From 5a558a2cfb47cf8dbfd66c80bb5480d630a5c0f9 Mon Sep 17 00:00:00 2001 From: Jim Date: Sun, 1 Oct 2023 10:35:56 -0400 Subject: [PATCH] chore: add workflows to check for fmt and copywrite deltas --- .github/workflows/make-gen-delta.yml | 42 ++++++++ Makefile | 17 ++++ go.mod | 11 +- go.sum | 29 ++++-- jwt/docs.go | 26 ++--- jwt/keyset.go | 1 - ldap/client_test.go | 1 - ldap/conn_test.go | 2 +- oidc/access_token.go | 2 +- oidc/callback/authcode_test.go | 1 - oidc/config_test.go | 1 - oidc/docs.go | 6 +- oidc/examples/spa/request_cache.go | 2 - oidc/internal/base62/base62.go | 6 +- oidc/options_test.go | 1 - oidc/pkce_verifier.go | 1 - oidc/provider.go | 3 +- oidc/request_test.go | 1 - oidc/testing_provider.go | 117 +++++++++++----------- saml/models/metadata/entity_descriptor.go | 11 +- saml/response_test.go | 1 - saml/sp_test.go | 2 +- tools/tools.go | 24 +++++ util/util.go | 2 +- 24 files changed, 198 insertions(+), 112 deletions(-) create mode 100644 .github/workflows/make-gen-delta.yml create mode 100644 Makefile create mode 100644 tools/tools.go diff --git a/.github/workflows/make-gen-delta.yml b/.github/workflows/make-gen-delta.yml new file mode 100644 index 0000000..17fe3b6 --- /dev/null +++ b/.github/workflows/make-gen-delta.yml 
@@ -0,0 +1,42 @@
+name: "make-gen-delta"
+on:
+ - workflow_dispatch
+ - push
+ - workflow_call
+
+permissions:
+ contents: read
+
+jobs:
+ make-gen-delta:
+ name: "Check for uncommitted changes from make gen"
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ with:
+ fetch-depth: '0'
+ - name: Determine Go version
+ id: get-go-version
+ # We use .go-version as our source of truth for current Go
+ # version, because "goenv" can react to it automatically.
+ run: |
+ echo "Building with Go $(cat .go-version)"
+ echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT"
+ - name: Set up Go
+ uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
+ with:
+ go-version: "${{ steps.get-go-version.outputs.go-version }}"
+ - name: Running go mod tidy
+ run: |
+ go mod tidy
+ - name: Install Dependencies
+ run: |
+ make tools
+ - name: Running make gen
+ run: |
+ make gen
+ - name: Check for changes
+ run: |
+ git diff --exit-code
+ git status --porcelain
+ test -z "$(git status --porcelain)"
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..e1f9fe8
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,17 @@
+# Format Go files, ignoring files marked as generated through the header defined at
+# https://pkg.go.dev/cmd/go#hdr-Generate_Go_files_by_processing_source
+.PHONY: fmt
+fmt:
+ gofumpt -w $$(find . -name '*.go')
+
+.PHONY: gen
+gen: fmt copywrite
+
+.PHONY: copywrite
+copywrite:
+ copywrite headers
+
+.PHONY: tools
+tools:
+ go generate -tags tools tools/tools.go
+ go install github.com/hashicorp/copywrite@v0.15.0
\ No newline at end of file
diff --git a/go.mod b/go.mod
index 8334f18..6cabc64 100644
--- a/go.mod
+++ b/go.mod
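Review bot: The "Check for changes" step runs `git diff --exit-code` before `git status --porcelain`, so on a failing run the file listing that would explain the failure is never printed, because the job's default fail-fast shell stops at the first non-zero command. Reordering the step to `git status --porcelain`, then `git diff --exit-code`, then the existing `test -z "$(git status --porcelain)"` keeps the same pass/fail outcome while making a red run self-explanatory, and a plain `git diff` ahead of the exit-code check would also put the actual delta in the log. The "Determine Go version" step reads a `.go-version` file that this patch does not add; if it is not already in the repository, `cat` fails and the job goes red for an unrelated reason. Pinning both actions to commit SHAs and limiting the token to `contents: read` is the right shape for a workflow triggered on every push.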
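Review bot: The `fmt` recipe's `gofumpt -w $$(find . -name '*.go')` depends on unquoted word splitting, so a Go path containing whitespace is broken into bogus arguments that gofumpt then fails on; `find . -name '*.go' -exec gofumpt -w {} +` passes the paths through without a second shell parse. Separately, the `tools` target installs copywrite with `go install github.com/hashicorp/copywrite@v0.15.0` while gofumpt is tracked through tools/tools.go and go.sum, so the two tools are pinned by different mechanisms and only gofumpt's content hash is recorded in the repository; if copywrite can be imported as a tool dependency the same way, doing so would make `make tools` reproducible from go.sum alone, and if it cannot, a comment saying why would help the next person who reads the target. The file also lacks a trailing newline, as the `\ No newline at end of file` marker shows.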
@@ -11,21 +11,26 @@ require ( github.com/hashicorp/go-uuid v1.0.3 github.com/stretchr/testify v1.8.1 github.com/yhat/scrape v0.0.0-20161128144610-24b7890b0945 - golang.org/x/net v0.7.0 + golang.org/x/net v0.9.0 golang.org/x/oauth2 v0.5.0 - golang.org/x/text v0.7.0 + golang.org/x/text v0.9.0 + mvdan.cc/gofumpt v0.5.0 ) require ( github.com/davecgh/go-spew v1.1.1 // indirect github.com/fatih/color v1.14.1 // indirect github.com/golang/protobuf v1.5.2 // indirect + github.com/google/go-cmp v0.5.9 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.17 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect golang.org/x/crypto v0.6.0 // indirect - golang.org/x/sys v0.5.0 // indirect + golang.org/x/mod v0.10.0 // indirect + golang.org/x/sync v0.1.0 // indirect + golang.org/x/sys v0.7.0 // indirect + golang.org/x/tools v0.8.0 // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect diff --git a/go.sum b/go.sum index e92c873..7d91435 100644 --- a/go.sum +++ b/go.sum @@ -7,6 +7,7 @@ github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk= github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w= github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg= +github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0XL9UY= github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo= github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -15,8 +16,9 @@ github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= +github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= 
@@ -28,11 +30,11 @@ github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+l github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= -github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= +github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= +github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc= github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= @@ -44,6 +46,7 @@ github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPn github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw= github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo= 
@@ -63,6 +66,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= +golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk= +golang.org/x/mod v0.10.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= 
@@ -70,13 +75,15 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.3.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE= -golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g= -golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= +golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM= +golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= golang.org/x/oauth2 v0.3.0/go.mod h1:rQrIauxkUhJ6CuwEXwymO2/eh4xz2ZWF1nBkcxS+tGk= golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s= golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= +golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -90,8 +97,8 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU= -golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU= +golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA= 
@@ -100,11 +107,13 @@ golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo= -golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= +golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE= +golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= +golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= @@ -120,3 +129,5 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= +mvdan.cc/gofumpt v0.5.0 h1:0EQ+Z56k8tXjj/6TQD25BFNKQXpCvT0rnansIc7Ug5E= +mvdan.cc/gofumpt v0.5.0/go.mod h1:HBeVDtMKRZpXyxFciAirzdKklDlGu8aAy1wEbH5Y9js= diff --git a/jwt/docs.go b/jwt/docs.go index a5d5b7e..8b0c485 100644 
--- a/jwt/docs.go +++ b/jwt/docs.go @@ -13,22 +13,22 @@ JOSE header validation provided by the the package includes the option to valida JWT signature verification is supported by providing keys from the following sources: - - JSON Web Key Set (JWKS) URL - - OIDC Discovery mechanism - - Local public keys + - JSON Web Key Set (JWKS) URL + - OIDC Discovery mechanism + - Local public keys JWT signature verification supports the following asymmetric algorithms as defined in https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1: - - RS256: RSASSA-PKCS1-v1_5 using SHA-256 - - RS384: RSASSA-PKCS1-v1_5 using SHA-384 - - RS512: RSASSA-PKCS1-v1_5 using SHA-512 - - ES256: ECDSA using P-256 and SHA-256 - - ES384: ECDSA using P-384 and SHA-384 - - ES512: ECDSA using P-521 and SHA-512 - - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 - - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 - - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512 - - EdDSA: Ed25519 using SHA-512 + - RS256: RSASSA-PKCS1-v1_5 using SHA-256 + - RS384: RSASSA-PKCS1-v1_5 using SHA-384 + - RS512: RSASSA-PKCS1-v1_5 using SHA-512 + - ES256: ECDSA using P-256 and SHA-256 + - ES384: ECDSA using P-384 and SHA-384 + - ES512: ECDSA using P-521 and SHA-512 + - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 + - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 + - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512 + - EdDSA: Ed25519 using SHA-512 */ package jwt diff --git a/jwt/keyset.go b/jwt/keyset.go index c0e3d1b..a842f49 100644 --- a/jwt/keyset.go +++ b/jwt/keyset.go 
@@ -28,7 +28,6 @@ import ( // KeySet represents a set of keys that can be used to verify the signatures of JWTs. // A KeySet is expected to be backed by a set of local or remote keys. type KeySet interface { - // VerifySignature parses the given JWT, verifies its signature, and returns the claims in its payload. // The given JWT must be of the JWS compact serialization form. VerifySignature(ctx context.Context, token string) (claims map[string]interface{}, err error) diff --git a/ldap/client_test.go b/ldap/client_test.go index b85c7e5..e4007b7 100644 --- a/ldap/client_test.go +++ b/ldap/client_test.go @@ -79,7 +79,6 @@ func TestClient_renderUserSearchFilter(t *testing.T) { assert.Equal(tc.want, f) }) } - } func TestClient_NewClient(t *testing.T) { diff --git a/ldap/conn_test.go b/ldap/conn_test.go index ad73923..e22be8a 100644 --- a/ldap/conn_test.go +++ b/ldap/conn_test.go @@ -35,7 +35,7 @@ func Test_EscapeValue(t *testing.T) { // Fuzz_EscapeValue is only focused on finding panics func Fuzz_EscapeValue(f *testing.F) { - for tc, _ := range testcases { + for tc := range testcases { f.Add(tc) } f.Fuzz(func(t *testing.T, s string) { diff --git a/oidc/access_token.go b/oidc/access_token.go index 9375983..bb01703 100644 --- a/oidc/access_token.go +++ b/oidc/access_token.go @@ -5,7 +5,7 @@ package oidc import "encoding/json" -// AccessToken is an oauth access_token. +// AccessToken is an oauth access_token. type AccessToken string // RedactedAccessToken is the redacted string or json for an oauth access_token. diff --git a/oidc/callback/authcode_test.go b/oidc/callback/authcode_test.go index f5805ee..e18afb9 100644 --- a/oidc/callback/authcode_test.go +++ b/oidc/callback/authcode_test.go @@ -182,7 +182,6 @@ func Test_AuthCodeResponses(t *testing.T) { return } assert.Equal("login successful", string(contents)) - }) } } diff --git a/oidc/config_test.go b/oidc/config_test.go index 43f37e5..4dd3b00 100644 --- a/oidc/config_test.go +++ b/oidc/config_test.go 
@@ -852,7 +852,6 @@ func TestConfig_Hash(t *testing.T) { default: assert.NotEqual(got1, got2) } - }) } } diff --git a/oidc/docs.go b/oidc/docs.go index e7edca0..d768105 100644 --- a/oidc/docs.go +++ b/oidc/docs.go @@ -5,7 +5,6 @@ oidc is a package for writing clients that integrate with OIDC Providers using OIDC flows. - Primary types provided by the package: * Request: represents one OIDC authentication flow for a user. It contains the @@ -26,13 +25,13 @@ signing algorithms, additional scopes requested, etc) capabilities like: generating an auth URL, exchanging codes for tokens, verifying tokens, making user info requests, etc. -The oidc.callback package +# The oidc.callback package The callback package includes handlers (http.HandlerFunc) which can be used for the callback leg an OIDC flow. Callback handlers for both the authorization code flow (with optional PKCE) and the implicit flow are provided. -Example apps +# Example apps Complete concise example solutions: @@ -41,6 +40,5 @@ https://github.com/hashicorp/cap/tree/main/oidc/examples/cli/ * OIDC authentication SPA: https://github.com/hashicorp/cap/tree/main/oidc/examples/spa/ - */ package oidc diff --git a/oidc/examples/spa/request_cache.go b/oidc/examples/spa/request_cache.go index eb58234..4c2169e 100644 --- a/oidc/examples/spa/request_cache.go +++ b/oidc/examples/spa/request_cache.go @@ -25,7 +25,6 @@ func newRequestCache() *requestCache { return &requestCache{ c: map[string]extendedRequest{}, } - } // Read implements the callback.StateReader interface and will delete the state @@ -63,7 +62,6 @@ func (rc *requestCache) SetToken(id string, t oidc.Token) error { return nil } return fmt.Errorf("%s: %s not found", op, id) - } func (rc *requestCache) Delete(id string) { diff --git a/oidc/internal/base62/base62.go b/oidc/internal/base62/base62.go index 9f8c20d..348a040 100644 --- a/oidc/internal/base62/base62.go +++ b/oidc/internal/base62/base62.go 
@@ -12,8 +12,10 @@ import ( uuid "github.com/hashicorp/go-uuid" ) -const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" -const csLen = byte(len(charset)) +const ( + charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + csLen = byte(len(charset)) +) // Random generates a random string using base-62 characters. // Resulting entropy is ~5.95 bits/character. diff --git a/oidc/options_test.go b/oidc/options_test.go index 7df8f0b..3308fab 100644 --- a/oidc/options_test.go +++ b/oidc/options_test.go @@ -33,7 +33,6 @@ func Test_WithNow(t *testing.T) { testOpts := tokenDefaults() testOpts.withNowFunc = testNow testAssertEqualFunc(t, opts.withNowFunc, testNow, "now = %p,want %p", opts.withNowFunc, testNow) - }) t.Run("reqOptions", func(t *testing.T) { opts := getReqOpts(WithNow(testNow)) diff --git a/oidc/pkce_verifier.go b/oidc/pkce_verifier.go index aa31b53..04d3490 100644 --- a/oidc/pkce_verifier.go +++ b/oidc/pkce_verifier.go @@ -26,7 +26,6 @@ const ( // // See: https://tools.ietf.org/html/rfc7636#section-4.1 type CodeVerifier interface { - // Verifier returns the code verifier (see: // https://tools.ietf.org/html/rfc7636#section-4.1) Verifier() string diff --git a/oidc/provider.go b/oidc/provider.go index 6f559d5..0917b92 100644 --- a/oidc/provider.go +++ b/oidc/provider.go @@ -295,7 +295,7 @@ func (p *Provider) Exchange(ctx context.Context, oidcRequest Request, authorizat } // Add the "openid" scope, which is a required scope for oidc flows scopes = append([]string{oidc.ScopeOpenID}, scopes...) - var oauth2Config = oauth2.Config{ + oauth2Config := oauth2.Config{ ClientID: p.config.ClientID, ClientSecret: string(p.config.ClientSecret), RedirectURL: oidcRequest.RedirectURL(), 
@@ -664,7 +664,6 @@ func (p *Provider) HTTPClientContext(ctx context.Context) (context.Context, erro c, err := p.HTTPClient() if err != nil { return nil, fmt.Errorf("%s: %w", op, err) - } // simple to implement as a wrapper for the coreos package return oidc.ClientContext(ctx, c), nil diff --git a/oidc/request_test.go b/oidc/request_test.go index 291391f..1119b87 100644 --- a/oidc/request_test.go +++ b/oidc/request_test.go @@ -108,7 +108,6 @@ func TestRequest_IsExpired(t *testing.T) { require.NoError(err) assert.True(oidcRequest.IsExpired()) }) - } func Test_WithImplicit(t *testing.T) { diff --git a/oidc/testing_provider.go b/oidc/testing_provider.go index 086aa1a..a8c7e5c 100644 --- a/oidc/testing_provider.go +++ b/oidc/testing_provider.go 
@@ -56,88 +56,91 @@ var ( // Once you've started a TestProvider http server with StartTestProvider(...), // the following test endpoints are supported: // -// * GET /.well-known/openid-configuration OIDC Discovery +// - GET /.well-known/openid-configuration OIDC Discovery // -// * GET or POST /authorize OIDC authorization supporting both -// the authorization code flow (with -// optional PKCE) and the implicit -// flow with form_post. +// - GET or POST /authorize OIDC authorization supporting both +// the authorization code flow (with +// optional PKCE) and the implicit +// flow with form_post. // -// * POST /token OIDC token +// - POST /token OIDC token // -// * GET /userinfo OAuth UserInfo +// - GET /userinfo OAuth UserInfo // -// * GET /.well-known/jwks.json JWKs used to verify issued JWT tokens +// - GET /.well-known/jwks.json JWKs used to verify issued JWT tokens // -// Making requests to these endpoints are facilitated by -// * TestProvider.HTTPClient which returns an http.Client for making requests. -// * TestProvider.CACert which the pem-encoded CA certificate used by the HTTPS server. +// Making requests to these endpoints are facilitated by +// +// - TestProvider.HTTPClient which returns an http.Client for making requests. +// +// - TestProvider.CACert which the pem-encoded CA certificate used by the HTTPS server. // // Runtime Configuration: -// * Issuer: Addr() returns the the current base URL for the test provider's -// running webserver, which can be used as an OIDC Issuer for discovery and -// is also used for the iss claim when issuing JWTs. // -// * Relying Party ClientID/ClientSecret: SetClientCreds(...) updates the -// creds and they are empty by default. +// - Issuer: Addr() returns the the current base URL for the test provider's +// running web server, which can be used as an OIDC Issuer for discovery and +// is also used for the iss claim when issuing JWTs. +// +// - Relying Party ClientID/ClientSecret: SetClientCreds(...) 
updates the +// creds and they are empty by default. // -// * Now: SetNowFunc(...) updates the provider's "now" function and time.Now -// is the default. +// - Now: SetNowFunc(...) updates the provider's "now" function and time.Now +// is the default. // -// * Subject: SetExpectedSubject(sub string) configures the expected subject for -// any JWTs issued by the provider (the default is "alice@example.com") +// - Subject: SetExpectedSubject(sub string) configures the expected subject for +// any JWTs issued by the provider (the default is "alice@example.com") // -// * Subject Passwords: SetSubjectInfo(...) configures a subject/password -// dictionary. If configured, then an interactive Login form is presented by -// the /authorize endpoint and the TestProvider becomes an interactive test -// provider using the provided subject/password dictionary. +// - Subject Passwords: SetSubjectInfo(...) configures a subject/password +// dictionary. If configured, then an interactive Login form is presented by +// the /authorize endpoint and the TestProvider becomes an interactive test +// provider using the provided subject/password dictionary. // -// * Expiry: SetExpectedExpiry(exp time.Duration) updates the expiry and -// now + 5 * time.Second is the default. +// - Expiry: SetExpectedExpiry(exp time.Duration) updates the expiry and +// now + 5 * time.Second is the default. // -// * Signing keys: SetSigningKeys(...) updates the keys and a ECDSA P-256 pair -// of priv/pub keys are the default with a signing algorithm of ES256 +// - Signing keys: SetSigningKeys(...) updates the keys and a ECDSA P-256 pair +// of priv/pub keys are the default with a signing algorithm of ES256 // -// * Authorization Code: SetExpectedAuthCode(...) updates the auth code -// required by the /authorize endpoint and the code is empty by default. +// - Authorization Code: SetExpectedAuthCode(...) updates the auth code +// required by the /authorize endpoint and the code is empty by default. 
// -// * Authorization Nonce: SetExpectedAuthNonce(...) updates the nonce required -// by the /authorize endpont and the nonce is empty by default. +// - Authorization Nonce: SetExpectedAuthNonce(...) updates the nonce required +// by the /authorize endpoint and the nonce is empty by default. // -// * Allowed RedirectURIs: SetAllowedRedirectURIs(...) updates the allowed -// redirect URIs and "https://example.com" is the default. +// - Allowed RedirectURIs: SetAllowedRedirectURIs(...) updates the allowed +// redirect URIs and "https://example.com" is the default. // -// * Custom Claims: SetCustomClaims(...) updates custom claims added to JWTs issued -// and the custom claims are empty by default. +// - Custom Claims: SetCustomClaims(...) updates custom claims added to JWTs issued +// and the custom claims are empty by default. // -// * Audiences: SetCustomAudience(...) updates the audience claim of JWTs issued -// and the ClientID is the default. +// - Audiences: SetCustomAudience(...) updates the audience claim of JWTs issued +// and the ClientID is the default. // -// * Authentication Time (auth_time): SetOmitAuthTimeClaim(...) allows you to -// turn off/on the inclusion of an auth_time claim in issued JWTs and the claim -// is included by default. +// - Authentication Time (auth_time): SetOmitAuthTimeClaim(...) allows you to +// turn off/on the inclusion of an auth_time claim in issued JWTs and the claim +// is included by default. // -// * Issuing id_tokens: SetOmitIDTokens(...) allows you to turn off/on the issuing of -// id_tokens from the /token endpoint. id_tokens are issued by default. +// - Issuing id_tokens: SetOmitIDTokens(...) allows you to turn off/on the issuing of +// id_tokens from the /token endpoint. id_tokens are issued by default. // -// * Issuing access_tokens: SetOmitAccessTokens(...) allows you to turn off/on -// the issuing of access_tokens from the /token endpoint. access_tokens are issued -// by default. 
+// - Issuing access_tokens: SetOmitAccessTokens(...) allows you to turn off/on +// the issuing of access_tokens from the /token endpoint. access_tokens are issued +// by default. // -// * Authorization State: SetExpectedState sets the value for the state parameter -// returned from the /authorized endpoint +// - Authorization State: SetExpectedState sets the value for the state parameter +// returned from the /authorized endpoint // -// * Token Responses: SetDisableToken disables the /token endpoint, causing -// it to return a 401 http status. +// - Token Responses: SetDisableToken disables the /token endpoint, causing +// it to return a 401 http status. // -// * Implicit Flow Responses: SetDisableImplicit disables implicit flow responses, -// causing them to return a 401 http status. +// - Implicit Flow Responses: SetDisableImplicit disables implicit flow responses, +// causing them to return a 401 http status. // -// * PKCE verifier: SetPKCEVerifier(oidc.CodeVerifier) sets the PKCE code_verifier -// and PKCEVerifier() returns the current verifier. +// - PKCE verifier: SetPKCEVerifier(oidc.CodeVerifier) sets the PKCE code_verifier +// and PKCEVerifier() returns the current verifier. // -// * UserInfo: SetUserInfoReply sets the UserInfo endpoint response and -// UserInfoReply() returns the current response. +// - UserInfo: SetUserInfoReply sets the UserInfo endpoint response and +// UserInfoReply() returns the current response. type TestProvider struct { httpServer *httptest.Server caCert string @@ -351,7 +354,6 @@ func getTestProviderOpts(t TestingT, opt ...Option) testProviderOptions { } // withTestSubject provides the option to provide a subject -// func withTestSubject(s string) Option { return func(o interface{}) { if o, ok := o.(*testProviderOptions); ok { 
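Review bot: The reflowed Issuer bullet keeps the doubled article in `Addr() returns the the current base URL`, and the two lines introducing the helpers, `Making requests to these endpoints are facilitated by` and `TestProvider.CACert which the pem-encoded CA certificate`, still read as garbled; since gofumpt has already rewritten these lines, this commit is the natural place to change them to `Addr() returns the current base URL`, `Making requests to these endpoints is facilitated by` and `TestProvider.CACert which returns the pem-encoded CA certificate`. The Authorization State bullet says the value is `returned from the /authorized endpoint` while every other bullet names `/authorize`; presumably the same endpoint is meant, so the name should be checked against the handler it documents. The TestProvider struct that this comment describes continues past the end of the hunk.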
@@ -361,7 +363,6 @@ func withTestSubject(s string) Option { } // withTestNonce provides the option to provide a nonce -// func withTestNonce(n string) Option { return func(o interface{}) { if o, ok := o.(*testProviderOptions); ok { diff --git a/saml/models/metadata/entity_descriptor.go b/saml/models/metadata/entity_descriptor.go index 63fc555..dc1fe2c 100644 --- a/saml/models/metadata/entity_descriptor.go +++ b/saml/models/metadata/entity_descriptor.go @@ -152,20 +152,17 @@ type AuthnAuthorityDescriptor struct { NameIDFormats []core.NameIDFormat } -type PDPDescriptor struct { -} +type PDPDescriptor struct{} // AttributeAuthorityDescriptor is a compatibiity requirement // for supporting legacy or other SPs that rely on queries for // attributes. -type AttributeAuthorityDescriptor struct { -} +type AttributeAuthorityDescriptor struct{} // AffiliationDescriptor represents a group of other -// entitites, such as related service providers that +// entities, such as related service providers that // share a persistent NameID. -type AffiliationDescriptor struct { -} +type AffiliationDescriptor struct{} // X509Data contains one ore more identifiers of keys or X509 certifactes. // See https://www.w3.org/TR/xmldsig-core1/#sec-X509Data diff --git a/saml/response_test.go b/saml/response_test.go index 38ebc19..574b38b 100644 --- a/saml/response_test.go +++ b/saml/response_test.go @@ -269,7 +269,6 @@ func TestServiceProvider_ParseResponseCustomACS(t *testing.T) { require.ErrorContains(t, err, c.err) }) } - } // From https://www.samltool.com/generic_sso_res.php diff --git a/saml/sp_test.go b/saml/sp_test.go index 9370fa3..77aabb4 100644 --- a/saml/sp_test.go +++ b/saml/sp_test.go @@ -221,7 +221,7 @@ func Test_ServiceProvider_FetchMetadata_Cache(t *testing.T) { if tt.expectErrorOnRefresh { r.Error(err) return - } + } r.NoError(err) r.NotNil(got2) diff --git a/tools/tools.go b/tools/tools.go new file mode 100644 index 0000000..5446130 --- /dev/null +++ b/tools/tools.go 
@@ -0,0 +1,24 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+//go:build tools
+// +build tools
+
+// This file ensures tool dependencies are kept in sync. This is the
+// recommended way of doing this according to
+// https://github.com/golang/go/wiki/Modules#how-can-i-track-tool-dependencies-for-a-module
+// To install the following tools at the version used by this repo run:
+// $ make tools
+// or
+// $ go generate -tags tools tools/tools.go
+
+package tools
+
+// NOTE: This must not be indented, so to stop goimports from trying to be
+// helpful, it's separated out from the import block below. Please try to keep
+// them in the same order.
+//go:generate go install mvdan.cc/gofumpt
+
+import (
+ _ "mvdan.cc/gofumpt"
+)
diff --git a/util/util.go b/util/util.go
index f2b5f03..0097e50 100644
--- a/util/util.go
+++ b/util/util.go
@@ -31,7 +31,7 @@ func IsWSL() (bool, error) { isDocker := strings.Contains(strings.ToLower(string(cgroupData)), "/docker/") isLxc := strings.Contains(strings.ToLower(string(cgroupData)), "/lxc/") isMsLinux := strings.Contains(strings.ToLower(string(procData)), "microsoft") - + return isMsLinux && !(isDocker || isLxc), nil }
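Review bot: Importing `mvdan.cc/gofumpt` from a file inside the main module makes gofumpt, together with the golang.org/x/tools, x/mod and x/sync requirements the go.mod hunk adds for it, part of this library's published module graph, so every downstream consumer's minimum-version selection now has to satisfy a formatter's dependency set. If that is not intended, the usual alternative is a separate `tools/go.mod` so the tool pins stay out of the library's requirements; the `//go:generate go install mvdan.cc/gofumpt` line works unchanged from inside such a module. The build-constrained file itself is the standard pattern: the installed version comes from go.mod and is verified against go.sum, which is exactly what makes `make tools` reproducible.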