remove deprecated ioutil usages

.golangci.yml

@@ -121,7 +121,7 @@ issues:
     - G307
     # gosec: Too many issues in popular repos
     - (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
-    # gosec: False positive is triggered by 'src, err := ioutil.ReadFile(filename)'
+    # gosec: False positive is triggered by 'src, err := os.ReadFile(filename)'
     - Potential file inclusion via variable
 
     ##

authorize/evaluator/google_cloud_serverless.go

@@ -5,7 +5,6 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"strings"
@@ -82,7 +81,7 @@ func (src *gcpIdentityTokenSource) Token() (*oauth2.Token, error) {
 		}
 		defer func() { _ = res.Body.Close() }()
 
-		bs, err := ioutil.ReadAll(io.LimitReader(res.Body, GCPIdentityMaxBodySize))
+		bs, err := io.ReadAll(io.LimitReader(res.Body, GCPIdentityMaxBodySize))
 		if err != nil {
 			return nil, err
 		}

authorize/grpc.go

@@ -2,7 +2,7 @@ package authorize
 
 import (
 	"context"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"strings"
@@ -159,7 +159,7 @@ func getHTTPRequestFromCheckRequest(req *envoy_service_auth_v3.CheckRequest) *ht
 		Method:     hattrs.GetMethod(),
 		URL:        &u,
 		Header:     make(http.Header),
-		Body:       ioutil.NopCloser(strings.NewReader(hattrs.GetBody())),
+		Body:       io.NopCloser(strings.NewReader(hattrs.GetBody())),
 		Host:       hattrs.GetHost(),
 		RequestURI: hattrs.GetPath(),
 	}

config/autocert.go

@@ -4,7 +4,7 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io/ioutil"
+	"os"
 
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 )
@@ -86,7 +86,7 @@ func (o *AutocertOptions) Validate() error {
 		}
 	}
 	if o.TrustedCAFile != "" {
-		if _, err := ioutil.ReadFile(o.TrustedCAFile); err != nil {
+		if _, err := os.ReadFile(o.TrustedCAFile); err != nil {
 			return fmt.Errorf("config: bad trusted certificate (bundle) file: %w", err)
 		}
 		if _, err := cryptutil.GetCertPool("", o.TrustedCAFile); err != nil {

config/autocert_test.go

@@ -8,7 +8,6 @@ import (
 	"crypto/x509/pkix"
 	"encoding/base64"
 	"encoding/pem"
-	"io/ioutil"
 	"math/big"
 	"os"
 	"testing"
@@ -91,7 +90,7 @@ func TestAutocertOptions_Validate(t *testing.T) {
 			}
 		},
 		"ok/trusted-ca-file": func(t *testing.T) test {
-			f, err := ioutil.TempFile("", "pomerium-test-ca")
+			f, err := os.CreateTemp("", "pomerium-test-ca")
 			require.NoError(t, err)
 			n, err := f.Write(certPEM)
 			require.NoError(t, err)
@@ -129,7 +128,7 @@ func TestAutocertOptions_Validate(t *testing.T) {
 			}
 		},
 		"fail/trusted-ca-combined": func(t *testing.T) test {
-			f, err := ioutil.TempFile("", "pomerium-test-ca")
+			f, err := os.CreateTemp("", "pomerium-test-ca")
 			require.NoError(t, err)
 			n, err := f.Write(certPEM)
 			require.NoError(t, err)

config/config_source.go

@@ -3,7 +3,7 @@ package config
 import (
 	"context"
 	"crypto/sha256"
-	"io/ioutil"
+	"os"
 	"sync"
 
 	"github.com/fsnotify/fsnotify"
@@ -250,7 +250,7 @@ func (src *FileWatcherSource) check(ctx context.Context, cfg *Config) {
 
 	for _, f := range fs {
 		_, _ = h.Write([]byte{0})
-		bs, err := ioutil.ReadFile(f)
+		bs, err := os.ReadFile(f)
 		if err == nil {
 			src.watcher.Add(f)
 			_, _ = h.Write(bs)

config/config_source_test.go

@@ -2,7 +2,6 @@ package config
 
 import (
 	"context"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"sync"
@@ -22,12 +21,12 @@ func TestFileWatcherSource(t *testing.T) {
 		return
 	}
 
-	err = ioutil.WriteFile(filepath.Join(tmpdir, "example.txt"), []byte{1, 2, 3, 4}, 0o600)
+	err = os.WriteFile(filepath.Join(tmpdir, "example.txt"), []byte{1, 2, 3, 4}, 0o600)
 	if !assert.NoError(t, err) {
 		return
 	}
 
-	err = ioutil.WriteFile(filepath.Join(tmpdir, "kubernetes-example.txt"), []byte{1, 2, 3, 4}, 0o600)
+	err = os.WriteFile(filepath.Join(tmpdir, "kubernetes-example.txt"), []byte{1, 2, 3, 4}, 0o600)
 	if !assert.NoError(t, err) {
 		return
 	}
@@ -50,7 +49,7 @@ func TestFileWatcherSource(t *testing.T) {
 		})
 	})
 
