Update golangci-lint to 1.49.0 (gravitational#16507)

Update metalinter, fix a few lint warnings and replace deprecated linters. `deadcode`, `structcheck` and `varcheck` are abandoned and now replaced by [`unused`][1]. Since 1.19, `go fmt` reformats godocs according to https://go.dev/doc/comment. I've done a bulk-reformatting of the codebase to keep the linter happy. Backporting is mostly harmless (the exception being `lib/services/role_test.go`, that for some reason breaks the _old_ linter using the new format). [1]: https://golangci-lint.run/usage/linters/ * Bump golangci-lint version * Replace abandoned linters * Fix bodyclose on lib/auth/github.com * Fix bodyclose on lib/kube/proxy/streamproto/proto_test.go * Fix bodyclose on lib/srv/alpnproxy/proxy_test.go * Fix bodyclose on lib/web/conn_upgrade_test.go * Silence staticcheck on lib/kube/proxy/forwarder_test.go * Silence staticcheck on lib/utils/certs_test.go * Address BuildNameToCertificate deprecation warnings * Run `go fmt ./...` * Run `go fmt ./...` on api/ * Ignore formatting in role_test.go * Remove redundant initializers in lib/srv/uacc/ * Update e/
Somith11 · Sep 19, 2022 · a75fcc2 · a75fcc2
1 parent 739e4e1
commit a75fcc2
Show file tree

Hide file tree

Showing 143 changed files with 700 additions and 624 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -6,6 +6,12 @@ issues:
     - linters:
       - revive
       text: "exported: exported const"
+    # TODO(codingllama): Remove ignore after the new golangci-lint image lands.
+    # For some reason this particular files causes problems between different
+    # goimports versions.
+    - path: lib/services/role_test.go
+      linters:
+      - goimports
   exclude-use-default: true
   max-same-issues: 0
   max-issues-per-linter: 0
@@ -14,7 +20,6 @@ linters:
   disable-all: true
   enable:
     - bodyclose
-    - deadcode
     - depguard
     - goimports
     - gosimple
@@ -23,10 +28,8 @@ linters:
     - misspell
     - revive
     - staticcheck
-    - structcheck
-    - unused
     - unconvert
-    - varcheck
+    - unused
 
 linters-settings:
   depguard:

diff --git a/api/breaker/breaker.go b/api/breaker/breaker.go
@@ -298,10 +298,10 @@ func New(cfg Config) (*CircuitBreaker, error) {
 }
 
 // Execute calls the provided function depending on the CircuitBreaker state.
-// - StateStandby: all functions are executed.
-// - StateTripped: no functions are executed and ErrStateTripped is returned.
-// - StateRecovering: some functions are executed, some functions are not,
-//                    when not executed ErrLimitExceeded is returned.
+//   - StateStandby: all functions are executed.
+//   - StateTripped: no functions are executed and ErrStateTripped is returned.
+//   - StateRecovering: some functions are executed, some functions are not,
+//     when not executed ErrLimitExceeded is returned.
 //
 // The CircuitBreaker state is updated according to the outcome of executing the
 // provided function and the current state. See package docs for a more detailed

