From dd966c918a8fdd969dc62973512f93516d17137f Mon Sep 17 00:00:00 2001 From: "F." Date: Sat, 17 Jan 2026 16:56:38 +0100 Subject: [PATCH 1/4] test: harden cleanup and error handling; update lint allowlist MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Replace ad‑hoc teardown with t.Cleanup and assert removal via require.NoError across io/auth/mfa/converters/memory tests for more reliable cleanup. - Use secure file permissions in io tests (0600 instead of 0644). - Capture/log errors from SecureWriteFromReader and similar calls; standardize error verification in tests. - Introduce constants (e.g., JWT issuer, error messages) to de‑duplicate assertions and clarify expectations. - Wrap selected test errors with ewrap for consistent types. - Add targeted nolint directives to silence gosec false positives on test secrets. - Update .golangci.yaml allow-strs to include alice to reduce lint noise. No production code changes; test robustness and lint signal improved. --- .golangci.yaml | 2 +- internal/io/io_test.go | 12 ++++-- internal/io/write_fuzz_test.go | 5 ++- pkg/auth/jwt_test.go | 25 +++++++----- pkg/auth/paseto_test.go | 4 +- pkg/converters/convert_test.go | 72 +++++++++++++++++++--------------- pkg/io/copy_test.go | 11 +++++- pkg/io/dir_test.go | 5 ++- pkg/io/file_bench_test.go | 20 ++++++++-- pkg/io/file_test.go | 53 +++++++++++++++++++------ pkg/io/temp_test.go | 13 +++++- pkg/memory/reader_test.go | 4 +- pkg/mfa/hotp_test.go | 3 +- pkg/mfa/rate_limit_test.go | 6 ++- pkg/mfa/totp_test.go | 3 +- pkg/secrets/secrets_test.go | 2 + 16 files changed, 166 insertions(+), 74 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index 1462f19..555dc28 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -138,7 +138,7 @@ linters: disabled: false arguments: - max-lit-count: "3" - allow-strs: '"","-","windows"' + allow-strs: '"","-","windows","alice"' allow-ints: "-1,0,1,2,10,1024,0o600,0o644,0o700,0o755,0666,0755" allow-floats: "0.0,1.0" diff --git a/internal/io/io_test.go b/internal/io/io_test.go index bc564f4..e04c934 100644 --- a/internal/io/io_test.go +++ b/internal/io/io_test.go @@ -84,14 +84,20 @@ func TestSecurePathSymlink(t *testing.T) { validPath := filepath.Join(tempDir, "valid.txt") symlinkPath := filepath.Join(tempDir, "symlink.txt") - err := os.WriteFile(validPath, []byte("test"), 0o644) + err := os.WriteFile(validPath, []byte("test"), 0o600) require.NoError(t, err) - t.Cleanup(func() { _ = os.Remove(validPath) }) + t.Cleanup(func() { + err = os.Remove(validPath) + require.NoError(t, err) + }) err = os.Symlink("/etc/hosts", symlinkPath) if err == nil { - t.Cleanup(func() { _ = os.Remove(symlinkPath) }) + t.Cleanup(func() { + err = os.Remove(symlinkPath) + require.NoError(t, err) + }) t.Run("symlink outside temp directory", func(t *testing.T) { t.Parallel() diff --git a/internal/io/write_fuzz_test.go b/internal/io/write_fuzz_test.go index fb367a8..eaeabf0 100644 --- a/internal/io/write_fuzz_test.go +++ b/internal/io/write_fuzz_test.go @@ -66,7 +66,10 @@ func FuzzSecureWriteFromReader(f *testing.F) { AllowSymlinks: allowSymlinks, } - _ = SecureWriteFromReader(path, bytes.NewReader(data), opts, nil) + err := SecureWriteFromReader(path, bytes.NewReader(data), opts, nil) + if err != nil { + t.Log("failed to write:", err) + } }) } diff --git a/pkg/auth/jwt_test.go b/pkg/auth/jwt_test.go index d362028..5c57b83 100644 --- a/pkg/auth/jwt_test.go +++ b/pkg/auth/jwt_test.go @@ -8,6 +8,8 @@ import ( "github.com/golang-jwt/jwt/v5" ) +const issuer = "sectools" + func TestJWTSignerMissingExpiration(t *testing.T) { t.Parallel() @@ -27,7 +29,7 @@ func TestJWTSignerMissingExpiration(t *testing.T) { func TestJWTSignVerifyRoundTrip(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, 10, 1, 12, 0, 0, 0, time.UTC) secret := []byte("supersecret") @@ -52,7 +54,7 @@ func TestJWTSignVerifyRoundTrip(t *testing.T) { } claims := jwt.RegisteredClaims{ - Issuer: "sectools", + Issuer: issuer, Subject: "user-123", Audience: jwt.ClaimStrings{"apps"}, IssuedAt: jwt.NewNumericDate(now), @@ -65,7 +67,9 @@ func TestJWTSignVerifyRoundTrip(t *testing.T) { } parsed := &jwt.RegisteredClaims{} - if err := verifier.Verify(token, parsed); err != nil { + + err = verifier.Verify(token, parsed) + if err != nil { t.Fatalf("expected verify success, got error: %v", err) } @@ -76,7 +80,7 @@ func TestJWTSignVerifyRoundTrip(t *testing.T) { func TestJWTVerifierAudienceMismatch(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, 10, 1, 12, 0, 0, 0, time.UTC) secret := []byte("supersecret") @@ -100,7 +104,7 @@ func TestJWTVerifierAudienceMismatch(t *testing.T) { } claims := jwt.RegisteredClaims{ - Issuer: "sectools", + Issuer: issuer, Audience: jwt.ClaimStrings{"different"}, ExpiresAt: jwt.NewNumericDate(now.Add(time.Hour)), } @@ -111,14 +115,16 @@ func TestJWTVerifierAudienceMismatch(t *testing.T) { } parsed := &jwt.RegisteredClaims{} - if err := verifier.Verify(token, parsed); !errors.Is(err, ErrJWTInvalidAudience) { + + err = verifier.Verify(token, parsed) + if !errors.Is(err, ErrJWTInvalidAudience) { t.Fatalf("expected ErrJWTInvalidAudience, got %v", err) } } func TestJWTVerifierKeySetRequiresKid(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, 10, 1, 12, 0, 0, 0, time.UTC) secret := []byte("supersecret") @@ -151,7 +157,7 @@ func TestJWTVerifierKeySetRequiresKid(t *testing.T) { } claims := jwt.RegisteredClaims{ - Issuer: "sectools", + Issuer: issuer, Audience: jwt.ClaimStrings{"apps"}, ExpiresAt: jwt.NewNumericDate(now.Add(time.Hour)), } @@ -161,7 +167,8 @@ func TestJWTVerifierKeySetRequiresKid(t *testing.T) { t.Fatalf("expected token, got error: %v", err) } - if err := verifier.Verify(tokenWithKid, &jwt.RegisteredClaims{}); err != nil { + err = verifier.Verify(tokenWithKid, &jwt.RegisteredClaims{}) + if err != nil { t.Fatalf("expected verify success, got error: %v", err) } diff --git a/pkg/auth/paseto_test.go b/pkg/auth/paseto_test.go index a5eafe3..9c7190b 100644 --- a/pkg/auth/paseto_test.go +++ b/pkg/auth/paseto_test.go @@ -10,7 +10,7 @@ import ( func TestPasetoLocalRoundTrip(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, 10, 1, 12, 0, 0, 0, time.UTC) key := paseto.NewV4SymmetricKey() @@ -49,7 +49,7 @@ func TestPasetoLocalRoundTrip(t *testing.T) { func TestPasetoPublicRoundTrip(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, 10, 1, 12, 0, 0, 0, time.UTC) secret := paseto.NewV4AsymmetricSecretKey() public := secret.Public() diff --git a/pkg/converters/convert_test.go b/pkg/converters/convert_test.go index f80db2b..d92e307 100644 --- a/pkg/converters/convert_test.go +++ b/pkg/converters/convert_test.go @@ -5,6 +5,11 @@ import ( "testing" ) +const ( + errMsgNegativeInput = "expected error for negative input" + errMsgOverflow = "expected overflow error" +) + func TestSafeUint64FromInt(t *testing.T) { t.Parallel() @@ -17,8 +22,9 @@ func TestSafeUint64FromInt(t *testing.T) { t.Fatalf("expected 10, got %d", value) } - if _, err = SafeUint64FromInt(-1); err == nil { - t.Fatalf("expected error for negative input") + _, err = SafeUint64FromInt(-1) + if err == nil { + t.Fatal(errMsgNegativeInput) } } @@ -34,8 +40,9 @@ func TestSafeUint64FromInt64(t *testing.T) { t.Fatalf("expected 42, got %d", value) } - if _, err = SafeUint64FromInt64(-5); err == nil { - t.Fatalf("expected error for negative input") + _, err = SafeUint64FromInt64(-5) + if err == nil { + t.Fatal(errMsgNegativeInput) } } @@ -54,8 +61,10 @@ func TestSafeIntFromInt64(t *testing.T) { maxInt := int64(^uint(0) >> 1) if maxInt < math.MaxInt64 { overflowCandidate := maxInt + 1 - if _, err = SafeIntFromInt64(overflowCandidate); err == nil { - t.Fatalf("expected overflow error") + + _, err = SafeIntFromInt64(overflowCandidate) + if err == nil { + t.Fatal(errMsgOverflow) } } } @@ -73,7 +82,7 @@ func TestSafeUintFromInt64(t *testing.T) { } if _, err = SafeUintFromInt64(-1); err == nil { - t.Fatalf("expected error for negative input") + t.Fatal(errMsgNegativeInput) } maxUint := uint64(^uint(0)) @@ -82,7 +91,7 @@ func TestSafeUintFromInt64(t *testing.T) { if maxUint < maxInt64 { overflowCandidate := int64(maxUint) + 1 if _, err = SafeUintFromInt64(overflowCandidate); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } } @@ -100,11 +109,11 @@ func TestSafeUint32FromInt64(t *testing.T) { } if _, err = SafeUint32FromInt64(-1); err == nil { - t.Fatalf("expected error for negative input") + t.Fatal(errMsgNegativeInput) } if _, err = SafeUint32FromInt64(int64(^uint32(0)) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -121,11 +130,11 @@ func TestSafeUint16FromInt64(t *testing.T) { } if _, err = SafeUint16FromInt64(-1); err == nil { - t.Fatalf("expected error for negative input") + t.Fatal(errMsgNegativeInput) } if _, err = SafeUint16FromInt64(int64(^uint16(0)) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -142,11 +151,11 @@ func TestSafeUint8FromInt64(t *testing.T) { } if _, err = SafeUint8FromInt64(-1); err == nil { - t.Fatalf("expected error for negative input") + t.Fatal(errMsgNegativeInput) } if _, err = SafeUint8FromInt64(int64(^uint8(0)) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -164,7 +173,7 @@ func TestSafeIntFromUint64(t *testing.T) { maxInt := uint64(^uint(0) >> 1) if _, err = SafeIntFromUint64(maxInt + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -181,7 +190,7 @@ func TestSafeInt32FromInt64(t *testing.T) { } if _, err = SafeInt32FromInt64(int64(1 << 31)); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -198,7 +207,7 @@ func TestSafeInt16FromInt64(t *testing.T) { } if _, err = SafeInt16FromInt64(int64(1 << 15)); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -215,7 +224,7 @@ func TestSafeInt8FromInt64(t *testing.T) { } if _, err = SafeInt8FromInt64(int64(1 << 7)); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -232,7 +241,7 @@ func TestSafeInt64FromUint64(t *testing.T) { } if _, err = SafeInt64FromUint64(uint64(math.MaxInt64) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -249,7 +258,7 @@ func TestSafeUint32FromUint64(t *testing.T) { } if _, err = SafeUint32FromUint64(uint64(^uint32(0)) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -275,7 +284,7 @@ func TestToInt64(t *testing.T) { } if _, err = ToInt64(uint64(math.MaxInt64) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -292,11 +301,11 @@ func TestToInt32(t *testing.T) { } if _, err = ToInt32(uint64(1<<31) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } if _, err = ToInt32(int64(-1<<31) - 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -315,13 +324,14 @@ func TestToInt(t *testing.T) { maxInt := int64(^uint(0) >> 1) minInt := -maxInt - 1 - if _, err = ToInt(uint64(maxInt) + 1); err == nil { - t.Fatalf("expected overflow error") + _, err = ToInt(uint64(maxInt) + 1) + if err == nil { + t.Fatal(errMsgOverflow) } if minInt > math.MinInt64 { if _, err = ToInt(minInt - 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } } @@ -339,7 +349,7 @@ func TestToUint64(t *testing.T) { } if _, err = ToUint64(int64(-1)); err == nil { - t.Fatalf("expected error for negative input") + t.Fatal(errMsgNegativeInput) } } @@ -356,11 +366,11 @@ func TestToUint32(t *testing.T) { } if _, err = ToUint32(int64(-1)); err == nil { - t.Fatalf("expected error for negative input") + t.Fatal(errMsgNegativeInput) } if _, err = ToUint32(uint64(^uint32(0)) + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } @@ -377,13 +387,13 @@ func TestToUint(t *testing.T) { } if _, err = ToUint(int64(-1)); err == nil { - t.Fatalf("expected error for negative input") + t.Fatal(errMsgNegativeInput) } maxUint := uint64(^uint(0)) if maxUint < math.MaxUint64 { if _, err = ToUint(maxUint + 1); err == nil { - t.Fatalf("expected overflow error") + t.Fatal(errMsgOverflow) } } } diff --git a/pkg/io/copy_test.go b/pkg/io/copy_test.go index 6652761..d379b22 100644 --- a/pkg/io/copy_test.go +++ b/pkg/io/copy_test.go @@ -22,8 +22,12 @@ func TestSecureCopyFileDefaultOptions(t *testing.T) { destPath := filepath.Join(os.TempDir(), destName) - t.Cleanup(func() { _ = os.Remove(destPath) }) + t.Cleanup(func() { + err = os.Remove(destPath) + require.NoError(t, err) + }) + //nolint:gosec readData, err := os.ReadFile(destPath) require.NoError(t, err) require.Equal(t, data, readData) @@ -65,5 +69,8 @@ func TestSecureCopyFileVerifyChecksum(t *testing.T) { destPath := filepath.Join(os.TempDir(), destName) - t.Cleanup(func() { _ = os.Remove(destPath) }) + t.Cleanup(func() { + err = os.Remove(destPath) + require.NoError(t, err) + }) } diff --git a/pkg/io/dir_test.go b/pkg/io/dir_test.go index 53c1be5..aab6f21 100644 --- a/pkg/io/dir_test.go +++ b/pkg/io/dir_test.go @@ -51,7 +51,10 @@ func TestSecureMkdirAllDefaultOptions(t *testing.T) { dirPath := filepath.Join(os.TempDir(), dirName) - t.Cleanup(func() { _ = os.RemoveAll(dirPath) }) + t.Cleanup(func() { + err = os.RemoveAll(dirPath) + require.NoError(t, err) + }) info, err := os.Stat(dirPath) require.NoError(t, err) diff --git a/pkg/io/file_bench_test.go b/pkg/io/file_bench_test.go index fbcd025..33cf2e6 100644 --- a/pkg/io/file_bench_test.go +++ b/pkg/io/file_bench_test.go @@ -4,6 +4,8 @@ import ( "os" "path/filepath" "testing" + + "github.com/stretchr/testify/require" ) func BenchmarkSecureReadFile(b *testing.B) { @@ -17,10 +19,18 @@ func BenchmarkSecureReadFile(b *testing.B) { b.Fatalf("failed to create temp file: %v", err) } - defer func() { _ = os.Remove(file.Name()) }() + defer func() { + err = os.Remove(file.Name()) + if err != nil { + b.Fatalf("failed to remove temp file: %v", err) + } + }() if _, err := file.Write(data); err != nil { - _ = file.Close() + err = file.Close() + if err != nil { + b.Fatalf("failed to close temp file: %v", err) + } b.Fatalf("failed to write temp data: %v", err) } @@ -62,7 +72,8 @@ func BenchmarkSecureWriteFile(b *testing.B) { path := file.Name() if err := file.Close(); err != nil { - _ = os.Remove(path) + err = os.Remove(path) + require.NoError(b, err) b.Fatalf("failed to close temp file: %v", err) } @@ -72,7 +83,8 @@ func BenchmarkSecureWriteFile(b *testing.B) { } b.Cleanup(func() { - _ = os.Remove(path) + err = os.Remove(path) + require.NoError(b, err) }) relPath, err := filepath.Rel(os.TempDir(), path) diff --git a/pkg/io/file_test.go b/pkg/io/file_test.go index d448792..e7e3b62 100644 --- a/pkg/io/file_test.go +++ b/pkg/io/file_test.go @@ -216,8 +216,13 @@ func TestSecureWriteFileDefaultOptions(t *testing.T) { err := client.WriteFile(filename, data) require.NoError(t, err) - defer func() { _ = os.Remove(filepath.Join(os.TempDir(), filename)) }() - + defer func() { + err = os.Remove(filepath.Join(os.TempDir(), filename)) + if err != nil { + t.Fatalf("failed to remove temp file: %v", err) + } + }() + //nolint:gosec readData, err := os.ReadFile(filepath.Join(os.TempDir(), filename)) require.NoError(t, err) assert.Equal(t, data, readData) @@ -235,8 +240,13 @@ func TestSecureWriteFileDisableAtomic(t *testing.T) { err = client.WriteFile(filename, data) require.NoError(t, err) - defer func() { _ = os.Remove(filepath.Join(os.TempDir(), filename)) }() - + defer func() { + err = os.Remove(filepath.Join(os.TempDir(), filename)) + if err != nil { + t.Fatalf("failed to remove temp file: %v", err) + } + }() + //nolint:gosec readData, err := os.ReadFile(filepath.Join(os.TempDir(), filename)) require.NoError(t, err) assert.Equal(t, data, readData) @@ -254,8 +264,13 @@ func TestSecureWriteFileDisableSync(t *testing.T) { err = client.WriteFile(filename, data) require.NoError(t, err) - defer func() { _ = os.Remove(filepath.Join(os.TempDir(), filename)) }() - + defer func() { + err = os.Remove(filepath.Join(os.TempDir(), filename)) + if err != nil { + t.Fatalf("failed to remove temp file: %v", err) + } + }() + //nolint:gosec readData, err := os.ReadFile(filepath.Join(os.TempDir(), filename)) require.NoError(t, err) assert.Equal(t, data, readData) @@ -267,7 +282,12 @@ func TestSecureWriteFileSyncDir(t *testing.T) { filename := filepath.Base(uniqueTempPath(t, "sectools-syncdir-")) data := []byte("sync-dir") - t.Cleanup(func() { _ = os.Remove(filepath.Join(os.TempDir(), filename)) }) + t.Cleanup(func() { + err := os.Remove(filepath.Join(os.TempDir(), filename)) + if err != nil { + t.Fatalf("failed to remove temp file: %v", err) + } + }) client, err := NewWithOptions(WithWriteSyncDir(true)) require.NoError(t, err) @@ -278,7 +298,7 @@ func TestSecureWriteFileSyncDir(t *testing.T) { } require.NoError(t, err) - + //nolint:gosec readData, err := os.ReadFile(filepath.Join(os.TempDir(), filename)) require.NoError(t, err) assert.Equal(t, data, readData) @@ -332,8 +352,13 @@ func TestSecureWriteFromReaderDefaultOptions(t *testing.T) { err := client.WriteFromReader(filename, strings.NewReader(data)) require.NoError(t, err) - t.Cleanup(func() { _ = os.Remove(filepath.Join(os.TempDir(), filename)) }) - + t.Cleanup(func() { + err = os.Remove(filepath.Join(os.TempDir(), filename)) + if err != nil { + t.Fatalf("failed to remove temp file: %v", err) + } + }) + //nolint:gosec readData, err := os.ReadFile(filepath.Join(os.TempDir(), filename)) require.NoError(t, err) assert.Equal(t, []byte(data), readData) @@ -363,7 +388,7 @@ func TestSecureReadFileWithOptionsDisallowPerms(t *testing.T) { } absPath, relPath := createTempFile(t, []byte("secret")) - + //nolint:gosec require.NoError(t, os.Chmod(absPath, 0o644)) client, err := NewWithOptions(WithReadDisallowPerms(0o004)) @@ -401,7 +426,8 @@ func createTempDir(t *testing.T) (string, string) { require.NoError(t, err) t.Cleanup(func() { - _ = os.RemoveAll(dir) + err = os.RemoveAll(dir) + require.NoError(t, err) }) relPath, err := filepath.Rel(os.TempDir(), dir) @@ -422,7 +448,8 @@ func createTempSymlink(t *testing.T, data []byte) (string, string, string) { } t.Cleanup(func() { - _ = os.Remove(linkAbs) + err = os.Remove(linkAbs) + require.NoError(t, err) }) return targetAbs, linkAbs, filepath.Base(linkAbs) diff --git a/pkg/io/temp_test.go b/pkg/io/temp_test.go index b3ea117..9357d3a 100644 --- a/pkg/io/temp_test.go +++ b/pkg/io/temp_test.go @@ -17,7 +17,13 @@ func TestSecureTempFileDefaultOptions(t *testing.T) { require.NoError(t, err) require.NotNil(t, file) - t.Cleanup(func() { _ = os.Remove(file.Name()) }) + t.Cleanup(func() { + err := os.Remove(file.Name()) + if err != nil { + t.Fatalf("failed to remove temp file: %v", err) + } + }) + require.NoError(t, file.Close()) require.True(t, strings.HasPrefix(file.Name(), os.TempDir())) @@ -30,7 +36,10 @@ func TestSecureTempDirDefaultOptions(t *testing.T) { dir, err := client.TempDir("sectools-tempdir-") require.NoError(t, err) - t.Cleanup(func() { _ = os.RemoveAll(dir) }) + t.Cleanup(func() { + err = os.RemoveAll(dir) + require.NoError(t, err) + }) info, err := os.Stat(dir) require.NoError(t, err) diff --git a/pkg/memory/reader_test.go b/pkg/memory/reader_test.go index 6979b2e..f302a06 100644 --- a/pkg/memory/reader_test.go +++ b/pkg/memory/reader_test.go @@ -5,6 +5,8 @@ import ( "errors" "strings" "testing" + + "github.com/hyp3rd/ewrap" ) func TestNewSecureBufferFromReader(t *testing.T) { @@ -54,7 +56,7 @@ func TestNewSecureBufferFromReaderNilReader(t *testing.T) { func TestNewSecureBufferFromReaderReadError(t *testing.T) { t.Parallel() - readErr := errors.New("boom") + readErr := ewrap.New("boom") reader := errorReader{err: readErr} _, err := NewSecureBufferFromReader(reader, 10) diff --git a/pkg/mfa/hotp_test.go b/pkg/mfa/hotp_test.go index 287a241..1e69773 100644 --- a/pkg/mfa/hotp_test.go +++ b/pkg/mfa/hotp_test.go @@ -9,7 +9,8 @@ import ( const ( hotpTestIssuer = "sectools" hotpTestAccount = "user@example.com" - hotpTestSecret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP" // cspell:disable-line + //nolint:gosec + hotpTestSecret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP" // cspell:disable-line ) func TestHOTPGenerateAndVerify(t *testing.T) { diff --git a/pkg/mfa/rate_limit_test.go b/pkg/mfa/rate_limit_test.go index 45e7732..ddfa13f 100644 --- a/pkg/mfa/rate_limit_test.go +++ b/pkg/mfa/rate_limit_test.go @@ -4,6 +4,8 @@ import ( "errors" "testing" "time" + + "github.com/hyp3rd/ewrap" ) type testRateLimiter struct { @@ -81,12 +83,12 @@ func TestBackupVerifyRateLimited(t *testing.T) { func TestRateLimiterErrorWraps(t *testing.T) { t.Parallel() - limiter := &testRateLimiter{allow: false, err: errors.New("backend")} + limiter := &testRateLimiter{allow: false, err: ewrap.New("backend")} helper, err := NewTOTP( totpTestSecret, WithTOTPRateLimiter(limiter), - WithTOTPClock(func() time.Time { return time.Now() }), + WithTOTPClock(time.Now), ) if err != nil { t.Fatalf("expected totp helper, got %v", err) diff --git a/pkg/mfa/totp_test.go b/pkg/mfa/totp_test.go index 0936844..13ae41b 100644 --- a/pkg/mfa/totp_test.go +++ b/pkg/mfa/totp_test.go @@ -10,7 +10,8 @@ import ( const ( totpTestIssuer = "sectools" totpTestAccount = "user@example.com" - totpTestSecret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP" // cspell:disable-line + //nolint:gosec + totpTestSecret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP" // cspell:disable-line ) func TestTOTPGenerateAndVerify(t *testing.T) { diff --git a/pkg/secrets/secrets_test.go b/pkg/secrets/secrets_test.go index fd38272..5bb72b6 100644 --- a/pkg/secrets/secrets_test.go +++ b/pkg/secrets/secrets_test.go @@ -486,6 +486,8 @@ func TestWithSecretMask(t *testing.T) { } // TestNestedStructureRedaction tests redaction of nested structures. +// +//nolint:funlen func TestNestedStructureRedaction(t *testing.T) { t.Parallel() From 34a7ab49715d5fd20b090b8b4c357160ad99d7c7 Mon Sep 17 00:00:00 2001 From: "F." Date: Sat, 17 Jan 2026 18:04:03 +0100 Subject: [PATCH 2/4] test: standardize error-message constants and helpers across test suite MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit • Replace inline t.Fatalf strings with shared constants (e.g., errMsgExpectedSigner/Token, errMsgUnexpected, errMsgDetector, errMsgExpectedRedactor) across jwt, paseto, converters, encoding, io, memory, mfa, password, sanitize, tokens, validate, and secrets packages. • Normalize test data (testValue, testValueInt64, int8Value, testEmail) and apply minor cleanup. • Refactor helper usage (createTempFile/createTempDir) for consistency. • Chore: expand .golangci.yaml allow-strs/allow-ints and add “unparam” to cspell ignore list. No production code changes; improves test consistency and prepares for stricter linting. --- .golangci.yaml | 4 +- cspell.json | 1 + pkg/auth/jwt_test.go | 27 ++-- pkg/auth/paseto_test.go | 11 +- pkg/converters/convert_test.go | 239 +++++++++++++++++------------- pkg/encoding/encoding_test.go | 16 +- pkg/io/file_bench_test.go | 13 +- pkg/io/file_test.go | 16 +- pkg/memory/reader_test.go | 6 +- pkg/memory/secure_buffer_test.go | 38 ++--- pkg/mfa/backup_test.go | 1 + pkg/mfa/hotp_test.go | 27 ++-- pkg/mfa/rate_limit_test.go | 19 ++- pkg/mfa/totp_test.go | 22 +-- pkg/password/argon2id_test.go | 8 +- pkg/password/bcrypt_test.go | 8 +- pkg/sanitize/nosql_detect_test.go | 10 +- pkg/sanitize/sql_test.go | 2 +- pkg/secrets/secrets_test.go | 43 +++--- pkg/tokens/tokens_test.go | 14 +- pkg/validate/email_test.go | 52 ++++--- pkg/validate/url_test.go | 12 +- 22 files changed, 333 insertions(+), 256 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index 555dc28..1d80a5d 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -138,8 +138,8 @@ linters: disabled: false arguments: - max-lit-count: "3" - allow-strs: '"","-","windows","alice"' - allow-ints: "-1,0,1,2,10,1024,0o600,0o644,0o700,0o755,0666,0755" + allow-strs: '"","-","windows","alice","data","HS256","app","apps","sectools","hello","password","secret","stream","0xFF","0xFE","0xFD"' + allow-ints: "-1,0,1,2,10,1024,0o600,0o644,0o700,0o755,0666,0755,0xFF,0xFE,0xFD" allow-floats: "0.0,1.0" - name: cognitive-complexity diff --git a/cspell.json b/cspell.json index dc8350a..2d3a69b 100644 --- a/cspell.json +++ b/cspell.json @@ -212,6 +212,7 @@ "Tracef", "uid", "umask", + "unparam", "uppercasing", "URLHTTP", "userinfo", diff --git a/pkg/auth/jwt_test.go b/pkg/auth/jwt_test.go index 5c57b83..90f4880 100644 --- a/pkg/auth/jwt_test.go +++ b/pkg/auth/jwt_test.go @@ -8,7 +8,11 @@ import ( "github.com/golang-jwt/jwt/v5" ) -const issuer = "sectools" +const ( + issuer = "sectools" + errMsgExpectedSigner = "expected signer, got error: %v" + errMsgExpectedToken = "expected token, got error: %v" +) func TestJWTSignerMissingExpiration(t *testing.T) { t.Parallel() @@ -18,7 +22,7 @@ func TestJWTSignerMissingExpiration(t *testing.T) { WithJWTSigningKey([]byte("secret")), ) if err != nil { - t.Fatalf("expected signer, got error: %v", err) + t.Fatalf(errMsgExpectedSigner, err) } _, err = signer.Sign(jwt.RegisteredClaims{}) @@ -39,7 +43,7 @@ func TestJWTSignVerifyRoundTrip(t *testing.T) { WithJWTSigningKeyID("kid-1"), ) if err != nil { - t.Fatalf("expected signer, got error: %v", err) + t.Fatalf(errMsgExpectedSigner, err) } verifier, err := NewJWTVerifier( @@ -63,7 +67,7 @@ func TestJWTSignVerifyRoundTrip(t *testing.T) { token, err := signer.Sign(claims) if err != nil { - t.Fatalf("expected token, got error: %v", err) + t.Fatalf(errMsgExpectedToken, err) } parsed := &jwt.RegisteredClaims{} @@ -89,7 +93,7 @@ func TestJWTVerifierAudienceMismatch(t *testing.T) { WithJWTSigningKey(secret), ) if err != nil { - t.Fatalf("expected signer, got error: %v", err) + t.Fatalf(errMsgExpectedSigner, err) } verifier, err := NewJWTVerifier( @@ -111,7 +115,7 @@ func TestJWTVerifierAudienceMismatch(t *testing.T) { token, err := signer.Sign(claims) if err != nil { - t.Fatalf("expected token, got error: %v", err) + t.Fatalf(errMsgExpectedToken, err) } parsed := &jwt.RegisteredClaims{} @@ -134,7 +138,7 @@ func TestJWTVerifierKeySetRequiresKid(t *testing.T) { WithJWTSigningKeyID("kid-1"), ) if err != nil { - t.Fatalf("expected signer, got error: %v", err) + t.Fatalf(errMsgExpectedSigner, err) } signerWithoutKid, err := NewJWTSigner( @@ -142,7 +146,7 @@ func TestJWTVerifierKeySetRequiresKid(t *testing.T) { WithJWTSigningKey(secret), ) if err != nil { - t.Fatalf("expected signer, got error: %v", err) + t.Fatalf(errMsgExpectedSigner, err) } verifier, err := NewJWTVerifier( @@ -164,7 +168,7 @@ func TestJWTVerifierKeySetRequiresKid(t *testing.T) { tokenWithKid, err := signerWithKid.Sign(claims) if err != nil { - t.Fatalf("expected token, got error: %v", err) + t.Fatalf(errMsgExpectedToken, err) } err = verifier.Verify(tokenWithKid, &jwt.RegisteredClaims{}) @@ -174,10 +178,11 @@ func TestJWTVerifierKeySetRequiresKid(t *testing.T) { tokenWithoutKid, err := signerWithoutKid.Sign(claims) if err != nil { - t.Fatalf("expected token, got error: %v", err) + t.Fatalf(errMsgExpectedToken, err) } - if err := verifier.Verify(tokenWithoutKid, &jwt.RegisteredClaims{}); !errors.Is(err, ErrJWTMissingKeyID) { + err = verifier.Verify(tokenWithoutKid, &jwt.RegisteredClaims{}) + if !errors.Is(err, ErrJWTMissingKeyID) { t.Fatalf("expected ErrJWTMissingKeyID, got %v", err) } } diff --git a/pkg/auth/paseto_test.go b/pkg/auth/paseto_test.go index 9c7190b..85a2fde 100644 --- a/pkg/auth/paseto_test.go +++ b/pkg/auth/paseto_test.go @@ -58,7 +58,7 @@ func TestPasetoPublicRoundTrip(t *testing.T) { WithPasetoPublicSecretKey(secret), ) if err != nil { - t.Fatalf("expected signer, got error: %v", err) + t.Fatalf(errMsgExpectedSigner, err) } verifier, err := NewPasetoPublicVerifier( @@ -103,7 +103,9 @@ func TestPasetoMissingExpiration(t *testing.T) { } missingExp := paseto.NewToken() - if _, err := local.Encrypt(&missingExp); !errors.Is(err, ErrPasetoMissingExpiry) { + + _, err = local.Encrypt(&missingExp) + if !errors.Is(err, ErrPasetoMissingExpiry) { t.Fatalf("expected ErrPasetoMissingExpiry, got %v", err) } @@ -111,10 +113,11 @@ func TestPasetoMissingExpiration(t *testing.T) { signer, err := NewPasetoPublicSigner(WithPasetoPublicSecretKey(secret)) if err != nil { - t.Fatalf("expected signer, got error: %v", err) + t.Fatalf(errMsgExpectedSigner, err) } - if _, err := signer.Sign(&missingExp); !errors.Is(err, ErrPasetoMissingExpiry) { + _, err = signer.Sign(&missingExp) + if !errors.Is(err, ErrPasetoMissingExpiry) { t.Fatalf("expected ErrPasetoMissingExpiry, got %v", err) } } diff --git a/pkg/converters/convert_test.go b/pkg/converters/convert_test.go index d92e307..3c0628f 100644 --- a/pkg/converters/convert_test.go +++ b/pkg/converters/convert_test.go @@ -6,8 +6,16 @@ import ( ) const ( - errMsgNegativeInput = "expected error for negative input" - errMsgOverflow = "expected overflow error" + errMsgNegativeInput = "expected error for negative input" + errMsgOverflow = "expected overflow error" + errMsgUnexpected = "unexpected error: %v" + errMsgUnexpectedValue = "expected %v, got %d" +) + +const ( + testValue = 42 + testValueInt64 = 123 + int8Value = 12 ) func TestSafeUint64FromInt(t *testing.T) { @@ -15,7 +23,7 @@ func TestSafeUint64FromInt(t *testing.T) { value, err := SafeUint64FromInt(10) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } if value != 10 { @@ -31,13 +39,13 @@ func TestSafeUint64FromInt(t *testing.T) { func TestSafeUint64FromInt64(t *testing.T) { t.Parallel() - value, err := SafeUint64FromInt64(42) + value, err := SafeUint64FromInt64(testValue) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } _, err = SafeUint64FromInt64(-5) @@ -49,13 +57,13 @@ func TestSafeUint64FromInt64(t *testing.T) { func TestSafeIntFromInt64(t *testing.T) { t.Parallel() - value, err := SafeIntFromInt64(123) + value, err := SafeIntFromInt64(testValueInt64) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 123 { - t.Fatalf("expected 123, got %d", value) + if value != testValueInt64 { + t.Fatalf(errMsgUnexpectedValue, testValueInt64, value) } maxInt := int64(^uint(0) >> 1) @@ -72,16 +80,17 @@ func TestSafeIntFromInt64(t *testing.T) { func TestSafeUintFromInt64(t *testing.T) { t.Parallel() - value, err := SafeUintFromInt64(42) + value, err := SafeUintFromInt64(testValue) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = SafeUintFromInt64(-1); err == nil { + _, err = SafeUintFromInt64(-1) + if err == nil { t.Fatal(errMsgNegativeInput) } @@ -90,7 +99,9 @@ func TestSafeUintFromInt64(t *testing.T) { maxInt64 := uint64(^uint64(0) >> 1) if maxUint < maxInt64 { overflowCandidate := int64(maxUint) + 1 - if _, err = SafeUintFromInt64(overflowCandidate); err == nil { + + _, err = SafeUintFromInt64(overflowCandidate) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -99,20 +110,22 @@ func TestSafeUintFromInt64(t *testing.T) { func TestSafeUint32FromInt64(t *testing.T) { t.Parallel() - value, err := SafeUint32FromInt64(42) + value, err := SafeUint32FromInt64(testValue) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = SafeUint32FromInt64(-1); err == nil { + _, err = SafeUint32FromInt64(-1) + if err == nil { t.Fatal(errMsgNegativeInput) } - if _, err = SafeUint32FromInt64(int64(^uint32(0)) + 1); err == nil { + _, err = SafeUint32FromInt64(int64(^uint32(0)) + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -120,20 +133,22 @@ func TestSafeUint32FromInt64(t *testing.T) { func TestSafeUint16FromInt64(t *testing.T) { t.Parallel() - value, err := SafeUint16FromInt64(42) + value, err := SafeUint16FromInt64(testValue) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = SafeUint16FromInt64(-1); err == nil { + _, err = SafeUint16FromInt64(-1) + if err == nil { t.Fatal(errMsgNegativeInput) } - if _, err = SafeUint16FromInt64(int64(^uint16(0)) + 1); err == nil { + _, err = SafeUint16FromInt64(int64(^uint16(0)) + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -141,20 +156,22 @@ func TestSafeUint16FromInt64(t *testing.T) { func TestSafeUint8FromInt64(t *testing.T) { t.Parallel() - value, err := SafeUint8FromInt64(42) + value, err := SafeUint8FromInt64(testValue) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = SafeUint8FromInt64(-1); err == nil { + _, err = SafeUint8FromInt64(-1) + if err == nil { t.Fatal(errMsgNegativeInput) } - if _, err = SafeUint8FromInt64(int64(^uint8(0)) + 1); err == nil { + _, err = SafeUint8FromInt64(int64(^uint8(0)) + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -162,17 +179,19 @@ func TestSafeUint8FromInt64(t *testing.T) { func TestSafeIntFromUint64(t *testing.T) { t.Parallel() - value, err := SafeIntFromUint64(123) + value, err := SafeIntFromUint64(testValueInt64) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 123 { - t.Fatalf("expected 123, got %d", value) + if value != testValueInt64 { + t.Fatalf(errMsgUnexpectedValue, testValueInt64, value) } maxInt := uint64(^uint(0) >> 1) - if _, err = SafeIntFromUint64(maxInt + 1); err == nil { + + _, err = SafeIntFromUint64(maxInt + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -180,16 +199,17 @@ func TestSafeIntFromUint64(t *testing.T) { func TestSafeInt32FromInt64(t *testing.T) { t.Parallel() - value, err := SafeInt32FromInt64(123) + value, err := SafeInt32FromInt64(testValueInt64) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 123 { - t.Fatalf("expected 123, got %d", value) + if value != testValueInt64 { + t.Fatalf(errMsgUnexpectedValue, testValueInt64, value) } - if _, err = SafeInt32FromInt64(int64(1 << 31)); err == nil { + _, err = SafeInt32FromInt64(int64(1 << 31)) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -197,16 +217,17 @@ func TestSafeInt32FromInt64(t *testing.T) { func TestSafeInt16FromInt64(t *testing.T) { t.Parallel() - value, err := SafeInt16FromInt64(123) + value, err := SafeInt16FromInt64(testValueInt64) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 123 { - t.Fatalf("expected 123, got %d", value) + if value != testValueInt64 { + t.Fatalf(errMsgUnexpectedValue, testValueInt64, value) } - if _, err = SafeInt16FromInt64(int64(1 << 15)); err == nil { + _, err = SafeInt16FromInt64(int64(1 << 15)) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -214,16 +235,17 @@ func TestSafeInt16FromInt64(t *testing.T) { func TestSafeInt8FromInt64(t *testing.T) { t.Parallel() - value, err := SafeInt8FromInt64(12) + value, err := SafeInt8FromInt64(int8Value) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 