Fix all errcheck linter issues

Co-authored-by: Junie <junie@jetbrains.com>

.junie/memory/language.json

@@ -1 +1 @@
-[{"lang":"en","usageCount":5}]
+[{"lang":"en","usageCount":6}]

cmd/metacrypt/unseal.go

@@ -82,7 +82,7 @@ func unsealViaGRPC(addr, caCertPath, password string) error {
 	if err != nil {
 		return fmt.Errorf("grpc dial: %w", err)
 	}
-	defer conn.Close()
+	defer func() { _ = conn.Close() }()
 
 	client := metacryptv1.NewSystemServiceClient(conn)
 	resp, err := client.Unseal(context.Background(), &metacryptv1.UnsealRequest{Password: password})
@@ -113,7 +113,7 @@ func unsealViaREST(addr, caCertPath, password string) error {
 	if err != nil {
 		return err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	var result struct {
 		State string `json:"state"`

internal/acme/server.go

@@ -95,7 +95,7 @@ func (h *Handler) writeACMEError(w http.ResponseWriter, status int, typ, detail
 	h.addNonceHeader(w)
 	w.Header().Set("Content-Type", "application/problem+json")
 	w.WriteHeader(status)
-	json.NewEncoder(w).Encode(map[string]string{
+	_ = json.NewEncoder(w).Encode(map[string]string{
 		"type":   typ,
 		"detail": detail,
 	})
@@ -106,7 +106,7 @@ func (h *Handler) writeJSON(w http.ResponseWriter, status int, v interface{}) {
 	h.addNonceHeader(w)
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
-	json.NewEncoder(w).Encode(v)
+	_ = json.NewEncoder(w).Encode(v)
 }
 
 // loadConfig loads the ACME config for this mount from the barrier.

internal/acme/validate.go

@@ -23,7 +23,7 @@ func (h *Handler) validateChallenge(ctx context.Context, chall *Challenge, accou
 		h.logger.Error("acme: load authz for validation", "id", chall.AuthzID, "error", err)
 		chall.Status = StatusInvalid
 		chall.Error = &ProblemDetail{Type: ProblemServerInternal, Detail: "failed to load authorization"}
-		h.saveChallenge(ctx, chall)
+		_ = h.saveChallenge(ctx, chall)
 		return
 	}
 	// Inject the identifier value into the context for validators.
@@ -202,7 +202,7 @@ func validateHTTP01(ctx context.Context, chall *Challenge, accountJWK []byte) er
 	if err != nil {
 		return fmt.Errorf("HTTP-01 fetch failed: %w", err)
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("HTTP-01: unexpected status %d", resp.StatusCode)

internal/barrier/barrier_test.go

@@ -21,7 +21,7 @@ func setupBarrier(t *testing.T) (*AESGCMBarrier, func()) {
 		t.Fatalf("migrate: %v", err)
 	}
 	b := NewAESGCMBarrier(database)
-	return b, func() { database.Close() }
+	return b, func() { _ = database.Close() }
 }
 
 func TestBarrierSealUnseal(t *testing.T) {
@@ -54,7 +54,7 @@ func TestBarrierPutGet(t *testing.T) {
 	ctx := context.Background()
 
 	mek, _ := crypto.GenerateKey()
-	b.Unseal(mek)
+	_ = b.Unseal(mek)
 
 	data := []byte("test value")
 	if err := b.Put(ctx, "test/path", data); err != nil {
@@ -76,7 +76,7 @@ func TestBarrierGetNotFound(t *testing.T) {
 	ctx := context.Background()
 
 	mek, _ := crypto.GenerateKey()
-	b.Unseal(mek)
+	_ = b.Unseal(mek)
 
 	_, err := b.Get(ctx, "nonexistent")
 	if !errors.Is(err, ErrNotFound) {
@@ -90,9 +90,9 @@ func TestBarrierDelete(t *testing.T) {
 	ctx := context.Background()
 
 	mek, _ := crypto.GenerateKey()
-	b.Unseal(mek)
+	_ = b.Unseal(mek)
 
-	b.Put(ctx, "test/delete-me", []byte("data"))
+	_ = b.Put(ctx, "test/delete-me", []byte("data"))
 	if err := b.Delete(ctx, "test/delete-me"); err != nil {
 		t.Fatalf("Delete: %v", err)
 	}
@@ -108,11 +108,11 @@ func TestBarrierList(t *testing.T) {
 	ctx := context.Background()
 
 	mek, _ := crypto.GenerateKey()
-	b.Unseal(mek)
+	_ = b.Unseal(mek)
 