diff --git a/api/breaker/doc.go b/api/breaker/doc.go
@@ -30,5 +30,4 @@
 //
 // * Config.OnTripped is called on transition (StateStandby -> StateTripped)
 // * Config.OnStandBy is called on transition (StateRecovering -> StateStandby)
-//
 package breaker
diff --git a/api/client/credentials.go b/api/client/credentials.go
@@ -83,7 +83,8 @@ func (c *tlsConfigCreds) SSHClientConfig() (*ssh.ClientConfig, error) {
 // KeyPair Credentials can only be used to connect directly to a Teleport Auth server.
 //
 // New KeyPair files can be generated with tsh or tctl.
-//  $ tctl auth sign --format=tls --user=api-user --out=path/to/certs
+//
+//	$ tctl auth sign --format=tls --user=api-user --out=path/to/certs
 //
 // The certificates' time to live can be specified with --ttl.
 //
@@ -142,8 +143,9 @@ func (c *keypairCreds) SSHClientConfig() (*ssh.ClientConfig, error) {
 // or through a reverse tunnel.
 //
 // A new identity file can be generated with tsh or tctl.
-//  $ tsh login --user=api-user --out=identity-file-path
-//  $ tctl auth sign --user=api-user --out=identity-file-path
+//
+//	$ tsh login --user=api-user --out=identity-file-path
+//	$ tctl auth sign --user=api-user --out=identity-file-path
 //
 // The identity file's time to live can be specified with --ttl.
 //
@@ -212,8 +214,9 @@ func (c *identityCredsFile) load() error {
 // or through a reverse tunnel.
 //
 // A new identity file can be generated with tsh or tctl.
-//  $ tsh login --user=api-user --out=identity-file-path
-//  $ tctl auth sign --user=api-user --out=identity-file-path
+//
+//	$ tsh login --user=api-user --out=identity-file-path
+//	$ tctl auth sign --user=api-user --out=identity-file-path
 //
 // The identity file's time to live can be specified with --ttl.
 //
@@ -288,7 +291,8 @@ func (c *identityCredsString) load() error {
 // tunnel address and make a connection through it.
 //
 // A new profile can be generated with tsh.
-//  $ tsh login --user=api-user
+//
+//	$ tsh login --user=api-user
 func LoadProfile(dir, name string) Credentials {
 	return &profileCreds{
 		dir:  dir,

diff --git a/api/client/doc_test.go b/api/client/doc_test.go
@@ -129,7 +129,9 @@ func ExampleNew() {
 }
 
 // Generate tsh profile with tsh.
-//  $ tsh login --user=api-user
+//
+//	$ tsh login --user=api-user
+//
 // Load credentials from the default directory and current profile, or specify the directory and profile.
 func ExampleCredentials_loadProfile() {
 	client.LoadProfile("", "")
@@ -143,8 +145,10 @@ func ExampleLoadProfile() {
 }
 
 // Generate identity file with tsh or tctl.
-//  $ tsh login --user=api-user --out=identity-file-path
-//  $ tctl auth sign --user=api-user --out=identity-file-path
+//
+//	$ tsh login --user=api-user --out=identity-file-path
+//	$ tctl auth sign --user=api-user --out=identity-file-path
+//
 // Load credentials from the specified identity file.
 func ExampleCredentials_loadIdentity() {
 	client.LoadIdentityFile("identity-file-path")
@@ -156,9 +160,11 @@ func ExampleLoadIdentityFile() {
 }
 
 // Generate identity file with tsh or tctl.
-//  $ tsh login --user=api-user --out=identity-file-path
-//  $ tctl auth sign --user=api-user --out=identity-file-path
-//  $ export TELEPORT_IDENTITY=$(cat identity-file-path)
+//
+//	$ tsh login --user=api-user --out=identity-file-path
+//	$ tctl auth sign --user=api-user --out=identity-file-path
+//	$ export TELEPORT_IDENTITY=$(cat identity-file-path)
+//
 // Load credentials from the envrironment variable.
 func ExampleCredentials_loadIdentityString() {
 	client.LoadIdentityFileFromString(os.Getenv("TELEPORT_IDENTITY"))
@@ -170,7 +176,9 @@ func ExampleLoadIdentityFileFromString() {
 }
 
 // Generate certificate key pair with tctl.
-//  $ tctl auth sign --format=tls --user=api-user --out=path/to/certs
+//
+//	$ tctl auth sign --format=tls --user=api-user --out=path/to/certs
+//
 // Load credentials from the specified certificate files.
 func ExampleCredentials_loadKeyPair() {
 	client.LoadKeyPair(

diff --git a/api/client/webclient/webclient.go b/api/client/webclient/webclient.go
@@ -105,8 +105,9 @@ func newWebClient(cfg *Config) (*http.Client, error) {
 