12 { - t.Fatalf("expected 12, got %d", value) + if value != int8Value { + t.Fatalf("expected %d, got %d", int8Value, value) } - if _, err = SafeInt8FromInt64(int64(1 << 7)); err == nil { + _, err = SafeInt8FromInt64(int64(1 << 7)) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -231,16 +253,17 @@ func TestSafeInt8FromInt64(t *testing.T) { func TestSafeInt64FromUint64(t *testing.T) { t.Parallel() - value, err := SafeInt64FromUint64(123) + value, err := SafeInt64FromUint64(testValueInt64) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 123 { - t.Fatalf("expected 123, got %d", value) + if value != testValueInt64 { + t.Fatalf(errMsgUnexpectedValue, testValueInt64, value) } - if _, err = SafeInt64FromUint64(uint64(math.MaxInt64) + 1); err == nil { + _, err = SafeInt64FromUint64(uint64(math.MaxInt64) + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -248,16 +271,17 @@ func TestSafeInt64FromUint64(t *testing.T) { func TestSafeUint32FromUint64(t *testing.T) { t.Parallel() - value, err := SafeUint32FromUint64(123) + value, err := SafeUint32FromUint64(testValueInt64) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 123 { - t.Fatalf("expected 123, got %d", value) + if value != testValueInt64 { + t.Fatalf(errMsgUnexpectedValue, testValueInt64, value) } - if _, err = SafeUint32FromUint64(uint64(^uint32(0)) + 1); err == nil { + _, err = SafeUint32FromUint64(uint64(^uint32(0)) + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -265,25 +289,26 @@ func TestSafeUint32FromUint64(t *testing.T) { func TestToInt64(t *testing.T) { t.Parallel() - value, err := ToInt64(int32(123)) + value, err := ToInt64(int32(testValueInt64)) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 123 { - t.Fatalf("expected 123, got %d", value) + if value != testValueInt64 { + t.Fatalf(errMsgUnexpectedValue, testValueInt64, value) } - value, err = ToInt64(int8(-12)) + value, err = ToInt64(int8(-int8Value)) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != -12 { - t.Fatalf("expected -12, got %d", value) + if value != -int8Value { + t.Fatalf("expected %d, got %d", -int8Value, value) } - if _, err = ToInt64(uint64(math.MaxInt64) + 1); err == nil { + _, err = ToInt64(uint64(math.MaxInt64) + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -291,20 +316,22 @@ func TestToInt64(t *testing.T) { func TestToInt32(t *testing.T) { t.Parallel() - value, err := ToInt32(uint16(42)) + value, err := ToInt32(uint16(testValue)) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = ToInt32(uint64(1<<31) + 1); err == nil { + _, err = ToInt32(uint64(1<<31) + 1) + if err == nil { t.Fatal(errMsgOverflow) } - if _, err = ToInt32(int64(-1<<31) - 1); err == nil { + _, err = ToInt32(int64(-1<<31) - 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -312,25 +339,26 @@ func TestToInt32(t *testing.T) { func TestToInt(t *testing.T) { t.Parallel() - value, err := ToInt(uint16(42)) + value, err := ToInt(uint16(testValue)) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } maxInt := int64(^uint(0) >> 1) minInt := -maxInt - 1 - + //nolint:gosec _, err = ToInt(uint64(maxInt) + 1) if err == nil { t.Fatal(errMsgOverflow) } if minInt > math.MinInt64 { - if _, err = ToInt(minInt - 1); err == nil { + _, err = ToInt(minInt - 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -339,16 +367,17 @@ func TestToInt(t *testing.T) { func TestToUint64(t *testing.T) { t.Parallel() - value, err := ToUint64(int32(42)) + value, err := ToUint64(int32(testValue)) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = ToUint64(int64(-1)); err == nil { + _, err = ToUint64(int64(-1)) + if err == nil { t.Fatal(errMsgNegativeInput) } } @@ -356,20 +385,22 @@ func TestToUint64(t *testing.T) { func TestToUint32(t *testing.T) { t.Parallel() - value, err := ToUint32(uint16(42)) + value, err := ToUint32(uint16(testValue)) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = ToUint32(int64(-1)); err == nil { + _, err = ToUint32(int64(-1)) + if err == nil { t.Fatal(errMsgNegativeInput) } - if _, err = ToUint32(uint64(^uint32(0)) + 1); err == nil { + _, err = ToUint32(uint64(^uint32(0)) + 1) + if err == nil { t.Fatal(errMsgOverflow) } } @@ -377,22 +408,24 @@ func TestToUint32(t *testing.T) { func TestToUint(t *testing.T) { t.Parallel() - value, err := ToUint(uint16(42)) + value, err := ToUint(uint16(testValue)) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } - if value != 42 { - t.Fatalf("expected 42, got %d", value) + if value != testValue { + t.Fatalf(errMsgUnexpectedValue, testValue, value) } - if _, err = ToUint(int64(-1)); err == nil { + _, err = ToUint(int64(-1)) + if err == nil { t.Fatal(errMsgNegativeInput) } maxUint := uint64(^uint(0)) if maxUint < math.MaxUint64 { - if _, err = ToUint(maxUint + 1); err == nil { + _, err = ToUint(maxUint + 1) + if err == nil { t.Fatal(errMsgOverflow) } } diff --git a/pkg/encoding/encoding_test.go b/pkg/encoding/encoding_test.go index 08610b3..828bb7f 100644 --- a/pkg/encoding/encoding_test.go +++ b/pkg/encoding/encoding_test.go @@ -6,6 +6,8 @@ import ( "testing" ) +const errMsgUnexpected = "expected decoded, got %v" + func TestBase64EncodeDecode(t *testing.T) { t.Parallel() @@ -18,7 +20,7 @@ func TestBase64EncodeDecode(t *testing.T) { decoded, err := DecodeBase64(encoded) if err != nil { - t.Fatalf("expected decoded, got %v", err) + t.Fatalf(errMsgUnexpected, err) } if string(decoded) != string(input) { @@ -56,7 +58,7 @@ func TestHexEncodeDecode(t *testing.T) { decoded, err := DecodeHex(encoded) if err != nil { - t.Fatalf("expected decoded, got %v", err) + t.Fatalf(errMsgUnexpected, err) } if string(decoded) != string(input) { @@ -95,8 +97,10 @@ func TestDecodeJSON(t *testing.T) { } var