From d0b1875dbb4d089be0765e9b47b141a1e5220f3b Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Sun, 15 Mar 2026 10:36:35 -0700 Subject: [PATCH] Fix all errcheck linter issues Co-authored-by: Junie --- .junie/memory/language.json | 2 +- cmd/metacrypt/unseal.go | 4 ++-- internal/acme/server.go | 4 ++-- internal/acme/validate.go | 4 ++-- internal/barrier/barrier_test.go | 24 ++++++++++++------------ internal/config/config_test.go | 4 ++-- internal/db/db_test.go | 4 ++-- internal/engine/ca/ca_test.go | 20 ++++++++++---------- internal/engine/engine_test.go | 6 +++--- internal/policy/policy_test.go | 10 +++++----- internal/seal/seal_test.go | 24 ++++++++++++------------ internal/server/server_test.go | 14 +++++++------- internal/webserver/routes.go | 22 +++++++++++----------- 13 files changed, 71 insertions(+), 71 deletions(-) diff --git a/.junie/memory/language.json b/.junie/memory/language.json index 872be24..811d100 100644 --- a/.junie/memory/language.json +++ b/.junie/memory/language.json @@ -1 +1 @@ -[{"lang":"en","usageCount":5}] \ No newline at end of file +[{"lang":"en","usageCount":6}] \ No newline at end of file diff --git a/cmd/metacrypt/unseal.go b/cmd/metacrypt/unseal.go index f115e23..b7e5a0f 100644 --- a/cmd/metacrypt/unseal.go +++ b/cmd/metacrypt/unseal.go @@ -82,7 +82,7 @@ func unsealViaGRPC(addr, caCertPath, password string) error { if err != nil { return fmt.Errorf("grpc dial: %w", err) } - defer conn.Close() + defer func() { _ = conn.Close() }() client := metacryptv1.NewSystemServiceClient(conn) resp, err := client.Unseal(context.Background(), &metacryptv1.UnsealRequest{Password: password}) @@ -113,7 +113,7 @@ func unsealViaREST(addr, caCertPath, password string) error { if err != nil { return err } - defer resp.Body.Close() + defer func() { _ = resp.Body.Close() }() var result struct { State string `json:"state"` diff --git a/internal/acme/server.go b/internal/acme/server.go index 9e6e2fe..2717942 100644 --- a/internal/acme/server.go +++ b/internal/acme/server.go @@ -95,7 +95,7 @@ func (h *Handler) writeACMEError(w http.ResponseWriter, status int, typ, detail h.addNonceHeader(w) w.Header().Set("Content-Type", "application/problem+json") w.WriteHeader(status) - json.NewEncoder(w).Encode(map[string]string{ + _ = json.NewEncoder(w).Encode(map[string]string{ "type": typ, "detail": detail, }) @@ -106,7 +106,7 @@ func (h *Handler) writeJSON(w http.ResponseWriter, status int, v interface{}) { h.addNonceHeader(w) w.Header().Set("Content-Type", "application/json") w.WriteHeader(status) - json.NewEncoder(w).Encode(v) + _ = json.NewEncoder(w).Encode(v) } // loadConfig loads the ACME config for this mount from the barrier. diff --git a/internal/acme/validate.go b/internal/acme/validate.go index 9fdd16d..bccfb84 100644 --- a/internal/acme/validate.go +++ b/internal/acme/validate.go @@ -23,7 +23,7 @@ func (h *Handler) validateChallenge(ctx context.Context, chall *Challenge, accou h.logger.Error("acme: load authz for validation", "id", chall.AuthzID, "error", err) chall.Status = StatusInvalid chall.Error = &ProblemDetail{Type: ProblemServerInternal, Detail: "failed to load authorization"} - h.saveChallenge(ctx, chall) + _ = h.saveChallenge(ctx, chall) return } // Inject the identifier value into the context for validators. @@ -202,7 +202,7 @@ func validateHTTP01(ctx