Merge branch 'master' into secrets

Author: itoffshore

acme/api/eab.go

@@ -129,7 +129,7 @@ func validateEABJWS(ctx context.Context, jws *jose.JSONWebSignature) (string, *a
 	keyID := header.KeyID
 	nonce := header.Nonce
 
-	if !(algorithm == jose.HS256 || algorithm == jose.HS384 || algorithm == jose.HS512) {
+	if algorithm != jose.HS256 && algorithm != jose.HS384 && algorithm != jose.HS512 {
 		return "", acme.NewError(acme.ErrorMalformedType, "'alg' field set to invalid algorithm '%s'", algorithm)
 	}
 

api/sshRenew.go

@@ -21,8 +21,8 @@ type SSHRenewRequest struct {
 
 // Validate validates the SSHSignRequest.
 func (s *SSHRenewRequest) Validate() error {
-	switch {
-	case s.OTT == "":
+	switch s.OTT {
+	case "":
 		return errs.BadRequest("missing or empty ott")
 	default:
 		return nil

authority/provisioner/acme.go

@@ -17,7 +17,7 @@ import (
 // ACMEChallenge represents the supported acme challenges.
 type ACMEChallenge string
 
-//nolint:stylecheck,revive // better names
+//nolint:staticcheck,revive // better names
 const (
 	// HTTP_01 is the http-01 ACME challenge.
 	HTTP_01 ACMEChallenge = "http-01"

authority/provisioner/utils_test.go

@@ -1042,10 +1042,12 @@ func generateAzureToken(sub, iss, aud, tenantID, subscriptionID, resourceGroup,
 	if err != nil {
 		return "", err
 	}
+
 	var xmsMirID string
-	if resourceType == "vm" {
+	switch resourceType {
+	case "vm":
 		xmsMirID = fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Compute/virtualMachines/%s", subscriptionID, resourceGroup, resourceName)
-	} else if resourceType == "uai" {
+	case "uai":
 		xmsMirID = fmt.Sprintf("/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s", subscriptionID, resourceGroup, resourceName)
 	}
 

authority/tls.go

@@ -610,7 +610,7 @@ func (a *Authority) Revoke(ctx context.Context, revokeOpts *RevokeOptions) error
 	}
 
 	// If not mTLS nor ACME, then get the TokenID of the token.
-	if !(revokeOpts.MTLS || revokeOpts.ACME) {
+	if !revokeOpts.MTLS && !revokeOpts.ACME {
 		token, err := jose.ParseSigned(revokeOpts.OTT)
 		if err != nil {
 			return errs.Wrap(http.StatusUnauthorized, err, "authority.Revoke; error parsing token", opts...)

ca/acmeClient_test.go

@@ -112,11 +112,11 @@ func TestNewACMEClient(t *testing.T) {
 			i := 0
 			srv.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 				assert.Equals(t, "step-http-client/1.0", r.Header.Get("User-Agent")) // check default User-Agent header
-				switch {
-				case i == 0:
+				switch i {
+				case 0:
 					render.JSONStatus(w, r, tc.r1, tc.rc1)
 					i++
-				case i == 1:
+				case 1:
 					w.Header().Set("Replay-Nonce", "abc123")
 					render.JSONStatus(w, r, []byte{}, 200)
 					i++

cas/stepcas/issuer.go

@@ -91,8 +91,8 @@ func validateX5CIssuer(iss *apiv1.CertificateIssuer) error {
 // not given, then it will download it from the CA. If the password is not set
 // it will be prompted.
 func validateJWKIssuer(iss *apiv1.CertificateIssuer) error {
-	switch {
-	case iss.Provisioner == "":
+	switch iss.Provisioner {
+	case "":
 		return errors.New("stepCAS `certificateIssuer.provisioner` cannot be empty")
 	default:
 		return nil

cas/stepcas/stepcas_test.go

@@ -130,13 +130,13 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 		_ = json.NewDecoder(r.Body).Decode(v)
 	}
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch {
-		case r.RequestURI == "/root/"+testRootFingerprint:
+		switch r.RequestURI {
+		case "/root/" + testRootFingerprint:
 			w.WriteHeader(http.StatusOK)
 			writeJSON(w, api.RootResponse{
 				RootPEM: api.NewCertificate(testRootCrt),
 			})
-		case r.RequestURI == "/sign":
+		case "/sign":
 			var msg api.SignRequest
 			parseJSON(r, &msg)
 			if msg.CsrPEM.DNSNames[0] == "fail.doe.org" {
@@ -148,7 +148,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 			writeJSON(w, api.SignResponse{
 				CertChainPEM: []api.Certificate{api.NewCertificate(testCrt), api.NewCertificate(testIssCrt)},
 			})
-		case r.RequestURI == "/renew":
+		case "/renew":
 			if r.Header.Get("Authorization") == "Bearer fail" {
 				w.WriteHeader(http.StatusBadRequest)
 				fmt.Fprintf(w, `{"error":"fail","message":"fail"}`)
@@ -158,7 +158,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 			writeJSON(w, api.SignResponse{
 				CertChainPEM: []api.Certificate{api.NewCertificate(testCrt), api.NewCertificate(testIssCrt)},
 			})
-		case r.RequestURI == "/revoke":
+		case "/revoke":
 			var msg api.RevokeRequest
 			parseJSON(r, &msg)
 			if msg.Serial == "fail" {
@@ -170,7 +170,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 			writeJSON(w, api.RevokeResponse{
 				Status: "ok",
 			})
-		case r.RequestURI == "/provisioners":
+		case "/provisioners":
 			w.WriteHeader(http.StatusOK)
 			writeJSON(w, api.ProvisionersResponse{
 				NextCursor: "cursor",
@@ -188,7 +188,7 @@ func testCAHelper(t *testing.T) (*url.URL, *ca.Client) {
 					},
 				},
 			})
-		case r.RequestURI == "/provisioners?cursor=cursor":
+		case "/provisioners?cursor=cursor":
 			w.WriteHeader(http.StatusOK)
 			writeJSON(w, api.ProvisionersResponse{})
 		default:

cas/vaultcas/auth/approle/approle_test.go

@@ -16,15 +16,15 @@ func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
 	t.Helper()
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch {
-		case r.RequestURI == "/v1/auth/approle/login":
+		switch r.RequestURI {
+		case "/v1/auth/approle/login":
 			w.WriteHeader(http.StatusOK)
 			fmt.Fprintf(w, `{
 				  "auth": {
 					"client_token": "hvs.0000"
 				  }
 				}`)
-		case r.RequestURI == "/v1/auth/custom-approle/login":
+		case "/v1/auth/custom-approle/login":
 			w.WriteHeader(http.StatusOK)
 			fmt.Fprintf(w, `{
 				  "auth": {

cas/vaultcas/auth/aws/aws_test.go

@@ -16,15 +16,15 @@ func testCAHelper(t *testing.T) (*url.URL, *vault.Client) {
 	t.Helper()
 
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		switch {
-		case r.RequestURI == "/v1/auth/aws/login":
+		switch r.RequestURI {
+		case "/v1/auth/aws/login":
 			w.WriteHeader(http.StatusOK)
 			fmt.Fprintf(w, `{
 				  "auth": {
 					"client_token": "hvs.0000"
 				  }
 				}`)
-		case r.RequestURI == "/v1/auth/custom-aws/login":
+		case "/v1/auth/custom-aws/login":
 			w.WriteHeader(http.StatusOK)
 			fmt.Fprintf(w, `{
 				  "auth": {