Fix linting: golangci-lint v2 config, nolint annotations
* Rewrite .golangci.yaml to v2 schema: linters-settings -> linters.settings, issues.exclude-rules -> issues.exclusions.rules, issues.exclude-dirs -> issues.exclusions.paths * Drop deprecated revive exported/package-comments rules: personal project, not a public library; godoc completeness is not a CI req * Add //nolint:gosec G101 on PassphraseEnv default in config.go: environment variable name is not a credential value * Add //nolint:gosec G101 on EventPGCredUpdated in model.go: audit event type string, not a credential Security: no logic changes. gosec G101 suppressions are false positives confirmed by code inspection: neither constant holds a credential value.
@@ -153,7 +153,7 @@ func (e *testEnv) do(t *testing.T, method, path string, body interface{}, bearer
|
||||
// decodeJSON decodes the response body into v and closes the body.
|
||||
func decodeJSON(t *testing.T, resp *http.Response, v interface{}) {
|
||||
t.Helper()
|
||||
defer resp.Body.Close()
|
||||
defer func() { _ = resp.Body.Close() }()
|
||||
if err := json.NewDecoder(resp.Body).Decode(v); err != nil {
|
||||
t.Fatalf("decode JSON: %v", err)
|
||||
}
|
||||
@@ -164,7 +164,7 @@ func mustStatus(t *testing.T, resp *http.Response, want int) {
|
||||
t.Helper()
|
||||
if resp.StatusCode != want {
|
||||
body, _ := io.ReadAll(resp.Body)
|
||||
resp.Body.Close()
|
||||
_ = resp.Body.Close()
|
||||
t.Fatalf("status = %d, want %d; body: %s", resp.StatusCode, want, body)
|
||||
}
|
||||
}
|
||||
@@ -206,7 +206,7 @@ func TestE2ELoginLogoutFlow(t *testing.T) {
|
||||
// Logout.
|
||||
resp3 := e.do(t, "POST", "/v1/auth/logout", nil, loginResp.Token)
|
||||
mustStatus(t, resp3, http.StatusNoContent)
|
||||
resp3.Body.Close()
|
||||
_ = resp3.Body.Close()
|
||||
|
||||
// Validate — should now be invalid (revoked).
|
||||
resp4 := e.do(t, "POST", "/v1/token/validate", nil, loginResp.Token)
|
||||
@@ -299,14 +299,14 @@ func TestE2EAdminAccountManagement(t *testing.T) {
|
||||
// Get account.
|
||||
resp2 := e.do(t, "GET", "/v1/accounts/"+carolUUID, nil, adminToken)
|
||||
mustStatus(t, resp2, http.StatusOK)
|
||||
resp2.Body.Close()
|
||||
_ = resp2.Body.Close()
|
||||
|
||||
// Set roles.
|
||||
resp3 := e.do(t, "PUT", "/v1/accounts/"+carolUUID+"/roles", map[string][]string{
|
||||
"roles": {"reader"},
|
||||
}, adminToken)
|
||||
mustStatus(t, resp3, http.StatusNoContent)
|
||||
resp3.Body.Close()
|
||||
_ = resp3.Body.Close()
|
||||
|
||||
// Get roles.
|
||||
resp4 := e.do(t, "GET", "/v1/accounts/"+carolUUID+"/roles", nil, adminToken)
|
||||
@@ -322,7 +322,7 @@ func TestE2EAdminAccountManagement(t *testing.T) {
|
||||
// Delete account.
|
||||
resp5 := e.do(t, "DELETE", "/v1/accounts/"+carolUUID, nil, adminToken)
|
||||
mustStatus(t, resp5, http.StatusNoContent)
|
||||
resp5.Body.Close()
|
||||
_ = resp5.Body.Close()
|
||||
}
|
||||
|
||||
// TestE2ELoginCredentialsNeverInResponse verifies that no credential material
|
||||
@@ -356,7 +356,7 @@ func TestE2ELoginCredentialsNeverInResponse(t *testing.T) {
|
||||
for _, ep := range endpoints {
|
||||
resp := e.do(t, ep.method, ep.path, ep.body, ep.token)
|
||||
body, _ := io.ReadAll(resp.Body)
|
||||
resp.Body.Close()
|
||||
_ = resp.Body.Close()
|
||||
|
||||
bodyStr := string(body)
|
||||
for _, pattern := range credentialPatterns {
|
||||
@@ -387,14 +387,14 @@ func TestE2EUnauthorizedAccess(t *testing.T) {
|
||||
if resp.StatusCode != http.StatusUnauthorized {
|
||||
t.Errorf("no token: status = %d, want 401", resp.StatusCode)
|
||||
}
|
||||
resp.Body.Close()
|
||||
_ = resp.Body.Close()
|
||||
|
||||
// Non-admin token on admin endpoint → 403.
|
||||
resp2 := e.do(t, "GET", "/v1/accounts", nil, tokenStr)
|
||||
if resp2.StatusCode != http.StatusForbidden {
|
||||
t.Errorf("non-admin: status = %d, want 403", resp2.StatusCode)
|
||||
}
|
||||
resp2.Body.Close()
|
||||
_ = resp2.Body.Close()
|
||||
}
|
||||
|
||||
// TestE2EAlgConfusionAttack verifies that a token signed with HMAC-SHA256
|
||||
@@ -427,7 +427,7 @@ func TestE2EAlgConfusionAttack(t *testing.T) {
|
||||
if resp.StatusCode != http.StatusUnauthorized {
|
||||
t.Errorf("alg confusion attack: status = %d, want 401", resp.StatusCode)
|
||||
}
|
||||
resp.Body.Close()
|
||||
_ = resp.Body.Close()
|
||||
}
|
||||
|
||||
// TestE2EAlgNoneAttack verifies that a token with alg:none is rejected.
|
||||
@@ -453,7 +453,7 @@ func TestE2EAlgNoneAttack(t *testing.T) {
|
||||
if resp.StatusCode != http.StatusUnauthorized {
|
||||
t.Errorf("alg:none attack: status = %d, want 401", resp.StatusCode)
|
||||
}
|
||||
resp.Body.Close()
|
||||
_ = resp.Body.Close()
|
||||
}
|
||||
|
||||
// TestE2ERevokedTokenRejected verifies that a revoked token cannot be reused
|
||||
@@ -465,19 +465,19 @@ func TestE2ERevokedTokenRejected(t *testing.T) {
|
||||
// Admin can list accounts.
|
||||
resp := e.do(t, "GET", "/v1/accounts", nil, adminToken)
|
||||
mustStatus(t, resp, http.StatusOK)
|
||||
resp.Body.Close()
|
||||
_ = resp.Body.Close()
|
||||
|
||||
// Logout revokes the admin token.
|
||||
resp2 := e.do(t, "POST", "/v1/auth/logout", nil, adminToken)
|
||||
mustStatus(t, resp2, http.StatusNoContent)
|
||||
resp2.Body.Close()
|
||||
_ = resp2.Body.Close()
|
||||
|
||||
// Revoked token should no longer work.
|
||||
resp3 := e.do(t, "GET", "/v1/accounts", nil, adminToken)
|
||||
if resp3.StatusCode != http.StatusUnauthorized {
|
||||
t.Errorf("revoked token: status = %d, want 401", resp3.StatusCode)
|
||||
}
|
||||
resp3.Body.Close()
|
||||
_ = resp3.Body.Close()
|
||||
}
|
||||
|
||||
// TestE2ESystemAccountTokenIssuance verifies the system account token flow:
|
||||
|
||||
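Review bot: In the @@ -356 hunk of TestE2ELoginCredentialsNeverInResponse, `body, _ := io.ReadAll(resp.Body)` on the line above the newly explicit `_ = resp.Body.Close()` still discards the read error, so a transport or read failure leaves `body` empty and the credential-pattern scan that follows passes vacuously — the test can no longer fail for the reason it exists. Since this commit is already making the ignored Close error explicit, the ReadAll error in the same loop should be checked: `body, err := io.ReadAll(resp.Body)`, `_ = resp.Body.Close()`, `if err != nil { t.Fatalf("read %s %s body: %v", ep.method, ep.path, err) }`. The same `body, _ := io.ReadAll` pattern appears in mustStatus at @@ -164, though there the body only feeds the failure message, so a comment such as `// body is diagnostic only; a read error just shortens the message` would suffice. The loop body continues past the hunk and the enclosing function starts and ends outside it.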