lint

authorize/evaluator/opa/opa.go

@@ -5,5 +5,6 @@ package opa
 import _ "embed" // to embed files
 
 // HeadersRego is the headers.rego script.
+//
 //go:embed policy/headers.rego
 var HeadersRego string

cmd/pomerium/main.go

@@ -1,3 +1,4 @@
+// Package main contains pomerium
 package main
 
 import (

integration/cmd/pomerium-integration-tests/main.go

@@ -1,3 +1,4 @@
+// Package main contains the pomerium integration tests
 package main
 
 import (
@@ -78,12 +79,12 @@ func runGenerateConfiguration(ctx context.Context) error {
 		}
 		asYAML, _ := yaml.JSONToYAML([]byte(contents))
 
-		err = os.MkdirAll(filepath.Dir(dstPath), 0755)
+		err = os.MkdirAll(filepath.Dir(dstPath), 0o755)
 		if err != nil {
 			return fmt.Errorf("error creating directory (path=%s): %w", dstPath, err)
 		}
 
-		err = os.WriteFile(dstPath, asYAML, 0600)
+		err = os.WriteFile(dstPath, asYAML, 0o600)
 		if err != nil {
 			return fmt.Errorf("error writing file (path=%s): %w", dstPath, err)
 		}

integration/main_test.go

@@ -1,3 +1,4 @@
+// Package main contains the pomerium integration tests
 package main
 
 import (

internal/directory/azure/delta.go

@@ -51,10 +51,10 @@ func newDeltaCollection(p *Provider) *deltaCollection {
 //
 // It involves 4 steps:
 //
-//   1. an initial request to /v1.0/groups/delta
-//   2. one or more requests to /v1.0/groups/delta?$skiptoken=..., which comes from the @odata.nextLink
-//   3. a final response with @odata.deltaLink
-//   4. on the next call to sync, starting at @odata.deltaLink
+//  1. an initial request to /v1.0/groups/delta
+//  2. one or more requests to /v1.0/groups/delta?$skiptoken=..., which comes from the @odata.nextLink
+//  3. a final response with @odata.deltaLink
+//  4. on the next call to sync, starting at @odata.deltaLink
 //
 // Only the changed groups/members are returned. Removed groups/members have an @removed property.
 func (dc *deltaCollection) Sync(ctx context.Context) error {

internal/identity/claims.go

@@ -65,8 +65,7 @@ func (claims Claims) Claims(v interface{}) error {
 
 // Flatten flattens the claims to a FlattenedClaims map. For example:
 //
-//   { "a": { "b": { "c": 12345 } } } => { "a.b.c": [12345] }
-//
+//	{ "a": { "b": { "c": 12345 } } } => { "a.b.c": [12345] }
 func (claims Claims) Flatten() FlattenedClaims {
 	flattened := make(FlattenedClaims)
 	for k, v := range claims {

internal/identity/oidc/google/google.go

@@ -29,8 +29,9 @@ var defaultScopes = []string{oidc.ScopeOpenID, "profile", "email"}
 // having the user select which Google account they'd like to use.
 //
 // For more details, please see google's documentation:
-// 	https://developers.google.com/identity/protocols/oauth2/web-server#offline
-// 	https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
+//
+//	https://developers.google.com/identity/protocols/oauth2/web-server#offline
+//	https://developers.google.com/identity/protocols/oauth2/openid-connect#authenticationuriparameters
 var defaultAuthCodeOptions = map[string]string{"prompt": "select_account consent", "access_type": "offline"}
 
 // Provider is a Google implementation of the Authenticator interface.

internal/redisutil/client.go

@@ -100,27 +100,26 @@ func NewClientFromURL(rawURL string, tlsConfig *tls.Config) (redis.UniversalClie
 