-	err = ioutil.WriteFile(filepath.Join(tmpdir, "example.txt"), []byte{5, 6, 7, 8}, 0o600)
+	err = os.WriteFile(filepath.Join(tmpdir, "example.txt"), []byte{5, 6, 7, 8}, 0o600)
 	if !assert.NoError(t, err) {
 		return
 	}
@@ -61,7 +60,7 @@ func TestFileWatcherSource(t *testing.T) {
 		t.Error("expected OnConfigChange to be fired after modifying a file")
 	}
 
-	err = ioutil.WriteFile(filepath.Join(tmpdir, "kubernetes-example.txt"), []byte{5, 6, 7, 8}, 0o600)
+	err = os.WriteFile(filepath.Join(tmpdir, "kubernetes-example.txt"), []byte{5, 6, 7, 8}, 0o600)
 	if !assert.NoError(t, err) {
 		return
 	}

config/envoyconfig/filemgr/filemgr.go

@@ -4,7 +4,6 @@ package filemgr
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 
@@ -41,7 +40,7 @@ func (mgr *Manager) BytesDataSource(fileName string, data []byte) *envoy_config_
 
 	filePath := filepath.Join(mgr.cfg.cacheDir, fileName)
 	if _, err := os.Stat(filePath); os.IsNotExist(err) {
-		err = ioutil.WriteFile(filePath, data, 0o600)
+		err = os.WriteFile(filePath, data, 0o600)
 		if err != nil {
 			log.Error(context.TODO()).Err(err).Msg("filemgr: error writing cache file, falling back to inline bytes")
 			return inlineBytes(data)
@@ -76,7 +75,7 @@ func (mgr *Manager) ClearCache() {
 
 // FileDataSource returns an envoy config data source based on a file.
 func (mgr *Manager) FileDataSource(filePath string) *envoy_config_core_v3.DataSource {
-	data, err := ioutil.ReadFile(filePath)
+	data, err := os.ReadFile(filePath)
 	if err != nil {
 		return inlineFilename(filePath)
 	}

config/envoyconfig/filemgr/filemgr_test.go

@@ -1,7 +1,6 @@
 package filemgr
 
 import (
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -34,7 +33,7 @@ func Test(t *testing.T) {
 
 	t.Run("file", func(t *testing.T) {
 		tmpFilePath := filepath.Join(dir, "test.txt")
-		_ = ioutil.WriteFile(tmpFilePath, []byte("TEST1"), 0o777)
+		_ = os.WriteFile(tmpFilePath, []byte("TEST1"), 0o777)
 
 		mgr := NewManager(WithCacheDir(dir))
 
@@ -45,7 +44,7 @@ func Test(t *testing.T) {
 			},
 		}, ds)
 
-		_ = ioutil.WriteFile(tmpFilePath, []byte("TEST2"), 0o777)
+		_ = os.WriteFile(tmpFilePath, []byte("TEST2"), 0o777)
 
 		ds = mgr.FileDataSource(tmpFilePath)
 		assert.Equal(t, &envoy_config_core_v3.DataSource{

config/options.go

@@ -7,7 +7,6 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"path/filepath"
@@ -669,7 +668,7 @@ func (o *Options) Validate() error {
 	}
 
 	if o.ClientCAFile != "" {
-		_, err := ioutil.ReadFile(o.ClientCAFile)
+		_, err := os.ReadFile(o.ClientCAFile)
 		if err != nil {
 			return fmt.Errorf("config: bad client ca file: %w", err)
 		}
@@ -947,7 +946,7 @@ func (o *Options) GetClientCA() ([]byte, error) {
 		return base64.StdEncoding.DecodeString(o.ClientCA)
 	}
 	if o.ClientCAFile != "" {
-		return ioutil.ReadFile(o.ClientCAFile)
+		return os.ReadFile(o.ClientCAFile)
 	}
 	return nil, nil
 }

config/options_test.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/base64"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"sync"
@@ -234,7 +233,7 @@ func Test_parsePolicyFile(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tempFile, _ := ioutil.TempFile("", "*.json")
+			tempFile, _ := os.CreateTemp("", "*.json")
 			defer tempFile.Close()
 			defer os.Remove(tempFile.Name())
 			tempFile.Write(tt.policyBytes)
@@ -344,7 +343,7 @@ func TestOptionsFromViper(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tempFile, _ := ioutil.TempFile("", "*.json")
+			tempFile, _ := os.CreateTemp("", "*.json")
 			defer tempFile.Close()
 			defer os.Remove(tempFile.Name())
 			tempFile.Write(tt.configBytes)
@@ -462,7 +461,7 @@ func Test_AutoCertOptionsFromEnvVar(t *testing.T) {
 		"ok/custom-ca-file": func(t *testing.T) test {
 			certPEM, err := newCACertPEM()
 			require.NoError(t, err)
-			f, err := ioutil.TempFile("", "pomerium-test-ca")
+			f, err := os.CreateTemp("", "pomerium-test-ca")
 			require.NoError(t, err)
 			n, err := f.Write(certPEM)
 			require.NoError(t, err)
@@ -531,8 +530,8 @@ func TestCertificatesArrayParsing(t *testing.T) {
 