-	b.Put(ctx, "engine/ca/default/config", []byte("cfg"))
+	_ = b.Put(ctx, "engine/ca/default/config", []byte("cfg"))
-	b.Put(ctx, "engine/ca/default/dek", []byte("key"))
+	_ = b.Put(ctx, "engine/ca/default/dek", []byte("key"))
-	b.Put(ctx, "engine/transit/main/config", []byte("cfg"))
+	_ = b.Put(ctx, "engine/transit/main/config", []byte("cfg"))
 
 	paths, err := b.List(ctx, "engine/ca/")
 	if err != nil {
@@ -148,10 +148,10 @@ func TestBarrierOverwrite(t *testing.T) {
 	ctx := context.Background()
 
 	mek, _ := crypto.GenerateKey()
-	b.Unseal(mek)
+	_ = b.Unseal(mek)
 
-	b.Put(ctx, "test/overwrite", []byte("v1"))
+	_ = b.Put(ctx, "test/overwrite", []byte("v1"))
-	b.Put(ctx, "test/overwrite", []byte("v2"))
+	_ = b.Put(ctx, "test/overwrite", []byte("v2"))
 
 	got, _ := b.Get(ctx, "test/overwrite")
 	if string(got) != "v2" {

internal/config/config_test.go

@@ -21,7 +21,7 @@ server_url = "https://mcias.example.com"
 `
 	dir := t.TempDir()
 	path := filepath.Join(dir, "test.toml")
-	os.WriteFile(path, []byte(content), 0600)
+	_ = os.WriteFile(path, []byte(content), 0600)
 
 	cfg, err := Load(path)
 	if err != nil {
@@ -48,7 +48,7 @@ listen_addr = ":8443"
 `
 	dir := t.TempDir()
 	path := filepath.Join(dir, "test.toml")
-	os.WriteFile(path, []byte(content), 0600)
+	_ = os.WriteFile(path, []byte(content), 0600)
 
 	_, err := Load(path)
 	if err == nil {

internal/db/db_test.go

@@ -13,7 +13,7 @@ func TestOpenAndMigrate(t *testing.T) {
 	if err != nil {
 		t.Fatalf("Open: %v", err)
 	}
-	defer database.Close()
+	defer func() { _ = database.Close() }()
 
 	if err := Migrate(database); err != nil {
 		t.Fatalf("Migrate: %v", err)
@@ -37,7 +37,7 @@ func TestOpenAndMigrate(t *testing.T) {
 
 	// Check migration version.
 	var version int
-	database.QueryRow("SELECT MAX(version) FROM schema_migrations").Scan(&version)
+	_ = database.QueryRow("SELECT MAX(version) FROM schema_migrations").Scan(&version)
 	if version != 1 {
 		t.Errorf("migration version: got %d, want 1", version)
 	}

internal/engine/ca/ca_test.go

@@ -79,7 +79,7 @@ func userCaller() *engine.CallerInfo {
 func setupEngine(t *testing.T) (*CAEngine, *memBarrier) {
 	t.Helper()
 	b := newMemBarrier()
-	eng := NewCAEngine().(*CAEngine)
+	eng := NewCAEngine().(*CAEngine) //nolint:errcheck
 	ctx := context.Background()
 
 	config := map[string]interface{}{
@@ -130,7 +130,7 @@ func TestInitializeWithImportedRoot(t *testing.T) {
 
 	// Now initialize a new engine with the imported root.
 	b := newMemBarrier()
-	eng := NewCAEngine().(*CAEngine)
+	eng := NewCAEngine().(*CAEngine) //nolint:errcheck
 	ctx := context.Background()
 
 	config := map[string]interface{}{
@@ -230,7 +230,7 @@ func TestCreateIssuer(t *testing.T) {
 	}
 
 	// Verify the issuer cert is an intermediate CA signed by root.
-	certPEM := resp.Data["cert_pem"].(string)
+	certPEM := resp.Data["cert_pem"].(string) //nolint:errcheck
 	block, _ := pem.Decode([]byte(certPEM))
 	if block == nil {
 		t.Fatal("failed to decode issuer cert PEM")
@@ -342,7 +342,7 @@ func TestIssueCertificate(t *testing.T) {
 	}
 
 	// Verify the leaf cert.
-	certPEM := resp.Data["cert_pem"].(string)
+	certPEM := resp.Data["cert_pem"].(string) //nolint:errcheck
 	block, _ := pem.Decode([]byte(certPEM))
 	leafCert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
@@ -389,7 +389,7 @@ func TestIssueCertificateWithOverrides(t *testing.T) {
 		t.Fatalf("issue with overrides: %v", err)
 	}
 