 // doWithFallback attempts to execute an HTTP request using https, and then
 // fall back to plain HTTP under certain, very specific circumstances.
-//  * The caller must specifically allow it via the allowPlainHTTP parameter, and
-//  * The target host must resolve to the loopback address.
+//   - The caller must specifically allow it via the allowPlainHTTP parameter, and
+//   - The target host must resolve to the loopback address.
+//
 // If these conditions are not met, then the plain-HTTP fallback is not allowed,
 // and a the HTTPS failure will be considered final.
 func doWithFallback(clt *http.Client, allowPlainHTTP bool, extraHeaders map[string]string, req *http.Request) (*http.Response, error) {

diff --git a/api/profile/profile.go b/api/profile/profile.go
@@ -49,7 +49,6 @@ const (
 //
 // Profiles can be stored in a profile file, allowing TSH users to
 // type fewer CLI args.
-//
 type Profile struct {
 	// WebProxyAddr is the host:port the web proxy can be accessed at.
 	WebProxyAddr string `yaml:"web_proxy_addr,omitempty"`

diff --git a/api/types/system_role_test.go b/api/types/system_role_test.go
@@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
-    http://www.apache.org/licenses/LICENSE-2.0
+	http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,

diff --git a/api/utils/conv.go b/api/utils/conv.go
@@ -32,24 +32,23 @@ import (
 //
 // Example: assume you have two structs:
 //
-// type A struct {
-//     Name string `json:"name"`
-//	   Age  int    `json:"age"`
-// }
+//	type A struct {
+//	    Name string `json:"name"`
+//		   Age  int    `json:"age"`
+//	}
 //
-// type B struct {
-//	   FullName string `json:"name"`
-// }
+//	type B struct {
+//		   FullName string `json:"name"`
+//	}
 //
 // Now you can convert B to A:
 //
-//		b := &B{ FullName: "Bob Dilan"}
-//		var a *A
-//		utils.ObjectToStruct(b, &a)
-//		fmt.Println(a.Name)
-//
-//  > "Bob Dilan"
+//			b := &B{ FullName: "Bob Dilan"}
+//			var a *A
+//			utils.ObjectToStruct(b, &a)
+//			fmt.Println(a.Name)
 //
+//	 > "Bob Dilan"
 func ObjectToStruct(in interface{}, out interface{}) error {
 	bytes, err := json.Marshal(in)
 	if err != nil {

diff --git a/build.assets/Dockerfile b/build.assets/Dockerfile
@@ -165,9 +165,7 @@ ENV GOPATH="/go" \
 RUN go install github.com/google/[email protected]
 
 # Install golangci-lint.
-RUN (curl -L https://github.com/golangci/golangci-lint/releases/download/v1.46.0/golangci-lint-1.46.0-$(go env GOOS)-$(go env GOARCH).tar.gz | tar -xz && \
-     cp golangci-lint-1.46.0-$(go env GOOS)-$(go env GOARCH)/golangci-lint /bin/ && \
-     rm -r golangci-lint*)
+RUN go install github.com/golangci/golangci-lint/cmd/[email protected]
 
 # Install helm.
 RUN (mkdir -p helm-tarball && curl -L https://get.helm.sh/helm-v3.5.2-$(go env GOOS)-$(go env GOARCH).tar.gz | tar -C helm-tarball -xz && \

diff --git a/doc.go b/doc.go
@@ -18,23 +18,25 @@ of Linux servers via SSH or HTTPS. It is intended to be used instead of sshd.
 