 	testCertFileRef := "./testdata/example-cert.pem"
 	testKeyFileRef := "./testdata/example-key.pem"
-	testCertFile, _ := ioutil.ReadFile(testCertFileRef)
-	testKeyFile, _ := ioutil.ReadFile(testKeyFileRef)
+	testCertFile, _ := os.ReadFile(testCertFileRef)
+	testKeyFile, _ := os.ReadFile(testKeyFileRef)
 	testCertAsBase64 := base64.StdEncoding.EncodeToString(testCertFile)
 	testKeyAsBase64 := base64.StdEncoding.EncodeToString(testKeyFile)
 

config/policy.go

@@ -6,7 +6,6 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"net/url"
 	"os"
 	"regexp"
@@ -474,7 +473,7 @@ func (p *Policy) Validate() error {
 	}
 
 	if p.TLSDownstreamClientCAFile != "" {
-		bs, err := ioutil.ReadFile(p.TLSDownstreamClientCAFile)
+		bs, err := os.ReadFile(p.TLSDownstreamClientCAFile)
 		if err != nil {
 			return fmt.Errorf("config: couldn't load downstream client ca: %w", err)
 		}
@@ -486,7 +485,7 @@ func (p *Policy) Validate() error {
 			return fmt.Errorf("config: specified both `kubernetes_service_account_token_file` and `kubernetes_service_account_token`")
 		}
 
-		token, err := ioutil.ReadFile(p.KubernetesServiceAccountTokenFile)
+		token, err := os.ReadFile(p.KubernetesServiceAccountTokenFile)
 		if err != nil {
 			return fmt.Errorf("config: failed to load kubernetes service account token: %w", err)
 		}

databroker/cache_test.go

@@ -1,7 +1,6 @@
 package databroker
 
 import (
-	"io/ioutil"
 	"log"
 	"os"
 	"testing"
@@ -11,7 +10,7 @@ import (
 )
 
 func TestNew(t *testing.T) {
-	dir, err := ioutil.TempDir("", "example")
+	dir, err := os.MkdirTemp("", "example")
 	if err != nil {
 		log.Fatal(err)
 	}

integration/flows/flows.go

@@ -4,7 +4,7 @@ package flows
 import (
 	"context"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
@@ -111,7 +111,7 @@ func Authenticate(ctx context.Context, client *http.Client, url *url.URL, option
 		if err != nil {
 			return nil, err
 		}
-		bodyBytes, err := ioutil.ReadAll(res.Body)
+		bodyBytes, err := io.ReadAll(res.Body)
 		if err != nil {
 			return nil, err
 		}

internal/autocert/manager_test.go

@@ -13,7 +13,6 @@ import (
 	"encoding/pem"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"math/big"
 	"net"
 	"net/http"
@@ -548,7 +547,7 @@ func Test_configureTrustedRoots(t *testing.T) {
 			require.NoError(t, err)
 			ok := copy.AppendCertsFromPEM(ca.certPEM)
 			require.Equal(t, true, ok)
-			f, err := ioutil.TempFile("", "pomerium-test-ca")
+			f, err := os.CreateTemp("", "pomerium-test-ca")
 			require.NoError(t, err)
 			n, err := f.Write(ca.certPEM)
 			require.NoError(t, err)

internal/cmd/pomerium/pomerium_test.go

@@ -2,7 +2,6 @@ package pomerium
 
 import (
 	"context"
-	"io/ioutil"
 	"os"
 	"testing"
 	"time"
@@ -112,7 +111,7 @@ func Test_run(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tmpFile, err := ioutil.TempFile(os.TempDir(), "*.json")
+			tmpFile, err := os.CreateTemp(os.TempDir(), "*.json")
 			if err != nil {
 				t.Fatal("Cannot create temporary file", err)
 			}

internal/directory/okta/okta.go

@@ -8,7 +8,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"sort"
@@ -383,7 +382,7 @@ func newAPIError(res *http.Response) error {
 	if res == nil {
 		return nil
 	}
-	buf, _ := ioutil.ReadAll(io.LimitReader(res.Body, readLimit)) // limit to 100kb
+	buf, _ := io.ReadAll(io.LimitReader(res.Body, readLimit)) // limit to 100kb
 
 	err := &APIError{
 		HTTPStatusCode: res.StatusCode,

internal/envoy/envoy.go

@@ -10,7 +10,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -79,7 +78,7 @@ func NewServer(ctx context.Context, src config.Source, builder *envoyconfig.Buil
 
 		// Checksum is written at build time, if it's not empty we verify the binary
 		if files.Checksum() != "" {
-			bs, err := ioutil.ReadFile(envoyPath)
+			bs, err := os.ReadFile(envoyPath)
 			if err != nil {
 				return nil, fmt.Errorf("error reading envoy binary for checksum verification: %w", err)
 			}