-	certPEM := resp.Data["cert_pem"].(string)
+	certPEM := resp.Data["cert_pem"].(string) //nolint:errcheck
 	block, _ := pem.Decode([]byte(certPEM))
 	leafCert, err := x509.ParseCertificate(block.Bytes)
 	if err != nil {
@@ -459,7 +459,7 @@ func TestPrivateKeyNotStoredInBarrier(t *testing.T) {
 		t.Fatalf("issue: %v", err)
 	}
 
-	serial := resp.Data["serial"].(string)
+	serial := resp.Data["serial"].(string) //nolint:errcheck
 
 	// Check that the cert record does not contain a private key.
 	recordData, err := b.Get(ctx, "engine/ca/test/certs/"+serial+".json")
@@ -499,7 +499,7 @@ func TestRenewCertificate(t *testing.T) {
 		t.Fatalf("issue: %v", err)
 	}
 
-	origSerial := issueResp.Data["serial"].(string)
+	origSerial := issueResp.Data["serial"].(string) //nolint:errcheck
 
 	// Renew.
 	renewResp, err := eng.HandleRequest(ctx, &engine.Request{
@@ -513,7 +513,7 @@ func TestRenewCertificate(t *testing.T) {
 		t.Fatalf("renew: %v", err)
 	}
 
-	newSerial := renewResp.Data["serial"].(string)
+	newSerial := renewResp.Data["serial"].(string) //nolint:errcheck
 	if newSerial == origSerial {
 		t.Error("renewed cert should have different serial")
 	}
@@ -575,7 +575,7 @@ func TestGetAndListCerts(t *testing.T) {
 	}
 
 	// Get a specific cert.
-	serial := certs[0]["serial"].(string)
+	serial := certs[0]["serial"].(string) //nolint:errcheck
 	getResp, err := eng.HandleRequest(ctx, &engine.Request{
 		Operation:  "get-cert",
 		CallerInfo: userCaller(),
@@ -607,7 +607,7 @@ func TestUnsealRestoresIssuers(t *testing.T) {
 	}
 
 	// Seal.
-	eng.Seal()
+	_ = eng.Seal()
 
 	// Unseal.
 	if err := eng.Unseal(ctx, b, mountPath); err != nil {

internal/engine/engine_test.go

@@ -98,7 +98,7 @@ func TestRegistryHandleRequest(t *testing.T) {
 	})
 
 	ctx := context.Background()
-	reg.Mount(ctx, "test", EngineTypeTransit, nil)
+	_ = reg.Mount(ctx, "test", EngineTypeTransit, nil)
 
 	resp, err := reg.HandleRequest(ctx, "test", &Request{Operation: "encrypt"})
 	if err != nil {
@@ -121,8 +121,8 @@ func TestRegistrySealAll(t *testing.T) {
 	})
 
 	ctx := context.Background()
-	reg.Mount(ctx, "eng1", EngineTypeTransit, nil)
+	_ = reg.Mount(ctx, "eng1", EngineTypeTransit, nil)
-	reg.Mount(ctx, "eng2", EngineTypeTransit, nil)
+	_ = reg.Mount(ctx, "eng2", EngineTypeTransit, nil)
 
 	if err := reg.SealAll(); err != nil {
 		t.Fatalf("SealAll: %v", err)

internal/policy/policy_test.go

@@ -22,9 +22,9 @@ func setupPolicy(t *testing.T) (*Engine, func()) {
 	}
 	b := barrier.NewAESGCMBarrier(database)
 	mek, _ := crypto.GenerateKey()
-	b.Unseal(mek)
+	_ = b.Unseal(mek)
 	e := NewEngine(b)
-	return e, func() { database.Close() }
+	return e, func() { _ = database.Close() }
 }
 
 func TestAdminBypass(t *testing.T) {
@@ -113,7 +113,7 @@ func TestPolicyPriorityOrder(t *testing.T) {
 	ctx := context.Background()
 
 	// Lower priority number = higher priority. Deny should win.
-	e.CreateRule(ctx, &Rule{
+	_ = e.CreateRule(ctx, &Rule{
 		ID:        "allow-rule",
 		Priority:  200,
 		Effect:    EffectAllow,
@@ -121,7 +121,7 @@ func TestPolicyPriorityOrder(t *testing.T) {
 		Resources: []string{"engine/transit/*"},
 		Actions:   []string{"write"},
 	})
-	e.CreateRule(ctx, &Rule{
+	_ = e.CreateRule(ctx, &Rule{
 		ID:        "deny-rule",
 		Priority:  100,
 		Effect:    EffectDeny,
@@ -146,7 +146,7 @@ func TestPolicyUsernameMatch(t *testing.T) {
 	defer cleanup()
 	ctx := context.Background()
 