 Teleport enables teams to easily adopt the best SSH practices like:
 
-	- No need to distribute keys: Teleport uses certificate-based access with
-	  automatic expiration time.
-	- Enforcement of 2nd factor authentication.
-	- Cluster introspection: every Teleport node becomes a part of a cluster
-	  and is visible on the Web UI.
-	- Record and replay SSH sessions for knowledge sharing and auditing purposes.
-	- Collaboratively troubleshoot issues through session sharing.
-	- Connect to clusters located behind firewalls without direct Internet
-	  access via SSH bastions.
-	- Ability to integrate SSH credentials with your organization identities
-	  via OAuth (Google Apps, Github).
-	- Keep the full audit log of all SSH sessions within a cluster.
+  - No need to distribute keys: Teleport uses certificate-based access with
+    automatic expiration time.
+  - Enforcement of 2nd factor authentication.
+  - Cluster introspection: every Teleport node becomes a part of a cluster
+    and is visible on the Web UI.
+  - Record and replay SSH sessions for knowledge sharing and auditing purposes.
+  - Collaboratively troubleshoot issues through session sharing.
+  - Connect to clusters located behind firewalls without direct Internet
+    access via SSH bastions.
+  - Ability to integrate SSH credentials with your organization identities
+    via OAuth (Google Apps, Github).
+  - Keep the full audit log of all SSH sessions within a cluster.
 
 Teleport web site:
+
 	https://gravitational.com/teleport/
 
 Teleport on Github:
+
 	https://github.com/gravitational/teleport
 */
 package teleport
diff --git a/dronegen/os_repos.go b/dronegen/os_repos.go
@@ -31,11 +31,11 @@ func promoteBuildOsRepoPipelines() []pipeline {
 
 // Used for one-off migrations of older versions.
 // Use cases include:
-//  * We want to support another OS while providing backwards compatibility
-//  * We want to support another OS version while providing backwards compatibility
-//  * A customer wants to be able to install an older version via APT/YUM even if we
-//      no longer support it
-//  * RPM migrations after new YUM pipeline is done
+//   - We want to support another OS while providing backwards compatibility
+//   - We want to support another OS version while providing backwards compatibility
+//   - A customer wants to be able to install an older version via APT/YUM even if we
+//     no longer support it
+//   - RPM migrations after new YUM pipeline is done
 func artifactMigrationPipeline() []pipeline {
 	migrationVersions := []string{
 		// These versions were migrated as a part of the new `promoteAptPipeline`

diff --git a/e b/e
diff --git a/integration/kube_integration_test.go b/integration/kube_integration_test.go
@@ -1213,13 +1213,11 @@ func tlsClientConfig(cfg *rest.Config) (*tls.Config, error) {
 		return nil, trace.BadParameter("failed to append certs from PEM")
 	}
 
-	tlsConfig := &tls.Config{
+	return &tls.Config{
 		RootCAs:      pool,
 		Certificates: []tls.Certificate{cert},
 		ClientAuth:   tls.RequireAndVerifyClientCert,
-	}
-	tlsConfig.BuildNameToCertificate()
-	return tlsConfig, nil
+	}, nil
 }
 
 func kubeProxyTLSConfig(cfg kube.ProxyConfig) (*tls.Config, error) {

diff --git a/integration/main_test.go b/integration/main_test.go
@@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
 
-    http://www.apache.org/licenses/LICENSE-2.0
+	http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,

diff --git a/lib/auth/accountrecovery_test.go b/lib/auth/accountrecovery_test.go
@@ -42,10 +42,10 @@ import (
 )
 
 // TestGenerateAndUpsertRecoveryCodes tests the following:
-//  - generation of recovery codes are of correct format
-//  - recovery codes are upserted
-//  - recovery codes can be verified and marked used
-//  - reusing a used or non-existing token returns error
+//   - generation of recovery codes are of correct format
+//   - recovery codes are upserted
+//   - recovery codes can be verified and marked used
+//   - reusing a used or non-existing token returns error
 func TestGenerateAndUpsertRecoveryCodes(t *testing.T) {
 	t.Parallel()
 	srv := newTestTLSServer(t)

diff --git a/lib/auth/apiserver.go b/lib/auth/apiserver.go
@@ -1040,11 +1040,12 @@ type githubAuthRawResponse struct {
 	HostSigners []json.RawMessage `json:"host_signers"`
 }
 