 // ParseClusterURL parses a redis-cluster URL. Format is:
 //
-//    redis+cluster://[username:password@]host:port[,host2:port2,...]/[?param1=value1[&param2=value=2&...]]
+//	redis+cluster://[username:password@]host:port[,host2:port2,...]/[?param1=value1[&param2=value=2&...]]
 //
 // Additionally TLS is supported with rediss+cluster, or redis+clusters. Supported query params:
 //
-//    max_redirects: int
-//    read_only: bool
-//    route_by_latency: bool
-//    route_randomly: bool
-//    max_retries: int
-//    min_retry_backoff: duration
-//    max_retry_backoff: duration
-//    dial_timeout: duration
-//    read_timeout: duration
-//    write_timeout: duration
-//    pool_size: int
-//    min_idle_conns: int
-//    max_conn_age: duration
-//    pool_timeout: duration
-//    idle_timeout: duration
-//    idle_check_frequency: duration
-//
+//	max_redirects: int
+//	read_only: bool
+//	route_by_latency: bool
+//	route_randomly: bool
+//	max_retries: int
+//	min_retry_backoff: duration
+//	max_retry_backoff: duration
+//	dial_timeout: duration
+//	read_timeout: duration
+//	write_timeout: duration
+//	pool_size: int
+//	min_idle_conns: int
+//	max_conn_age: duration
+//	pool_timeout: duration
+//	idle_timeout: duration
+//	idle_check_frequency: duration
 func ParseClusterURL(rawurl string) (*redis.ClusterOptions, error) {
 	u, err := url.Parse(rawurl)
 	if err != nil {
@@ -203,28 +202,27 @@ func ParseClusterURL(rawurl string) (*redis.ClusterOptions, error) {
 
 // ParseSentinelURL parses a redis-sentinel URL. Format is based on https://github.com/exponea/redis-sentinel-url:
 //
-//    redis+sentinel://[:password@]host:port[,host2:port2,...][/service_name[/db]][?param1=value1[&param2=value=2&...]]
+//	redis+sentinel://[:password@]host:port[,host2:port2,...][/service_name[/db]][?param1=value1[&param2=value=2&...]]
 //
 // Additionally TLS is supported with rediss+sentinel, or redis+sentinels. Supported query params:
 //
-//    slave_only: bool
-//    use_disconnected_slaves: bool
-//    query_sentinel_randomly: bool
-//    username: string (username for redis connection)
-//    password: string (password for redis connection)
-//    max_retries: int
-//    min_retry_backoff: duration
-//    max_retry_backoff: duration
-//    dial_timeout: duration
-//    read_timeout: duration
-//    write_timeout: duration
-//    pool_size: int
-//    min_idle_conns: int
-//    max_conn_age: duration
-//    pool_timeout: duration
-//    idle_timeout: duration
-//    idle_check_frequency: duration
-//
+//	slave_only: bool
+//	use_disconnected_slaves: bool
+//	query_sentinel_randomly: bool
+//	username: string (username for redis connection)
+//	password: string (password for redis connection)
+//	max_retries: int
+//	min_retry_backoff: duration
+//	max_retry_backoff: duration
+//	dial_timeout: duration
+//	read_timeout: duration
+//	write_timeout: duration
+//	pool_size: int
+//	min_idle_conns: int
+//	max_conn_age: duration
+//	pool_timeout: duration
+//	idle_timeout: duration
+//	idle_check_frequency: duration
 func ParseSentinelURL(rawurl string) (*redis.FailoverOptions, error) {
 	u, err := url.Parse(rawurl)
 	if err != nil {

internal/tests/xdserr/cmd/main.go

@@ -1,3 +1,4 @@
+// Package main contains the xdserr cmd
 package main
 
 import (
@@ -189,7 +190,8 @@ func saveConfig(ctx context.Context, client databroker.DataBrokerServiceClient,
 			Type: any.GetTypeUrl(),
 			Id:   "test_config",
 			Data: any,
-		}}})
+		}},
+	})
 	if err != nil {
 		return err
 	}