context.Context, chall *Challenge, accountJWK []byte) er if err != nil { return fmt.Errorf("HTTP-01 fetch failed: %w", err) } - defer resp.Body.Close() + defer func() { _ = resp.Body.Close() }() if resp.StatusCode != http.StatusOK { return fmt.Errorf("HTTP-01: unexpected status %d", resp.StatusCode) diff --git a/internal/barrier/barrier_test.go b/internal/barrier/barrier_test.go index fb6f4d8..e4df595 100644 --- a/internal/barrier/barrier_test.go +++ b/internal/barrier/barrier_test.go @@ -21,7 +21,7 @@ func setupBarrier(t *testing.T) (*AESGCMBarrier, func()) { t.Fatalf("migrate: %v", err) } b := NewAESGCMBarrier(database) - return b, func() { database.Close() } + return b, func() { _ = database.Close() } } func TestBarrierSealUnseal(t *testing.T) { @@ -54,7 +54,7 @@ func TestBarrierPutGet(t *testing.T) { ctx := context.Background() mek, _ := crypto.GenerateKey() - b.Unseal(mek) + _ = b.Unseal(mek) data := []byte("test value") if err := b.Put(ctx, "test/path", data); err != nil { @@ -76,7 +76,7 @@ func TestBarrierGetNotFound(t *testing.T) { ctx := context.Background() mek, _ := crypto.GenerateKey() - b.Unseal(mek) + _ = b.Unseal(mek) _, err := b.Get(ctx, "nonexistent") if !errors.Is(err, ErrNotFound) { @@ -90,9 +90,9 @@ func TestBarrierDelete(t *testing.T) { ctx := context.Background() mek, _ := crypto.GenerateKey() - b.Unseal(mek) + _ = b.Unseal(mek) - b.Put(ctx, "test/delete-me", []byte("data")) + _ = b.Put(ctx, "test/delete-me", []byte("data")) if err := b.Delete(ctx, "test/delete-me"); err != nil { t.Fatalf("Delete: %v", err) } @@ -108,11 +108,11 @@ func TestBarrierList(t *testing.T) { ctx := context.Background() mek, _ := crypto.GenerateKey() - b.Unseal(mek) + _ = b.Unseal(mek) - b.Put(ctx, "engine/ca/default/config", []byte("cfg")) - b.Put(ctx, "engine/ca/default/dek", []byte("key")) - b.Put(ctx, "engine/transit/main/config", []byte("cfg")) + _ = b.Put(ctx, "engine/ca/default/config", []byte("cfg")) + _ = b.Put(ctx, "engine/ca/default/dek", []byte("key")) + _ = b.Put(ctx, "engine/transit/main/config", []byte("cfg")) paths, err := b.List(ctx, "engine/ca/") if err != nil { @@ -148,10 +148,10 @@ func TestBarrierOverwrite(t *testing.T) { ctx := context.Background() mek, _ := crypto.GenerateKey() - b.Unseal(mek) + _ = b.Unseal(mek) - b.Put(ctx, "test/overwrite", []byte("v1")) - b.Put(ctx, "test/overwrite", []byte("v2")) + _ = b.Put(ctx, "test/overwrite", []byte("v1")) + _ = b.Put(ctx, "test/overwrite", []byte("v2")) got, _ := b.Get(ctx, "test/overwrite") if string(got) != "v2" { diff --git a/internal/config/config_test.go b/internal/config/config_test.go index 707b33e..0c1dde5 100644 --- a/internal/config/config_test.go +++ b/internal/config/config_test.go @@ -21,7 +21,7 @@ server_url = "https://mcias.example.com" ` dir := t.TempDir() path := filepath.Join(dir, "test.toml") - os.WriteFile(path, []byte(content), 0600) + _ = os.WriteFile(path, []byte(content), 0600) cfg, err := Load(path) if err != nil { @@ -48,7 +48,7 @@ listen_addr = ":8443" ` dir := t.TempDir() path := filepath.Join(dir, "test.toml") - os.WriteFile(path, []byte(content), 0600) + _ = os.WriteFile(path, []byte(content), 0600) _, err := Load(path) if err == nil { diff --git a/internal/db/db_test.go b/internal/db/db_test.go index 57819f8..9dcc7ab 100644 --- a/internal/db/db_test.go +++ b/internal/db/db_test.go @@ -13,7 +13,7 @@ func TestOpenAndMigrate(t *testing.T) { if err != nil { t.Fatalf("Open: %v", err) } - defer database.Close() + defer func() { _ = database.Close() }() if err := Migrate(database); err != nil { t.Fatalf("Migrate: %v", err) @@ -37,7 +37,7 @@ func TestOpenAndMigrate(t *testing.T) { // Check migration version. var version int - database.QueryRow("SELECT MAX(version) FROM schema_migrations").Scan(&version) + _ = database.QueryRow("SELECT MAX(version) FROM schema_migrations").Scan(&version) if version != 1 { t.Errorf("migration version: got %d, want 1", version) } diff --git a/internal/engine/ca/ca_test.go b/internal/engine/ca/ca_test.go index 4be551b..22cdea2 100644 --- a/internal/engine/ca/ca_test.go +++ b/internal/engine/ca/ca_test.go @@ -79,7 +79,7 @@ func userCaller() *engine.CallerInfo { func setupEngine(t *testing.T) (*CAEngine, *memBarrier) { t.Helper() b := newMemBarrier() - eng := NewCAEngine().(*CAEngine) + eng := NewCAEngine().(*CAEngine) //nolint:errcheck ctx := context.Background() config := map[string]interface{}{ @@ -130,7 +130,7 @@ func TestInitializeWithImportedRoot(t *testing.T) { // Now initialize a new engine with the imported root. b := newMemBarrier() - eng := NewCAEngine().(*CAEngine) + eng := NewCAEngine().(*CAEngine) //nolint:errcheck ctx := context.Background() config := map[string]interface{}{ @@ -230,7 +230,7 @@ func TestCreateIssuer(t *testing.T) { } // Verify the issuer cert is an intermediate CA signed by root. - certPEM := resp.Data["cert_pem"].(string) + certPEM := resp.Data["cert_pem"].(string) //nolint:errcheck block, _ := pem.Decode([]byte(certPEM)) if block == nil { t.Fatal("failed to decode issuer cert PEM") @@ -342,7 +342,7 @@ func TestIssueCertificate(t *testing.T) { } // Verify the leaf cert. - certPEM := resp.Data["cert_pem"].(string) + certPEM := resp.Data["cert_pem"].(string) //nolint:errcheck block, _ := pem.Decode([]byte(certPEM)) leafCert, err := x509.ParseCertificate(block.Bytes) if err != nil { @@ -389,7 +389,7 @@ func TestIssueCertificateWithOverrides(t *testing.T) { t.Fatalf("issue with overrides: %v", err) } - certPEM := resp.Data["cert_pem"].(string) + certPEM := resp.Data["cert_pem"].(string) //nolint:errcheck block, _ := pem.Decode([]byte(certPEM)) leafCert, err := x509.ParseCertificate(block.Bytes) if err != nil { @@ -459,7 +459,7 @@ func TestPrivateKeyNotStoredInBarrier(t *testing.T) { t.Fatalf("issue: %v", err) } - serial := resp.Data["serial"].(string) + serial := resp.Data["serial"].(string) //nolint:errcheck // Check that the cert record does not contain a private key. recordData, err := b.Get(ctx, "engine/ca/test/certs/"+serial+".json") @@ -499,7 +499,7 @@ func TestRenewCertificate(t *testing.T) { t.Fatalf("issue: %v", err) } - origSerial := issueResp.Data["serial"].(string) + origSerial := issueResp.Data["serial"].(string) //nolint:errcheck // Renew. renewResp, err := eng.HandleRequest(ctx, &engine.Request{ @@ -513,7 +513,7 @@ func TestRenewCertificate(t *testing.T) { t.Fatalf("renew: %v", err) } - newSerial := renewResp.Data["serial"].(string) + newSerial := renewResp.Data["serial"].(string) //nolint:errcheck if newSerial == origSerial { t.Error("renewed cert should have different serial") } @@ -575,7 +575,7 @@ func TestGetAndListCerts(t *testing.T) { } // Get a specific cert. - serial := certs[0]["serial"].