Fix several linter errors

Signed-off-by: Knut Ahlers <knut@ahlers.me>

audit.go

@@ -52,10 +52,8 @@ func (a *auditLogger) Log(event auditEvent, r *http.Request, extraFields map[str
 	evt["event_type"] = event
 	evt["remote_addr"] = a.findIP(r)
 
-	if extraFields != nil {
-		for k, v := range extraFields {
-			evt[k] = v
-		}
+	for k, v := range extraFields {
+		evt[k] = v
 	}
 
 	headers := map[string]string{}

auth_ldap.go

@@ -11,6 +11,11 @@ import (
 	yaml "gopkg.in/yaml.v2"
 )
 
+const (
+	authLDAPProtoLDAP  = "ldap"
+	authLDAPProtoLDAPs = "ldaps"
+)
+
 func init() {
 	registerAuthenticator(&authLDAP{})
 }
@@ -98,12 +103,13 @@ func (a authLDAP) DetectUser(res http.ResponseWriter, r *http.Request) (string,
 
 	if a.EnableBasicAuth {
 		if basicUser, basicPass, ok := r.BasicAuth(); ok {
-			if userDN, a, err := a.checkLogin(basicUser, basicPass, a.UsernameAttribute); err != nil {
+			userDN, a, err := a.checkLogin(basicUser, basicPass, a.UsernameAttribute)
+			if err != nil {
 				return "", nil, err
-			} else {
-				user = userDN
-				alias = a
 			}
+
+			user = userDN
+			alias = a
 		}
 	}
 
@@ -155,7 +161,7 @@ func (a authLDAP) Login(res http.ResponseWriter, r *http.Request) (string, []mfa
 		return "", nil, err
 	}
 
-	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
+	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
 	sess.Options = mainCfg.GetSessionOpts()
 	sess.Values["user"] = userDN
 	sess.Values["alias"] = alias
@@ -185,7 +191,7 @@ func (a authLDAP) LoginFields() (fields []loginField) {
 // Logout is called when the user visits the logout endpoint and
 // needs to destroy any persistent stored cookies
 func (a authLDAP) Logout(res http.ResponseWriter, r *http.Request) (err error) {
-	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
+	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
 	sess.Options = mainCfg.GetSessionOpts()
 	sess.Options.MaxAge = -1 // Instant delete
 	return sess.Save(r, res)
@@ -240,9 +246,9 @@ func (a authLDAP) portFromScheme(scheme, override string) string {
 	}
 
 	switch scheme {
-	case "ldap":
+	case authLDAPProtoLDAP:
 		return "389"
-	case "ldaps":
+	case authLDAPProtoLDAPs:
 		return "636"
 	default:
 		return ""
@@ -262,13 +268,14 @@ func (a authLDAP) dial() (*ldap.Conn, error) {
 	var l *ldap.Conn
 
 	switch u.Scheme {
-	case "ldap":
+	case authLDAPProtoLDAP:
 		l, err = ldap.Dial("tcp", fmt.Sprintf("%s:%s", host, a.portFromScheme(u.Scheme, port)))
 
-	case "ldaps":
+	case authLDAPProtoLDAPs:
 		tlsConfig := &tls.Config{ServerName: host}
 
 		if a.TLSConfig != nil && (a.TLSConfig.ValidateHostname != "" || a.TLSConfig.AllowInsecure) {
+			// #nosec G402 - InsecureSkipVerify is required for internal certs
 			tlsConfig = &tls.Config{
 				ServerName:         a.TLSConfig.ValidateHostname,
 				InsecureSkipVerify: a.TLSConfig.AllowInsecure,
@@ -288,7 +295,7 @@ func (a authLDAP) dial() (*ldap.Conn, error) {
 		return nil, fmt.Errorf("Unable to connect to LDAP: %s", err)
 	}
 
-	if err := l.Bind(a.ManagerDN, a.ManagerPassword); err != nil {
+	if err = l.Bind(a.ManagerDN, a.ManagerPassword); err != nil {
 		return nil, fmt.Errorf("Unable to authenticate with manager_dn: %s", err)
 	}
 

auth_simple.go

@@ -121,7 +121,7 @@ func (a authSimple) Login(res http.ResponseWriter, r *http.Request) (string, []m
 			continue
 		}
 
-		sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
+		sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
 		sess.Options = mainCfg.GetSessionOpts()
 		sess.Values["user"] = u
 		return u, a.MFA[u], sess.Save(r, res)
@@ -153,7 +153,7 @@ func (a authSimple) LoginFields() (fields []loginField) {
 // Logout is called when the user visits the logout endpoint and
 // needs to destroy any persistent stored cookies
 func (a authSimple) Logout(res http.ResponseWriter, r *http.Request) (err error) {
-	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
+	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
 	sess.Options = mainCfg.GetSessionOpts()
 	sess.Options.MaxAge = -1 // Instant delete
 	return sess.Save(r, res)

auth_yubikey.go

@@ -113,7 +113,7 @@ func (a authYubikey) Login(res http.ResponseWriter, r *http.Request) (string, []
 		return "", nil, errNoValidUserFound
 	}
 