-	e.CreateRule(ctx, &Rule{
+	_ = e.CreateRule(ctx, &Rule{
 		ID:        "user-specific",
 		Priority:  100,
 		Effect:    EffectAllow,

internal/seal/seal_test.go

@@ -24,7 +24,7 @@ func setupSeal(t *testing.T) (*Manager, func()) {
 	}
 	b := barrier.NewAESGCMBarrier(database)
 	mgr := NewManager(database, b, slog.Default())
-	return mgr, func() { database.Close() }
+	return mgr, func() { _ = database.Close() }
 }
 
 func TestSealInitializeAndUnseal(t *testing.T) {
@@ -69,11 +69,11 @@ func TestSealInitializeAndUnseal(t *testing.T) {
 func TestSealWrongPassword(t *testing.T) {
 	mgr, cleanup := setupSeal(t)
 	defer cleanup()
-	mgr.CheckInitialized()
+	_ = mgr.CheckInitialized()
 
 	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
-	mgr.Initialize(context.Background(), []byte("correct"), params)
+	_ = mgr.Initialize(context.Background(), []byte("correct"), params)
-	mgr.Seal()
+	_ = mgr.Seal()
 
 	err := mgr.Unseal([]byte("wrong"))
 	if !errors.Is(err, ErrInvalidPassword) {
@@ -84,10 +84,10 @@ func TestSealWrongPassword(t *testing.T) {
 func TestSealDoubleInitialize(t *testing.T) {
 	mgr, cleanup := setupSeal(t)
 	defer cleanup()
-	mgr.CheckInitialized()
+	_ = mgr.CheckInitialized()
 
 	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
-	mgr.Initialize(context.Background(), []byte("password"), params)
+	_ = mgr.Initialize(context.Background(), []byte("password"), params)
 
 	err := mgr.Initialize(context.Background(), []byte("password"), params)
 	if !errors.Is(err, ErrAlreadyInitialized) {
@@ -101,20 +101,20 @@ func TestSealCheckInitializedPersists(t *testing.T) {
 
 	// First: initialize.
 	database, _ := db.Open(dbPath)
-	db.Migrate(database)
+	_ = db.Migrate(database)
 	b := barrier.NewAESGCMBarrier(database)
 	mgr := NewManager(database, b, slog.Default())
-	mgr.CheckInitialized()
+	_ = mgr.CheckInitialized()
 	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
-	mgr.Initialize(context.Background(), []byte("password"), params)
+	_ = mgr.Initialize(context.Background(), []byte("password"), params)
-	database.Close()
+	_ = database.Close()
 
 	// Second: reopen and check.
 	database2, _ := db.Open(dbPath)
-	defer database2.Close()
+	defer func() { _ = database2.Close() }()
 	b2 := barrier.NewAESGCMBarrier(database2)
 	mgr2 := NewManager(database2, b2, slog.Default())
-	mgr2.CheckInitialized()
+	_ = mgr2.CheckInitialized()
 	if mgr2.State() != StateSealed {
 		t.Fatalf("state after reopen: got %v, want Sealed", mgr2.State())
 	}

internal/server/server_test.go

@@ -32,12 +32,12 @@ func setupTestServer(t *testing.T) (*Server, *seal.Manager, chi.Router) {
 	if err != nil {
 		t.Fatalf("open db: %v", err)
 	}
-	t.Cleanup(func() { database.Close() })
+	t.Cleanup(func() { _ = database.Close() })
-	db.Migrate(database)
+	_ = db.Migrate(database)
 
 	b := barrier.NewAESGCMBarrier(database)
 	sealMgr := seal.NewManager(database, b, slog.Default())
-	sealMgr.CheckInitialized()
+	_ = sealMgr.CheckInitialized()
 
 	// Auth requires MCIAS client which we can't create in tests easily,
 	// so we pass nil and avoid auth-dependent routes in these tests.
@@ -80,7 +80,7 @@ func TestStatusEndpoint(t *testing.T) {
 	}
 
 	var resp map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &resp)
+	_ = json.Unmarshal(w.Body.Bytes(), &resp)
 	if resp["state"] != "uninitialized" {
 		t.Errorf("state: got %q, want %q", resp["state"], "uninitialized")
 	}
@@ -99,7 +99,7 @@ func TestInitEndpoint(t *testing.T) {
 	}
 
 	var resp map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &resp)
+	_ = json.Unmarshal(w.Body.Bytes(), &resp)
 	if resp["state"] != "unsealed" {
 		t.Errorf("state: got %q, want %q", resp["state"], "unsealed")
 	}
@@ -118,8 +118,8 @@ func TestUnsealEndpoint(t *testing.T) {
 