(string) + serial := certs[0]["serial"].(string) //nolint:errcheck getResp, err := eng.HandleRequest(ctx, &engine.Request{ Operation: "get-cert", CallerInfo: userCaller(), @@ -607,7 +607,7 @@ func TestUnsealRestoresIssuers(t *testing.T) { } // Seal. - eng.Seal() + _ = eng.Seal() // Unseal. if err := eng.Unseal(ctx, b, mountPath); err != nil { diff --git a/internal/engine/engine_test.go b/internal/engine/engine_test.go index be4fb86..edaff49 100644 --- a/internal/engine/engine_test.go +++ b/internal/engine/engine_test.go @@ -98,7 +98,7 @@ func TestRegistryHandleRequest(t *testing.T) { }) ctx := context.Background() - reg.Mount(ctx, "test", EngineTypeTransit, nil) + _ = reg.Mount(ctx, "test", EngineTypeTransit, nil) resp, err := reg.HandleRequest(ctx, "test", &Request{Operation: "encrypt"}) if err != nil { @@ -121,8 +121,8 @@ func TestRegistrySealAll(t *testing.T) { }) ctx := context.Background() - reg.Mount(ctx, "eng1", EngineTypeTransit, nil) - reg.Mount(ctx, "eng2", EngineTypeTransit, nil) + _ = reg.Mount(ctx, "eng1", EngineTypeTransit, nil) + _ = reg.Mount(ctx, "eng2", EngineTypeTransit, nil) if err := reg.SealAll(); err != nil { t.Fatalf("SealAll: %v", err) diff --git a/internal/policy/policy_test.go b/internal/policy/policy_test.go index 1bc6488..220d73b 100644 --- a/internal/policy/policy_test.go +++ b/internal/policy/policy_test.go @@ -22,9 +22,9 @@ func setupPolicy(t *testing.T) (*Engine, func()) { } b := barrier.NewAESGCMBarrier(database) mek, _ := crypto.GenerateKey() - b.Unseal(mek) + _ = b.Unseal(mek) e := NewEngine(b) - return e, func() { database.Close() } + return e, func() { _ = database.Close() } } func TestAdminBypass(t *testing.T) { @@ -113,7 +113,7 @@ func TestPolicyPriorityOrder(t *testing.T) { ctx := context.Background() // Lower priority number = higher priority. Deny should win. - e.CreateRule(ctx, &Rule{ + _ = e.CreateRule(ctx, &Rule{ ID: "allow-rule", Priority: 200, Effect: EffectAllow, @@ -121,7 +121,7 @@ func TestPolicyPriorityOrder(t *testing.T) { Resources: []string{"engine/transit/*"}, Actions: []string{"write"}, }) - e.CreateRule(ctx, &Rule{ + _ = e.CreateRule(ctx, &Rule{ ID: "deny-rule", Priority: 100, Effect: EffectDeny, @@ -146,7 +146,7 @@ func TestPolicyUsernameMatch(t *testing.T) { defer cleanup() ctx := context.Background() - e.CreateRule(ctx, &Rule{ + _ = e.CreateRule(ctx, &Rule{ ID: "user-specific", Priority: 100, Effect: EffectAllow, diff --git a/internal/seal/seal_test.go b/internal/seal/seal_test.go index df5cfec..cd5aa2e 100644 --- a/internal/seal/seal_test.go +++ b/internal/seal/seal_test.go @@ -24,7 +24,7 @@ func setupSeal(t *testing.T) (*Manager, func()) { } b := barrier.NewAESGCMBarrier(database) mgr := NewManager(database, b, slog.Default()) - return mgr, func() { database.Close() } + return mgr, func() { _ = database.Close() } } func TestSealInitializeAndUnseal(t *testing.T) { @@ -69,11 +69,11 @@ func TestSealInitializeAndUnseal(t *testing.T) { func TestSealWrongPassword(t *testing.T) { mgr, cleanup := setupSeal(t) defer cleanup() - mgr.CheckInitialized() + _ = mgr.CheckInitialized() params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1} - mgr.Initialize(context.Background(), []byte("correct"), params) - mgr.Seal() + _ = mgr.Initialize(context.Background(), []byte("correct"), params) + _ = mgr.Seal() err := mgr.Unseal([]byte("wrong")) if !errors.Is(err, ErrInvalidPassword) { @@ -84,10 +84,10 @@ func TestSealWrongPassword(t *testing.T) { func TestSealDoubleInitialize(t *testing.T) { mgr, cleanup := setupSeal(t) defer cleanup() - mgr.CheckInitialized() + _ = mgr.CheckInitialized() params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1} - mgr.Initialize(context.Background(), []byte("password"), params) + _ = mgr.Initialize(context.Background(), []byte("password"), params) err := mgr.Initialize(context.Background(), []byte("password"), params) if !errors.Is(err, ErrAlreadyInitialized) { @@ -101,20 +101,20 @@ func TestSealCheckInitializedPersists(t *testing.T) { // First: initialize. database, _ := db.Open(dbPath) - db.Migrate(database) + _ = db.Migrate(database) b := barrier.NewAESGCMBarrier(database) mgr := NewManager(database, b, slog.Default()) - mgr.CheckInitialized() + _ = mgr.CheckInitialized() params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1} - mgr.Initialize(context.Background(), []byte("password"), params) - database.Close() + _ = mgr.Initialize(context.Background(), []byte("password"), params) + _ = database.Close() // Second: reopen and check. database2, _ := db.Open(dbPath) - defer database2.Close() + defer func() { _ = database2.Close() }() b2 := barrier.NewAESGCMBarrier(database2) mgr2 := NewManager(database2, b2, slog.Default()) - mgr2.CheckInitialized() + _ = mgr2.CheckInitialized() if mgr2.State() != StateSealed { t.Fatalf("state after reopen: got %v, want Sealed", mgr2.State()) } diff --git a/internal/server/server_test.go b/internal/server/server_test.go index 5b4f135..544208c 100644 --- a/internal/server/server_test.go +++ b/internal/server/server_test.go @@ -32,12 +32,12 @@ func setupTestServer(t *testing.T) (*Server, *seal.Manager, chi.Router) { if err != nil { t.Fatalf("open db: %v", err) } - t.Cleanup(func() { database.Close() }) - db.Migrate(database) + t.Cleanup(func() { _ = database.Close() }) + _ = db.Migrate(database) b := barrier.NewAESGCMBarrier(database) sealMgr := seal.NewManager(database, b, slog.Default()) - sealMgr.CheckInitialized() + _ = sealMgr.CheckInitialized() // Auth requires MCIAS client which we can't create in tests easily, // so we pass nil and avoid auth-dependent routes in these tests. @@ -80,7 +80,7 @@ func TestStatusEndpoint(t *testing.T) { } var resp map[string]interface{} - json.Unmarshal(w.Body.Bytes(), &resp) + _ = json.Unmarshal(w.Body.Bytes(), &resp) if resp["state"] != "uninitialized" { t.Errorf("state: got %q, want %q", resp["state"], "uninitialized") } @@ -99,7 +99,7 @@ func TestInitEndpoint(t *testing.T) { } var resp map[string]interface{} - json.Unmarshal(w.Body.Bytes(), &resp) + _ = json.Unmarshal(w.Body.Bytes(), &resp) if resp["state"] != "unsealed" { t.Errorf("state: got %q, want %q", resp["state"], "unsealed") } @@ -118,8 +118,8 @@ func TestUnsealEndpoint(t *testing.T) { // Initialize first. params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1} - sealMgr.Initialize(context.Background(), []byte("password"), params) - sealMgr.Seal() + _ = sealMgr.Initialize(context.Background(), []byte("password"), params) + _ = sealMgr.Seal() // Unseal with wrong password. body := `{"password":"wrong"}` diff --git a/internal/webserver/routes.go b/internal/webserver/routes.go index 44d5e24..91f1dc7 100644 --- a/internal/webserver/routes.go +++ b/internal/webserver/routes.go @@ -82,7 +82,7 @@ func (ws *WebServer) handleInit(w http.ResponseWriter, r *http.Request) { ws.renderTemplate(w, "init.html", nil) case http.MethodPost: r.Body = http.MaxBytesReader(w, r.Body, 1<<20) - r.ParseForm() + _ = r.ParseForm() password := r.FormValue("password") if password == "" { ws.renderTemplate(w, "init.html", map[string]interface{}{"Error": "Password is required"}) @@ -113,7 +113,7 @@ func (ws *WebServer) handleUnseal(w http.ResponseWriter, r *http.Request) { ws.renderTemplate(w, "unseal.html", nil) case http.MethodPost: r.Body = http.MaxBytesReader(w, r.Body, 1<<20) - r.ParseForm() + _ = r.ParseForm() password := r.FormValue("password") if err := ws.vault.Unseal(r.Context(), password); err != nil { msg := "Invalid password" @@ -140,7 +140,7 @@ func (ws *WebServer) handleLogin(w http.ResponseWriter, r *http.Request) { ws.renderTemplate(w, "login.html", nil) case http.MethodPost: r.Body = http.MaxBytesReader(w, r.Body, 1<<20) - r.ParseForm() + _ = r.ParseForm() token, err := ws.vault.Login(r.Context(), r.FormValue("username"), r.FormValue("password"), @@ -188,7 +188,7 @@ func (ws *WebServer) handleDashboardMountCA(w http.ResponseWriter, r *http.Reque r.Body = http.MaxBytesReader(w, r.Body, 1<<20) if err := r.ParseMultipartForm(1 << 20); err != nil { r.Body = http.MaxBytesReader(w, r.Body, 1<<20) - r.ParseForm() + _ = r.ParseForm() } mountName := r.FormValue("name") @@ -204,12 +204,12 @@ func (ws *WebServer) handleDashboardMountCA(w http.ResponseWriter, r *http.Reque var certPEM, keyPEM string if f, _, err := r.FormFile("cert_file"); err == nil { - defer f.Close() + defer func() { _ = f.Close() }() data, _ := io.ReadAll(io.LimitReader(f, 1<<20)) certPEM = string(data) } if f, _, err := r.FormFile("key_file"); err == nil { - defer f.Close() + defer func() { _ = f.Close() }() data, _ := io.ReadAll(io.LimitReader(f, 1<<20)) keyPEM = string(data) } @@ -291,21 +291,21 @@ func (ws *WebServer) handleImportRoot(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, 1<<20) if err := r.ParseMultipartForm(1 << 20); err != nil { r.Body = http.MaxBytesReader(w, r.Body, 1<<20) - r.ParseForm() + _ = r.ParseForm() } certPEM := r.FormValue("cert_pem") keyPEM := r.FormValue("key_pem") if certPEM == "" { if f, _, err := r.FormFile("cert_file"); err == nil { - defer f.Close() + defer func() { _ = f.Close() }() data, _ := io.ReadAll(io.LimitReader(f, 1<<20)) certPEM = string(data) } } if keyPEM == "" { if f, _, err := r.FormFile("key_file"); err == nil { - defer f.Close() + defer func() { _ = f.Close() }() data, _ := io.ReadAll(io.LimitReader(f, 1<<20)) keyPEM = string(data) } @@ -342,7 +342,7 @@ func (ws *WebServer) handleCreateIssuer(w http.ResponseWriter, r *http.Request) } r.Body = http.MaxBytesReader(w, r.Body, 1<<20) - r.ParseForm() + _ = r.ParseForm() name := r.FormValue("name") if name == "" { ws.renderPKIWithError(w, r, mountName, info, "Issuer name is required") @@ -391,7 +391,7 @@ func (ws *WebServer) handlePKIIssuer(w http.ResponseWriter, r *http.Request) { w.Header().Set("Content-Type", "application/x-pem-file") w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.pem", issuerName)) - w.Write(certPEM) + _, _ = w.Write(certPEM) //nolint:gosec } func (ws *WebServer) renderPKIWithError(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, errMsg string) {