-	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
+	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
 	sess.Options = mainCfg.GetSessionOpts()
 	sess.Values["user"] = user
 	return user, nil, sess.Save(r, res)
@@ -136,7 +136,7 @@ func (a authYubikey) LoginFields() (fields []loginField) {
 // Logout is called when the user visits the logout endpoint and
 // needs to destroy any persistent stored cookies
 func (a authYubikey) Logout(res http.ResponseWriter, r *http.Request) (err error) {
-	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-"))
+	sess, _ := cookieStore.Get(r, strings.Join([]string{mainCfg.Cookie.Prefix, a.AuthenticatorID()}, "-")) // #nosec G104 - On error empty session is returned
 	sess.Options = mainCfg.GetSessionOpts()
 	sess.Options.MaxAge = -1 // Instant delete
 	return sess.Save(r, res)

main.go

@@ -96,11 +96,11 @@ func loadConfiguration() error {
 		return fmt.Errorf("Unable to read configuration file: %s", err)
 	}
 
-	if err := yaml.Unmarshal(yamlSource, &mainCfg); err != nil {
+	if err = yaml.Unmarshal(yamlSource, &mainCfg); err != nil {
 		return fmt.Errorf("Unable to load configuration file: %s", err)
 	}
 
-	if err := initializeAuthenticators(yamlSource); err != nil {
+	if err = initializeAuthenticators(yamlSource); err != nil {
 		return fmt.Errorf("Unable to configure authentication: %s", err)
 	}
 
@@ -148,17 +148,17 @@ func handleAuthRequest(res http.ResponseWriter, r *http.Request) {
 
 	switch err {
 	case errNoValidUserFound:
-		mainCfg.AuditLog.Log(auditEventValidate, r, map[string]string{"result": "no valid user found"})
+		mainCfg.AuditLog.Log(auditEventValidate, r, map[string]string{"result": "no valid user found"}) // #nosec G104 - This is only logging
 		http.Error(res, "No valid user found", http.StatusUnauthorized)
 
 	case nil:
 		if !mainCfg.ACL.HasAccess(user, groups, r) {
-			mainCfg.AuditLog.Log(auditEventAccessDenied, r, map[string]string{"username": user})
+			mainCfg.AuditLog.Log(auditEventAccessDenied, r, map[string]string{"username": user}) // #nosec G104 - This is only logging
 			http.Error(res, "Access denied for this resource", http.StatusForbidden)
 			return
 		}
 
-		mainCfg.AuditLog.Log(auditEventValidate, r, map[string]string{"result": "valid user found", "username": user})
+		mainCfg.AuditLog.Log(auditEventValidate, r, map[string]string{"result": "valid user found", "username": user}) // #nosec G104 - This is only logging
 
 		res.Header().Set("X-Username", user)
 		res.WriteHeader(http.StatusOK)
@@ -200,20 +200,20 @@ func handleLoginRequest(res http.ResponseWriter, r *http.Request) {
 		switch err {
 		case errNoValidUserFound:
 			auditFields["reason"] = "invalid credentials"
-			mainCfg.AuditLog.Log(auditEventLoginFailure, r, auditFields)
-			res.Header().Del("Set-Cookie") // Remove login cookie
+			mainCfg.AuditLog.Log(auditEventLoginFailure, r, auditFields) // #nosec G104 - This is only logging
+			res.Header().Del("Set-Cookie")                               // Remove login cookie
 			http.Redirect(res, r, "/login?go="+url.QueryEscape(r.FormValue("go")), http.StatusFound)
 			return
 
 		case nil:
-			mainCfg.AuditLog.Log(auditEventLoginSuccess, r, auditFields)
+			mainCfg.AuditLog.Log(auditEventLoginSuccess, r, auditFields) // #nosec G104 - This is only logging
 			http.Redirect(res, r, r.FormValue("go"), http.StatusFound)
 			return
 
 		default:
 			auditFields["reason"] = "error"
 			auditFields["error"] = err.Error()
-			mainCfg.AuditLog.Log(auditEventLoginFailure, r, auditFields)
+			mainCfg.AuditLog.Log(auditEventLoginFailure, r, auditFields) // #nosec G104 - This is only logging
 			log.WithError(err).Error("Login failed with unexpected error")
 			res.Header().Del("Set-Cookie") // Remove login cookie
 			http.Redirect(res, r, "/login?go="+url.QueryEscape(r.FormValue("go")), http.StatusFound)
@@ -233,7 +233,7 @@ func handleLoginRequest(res http.ResponseWriter, r *http.Request) {
 }
 
 func handleLogoutRequest(res http.ResponseWriter, r *http.Request) {
-	mainCfg.AuditLog.Log(auditEventLogout, r, nil)
+	mainCfg.AuditLog.Log(auditEventLogout, r, nil) // #nosec G104 - This is only logging
 	if err := logoutUser(res, r); err != nil {
 		log.WithError(err).Error("Failed to logout user")
 		http.Error(res, "Something went wrong", http.StatusInternalServerError)

mfa.go

@@ -22,10 +22,6 @@ type mfaConfig struct {
 	Attributes map[string]interface{} `yaml:"attributes"`
 }
 
-func newMFAConfig(provider string, attrs map[string]interface{}) mfaConfig {
-	return mfaConfig{Provider: provider, Attributes: attrs}
-}
-
 func (m mfaConfig) AttributeInt(key string) int {
 	if v, ok := m.Attributes[key]; ok && v != "" {
 		if sv, ok := v.(int); ok {
@@ -99,7 +95,7 @@ func initializeMFAProviders(yamlSource []byte) error {
 }
 
 func validateMFA(res http.ResponseWriter, r *http.Request, user string, mfaCfgs []mfaConfig) error {
-	if mfaCfgs == nil || len(mfaCfgs) == 0 {
+	if len(mfaCfgs) == 0 {
 		// User has no configured MFA devices, their MFA is automatically valid
 		return nil
 	}