-/* validateGithubAuthRequest validates Github auth callback redirect
+/*
+validateGithubAuthRequest validates Github auth callback redirect
 
-   POST /:version/github/requests/validate
+	POST /:version/github/requests/validate
 
-   Success response: githubAuthRawResponse
+	Success response: githubAuthRawResponse
 */
 func (s *APIServer) validateGithubAuthCallback(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
 	var req validateGithubAuthCallbackReq
@@ -1085,9 +1086,10 @@ func (s *APIServer) validateGithubAuthCallback(auth ClientI, w http.ResponseWrit
 // HTTP GET /:version/events?query
 //
 // Query fields:
-//	'from'  : time filter in RFC3339 format
-//	'to'    : time filter in RFC3339 format
-//  ...     : other fields are passed directly to the audit backend
+//
+//		'from'  : time filter in RFC3339 format
+//		'to'    : time filter in RFC3339 format
+//	 ...     : other fields are passed directly to the audit backend
 func (s *APIServer) searchEvents(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
 	var err error
 	to := time.Now().In(time.UTC)
@@ -1168,8 +1170,9 @@ func (s *APIServer) searchSessionEvents(auth ClientI, w http.ResponseWriter, r *
 
 // HTTP GET /:version/sessions/:id/stream?offset=x&bytes=y
 // Query parameters:
-//   "offset"   : bytes from the beginning
-//   "bytes"    : number of bytes to read (it won't return more than 512Kb)
+//
+//	"offset"   : bytes from the beginning
+//	"bytes"    : number of bytes to read (it won't return more than 512Kb)
 func (s *APIServer) getSessionChunk(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
 	sid, err := session.ParseID(p.ByName("id"))
 	if err != nil {
@@ -1206,7 +1209,8 @@ func (s *APIServer) getSessionChunk(auth ClientI, w http.ResponseWriter, r *http
 
 // HTTP GET /:version/sessions/:id/events?maxage=n
 // Query:
-//    'after' : cursor value to return events newer than N. Defaults to 0, (return all)
+//
+//	'after' : cursor value to return events newer than N. Defaults to 0, (return all)
 func (s *APIServer) getSessionEvents(auth ClientI, w http.ResponseWriter, r *http.Request, p httprouter.Params, version string) (interface{}, error) {
 	sid, err := session.ParseID(p.ByName("id"))
 	if err != nil {

diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
@@ -3790,15 +3790,15 @@ func (a *ServerWithRoles) SignDatabaseCSR(ctx context.Context, req *proto.Databa
 //
 // This certificate can be requested by:
 //
-//  - Cluster administrator using "tctl auth sign --format=db" command locally
-//    on the auth server to produce a certificate for configuring a self-hosted
-//    database.
-//  - Remote user using "tctl auth sign --format=db" command with a remote
-//    proxy (e.g. Teleport Cloud), as long as they can impersonate system
-//    role Db.
-//  - Database service when initiating connection to a database instance to
-//    produce a client certificate.
-//  - Proxy service when generating mTLS files to a database
+//   - Cluster administrator using "tctl auth sign --format=db" command locally
+//     on the auth server to produce a certificate for configuring a self-hosted
+//     database.
+//   - Remote user using "tctl auth sign --format=db" command with a remote
+//     proxy (e.g. Teleport Cloud), as long as they can impersonate system
+//     role Db.
+//   - Database service when initiating connection to a database instance to
+//     produce a client certificate.
+//   - Proxy service when generating mTLS files to a database
 func (a *ServerWithRoles) GenerateDatabaseCert(ctx context.Context, req *proto.DatabaseCertRequest) (*proto.DatabaseCertResponse, error) {
 	// Check if the User can `create` DatabaseCertificates
 	err := a.action(apidefaults.Namespace, types.KindDatabaseCertificate, types.VerbCreate)