internal/tripper/chain.go

@@ -22,17 +22,23 @@ func NewChain(constructors ...Constructor) Chain {
 }
 
 // Then chains the trippers and returns the final http.RoundTripper.
-//     NewChain(m1, m2, m3).Then(h)
+//
+//	NewChain(m1, m2, m3).Then(h)
+//
 // is equivalent to:
-//     m1(m2(m3(h)))
+//
+//	m1(m2(m3(h)))
+//
 // When the request comes in, it will be passed to m1, then m2, then m3
 // and finally, the given roundtripper
 // (assuming every tripper calls the following one).
 //
 // A chain can be safely reused by calling Then() several times.
-//     stdStack := tripper.NewChain(ratelimitTripper, csrfTripper)
-//     tracePipe = stdStack.Then(traceTripper)
-//     authPipe = stdStack.Then(authTripper)
+//
+//	stdStack := tripper.NewChain(ratelimitTripper, csrfTripper)
+//	tracePipe = stdStack.Then(traceTripper)
+//	authPipe = stdStack.Then(authTripper)
+//
 // Note that constructors are called on every call to Then()
 // and thus several instances of the same tripper will be created
 // when a chain is reused in this way.
@@ -56,10 +62,10 @@ func (c Chain) Then(h http.RoundTripper) http.RoundTripper {
 //
 // Append returns a new chain, leaving the original one untouched.
 //
-//     stdChain := middleware.NewChain(m1, m2)
-//     extChain := stdChain.Append(m3, m4)
-//     // requests in stdChain go m1 -> m2
-//     // requests in extChain go m1 -> m2 -> m3 -> m4
+//	stdChain := middleware.NewChain(m1, m2)
+//	extChain := stdChain.Append(m3, m4)
+//	// requests in stdChain go m1 -> m2
+//	// requests in extChain go m1 -> m2 -> m3 -> m4
 func (c Chain) Append(constructors ...Constructor) Chain {
 	newCons := make([]Constructor, 0, len(c.constructors)+len(constructors))
 	newCons = append(newCons, c.constructors...)

internal/urlutil/signed.go

@@ -22,8 +22,7 @@ type SignedURL struct {
 
 // NewSignedURL creates a new copy of a URL that can be signed with a shared key.
 //
-// N.B. It is the user's responsibility to make sure the key is 256 bits and
-// 		the url is not nil.
+// N.B. It is the user's responsibility to make sure the key is 256 bits and the url is not nil.
 func NewSignedURL(key []byte, uri *url.URL) *SignedURL {
 	return &SignedURL{uri: *uri, key: key, timeNow: time.Now} // uri is copied
 }

pkg/cmd/pomerium/pomerium.go

@@ -1,5 +1,4 @@
 // Package pomerium houses the main pomerium CLI command.
-//
 package pomerium
 
 import (

pkg/contextutil/contextutil_test.go

@@ -10,11 +10,15 @@ import (
 
 func TestMerge(t *testing.T) {
 	t.Run("value", func(t *testing.T) {
-		ctx1 := context.WithValue(context.Background(), "key1", "value1")
-		ctx2 := context.WithValue(context.Background(), "key2", "value2")
+		type contextKey string
+		k1 := contextKey("key1")
+		k2 := contextKey("key2")
+
+		ctx1 := context.WithValue(context.Background(), k1, "value1")
+		ctx2 := context.WithValue(context.Background(), k2, "value2")
 		ctx3, _ := Merge(ctx1, ctx2)
-		assert.Equal(t, "value1", ctx3.Value("key1"))
-		assert.Equal(t, "value2", ctx3.Value("key2"))
+		assert.Equal(t, "value1", ctx3.Value(k1))
+		assert.Equal(t, "value2", ctx3.Value(k2))
 	})
 	t.Run("cancel", func(t *testing.T) {
 		ctx1, cancel1 := context.WithCancel(context.Background())

pkg/cryptutil/certificates_test.go

@@ -12,7 +12,8 @@ import (
 
 // A keypair for NIST P-256 / secp256r1
 // Generated using:
-//   openssl ecparam -genkey -name prime256v1 -outform PEM
+//
+//	openssl ecparam -genkey -name prime256v1 -outform PEM
 var pemECPrivateKeyP256 = `-----BEGIN EC PARAMETERS-----
 BggqhkjOPQMBBw==
 -----END EC PARAMETERS-----

pkg/cryptutil/kek.go

@@ -24,7 +24,6 @@ import (
 //   - Our KEKs are asymmetric Curve25519 keys. We use the *public* key to encrypt the DEK so only the *private* key can
 //     decrypt it.
 //   - Our DEKs are symmetric XChaCha20Poly1305 keys.
-//
 type KeyEncryptionKey interface {
 	ID() string
 	KeyBytes() []byte

pkg/cryptutil/x509_test.go

@@ -9,8 +9,9 @@ import (
 )
 