 	// Initialize first.
 	params := crypto.Argon2Params{Time: 1, Memory: 64 * 1024, Threads: 1}
-	sealMgr.Initialize(context.Background(), []byte("password"), params)
+	_ = sealMgr.Initialize(context.Background(), []byte("password"), params)
-	sealMgr.Seal()
+	_ = sealMgr.Seal()
 
 	// Unseal with wrong password.
 	body := `{"password":"wrong"}`

internal/webserver/routes.go

@@ -82,7 +82,7 @@ func (ws *WebServer) handleInit(w http.ResponseWriter, r *http.Request) {
 		ws.renderTemplate(w, "init.html", nil)
 	case http.MethodPost:
 		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
-		r.ParseForm()
+		_ = r.ParseForm()
 		password := r.FormValue("password")
 		if password == "" {
 			ws.renderTemplate(w, "init.html", map[string]interface{}{"Error": "Password is required"})
@@ -113,7 +113,7 @@ func (ws *WebServer) handleUnseal(w http.ResponseWriter, r *http.Request) {
 		ws.renderTemplate(w, "unseal.html", nil)
 	case http.MethodPost:
 		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
-		r.ParseForm()
+		_ = r.ParseForm()
 		password := r.FormValue("password")
 		if err := ws.vault.Unseal(r.Context(), password); err != nil {
 			msg := "Invalid password"
@@ -140,7 +140,7 @@ func (ws *WebServer) handleLogin(w http.ResponseWriter, r *http.Request) {
 		ws.renderTemplate(w, "login.html", nil)
 	case http.MethodPost:
 		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
-		r.ParseForm()
+		_ = r.ParseForm()
 		token, err := ws.vault.Login(r.Context(),
 			r.FormValue("username"),
 			r.FormValue("password"),
@@ -188,7 +188,7 @@ func (ws *WebServer) handleDashboardMountCA(w http.ResponseWriter, r *http.Reque
 	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 	if err := r.ParseMultipartForm(1 << 20); err != nil {
 		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
-		r.ParseForm()
+		_ = r.ParseForm()
 	}
 
 	mountName := r.FormValue("name")
@@ -204,12 +204,12 @@ func (ws *WebServer) handleDashboardMountCA(w http.ResponseWriter, r *http.Reque
 
 	var certPEM, keyPEM string
 	if f, _, err := r.FormFile("cert_file"); err == nil {
-		defer f.Close()
+		defer func() { _ = f.Close() }()
 		data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
 		certPEM = string(data)
 	}
 	if f, _, err := r.FormFile("key_file"); err == nil {
-		defer f.Close()
+		defer func() { _ = f.Close() }()
 		data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
 		keyPEM = string(data)
 	}
@@ -291,21 +291,21 @@ func (ws *WebServer) handleImportRoot(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 	if err := r.ParseMultipartForm(1 << 20); err != nil {
 		r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
-		r.ParseForm()
+		_ = r.ParseForm()
 	}
 
 	certPEM := r.FormValue("cert_pem")
 	keyPEM := r.FormValue("key_pem")
 	if certPEM == "" {
 		if f, _, err := r.FormFile("cert_file"); err == nil {
-			defer f.Close()
+			defer func() { _ = f.Close() }()
 			data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
 			certPEM = string(data)
 		}
 	}
 	if keyPEM == "" {
 		if f, _, err := r.FormFile("key_file"); err == nil {
-			defer f.Close()
+			defer func() { _ = f.Close() }()
 			data, _ := io.ReadAll(io.LimitReader(f, 1<<20))
 			keyPEM = string(data)
 		}
@@ -342,7 +342,7 @@ func (ws *WebServer) handleCreateIssuer(w http.ResponseWriter, r *http.Request)
 	}
 
 	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
-	r.ParseForm()
+	_ = r.ParseForm()
 	name := r.FormValue("name")
 	if name == "" {
 		ws.renderPKIWithError(w, r, mountName, info, "Issuer name is required")
@@ -391,7 +391,7 @@ func (ws *WebServer) handlePKIIssuer(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Content-Type", "application/x-pem-file")
 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s.pem", issuerName))
-	w.Write(certPEM)
+	_, _ = w.Write(certPEM) //nolint:gosec
 }
 
 func (ws *WebServer) renderPKIWithError(w http.ResponseWriter, r *http.Request, mountName string, info *TokenInfo, errMsg string) {