/policy.go index 38a57bec..986b45b8 100644 --- a/authority/policy.go +++ b/authority/policy.go @@ -154,7 +154,7 @@ func (a *Authority) checkProvisionerPolicy(ctx context.Context, provName string, // checkPolicy checks if a new or updated policy configuration results in the user // locking themselves or other admins out of the CA. -func (a *Authority) checkPolicy(ctx context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error { +func (a *Authority) checkPolicy(_ context.Context, currentAdmin *linkedca.Admin, otherAdmins []*linkedca.Admin, p *linkedca.Policy) error { // convert the policy; return early if nil policyOptions := authPolicy.LinkedToCertificates(p) if policyOptions == nil { 
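Review bot: The four policy methods on `linkedCaClient` each build a fresh `errors.New("not implemented yet")`, so callers cannot distinguish "unsupported on this backend" from a real failure with `errors.Is`; since this hunk already touches all four signatures, it is a good moment to share one sentinel. A package-level `var errPolicyNotImplemented = errors.New("not implemented yet")` returned from each method keeps the message byte-identical and gives the admin API something to match on. The hunk also mixes `CreateAuthorityPolicy(_ context.Context, _ *linkedca.Policy)` with `GetAuthorityPolicy(context.Context)`; one convention for unused parameters would read better.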
diff --git a/authority/provisioner/acme.go b/authority/provisioner/acme.go index 38510af7..d52bbe0a 100644 --- a/authority/provisioner/acme.go +++ b/authority/provisioner/acme.go @@ -133,7 +133,7 @@ func (p *ACME) GetIDForToken() string { } // GetTokenID returns the identifier of the token. -func (p *ACME) GetTokenID(ott string) (string, error) { +func (p *ACME) GetTokenID(string) (string, error) { return "", errors.New("acme provisioner does not implement GetTokenID") } @@ -228,7 +228,7 @@ type ACMEIdentifier struct { // AuthorizeOrderIdentifier verifies the provisioner is allowed to issue a // certificate for an ACME Order Identifier. -func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIdentifier) error { +func (p *ACME) AuthorizeOrderIdentifier(_ context.Context, identifier ACMEIdentifier) error { x509Policy := p.ctl.getPolicy().getX509() // identifier is allowed if no policy is configured @@ -253,7 +253,7 @@ func (p *ACME) AuthorizeOrderIdentifier(ctx context.Context, identifier ACMEIden // AuthorizeSign does not do any validation, because all validation is handled // in the ACME protocol. This method returns a list of modifiers / constraints // on the resulting certificate. -func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *ACME) AuthorizeSign(context.Context, string) ([]SignOption, error) { opts := []SignOption{ p, // modifiers / withOptions @@ -274,7 +274,7 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e // the CA. It can be used to authorize revocation of a certificate. With the // ACME protocol, revocation authorization is specified and performed as part // of the client/server interaction, so this is a no-op. -func (p *ACME) AuthorizeRevoke(ctx context.Context, token string) error { +func (p *ACME) AuthorizeRevoke(context.Context, string) error { return nil } 
@@ -289,7 +289,7 @@ func (p *ACME) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error // IsChallengeEnabled checks if the given challenge is enabled. By default // http-01, dns-01 and tls-alpn-01 are enabled, to disable any of them the // Challenge provisioner property should have at least one element. -func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge) bool { +func (p *ACME) IsChallengeEnabled(_ context.Context, challenge ACMEChallenge) bool { enabledChallenges := []ACMEChallenge{ HTTP_01, DNS_01, TLS_ALPN_01, } @@ -307,7 +307,7 @@ func (p *ACME) IsChallengeEnabled(ctx context.Context, challenge ACMEChallenge) // IsAttestationFormatEnabled checks if the given attestation format is enabled. // By default apple, step and tpm are enabled, to disable any of them the // AttestationFormat provisioner property should have at least one element. -func (p *ACME) IsAttestationFormatEnabled(ctx context.Context, format ACMEAttestationFormat) bool { +func (p *ACME) IsAttestationFormatEnabled(_ context.Context, format ACMEAttestationFormat) bool { enabledFormats := []ACMEAttestationFormat{ APPLE, STEP, TPM, } diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go index 0560877c..ab56b3fb 100644 --- a/authority/provisioner/aws.go +++ b/authority/provisioner/aws.go @@ -435,7 +435,7 @@ func (p *AWS) Init(config Config) (err error) { // AuthorizeSign validates the given token and returns the sign options that // will be used on certificate creation. -func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *AWS) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { payload, err := p.authorizeToken(token) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "aws.AuthorizeSign") 
@@ -708,7 +708,7 @@ func (p *AWS) authorizeToken(token string) (*awsPayload, error) { } // AuthorizeSSHSign returns the list of SignOption for a SignSSH request. -func (p *AWS) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *AWS) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) { if !p.ctl.Claimer.IsSSHCAEnabled() { return nil, errs.Unauthorized("aws.AuthorizeSSHSign; ssh ca is disabled for aws provisioner '%s'", p.GetName()) } diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go index fcfbab27..c88a098d 100644 --- a/authority/provisioner/azure.go +++ b/authority/provisioner/azure.go @@ -182,6 +182,8 @@ func (p *Azure) GetEncryptedKey() (kid, key string, ok bool) { // GetIdentityToken retrieves from the metadata service the identity token and // returns it. func (p *Azure) GetIdentityToken(subject, caURL string) (string, error) { + _, _ = subject, caURL // unused input + // Initialize the config if this method is used from the cli. p.assertConfig() @@ -313,7 +315,7 @@ func (p *Azure) authorizeToken(token string) (*azurePayload, string, string, str // AuthorizeSign validates the given token and returns the sign options that // will be used on certificate creation. -func (p *Azure) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *Azure) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { _, name, group, subscription, identityObjectID, err := p.authorizeToken(token) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "azure.AuthorizeSign") 
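Review bot: The added `_, _ = subject, caURL // unused input` in Azure's GetIdentityToken silences the linter with a runtime statement, while the rest of this commit handles the same situation in the signature (`GetTokenID(string)`, `Init(Config)`); a blank assignment buried in the body is easy to overlook and the comment states the lint cause rather than the contract. If the names are kept for godoc, say what a reader needs, e.g. `// subject and caURL are part of the provisioner Interface but do not influence the Azure identity token`. The same pattern is added in gcp.go GetIdentityToken (`_ = subject // unused input`), where caURL is used via generateSignAudience but subject is not. GetIdentityToken's body continues outside the hunk; the blank assignment implies neither value is read further down.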
@@ -414,7 +416,7 @@ func (p *Azure) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) erro } // AuthorizeSSHSign returns the list of SignOption for a SignSSH request. -func (p *Azure) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *Azure) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) { if !p.ctl.Claimer.IsSSHCAEnabled() { return nil, errs.Unauthorized("azure.AuthorizeSSHSign; sshCA is disabled for provisioner '%s'", p.GetName()) } diff --git a/authority/provisioner/controller.go b/authority/provisioner/controller.go index ef96639f..25030fbc 100644 --- a/authority/provisioner/controller.go +++ b/authority/provisioner/controller.go @@ -111,7 +111,7 @@ type AuthorizeSSHRenewFunc func(ctx context.Context, p *Controller, cert *ssh.Ce // DefaultIdentityFunc return a default identity depending on the provisioner // type. For OIDC email is always present and the usernames might // contain empty strings. -func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Identity, error) { +func DefaultIdentityFunc(_ context.Context, p Interface, email string) (*Identity, error) { switch k := p.(type) { case *OIDC: // OIDC principals would be: @@ -140,7 +140,7 @@ func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Ident // will return an error if the provisioner has the renewal disabled, if the // certificate is not yet valid or if the certificate is expired and renew after // expiry is disabled. -func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certificate) error { +func DefaultAuthorizeRenew(_ context.Context, p *Controller, cert *x509.Certificate) error { if p.Claimer.IsDisableRenewal() { return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName()) } 
@@ -162,7 +162,7 @@ func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certif // will return an error if the provisioner has the renewal disabled, if the // certificate is not yet valid or if the certificate is expired and renew after // expiry is disabled. -func DefaultAuthorizeSSHRenew(ctx context.Context, p *Controller, cert *ssh.Certificate) error { +func DefaultAuthorizeSSHRenew(_ context.Context, p *Controller, cert *ssh.Certificate) error { if p.Claimer.IsDisableRenewal() { return errs.Unauthorized("renew is disabled for provisioner '%s'", p.GetName()) } diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go index e9b372b2..2b5b932b 100644 --- a/authority/provisioner/gcp.go +++ b/authority/provisioner/gcp.go @@ -169,6 +169,8 @@ func (p *GCP) GetIdentityURL(audience string) string { // GetIdentityToken does an HTTP request to the identity url. func (p *GCP) GetIdentityToken(subject, caURL string) (string, error) { + _ = subject // unused input + audience, err := generateSignAudience(caURL, p.GetIDForToken()) if err != nil { return "", err @@ -220,7 +222,7 @@ func (p *GCP) Init(config Config) (err error) { // AuthorizeSign validates the given token and returns the sign options that // will be used on certificate creation. -func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *GCP) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { claims, err := p.authorizeToken(token) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "gcp.AuthorizeSign") 
@@ -380,7 +382,7 @@ func (p *GCP) authorizeToken(token string) (*gcpPayload, error) { } // AuthorizeSSHSign returns the list of SignOption for a SignSSH request. -func (p *GCP) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *GCP) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) { if !p.ctl.Claimer.IsSSHCAEnabled() { return nil, errs.Unauthorized("gcp.AuthorizeSSHSign; sshCA is disabled for gcp provisioner '%s'", p.GetName()) } diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go index 59332996..45012d0e 100644 --- a/authority/provisioner/jwk.go +++ b/authority/provisioner/jwk.go @@ -143,14 +143,14 @@ func (p *JWK) authorizeToken(token string, audiences []string) (*jwtPayload, err // AuthorizeRevoke returns an error if the provisioner does not have rights to // revoke the certificate with serial number in the `sub` property. -func (p *JWK) AuthorizeRevoke(ctx context.Context, token string) error { +func (p *JWK) AuthorizeRevoke(_ context.Context, token string) error { _, err := p.authorizeToken(token, p.ctl.Audiences.Revoke) // TODO(hs): authorize the SANs using x509 name policy allow/deny rules (also for other provisioners with AuthorizeRevoke) return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeRevoke") } // AuthorizeSign validates the given token. -func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *JWK) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign") 
@@ -209,7 +209,7 @@ func (p *JWK) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error } // AuthorizeSSHSign returns the list of SignOption for a SignSSH request. -func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *JWK) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) { if !p.ctl.Claimer.IsSSHCAEnabled() { return nil, errs.Unauthorized("jwk.AuthorizeSSHSign; sshCA is disabled for jwk provisioner '%s'", p.GetName()) } @@ -286,7 +286,7 @@ func (p *JWK) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, } // AuthorizeSSHRevoke returns nil if the token is valid, false otherwise. -func (p *JWK) AuthorizeSSHRevoke(ctx context.Context, token string) error { +func (p *JWK) AuthorizeSSHRevoke(_ context.Context, token string) error { _, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke) // TODO(hs): authorize the principals using SSH name policy allow/deny rules (also for other provisioners with AuthorizeSSHRevoke) return errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSSHRevoke") diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go index e970616d..eb7084b3 100644 --- a/authority/provisioner/k8sSA.go +++ b/authority/provisioner/k8sSA.go @@ -72,7 +72,7 @@ func (p *K8sSA) GetIDForToken() string { } // GetTokenID returns an unimplemented error and does not use the input ott. -func (p *K8sSA) GetTokenID(ott string) (string, error) { +func (p *K8sSA) GetTokenID(string) (string, error) { return "", errors.New("not implemented") } 
@@ -148,6 +148,7 @@ func (p *K8sSA) Init(config Config) (err error) { // claims for case specific downstream parsing. // e.g. a Sign request will auth/validate different fields than a Revoke request. func (p *K8sSA) authorizeToken(token string, audiences []string) (*k8sSAPayload, error) { + _ = audiences // unused input jwt, err := jose.ParseSigned(token) if err != nil { return nil, errs.Wrap(http.StatusUnauthorized, err, @@ -207,13 +208,13 @@ func (p *K8sSA) authorizeToken(token string, audiences []string) (*k8sSAPayload, // AuthorizeRevoke returns an error if the provisioner does not have rights to // revoke the certificate with serial number in the `sub` property. -func (p *K8sSA) AuthorizeRevoke(ctx context.Context, token string) error { +func (p *K8sSA) AuthorizeRevoke(_ context.Context, token string) error { _, err := p.authorizeToken(token, p.ctl.Audiences.Revoke) return errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeRevoke") } // AuthorizeSign validates the given token. -func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *K8sSA) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign") @@ -253,7 +254,7 @@ func (p *K8sSA) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) erro } // AuthorizeSSHSign validates an request for an SSH certificate. -func (p *K8sSA) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *K8sSA) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) { if !p.ctl.Claimer.IsSSHCAEnabled() { return nil, errs.Unauthorized("k8ssa.AuthorizeSSHSign; sshCA is disabled for k8sSA provisioner '%s'", p.GetName()) } diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go index 02762a0a..9d418303 100644 
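Review bot: `_ = audiences // unused input` in K8sSA.authorizeToken makes explicit that the audience list is never enforced for service account tokens, yet AuthorizeRevoke, AuthorizeSign and AuthorizeSSHSign in the same file pass `p.ctl.Audiences.Revoke`/`.Sign` as though it scoped the token. That contract deserves a comment on the function rather than a silent blank assignment, e.g. `// audiences is accepted for parity with the other provisioners but is not enforced here; confirm whether aud should be checked when the token carries one`, or the parameter can be renamed to `_ []string` so the gap is visible at the signature. authorizeToken's body continues outside the hunk, so I cannot see whether any audience-equivalent check happens in the downstream parsing the doc comment refers to.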
--- a/authority/provisioner/nebula.go +++ b/authority/provisioner/nebula.go @@ -116,7 +116,7 @@ func (p *Nebula) GetEncryptedKey() (kid, key string, ok bool) { } // AuthorizeSign returns the list of SignOption for a Sign request. -func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *Nebula) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { crt, claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign) if err != nil { return nil, err @@ -171,7 +171,7 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption, // AuthorizeSSHSign returns the list of SignOption for a SignSSH request. // Currently the Nebula provisioner only grants host SSH certificates. -func (p *Nebula) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *Nebula) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) { if !p.ctl.Claimer.IsSSHCAEnabled() { return nil, errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name) } @@ -275,12 +275,12 @@ func (p *Nebula) AuthorizeRenew(ctx context.Context, crt *x509.Certificate) erro } // AuthorizeRevoke returns an error if the token is not valid. -func (p *Nebula) AuthorizeRevoke(ctx context.Context, token string) error { +func (p *Nebula) AuthorizeRevoke(_ context.Context, token string) error { return p.validateToken(token, p.ctl.Audiences.Revoke) } // AuthorizeSSHRevoke returns an error if SSH is disabled or the token is invalid. -func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error { +func (p *Nebula) AuthorizeSSHRevoke(_ context.Context, token string) error { if !p.ctl.Claimer.IsSSHCAEnabled() { return errs.Unauthorized("ssh is disabled for nebula provisioner '%s'", p.Name) } 
@@ -291,12 +291,12 @@ func (p *Nebula) AuthorizeSSHRevoke(ctx context.Context, token string) error { } // AuthorizeSSHRenew returns an unauthorized error. -func (p *Nebula) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) { +func (p *Nebula) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) { return nil, errs.Unauthorized("nebula provisioner does not support SSH renew") } // AuthorizeSSHRekey returns an unauthorized error. -func (p *Nebula) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) { +func (p *Nebula) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) { return nil, nil, errs.Unauthorized("nebula provisioner does not support SSH rekey") } diff --git a/authority/provisioner/noop.go b/authority/provisioner/noop.go index bba64eb8..0c523afa 100644 --- a/authority/provisioner/noop.go +++ b/authority/provisioner/noop.go @@ -18,7 +18,7 @@ func (p *noop) GetIDForToken() string { return "noop" } -func (p *noop) GetTokenID(token string) (string, error) { +func (p *noop) GetTokenID(string) (string, error) { return "", nil } 
@@ -33,35 +33,35 @@ func (p *noop) GetEncryptedKey() (kid, key string, ok bool) { return "", "", false } -func (p *noop) Init(config Config) error { +func (p *noop) Init(Config) error { return nil } -func (p *noop) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *noop) AuthorizeSign(context.Context, string) ([]SignOption, error) { return []SignOption{p}, nil } -func (p *noop) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error { +func (p *noop) AuthorizeRenew(context.Context, *x509.Certificate) error { return nil } -func (p *noop) AuthorizeRevoke(ctx context.Context, token string) error { +func (p *noop) AuthorizeRevoke(context.Context, string) error { return nil } -func (p *noop) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *noop) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) { return []SignOption{p}, nil } -func (p *noop) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) { +func (p *noop) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) { //nolint:nilnil // fine for noop return nil, nil } -func (p *noop) AuthorizeSSHRevoke(ctx context.Context, token string) error { +func (p *noop) AuthorizeSSHRevoke(context.Context, string) error { return nil } -func (p *noop) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) { +func (p *noop) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) { return nil, []SignOption{}, nil } diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go index 01881de6..882d0972 100644 --- a/authority/provisioner/oidc.go +++ b/authority/provisioner/oidc.go 
@@ -292,7 +292,7 @@ func (o *OIDC) authorizeToken(token string) (*openIDPayload, error) { // AuthorizeRevoke returns an error if the provisioner does not have rights to // revoke the certificate with serial number in the `sub` property. // Only tokens generated by an admin have the right to revoke a certificate. -func (o *OIDC) AuthorizeRevoke(ctx context.Context, token string) error { +func (o *OIDC) AuthorizeRevoke(_ context.Context, token string) error { claims, err := o.authorizeToken(token) if err != nil { return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeRevoke") @@ -307,7 +307,7 @@ func (o *OIDC) AuthorizeRevoke(ctx context.Context, token string) error { } // AuthorizeSign validates the given token. -func (o *OIDC) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (o *OIDC) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { claims, err := o.authorizeToken(token) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSign") @@ -463,7 +463,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption } // AuthorizeSSHRevoke returns nil if the token is valid, false otherwise. -func (o *OIDC) AuthorizeSSHRevoke(ctx context.Context, token string) error { +func (o *OIDC) AuthorizeSSHRevoke(_ context.Context, token string) error { claims, err := o.authorizeToken(token) if err != nil { return errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHRevoke") diff --git a/authority/provisioner/provisioner.go b/authority/provisioner/provisioner.go index f2e7e68f..a9b17066 100644 --- a/authority/provisioner/provisioner.go +++ b/authority/provisioner/provisioner.go 
@@ -298,43 +298,43 @@ type base struct{} // AuthorizeSign returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for signing x509 Certificates. -func (b *base) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (b *base) AuthorizeSign(context.Context, string) ([]SignOption, error) { return nil, errs.Unauthorized("provisioner.AuthorizeSign not implemented") } // AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for revoking x509 Certificates. -func (b *base) AuthorizeRevoke(ctx context.Context, token string) error { +func (b *base) AuthorizeRevoke(context.Context, string) error { return errs.Unauthorized("provisioner.AuthorizeRevoke not implemented") } // AuthorizeRenew returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for renewing x509 Certificates. -func (b *base) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error { +func (b *base) AuthorizeRenew(context.Context, *x509.Certificate) error { return errs.Unauthorized("provisioner.AuthorizeRenew not implemented") } // AuthorizeSSHSign returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for signing SSH Certificates. -func (b *base) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (b *base) AuthorizeSSHSign(context.Context, string) ([]SignOption, error) { return nil, errs.Unauthorized("provisioner.AuthorizeSSHSign not implemented") } // AuthorizeRevoke returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for revoking SSH Certificates. 
-func (b *base) AuthorizeSSHRevoke(ctx context.Context, token string) error { +func (b *base) AuthorizeSSHRevoke(context.Context, string) error { return errs.Unauthorized("provisioner.AuthorizeSSHRevoke not implemented") } // AuthorizeSSHRenew returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for renewing SSH Certificates. -func (b *base) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Certificate, error) { +func (b *base) AuthorizeSSHRenew(context.Context, string) (*ssh.Certificate, error) { return nil, errs.Unauthorized("provisioner.AuthorizeSSHRenew not implemented") } // AuthorizeSSHRekey returns an unimplemented error. Provisioners should overwrite // this method if they will support authorizing tokens for rekeying SSH Certificates. -func (b *base) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) { +func (b *base) AuthorizeSSHRekey(context.Context, string) (*ssh.Certificate, []SignOption, error) { return nil, nil, errs.Unauthorized("provisioner.AuthorizeSSHRekey not implemented") } diff --git a/authority/provisioner/scep.go b/authority/provisioner/scep.go index f098a6e4..b0acc8fe 100644 --- a/authority/provisioner/scep.go +++ b/authority/provisioner/scep.go @@ -73,7 +73,7 @@ func (s *SCEP) GetEncryptedKey() (string, string, bool) { } // GetTokenID returns the identifier of the token. -func (s *SCEP) GetTokenID(ott string) (string, error) { +func (s *SCEP) GetTokenID(string) (string, error) { return "", errors.New("scep provisioner does not implement GetTokenID") } 
@@ -186,7 +186,7 @@ func (s *SCEP) Init(config Config) (err error) { // AuthorizeSign does not do any verification, because all verification is handled // in the SCEP protocol. This method returns a list of modifiers / constraints // on the resulting certificate. -func (s *SCEP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (s *SCEP) AuthorizeSign(context.Context, string) ([]SignOption, error) { return []SignOption{ s, // modifiers / withOptions diff --git a/authority/provisioner/sign_ssh_options.go b/authority/provisioner/sign_ssh_options.go index f027c3a6..ee74ded3 100644 --- a/authority/provisioner/sign_ssh_options.go +++ b/authority/provisioner/sign_ssh_options.go @@ -311,7 +311,7 @@ type sshCertDefaultValidator struct{} // Valid returns an error if the given certificate does not contain the // necessary fields. We skip ValidPrincipals and Extensions as with custom // templates you can set them empty. -func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error { +func (v *sshCertDefaultValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error { switch { case len(cert.Nonce) == 0: return errs.Forbidden("ssh certificate nonce cannot be empty") @@ -346,7 +346,7 @@ type sshDefaultPublicKeyValidator struct{} // TODO: this is the only validator that checks the key type. We should execute // this before the signing. We should add a new validations interface or extend // SSHCertOptionsValidator with the key. -func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, o SignSSHOptions) error { +func (v sshDefaultPublicKeyValidator) Valid(cert *ssh.Certificate, _ SignSSHOptions) error { if cert.Key == nil { return errs.BadRequest("ssh certificate key cannot be nil") } diff --git a/authority/provisioner/sshpop.go b/authority/provisioner/sshpop.go index c0246729..3c7528a2 100644 --- a/authority/provisioner/sshpop.go +++ b/authority/provisioner/sshpop.go 
@@ -187,7 +187,7 @@ func (p *SSHPOP) authorizeToken(token string, audiences []string, checkValidity // AuthorizeSSHRevoke validates the authorization token and extracts/validates // the SSH certificate from the ssh-pop header. -func (p *SSHPOP) AuthorizeSSHRevoke(ctx context.Context, token string) error { +func (p *SSHPOP) AuthorizeSSHRevoke(_ context.Context, token string) error { claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRevoke, true) if err != nil { return errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRevoke") @@ -213,7 +213,7 @@ func (p *SSHPOP) AuthorizeSSHRenew(ctx context.Context, token string) (*ssh.Cert // AuthorizeSSHRekey validates the authorization token and extracts/validates // the SSH certificate from the ssh-pop header. -func (p *SSHPOP) AuthorizeSSHRekey(ctx context.Context, token string) (*ssh.Certificate, []SignOption, error) { +func (p *SSHPOP) AuthorizeSSHRekey(_ context.Context, token string) (*ssh.Certificate, []SignOption, error) { claims, err := p.authorizeToken(token, p.ctl.Audiences.SSHRekey, true) if err != nil { return nil, nil, errs.Wrap(http.StatusInternalServerError, err, "sshpop.AuthorizeSSHRekey") diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go index e60533b7..d2a7c954 100644 --- a/authority/provisioner/x5c.go +++ b/authority/provisioner/x5c.go 
@@ -187,13 +187,13 @@ func (p *X5C) authorizeToken(token string, audiences []string) (*x5cPayload, err // AuthorizeRevoke returns an error if the provisioner does not have rights to // revoke the certificate with serial number in the `sub` property. -func (p *X5C) AuthorizeRevoke(ctx context.Context, token string) error { +func (p *X5C) AuthorizeRevoke(_ context.Context, token string) error { _, err := p.authorizeToken(token, p.ctl.Audiences.Revoke) return errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeRevoke") } // AuthorizeSign validates the given token. -func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *X5C) AuthorizeSign(_ context.Context, token string) ([]SignOption, error) { claims, err := p.authorizeToken(token, p.ctl.Audiences.Sign) if err != nil { return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSign") @@ -256,7 +256,7 @@ func (p *X5C) AuthorizeRenew(ctx context.Context, cert *x509.Certificate) error } // AuthorizeSSHSign returns the list of SignOption for a SignSSH request. -func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption, error) { +func (p *X5C) AuthorizeSSHSign(_ context.Context, token string) ([]SignOption, error) { if !p.ctl.Claimer.IsSSHCAEnabled() { return nil, errs.Unauthorized("x5c.AuthorizeSSHSign; sshCA is disabled for x5c provisioner '%s'", p.GetName()) } diff --git a/authority/ssh.go b/authority/ssh.go index 7d990904..f9371d60 100644 --- a/authority/ssh.go +++ b/authority/ssh.go 
@@ -52,7 +52,7 @@ func (a *Authority) GetSSHFederation(context.Context) (*config.SSHKeys, error) { } // GetSSHConfig returns rendered templates for clients (user) or servers (host). -func (a *Authority) GetSSHConfig(ctx context.Context, typ string, data map[string]string) ([]templates.Output, error) { +func (a *Authority) GetSSHConfig(_ context.Context, typ string, data map[string]string) ([]templates.Output, error) { if a.sshCAUserCertSignKey == nil && a.sshCAHostCertSignKey == nil { return nil, errs.NotFound("getSSHConfig: ssh is not configured") } @@ -146,7 +146,7 @@ func (a *Authority) GetSSHBastion(ctx context.Context, user, hostname string) (* } // SignSSH creates a signed SSH certificate with the given public key and options. -func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) { +func (a *Authority) SignSSH(_ context.Context, key ssh.PublicKey, opts provisioner.SignSSHOptions, signOpts ...provisioner.SignOption) (*ssh.Certificate, error) { var ( certOptions []sshutil.Option mods []provisioner.SSHCertModifier @@ -663,11 +663,7 @@ func callEnrichingWebhooksSSH(webhookCtl webhookController, cr sshutil.Certifica if err != nil { return err } - if err := webhookCtl.Enrich(whEnrichReq); err != nil { - return err - } - - return nil + return webhookCtl.Enrich(whEnrichReq) } func callAuthorizingWebhooksSSH(webhookCtl webhookController, cert *sshutil.Certificate, certTpl *ssh.Certificate) error { @@ -680,9 +676,5 @@ func callAuthorizingWebhooksSSH(webhookCtl webhookController, cert *sshutil.Cert if err != nil { return err } - if err := webhookCtl.Authorize(whAuthBody); err != nil { - return err - } - - return nil + return webhookCtl.Authorize(whAuthBody) } diff --git a/authority/ssh_test.go b/authority/ssh_test.go index b24be941..9a5c0d09 100644 --- a/authority/ssh_test.go +++ b/authority/ssh_test.go 
@@ -55,7 +55,7 @@ func (m sshTestModifier) Modify(cert *ssh.Certificate, _ provisioner.SignSSHOpti type sshTestCertModifier string -func (m sshTestCertModifier) Modify(cert *ssh.Certificate, opts provisioner.SignSSHOptions) error { +func (m sshTestCertModifier) Modify(*ssh.Certificate, provisioner.SignSSHOptions) error { if m == "" { return nil } @@ -64,7 +64,7 @@ func (m sshTestCertModifier) Modify(cert *ssh.Certificate, opts provisioner.Sign type sshTestCertValidator string -func (v sshTestCertValidator) Valid(crt *ssh.Certificate, opts provisioner.SignSSHOptions) error { +func (v sshTestCertValidator) Valid(*ssh.Certificate, provisioner.SignSSHOptions) error { if v == "" { return nil } @@ -73,7 +73,7 @@ func (v sshTestCertValidator) Valid(crt *ssh.Certificate, opts provisioner.SignS type sshTestOptionsValidator string -func (v sshTestOptionsValidator) Valid(opts provisioner.SignSSHOptions) error { +func (v sshTestOptionsValidator) Valid(provisioner.SignSSHOptions) error { if v == "" { return nil } @@ -82,7 +82,7 @@ func (v sshTestOptionsValidator) Valid(opts provisioner.SignSSHOptions) error { type sshTestOptionsModifier string -func (m sshTestOptionsModifier) Modify(cert *ssh.Certificate, opts provisioner.SignSSHOptions) error { +func (m sshTestOptionsModifier) Modify(*ssh.Certificate, provisioner.SignSSHOptions) error { if m == "" { return nil } diff --git a/authority/tls.go b/authority/tls.go index b7531ce3..6e967920 100644 --- a/authority/tls.go +++ b/authority/tls.go @@ -303,7 +303,7 @@ func (a *Authority) isAllowedToSignX509Certificate(cert *x509.Certificate) error // AreSANsAllowed evaluates the provided sans against the // authority X.509 policy. -func (a *Authority) AreSANsAllowed(ctx context.Context, sans []string) error { +func (a *Authority) AreSANsAllowed(_ context.Context, sans []string) error { return a.policyEngine.AreSANsAllowed(sans) } 
@@ -969,11 +969,7 @@ func callEnrichingWebhooksX509(webhookCtl webhookController, attData *provisione if err != nil { return err } - if err := webhookCtl.Enrich(whEnrichReq); err != nil { - return err - } - - return nil + return webhookCtl.Enrich(whEnrichReq) } func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Certificate, leaf *x509.Certificate, attData *provisioner.AttestationData) error { @@ -993,9 +989,5 @@ func callAuthorizingWebhooksX509(webhookCtl webhookController, cert *x509util.Ce if err != nil { return err } - if err := webhookCtl.Authorize(whAuthBody); err != nil { - return err - } - - return nil + return webhookCtl.Authorize(whAuthBody) } diff --git a/authority/tls_test.go b/authority/tls_test.go index 5d63b3dd..efcb78f8 100644 --- a/authority/tls_test.go +++ b/authority/tls_test.go @@ -1146,18 +1146,17 @@ func TestAuthority_Renew(t *testing.T) { assert.False(t, reflect.DeepEqual(ext1, ext2)) } continue - } else { - found := false - for _, ext2 := range leaf.Extensions { - if reflect.DeepEqual(ext1, ext2) { - found = true - break - } - } - if !found { - t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String()) + } + found := false + for _, ext2 := range leaf.Extensions { + if reflect.DeepEqual(ext1, ext2) { + found = true + break } } + if !found { + t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String()) + } } } 
@@ -1363,18 +1362,17 @@ func TestAuthority_Rekey(t *testing.T) { assert.False(t, reflect.DeepEqual(ext1, ext2)) } continue - } else { - found := false - for _, ext2 := range leaf.Extensions { - if reflect.DeepEqual(ext1, ext2) { - found = true - break - } - } - if !found { - t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String()) + } + found := false + for _, ext2 := range leaf.Extensions { + if reflect.DeepEqual(ext1, ext2) { + found = true + break } } + if !found { + t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String()) + } } } @@ -1936,14 +1934,14 @@ func TestAuthority_CRL(t *testing.T) { tc := f() t.Run(name, func(t *testing.T) { if crlBytes, err := tc.auth.GetCertificateRevocationList(); err == nil { - crl, parseErr := x509.ParseCRL(crlBytes) + crl, parseErr := x509.ParseRevocationList(crlBytes) if parseErr != nil { t.Errorf("x509.ParseCertificateRequest() error = %v, wantErr %v", parseErr, nil) return } var cmpList []string - for _, c := range crl.TBSCertList.RevokedCertificates { + for _, c := range crl.RevokedCertificates { cmpList = append(cmpList, c.SerialNumber.String()) } diff --git a/authority/webhook_test.go b/authority/webhook_test.go index b80c8f66..0e713af7 100644 --- a/authority/webhook_test.go +++ b/authority/webhook_test.go @@ -14,7 +14,7 @@ type mockWebhookController struct { var _ webhookController = &mockWebhookController{} -func (wc *mockWebhookController) Enrich(req *webhook.RequestBody) error { +func (wc *mockWebhookController) Enrich(*webhook.RequestBody) error { for key, data := range wc.respData { wc.templateData.SetWebhook(key, data) } @@ -22,6 +22,6 @@ func (wc *mockWebhookController) Enrich(req *webhook.RequestBody) error { return wc.enrichErr } -func (wc *mockWebhookController) Authorize(req *webhook.RequestBody) error { +func (wc *mockWebhookController) Authorize(*webhook.RequestBody) error { return wc.authorizeErr } 
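Review bot: The re-indented failure message in TestAuthority_Rekey still reads `t.Errorf("x509 extension %s not found in renewed certificate", ext1.Id.String())`, although this test exercises Rekey; the identical text in the TestAuthority_Renew hunk is correct, so this looks like a copy-paste that will mislead whoever reads a failing run. Suggest `t.Errorf("x509 extension %s not found in rekeyed certificate", ext1.Id.String())`. The enclosing test function starts and ends outside the hunk.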
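Review bot: The error message next to the new `x509.ParseRevocationList(crlBytes)` call still names `x509.ParseCertificateRequest()`, so a parse failure in TestAuthority_CRL would be reported against the wrong function; suggest `t.Errorf("x509.ParseRevocationList() error = %v, wantErr %v", parseErr, nil)`. Note that `ParseRevocationList` accepts DER only, whereas the removed `ParseCRL` also tolerated PEM input, so the test now relies on `GetCertificateRevocationList` returning DER (presumably it does, or this would fail). Since the result is now an `*x509.RevocationList`, the test could also call `crl.CheckSignatureFrom(...)` with the issuing certificate the fixture holds — the serial-number comparison alone does not notice a CRL that is unsigned or signed by the wrong key. TestAuthority_CRL continues outside the hunk.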
diff --git a/ca/adminClient.go b/ca/adminClient.go index 5cfaaf15..18221146 100644 --- a/ca/adminClient.go +++ b/ca/adminClient.go @@ -269,7 +269,7 @@ retry: } // GetAdmins returns all admins from the GET /admin/admins request to the CA. -func (c *AdminClient) GetAdmins(opts ...AdminOption) ([]*linkedca.Admin, error) { +func (c *AdminClient) GetAdmins(...AdminOption) ([]*linkedca.Admin, error) { var ( cursor = "" admins = []*linkedca.Admin{} @@ -474,7 +474,7 @@ retry: } // GetProvisioners returns all admins from the GET /admin/admins request to the CA. -func (c *AdminClient) GetProvisioners(opts ...AdminOption) (provisioner.List, error) { +func (c *AdminClient) GetProvisioners(...AdminOption) (provisioner.List, error) { var ( cursor = "" provs = provisioner.List{} diff --git a/ca/bootstrap_test.go b/ca/bootstrap_test.go index 974ba1f1..9477a53e 100644 --- a/ca/bootstrap_test.go +++ b/ca/bootstrap_test.go @@ -35,7 +35,7 @@ func newLocalListener() net.Listener { return l } -func setMinCertDuration(d time.Duration) func() { +func setMinCertDuration(time.Duration) func() { tmp := minCertDuration minCertDuration = 1 * time.Second return func() { diff --git a/ca/client_test.go b/ca/client_test.go index dff7fd41..6292e3ea 100644 --- a/ca/client_test.go +++ b/ca/client_test.go @@ -126,7 +126,7 @@ func parseCertificate(data string) *x509.Certificate { return cert } -func parseCertificateRequest(data string) *x509.CertificateRequest { +func parseCertificateRequest(string) *x509.CertificateRequest { block, _ := pem.Decode([]byte(csrPEM)) if block == nil { panic("failed to parse certificate request PEM") diff --git a/ca/identity/identity_test.go b/ca/identity/identity_test.go index 9a2422b3..6e71a1fd 100644 --- a/ca/identity/identity_test.go +++ b/ca/identity/identity_test.go 
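Review bot: Dropping the name from `...AdminOption` in `GetAdmins` makes it explicit that caller-supplied options are silently ignored, but nothing in the signature or the doc comment tells a caller that; the same applies to `GetProvisioners` in the next hunk. If the options are meant to apply here, keep the name and pass them through; otherwise say so in the doc, e.g. `// Any AdminOption passed is currently ignored.`. The `GetProvisioners` comment also still reads `returns all admins from the GET /admin/admins request`, which looks copied from `GetAdmins` and presumably should describe provisioners. Both function bodies continue outside their hunks.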
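Review bot: `setMinCertDuration(time.Duration)` in bootstrap_test.go still ignores its argument and unconditionally sets `minCertDuration = 1 * time.Second`, so the anonymous parameter now documents a dead argument rather than removing it; if every caller passes one second, drop the parameter, otherwise keep the name and use it (`minCertDuration = d`) so a call site cannot request a value that has no effect. `parseCertificateRequest(string)` in the following client_test.go hunk has the same shape — the argument is discarded and the package-level `csrPEM` is decoded instead — which a caller passing a different CSR will not expect. Both helpers continue outside their hunks.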
@@ -367,7 +367,7 @@ func (r *renewer) GetRootCAs() *x509.CertPool { return r.pool } -func (r *renewer) Renew(tr http.RoundTripper) (*api.SignResponse, error) { +func (r *renewer) Renew(http.RoundTripper) (*api.SignResponse, error) { return r.sign, r.err } diff --git a/ca/renew.go b/ca/renew.go index ea4c5764..9385e1df 100644 --- a/ca/renew.go +++ b/ca/renew.go @@ -109,7 +109,7 @@ func (r *TLSRenewer) Stop() bool { // GetCertificate returns the current server certificate. // // This method is set in the tls.Config GetCertificate property. -func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { +func (r *TLSRenewer) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) { return r.getCertificate(), nil } @@ -118,7 +118,7 @@ func (r *TLSRenewer) GetCertificate(clientHello *tls.ClientHelloInfo) (*tls.Cert // request. It's intended to be use by the certificate authority server. // // This method is set in the tls.Config GetCertificate property. -func (r *TLSRenewer) GetCertificateForCA(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { +func (r *TLSRenewer) GetCertificateForCA(*tls.ClientHelloInfo) (*tls.Certificate, error) { return r.getCertificateForCA(), nil } diff --git a/cas/apiv1/options_test.go b/cas/apiv1/options_test.go index 2442b0af..d48b63df 100644 --- a/cas/apiv1/options_test.go +++ b/cas/apiv1/options_test.go 
@@ -12,18 +12,19 @@ type testCAS struct { name string } -func (t *testCAS) CreateCertificate(req *CreateCertificateRequest) (*CreateCertificateResponse, error) { +func (t *testCAS) CreateCertificate(*CreateCertificateRequest) (*CreateCertificateResponse, error) { return nil, nil } -func (t *testCAS) RenewCertificate(req *RenewCertificateRequest) (*RenewCertificateResponse, error) { +func (t *testCAS) RenewCertificate(*RenewCertificateRequest) (*RenewCertificateResponse, error) { return nil, nil } -func (t *testCAS) RevokeCertificate(req *RevokeCertificateRequest) (*RevokeCertificateResponse, error) { +func (t *testCAS) RevokeCertificate(*RevokeCertificateRequest) (*RevokeCertificateResponse, error) { return nil, nil } +//nolint:gocritic // ignore sloppy test func name func mockRegister(t *testing.T) { t.Helper() Register(SoftCAS, func(ctx context.Context, opts Options) (CertificateAuthorityService, error) { diff --git a/cas/cas_test.go b/cas/cas_test.go index f971c5a8..9fc06567 100644 --- a/cas/cas_test.go +++ b/cas/cas_test.go @@ -18,15 +18,15 @@ import ( type mockCAS struct{} -func (m *mockCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) { +func (m *mockCAS) CreateCertificate(*apiv1.CreateCertificateRequest) (*apiv1.CreateCertificateResponse, error) { panic("not implemented") } -func (m *mockCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { +func (m *mockCAS) RenewCertificate(*apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { panic("not implemented") } -func (m *mockCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) { +func (m *mockCAS) RevokeCertificate(*apiv1.RevokeCertificateRequest) (*apiv1.RevokeCertificateResponse, error) { panic("not implemented") } diff --git a/cas/cloudcas/cloudcas_test.go b/cas/cloudcas/cloudcas_test.go index d4e92a32..95446ee6 100644 
--- a/cas/cloudcas/cloudcas_test.go +++ b/cas/cloudcas/cloudcas_test.go 
@@ -194,43 +194,43 @@ func (b *badSigner) Public() crypto.PublicKey { return b.pub } -func (b *badSigner) Sign(rnd io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) { +func (b *badSigner) Sign(io.Reader, []byte, crypto.SignerOpts) ([]byte, error) { return nil, fmt.Errorf("💥") } -func (c *testClient) CreateCertificate(ctx context.Context, req *pb.CreateCertificateRequest, opts ...gax.CallOption) (*pb.Certificate, error) { +func (c *testClient) CreateCertificate(context.Context, *pb.CreateCertificateRequest, ...gax.CallOption) (*pb.Certificate, error) { return c.certificate, c.err } -func (c *testClient) RevokeCertificate(ctx context.Context, req *pb.RevokeCertificateRequest, opts ...gax.CallOption) (*pb.Certificate, error) { +func (c *testClient) RevokeCertificate(context.Context, *pb.RevokeCertificateRequest, ...gax.CallOption) (*pb.Certificate, error) { return c.certificate, c.err } -func (c *testClient) GetCertificateAuthority(ctx context.Context, req *pb.GetCertificateAuthorityRequest, opts ...gax.CallOption) (*pb.CertificateAuthority, error) { +func (c *testClient) GetCertificateAuthority(context.Context, *pb.GetCertificateAuthorityRequest, ...gax.CallOption) (*pb.CertificateAuthority, error) { return c.certificateAuthority, c.err } -func (c *testClient) CreateCertificateAuthority(ctx context.Context, req *pb.CreateCertificateAuthorityRequest, opts ...gax.CallOption) (*privateca.CreateCertificateAuthorityOperation, error) { +func (c *testClient) CreateCertificateAuthority(context.Context, *pb.CreateCertificateAuthorityRequest, ...gax.CallOption) (*privateca.CreateCertificateAuthorityOperation, error) { return nil, errors.New("use NewMockCertificateAuthorityClient") } -func (c *testClient) FetchCertificateAuthorityCsr(ctx context.Context, req *pb.FetchCertificateAuthorityCsrRequest, opts ...gax.CallOption) (*pb.FetchCertificateAuthorityCsrResponse, error) { +func (c *testClient) FetchCertificateAuthorityCsr(context.Context, 
*pb.FetchCertificateAuthorityCsrRequest, ...gax.CallOption) (*pb.FetchCertificateAuthorityCsrResponse, error) { return nil, errors.New("use NewMockCertificateAuthorityClient") } -func (c *testClient) ActivateCertificateAuthority(ctx context.Context, req *pb.ActivateCertificateAuthorityRequest, opts ...gax.CallOption) (*privateca.ActivateCertificateAuthorityOperation, error) { +func (c *testClient) ActivateCertificateAuthority(context.Context, *pb.ActivateCertificateAuthorityRequest, ...gax.CallOption) (*privateca.ActivateCertificateAuthorityOperation, error) { return nil, errors.New("use NewMockCertificateAuthorityClient") } -func (c *testClient) EnableCertificateAuthority(ctx context.Context, req *pb.EnableCertificateAuthorityRequest, opts ...gax.CallOption) (*privateca.EnableCertificateAuthorityOperation, error) { +func (c *testClient) EnableCertificateAuthority(context.Context, *pb.EnableCertificateAuthorityRequest, ...gax.CallOption) (*privateca.EnableCertificateAuthorityOperation, error) { return nil, errors.New("use NewMockCertificateAuthorityClient") } -func (c *testClient) GetCaPool(ctx context.Context, req *pb.GetCaPoolRequest, opts ...gax.CallOption) (*pb.CaPool, error) { +func (c *testClient) GetCaPool(context.Context, *pb.GetCaPoolRequest, ...gax.CallOption) (*pb.CaPool, error) { return nil, errors.New("use NewMockCertificateAuthorityClient") } -func (c *testClient) CreateCaPool(ctx context.Context, req *pb.CreateCaPoolRequest, opts ...gax.CallOption) (*privateca.CreateCaPoolOperation, error) { +func (c *testClient) CreateCaPool(context.Context, *pb.CreateCaPoolRequest, ...gax.CallOption) (*privateca.CreateCaPoolOperation, error) { return nil, errors.New("use NewMockCertificateAuthorityClient") } diff --git a/cas/softcas/softcas.go b/cas/softcas/softcas.go index 6eae9e9e..58be8aab 100644 --- a/cas/softcas/softcas.go +++ b/cas/softcas/softcas.go 
@@ -36,7 +36,7 @@ type SoftCAS struct { // New creates a new CertificateAuthorityService implementation using Golang or KMS // crypto. -func New(ctx context.Context, opts apiv1.Options) (*SoftCAS, error) { +func New(_ context.Context, opts apiv1.Options) (*SoftCAS, error) { if !opts.IsCreator { switch { case len(opts.CertificateChain) == 0 && opts.CertificateSigner == nil: diff --git a/cas/softcas/softcas_test.go b/cas/softcas/softcas_test.go index 5c8a2f1f..11bf217a 100644 --- a/cas/softcas/softcas_test.go +++ b/cas/softcas/softcas_test.go @@ -101,7 +101,7 @@ type mockKeyManager struct { errClose error } -func (m *mockKeyManager) GetPublicKey(req *kmsapi.GetPublicKeyRequest) (crypto.PublicKey, error) { +func (m *mockKeyManager) GetPublicKey(*kmsapi.GetPublicKeyRequest) (crypto.PublicKey, error) { signer := testSigner if m.signer != nil { signer = m.signer @@ -121,7 +121,7 @@ func (m *mockKeyManager) CreateKey(req *kmsapi.CreateKeyRequest) (*kmsapi.Create }, m.errCreateKey } -func (m *mockKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (crypto.Signer, error) { +func (m *mockKeyManager) CreateSigner(*kmsapi.CreateSignerRequest) (crypto.Signer, error) { signer := testSigner if m.signer != nil { signer = m.signer @@ -129,7 +129,7 @@ func (m *mockKeyManager) CreateSigner(req *kmsapi.CreateSignerRequest) (crypto.S return signer, m.errCreatesigner } -func (m *mockKeyManager) CreateDecrypter(req *kmsapi.CreateDecrypterRequest) (crypto.Decrypter, error) { +func (m *mockKeyManager) CreateDecrypter(*kmsapi.CreateDecrypterRequest) (crypto.Decrypter, error) { return nil, nil } @@ -147,6 +147,7 @@ func (b *badSigner) Sign(_ io.Reader, _ []byte, _ crypto.SignerOpts) ([]byte, er return nil, fmt.Errorf("💥") } +//nolint:gocritic // ignore sloppy test func name func mockNow(t *testing.T) { tmp := now now = func() time.Time { diff --git a/cas/stepcas/issuer_test.go b/cas/stepcas/issuer_test.go index ff4f45f5..2a47d885 100644 --- a/cas/stepcas/issuer_test.go 
+++ b/cas/stepcas/issuer_test.go @@ -15,11 +15,11 @@ import ( type mockErrIssuer struct{} -func (m mockErrIssuer) SignToken(subject string, sans []string, info *raInfo) (string, error) { +func (m mockErrIssuer) SignToken(string, []string, *raInfo) (string, error) { return "", apiv1.NotImplementedError{} } -func (m mockErrIssuer) RevokeToken(subject string) (string, error) { +func (m mockErrIssuer) RevokeToken(string) (string, error) { return "", apiv1.NotImplementedError{} } @@ -29,7 +29,7 @@ func (m mockErrIssuer) Lifetime(d time.Duration) time.Duration { type mockErrSigner struct{} -func (s *mockErrSigner) Sign(payload []byte) (*jose.JSONWebSignature, error) { +func (s *mockErrSigner) Sign([]byte) (*jose.JSONWebSignature, error) { return nil, apiv1.NotImplementedError{} } diff --git a/cas/stepcas/stepcas.go b/cas/stepcas/stepcas.go index 7c0dc86f..9f94c6ae 100644 --- a/cas/stepcas/stepcas.go +++ b/cas/stepcas/stepcas.go @@ -157,7 +157,7 @@ func (s *StepCAS) RevokeCertificate(req *apiv1.RevokeCertificateRequest) (*apiv1 // GetCertificateAuthority returns the root certificate of the certificate // authority using the configured fingerprint. -func (s *StepCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) { +func (s *StepCAS) GetCertificateAuthority(*apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) { resp, err := s.client.Root(s.fingerprint) if err != nil { return nil, err diff --git a/cas/stepcas/x5c_issuer_test.go b/cas/stepcas/x5c_issuer_test.go index 3f7f372f..c32490ef 100644 --- a/cas/stepcas/x5c_issuer_test.go +++ b/cas/stepcas/x5c_issuer_test.go 
@@ -22,10 +22,11 @@ func (b noneSigner) Public() crypto.PublicKey { return []byte(b) } -func (b noneSigner) Sign(rnd io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { +func (b noneSigner) Sign(_ io.Reader, digest []byte, _ crypto.SignerOpts) (signature []byte, err error) { return digest, nil } +//nolint:gocritic // ignore sloppy test func name func fakeTime(t *testing.T) { t.Helper() tmp := timeNow diff --git a/cas/vaultcas/vaultcas.go b/cas/vaultcas/vaultcas.go index cac49c13..8d3797f4 100644 --- a/cas/vaultcas/vaultcas.go +++ b/cas/vaultcas/vaultcas.go @@ -127,7 +127,7 @@ func (v *VaultCAS) CreateCertificate(req *apiv1.CreateCertificateRequest) (*apiv // GetCertificateAuthority returns the root certificate of the certificate // authority using the configured fingerprint. -func (v *VaultCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) { +func (v *VaultCAS) GetCertificateAuthority(*apiv1.GetCertificateAuthorityRequest) (*apiv1.GetCertificateAuthorityResponse, error) { secret, err := v.client.Logical().Read(v.config.PKIMountPath + "/cert/ca_chain") if err != nil { return nil, fmt.Errorf("error reading ca chain: %w", err) @@ -161,7 +161,7 @@ func (v *VaultCAS) GetCertificateAuthority(req *apiv1.GetCertificateAuthorityReq // RenewCertificate will always return a non-implemented error as renewals // are not supported yet. -func (v *VaultCAS) RenewCertificate(req *apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { +func (v *VaultCAS) RenewCertificate(*apiv1.RenewCertificateRequest) (*apiv1.RenewCertificateResponse, error) { return nil, apiv1.NotImplementedError{Message: "vaultCAS does not support renewals"} } diff --git a/db/simple.go b/db/simple.go index 6321e86f..dbef2d61 100644 --- a/db/simple.go +++ b/db/simple.go 
@@ -20,24 +20,24 @@ type SimpleDB struct { usedTokens *sync.Map } -func newSimpleDB(c *Config) (*SimpleDB, error) { +func newSimpleDB(*Config) (*SimpleDB, error) { db := &SimpleDB{} db.usedTokens = new(sync.Map) return db, nil } // IsRevoked noop -func (s *SimpleDB) IsRevoked(sn string) (bool, error) { +func (s *SimpleDB) IsRevoked(string) (bool, error) { return false, nil } // IsSSHRevoked noop -func (s *SimpleDB) IsSSHRevoked(sn string) (bool, error) { +func (s *SimpleDB) IsSSHRevoked(string) (bool, error) { return false, nil } // Revoke returns a "NotImplemented" error. -func (s *SimpleDB) Revoke(rci *RevokedCertificateInfo) error { +func (s *SimpleDB) Revoke(*RevokedCertificateInfo) error { return ErrNotImplemented } @@ -52,22 +52,22 @@ func (s *SimpleDB) GetCRL() (*CertificateRevocationListInfo, error) { } // StoreCRL returns a "NotImplemented" error. -func (s *SimpleDB) StoreCRL(crlInfo *CertificateRevocationListInfo) error { +func (s *SimpleDB) StoreCRL(*CertificateRevocationListInfo) error { return ErrNotImplemented } // RevokeSSH returns a "NotImplemented" error. -func (s *SimpleDB) RevokeSSH(rci *RevokedCertificateInfo) error { +func (s *SimpleDB) RevokeSSH(*RevokedCertificateInfo) error { return ErrNotImplemented } // GetCertificate returns a "NotImplemented" error. -func (s *SimpleDB) GetCertificate(serialNumber string) (*x509.Certificate, error) { +func (s *SimpleDB) GetCertificate(string) (*x509.Certificate, error) { return nil, ErrNotImplemented } // StoreCertificate returns a "NotImplemented" error. -func (s *SimpleDB) StoreCertificate(crt *x509.Certificate) error { +func (s *SimpleDB) StoreCertificate(*x509.Certificate) error { return ErrNotImplemented } 
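Review bot: The doc comments `// IsRevoked noop` and `// IsSSHRevoked noop` understate what these methods do now that the serial-number parameter is anonymous: both unconditionally return `false, nil`, so an authority backed by SimpleDB treats every certificate as unrevoked. Suggest `// IsRevoked always reports the certificate as not revoked; SimpleDB keeps no revocation state.` and the equivalent wording for IsSSHRevoked, so the consequence is visible to whoever wires this DB in. Consistently with that, `Revoke`, `RevokeSSH` and `StoreCRL` in this and the next hunk return `ErrNotImplemented`, so a revocation can be neither recorded nor observed through this backend.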
@@ -90,12 +90,12 @@ func (s *SimpleDB) UseToken(id, tok string) (bool, error) { } // IsSSHHost returns a "NotImplemented" error. -func (s *SimpleDB) IsSSHHost(principal string) (bool, error) { +func (s *SimpleDB) IsSSHHost(string) (bool, error) { return false, ErrNotImplemented } // StoreSSHCertificate returns a "NotImplemented" error. -func (s *SimpleDB) StoreSSHCertificate(crt *ssh.Certificate) error { +func (s *SimpleDB) StoreSSHCertificate(*ssh.Certificate) error { return ErrNotImplemented } @@ -112,7 +112,7 @@ func (s *SimpleDB) Shutdown() error { // nosql.DB interface implementation // // Open opens the database available with the given options. -func (s *SimpleDB) Open(dataSourceName string, opt ...database.Option) error { +func (s *SimpleDB) Open(string, ...database.Option) error { return ErrNotImplemented } 
@@ -122,43 +122,43 @@ func (s *SimpleDB) Close() error { } // Get returns the value stored in the given table/bucket and key. -func (s *SimpleDB) Get(bucket, key []byte) ([]byte, error) { +func (s *SimpleDB) Get([]byte, []byte) ([]byte, error) { return nil, ErrNotImplemented } // Set sets the given value in the given table/bucket and key. -func (s *SimpleDB) Set(bucket, key, value []byte) error { +func (s *SimpleDB) Set([]byte, []byte, []byte) error { return ErrNotImplemented } // CmpAndSwap swaps the value at the given bucket and key if the current // value is equivalent to the oldValue input. Returns 'true' if the // swap was successful and 'false' otherwise. -func (s *SimpleDB) CmpAndSwap(bucket, key, oldValue, newValue []byte) ([]byte, bool, error) { +func (s *SimpleDB) CmpAndSwap([]byte, []byte, []byte, []byte) ([]byte, bool, error) { return nil, false, ErrNotImplemented } // Del deletes the data in the given table/bucket and key. -func (s *SimpleDB) Del(bucket, key []byte) error { +func (s *SimpleDB) Del([]byte, []byte) error { return ErrNotImplemented } // List returns a list of all the entries in a given table/bucket. -func (s *SimpleDB) List(bucket []byte) ([]*database.Entry, error) { +func (s *SimpleDB) List([]byte) ([]*database.Entry, error) { return nil, ErrNotImplemented } // Update performs a transaction with multiple read-write commands. -func (s *SimpleDB) Update(tx *database.Tx) error { +func (s *SimpleDB) Update(*database.Tx) error { return ErrNotImplemented } // CreateTable creates a table or a bucket in the database. -func (s *SimpleDB) CreateTable(bucket []byte) error { +func (s *SimpleDB) CreateTable([]byte) error { return ErrNotImplemented } // DeleteTable deletes a table or a bucket in the database. -func (s *SimpleDB) DeleteTable(bucket []byte) error { +func (s *SimpleDB) DeleteTable([]byte) error { return ErrNotImplemented } diff --git a/pki/helm_test.go b/pki/helm_test.go index ea1c4acd..508f8c3e 100644 --- a/pki/helm_test.go 
+++ b/pki/helm_test.go @@ -196,7 +196,7 @@ func setKeyPair(t *testing.T, p *PKI) { } // setCertificates sets some static, gibberish intermediate and root CA certificate and key bytes. -func setCertificates(t *testing.T, p *PKI) { +func setCertificates(_ *testing.T, p *PKI) { raw := []byte("these are just some fake root CA cert bytes") p.Files[p.Root[0]] = encodeCertificate(&x509.Certificate{Raw: raw}) p.Files[p.RootKey[0]] = pem.EncodeToMemory(&pem.Block{ @@ -213,8 +213,7 @@ func setCertificates(t *testing.T, p *PKI) { } // setSSHSigningKeys sets some static, gibberish ssh user and host CA certificate and key bytes. -func setSSHSigningKeys(t *testing.T, p *PKI) { - +func setSSHSigningKeys(_ *testing.T, p *PKI) { if !p.options.enableSSH { return } diff --git a/policy/engine.go b/policy/engine.go index c02fd7a9..56457325 100755 --- a/policy/engine.go +++ b/policy/engine.go 
@@ -244,30 +244,21 @@ func (e *NamePolicyEngine) IsX509CertificateRequestAllowed(csr *x509.Certificate return nil } -// AreSANSAllowed verifies that all names in the slice of SANs are allowed. +// AreSANsAllowed verifies that all names in the slice of SANs are allowed. // The SANs are first split into DNS names, IPs, email addresses and URIs. func (e *NamePolicyEngine) AreSANsAllowed(sans []string) error { dnsNames, ips, emails, uris := x509util.SplitSANs(sans) - if err := e.validateNames(dnsNames, ips, emails, uris, []string{}); err != nil { - return err - } - return nil + return e.validateNames(dnsNames, ips, emails, uris, []string{}) } // IsDNSAllowed verifies a single DNS domain is allowed. func (e *NamePolicyEngine) IsDNSAllowed(dns string) error { - if err := e.validateNames([]string{dns}, []net.IP{}, []string{}, []*url.URL{}, []string{}); err != nil { - return err - } - return nil + return e.validateNames([]string{dns}, []net.IP{}, []string{}, []*url.URL{}, []string{}) } // IsIPAllowed verifies a single IP domain is allowed. func (e *NamePolicyEngine) IsIPAllowed(ip net.IP) error { - if err := e.validateNames([]string{}, []net.IP{ip}, []string{}, []*url.URL{}, []string{}); err != nil { - return err - } - return nil + return e.validateNames([]string{}, []net.IP{ip}, []string{}, []*url.URL{}, []string{}) } // IsSSHCertificateAllowed verifies that all principals in an SSH certificate are allowed. @@ -276,10 +267,7 @@ func (e *NamePolicyEngine) IsSSHCertificateAllowed(cert *ssh.Certificate) error if err != nil { return err } - if err := e.validateNames(dnsNames, ips, emails, []*url.URL{}, principals); err != nil { - return err - } - return nil + return e.validateNames(dnsNames, ips, emails, []*url.URL{}, principals) } // splitPrincipals splits SSH certificate principals into DNS names, emails and usernames. diff --git a/scep/authority.go b/scep/authority.go index 8ba9c9c9..23c28813 100644 --- a/scep/authority.go +++ b/scep/authority.go 
@@ -115,7 +115,7 @@ func (a *Authority) GetLinkExplicit(provName string, abs bool, baseURL *url.URL, // getLinkExplicit returns an absolute or partial path to the given resource and a base // URL dynamically obtained from the request for which the link is being calculated. -func (a *Authority) getLinkExplicit(provisionerName string, abs bool, baseURL *url.URL, inputs ...string) string { +func (a *Authority) getLinkExplicit(provisionerName string, abs bool, baseURL *url.URL, _ ...string) string { link := "/" + provisionerName if abs { // Copy the baseURL value from the pointer. https://github.com/golang/go/issues/38351 @@ -182,7 +182,7 @@ func (a *Authority) GetCACertificates(ctx context.Context) ([]*x509.Certificate, } // DecryptPKIEnvelope decrypts an enveloped message -func (a *Authority) DecryptPKIEnvelope(ctx context.Context, msg *PKIMessage) error { +func (a *Authority) DecryptPKIEnvelope(_ context.Context, msg *PKIMessage) error { p7c, err := pkcs7.Parse(msg.P7.Content) if err != nil { return fmt.Errorf("error parsing pkcs7 content: %w", err) @@ -389,7 +389,7 @@ func (a *Authority) SignCSR(ctx context.Context, csr *x509.CertificateRequest, m } // CreateFailureResponse creates an appropriately signed reply for PKI operations -func (a *Authority) CreateFailureResponse(ctx context.Context, csr *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error) { +func (a *Authority) CreateFailureResponse(_ context.Context, _ *x509.CertificateRequest, msg *PKIMessage, info FailInfoName, infoText string) (*PKIMessage, error) { config := pkcs7.SignerInfoConfig{ ExtraSignedAttributes: []pkcs7.Attribute{ { diff --git a/scep/service.go b/scep/service.go index a4efe27e..85f7c73f 100644 --- a/scep/service.go +++ b/scep/service.go 
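Review bot: `getLinkExplicit` now discards its variadic `_ ...string` while its doc comment still says it returns a path "to the given resource"; if the exported `GetLinkExplicit` forwards its own trailing arguments here (its signature in the hunk header is cut off, so this is an inference), those segments never reach the returned link. Either append them to `link` or document the limitation, e.g. `// Additional path segments are currently ignored.`. The same goes for `CreateFailureResponse`, whose `_ *x509.CertificateRequest` parameter is now visibly unused but not mentioned in its doc comment. All three functions continue outside their hunks.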
@@ -13,7 +13,8 @@ type Service struct { decrypter crypto.Decrypter } -func NewService(ctx context.Context, opts Options) (*Service, error) { +// NewService returns a new Service type. +func NewService(_ context.Context, opts Options) (*Service, error) { if err := opts.Validate(); err != nil { return nil, err }