 // generated using:
-//   openssl genpkey -algorithm x25519 -out priv.pem
-//   openssl pkey -in priv.pem -out pub.pem -pubout
+//
+//	openssl genpkey -algorithm x25519 -out priv.pem
+//	openssl pkey -in priv.pem -out pub.pem -pubout
 var (
 	rawPrivateX25519Key = []byte(`-----BEGIN PRIVATE KEY-----
 MC4CAQAwBQYDK2VuBCIEIKALoNgzCksH0v0Bc7Ghl8vGin4MAIKpmtZSmaMN0Vtb

pkg/encoding/base58/doc.go

@@ -8,7 +8,7 @@
 Package base58 provides an API for working with modified base58 and Base58Check
 encodings.
 
-Modified Base58 Encoding
+# Modified Base58 Encoding
 
 Standard base58 encoding is similar to standard base64 encoding except, as the
 name implies, it uses a 58 character alphabet which results in an alphanumeric

pkg/grpc/databroker/leaser.go

@@ -59,7 +59,6 @@ func NewLeasers(leaseName string, ttl time.Duration, client DataBrokerServiceCli
 //
 // 1. ctx is canceled
 // 2. a non-cancel error is returned from handler
-//
 func (locker *Leaser) Run(ctx context.Context) error {
 	retryTicker := time.NewTicker(locker.ttl / 2)
 	defer retryTicker.Stop()

pkg/policy/criteria/criteria.go

@@ -179,8 +179,7 @@ func NewCriterionSessionRule(
 
 // NewCriterionTerm creates a new rego term for a criterion:
 //
-//    [true, {"reason"}]
-//
+//	[true, {"reason"}]
 func NewCriterionTerm(value bool, reasons ...Reason) *ast.Term {
 	var terms []*ast.Term
 	for _, r := range reasons {
@@ -194,8 +193,7 @@ func NewCriterionTerm(value bool, reasons ...Reason) *ast.Term {
 
 // NewCriterionTermWithAdditionalData creates a new rego term for a criterion with additional data:
 //
-//    [true, {"reason"}, {"key": "value"}]
-//
+//	[true, {"reason"}, {"key": "value"}]
 func NewCriterionTermWithAdditionalData(value bool, reason Reason, additionalData map[string]interface{}) *ast.Term {
 	var kvs [][2]*ast.Term
 	for k, v := range additionalData {

pkg/policy/parser/grammar.go

@@ -91,9 +91,8 @@ func RulesFromArray(a Array) ([]Rule, error) {
 //
 // One form is supported:
 //
-// 1. An object where the keys are the actions and the values are an object with "and", "or", or "not" fields:
-//    `{ "allow": { "and": [ {"groups": "group1"} ] } }`
-//
+//  1. An object where the keys are the actions and the values are an object with "and", "or", or "not" fields:
+//     `{ "allow": { "and": [ {"groups": "group1"} ] } }`
 func RulesFromObject(o Object) ([]Rule, error) {
 	var rules []Rule
 	for k, v := range o {
@@ -237,9 +236,8 @@ func CriteriaFromArray(a Array) ([]Criterion, error) {
 //
 // One form is supported:
 //
-// 1. An object where the keys are the names with a sub path and the values are the corresponding
-//    data for each Criterion: `{ "groups": "group1" }`
-//
+//  1. An object where the keys are the names with a sub path and the values are the corresponding
+//     data for each Criterion: `{ "groups": "group1" }`
 func CriterionFromObject(o Object) (*Criterion, error) {
 	if len(o) != 1 {
 		return nil, fmt.Errorf("each criteria may only contain a single key and value")

pkg/policy/parser/json.go

@@ -139,7 +139,9 @@ func (o Object) Clone() Value {
 }
 
 // Falsy returns true if the value is considered Javascript falsy:
-//   https://developer.mozilla.org/en-US/docs/Glossary/Falsy.
+//
+//	https://developer.mozilla.org/en-US/docs/Glossary/Falsy.
+//
 // If the field is not found in the object it is *not* falsy.
 func (o Object) Falsy(field string) bool {
 	v, ok := o[field]