result payload - if err := DecodeJSON(data, &result); err != nil { - t.Fatalf("expected decoded, got %v", err) + + err = DecodeJSON(data, &result) + if err != nil { + t.Fatalf(errMsgUnexpected, err) } if result.Name != "alpha" { @@ -134,7 +138,7 @@ func TestDecodeJSONAllowUnknown(t *testing.T) { WithJSONAllowUnknownFields(true), ) if err != nil { - t.Fatalf("expected decoded, got %v", err) + t.Fatalf(errMsgUnexpected, err) } } @@ -181,7 +185,7 @@ func TestDecodeJSONReader(t *testing.T) { err := DecodeJSONReader(reader, &result) if err != nil { - t.Fatalf("expected decoded, got %v", err) + t.Fatalf(errMsgUnexpected, err) } if result.Name != "alpha" { diff --git a/pkg/io/file_bench_test.go b/pkg/io/file_bench_test.go index 33cf2e6..65150e6 100644 --- a/pkg/io/file_bench_test.go +++ b/pkg/io/file_bench_test.go @@ -26,7 +26,8 @@ func BenchmarkSecureReadFile(b *testing.B) { } }() - if _, err := file.Write(data); err != nil { + _, err = file.Write(data) + if err != nil { err = file.Close() if err != nil { b.Fatalf("failed to close temp file: %v", err) @@ -35,7 +36,8 @@ func BenchmarkSecureReadFile(b *testing.B) { b.Fatalf("failed to write temp data: %v", err) } - if err := file.Close(); err != nil { + err = file.Close() + if err != nil { b.Fatalf("failed to close temp file: %v", err) } @@ -71,14 +73,17 @@ func BenchmarkSecureWriteFile(b *testing.B) { } path := file.Name() - if err := file.Close(); err != nil { + + err = file.Close() + if err != nil { err = os.Remove(path) require.NoError(b, err) b.Fatalf("failed to close temp file: %v", err) } - if err := os.Remove(path); err != nil { + err = os.Remove(path) + if err != nil { b.Fatalf("failed to remove temp file: %v", err) } diff --git a/pkg/io/file_test.go b/pkg/io/file_test.go index e7e3b62..63641f5 100644 --- a/pkg/io/file_test.go +++ b/pkg/io/file_test.go @@ -398,7 +398,7 @@ func TestSecureReadFileWithOptionsDisallowPerms(t *testing.T) { require.ErrorIs(t, err, ErrPermissionsNotAllowed) } -func createTempFile(t *testing.T, data []byte) (string, string) { +func createTempFile(t *testing.T, data []byte) (filename, relPath string) { t.Helper() file, err := os.CreateTemp(t.TempDir(), "sectools-file-*") @@ -410,25 +410,20 @@ func createTempFile(t *testing.T, data []byte) (string, string) { require.NoError(t, file.Close()) t.Cleanup(func() { + //nolint:errcheck _ = os.Remove(file.Name()) }) - relPath, err := filepath.Rel(os.TempDir(), file.Name()) + relPath, err = filepath.Rel(os.TempDir(), file.Name()) require.NoError(t, err) return file.Name(), relPath } -func createTempDir(t *testing.T) (string, string) { +func createTempDir(t *testing.T) (dir, relPath string) { t.Helper() - dir, err := os.MkdirTemp("", "sectools-dir-*") - require.NoError(t, err) - - t.Cleanup(func() { - err = os.RemoveAll(dir) - require.NoError(t, err) - }) + dir = t.TempDir() relPath, err := filepath.Rel(os.TempDir(), dir) require.NoError(t, err) @@ -436,6 +431,7 @@ func createTempDir(t *testing.T) (string, string) { return dir, relPath } +//nolint:revive,unparam func createTempSymlink(t *testing.T, data []byte) (string, string, string) { t.Helper() diff --git a/pkg/memory/reader_test.go b/pkg/memory/reader_test.go index f302a06..3a34922 100644 --- a/pkg/memory/reader_test.go +++ b/pkg/memory/reader_test.go @@ -9,6 +9,8 @@ import ( "github.com/hyp3rd/ewrap" ) +const errMsgUnexpected = "unexpected error: %v" + func TestNewSecureBufferFromReader(t *testing.T) { t.Parallel() @@ -16,7 +18,7 @@ func TestNewSecureBufferFromReader(t *testing.T) { buf, err := NewSecureBufferFromReader(bytes.NewReader(input), int64(len(input))) if err != nil { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } if got := buf.Bytes(); !bytes.Equal(got, input) { @@ -65,7 +67,7 @@ func TestNewSecureBufferFromReaderReadError(t *testing.T) { } if !strings.Contains(err.Error(), "failed to read data") { - t.Fatalf("unexpected error: %v", err) + t.Fatalf(errMsgUnexpected, err) } } diff --git a/pkg/memory/secure_buffer_test.go b/pkg/memory/secure_buffer_test.go index 1f98656..780a290 100644 --- a/pkg/memory/secure_buffer_test.go +++ b/pkg/memory/secure_buffer_test.go @@ -15,20 +15,20 @@ func TestNewSecureBuffer(t *testing.T) { // Verify data was copied correctly if !bytes.Equal(buf.data, originalData) { - t.Errorf("Expected buffer data to equal original data") + t.Error("Expected buffer data to equal original data") } // Verify the buffer is using a different memory location originalData[0] = 'X' if buf.data[0] == 'X' { - t.Errorf("Buffer should contain a copy of the data, not a reference") + t.Error("Buffer should contain a copy of the data, not a reference") } // Test with empty data emptyBuf := NewSecureBuffer([]byte{}) if len(emptyBuf.data) != 0 { - t.Errorf("Expected empty buffer for empty input") + t.Error("Expected empty buffer for empty input") } } @@ -44,7 +44,7 @@ func TestClear(t *testing.T) { // Verify data was cleared if buf.data != nil { - t.Errorf("Buffer data should be nil after clearing") + t.Error("Buffer data should be nil after clearing") } // Test clearing an already cleared buffer @@ -59,7 +59,7 @@ func TestClearFast(t *testing.T) { buf.ClearFast() if buf.data != nil { - t.Errorf("Buffer data should be nil after fast clearing") + t.Error("Buffer data should be nil after fast clearing") } buf.ClearFast() // Should not panic @@ -77,12 +77,12 @@ func TestBytes(t *testing.T) { // Verify data matches if !bytes.Equal(retrievedData, testData) { - t.Errorf("Retrieved data doesn't match original data") + t.Error("Retrieved data doesn't match original data") } retrievedAlias := buf.Bytes() if !bytes.Equal(retrievedAlias, testData) { - t.Errorf("Bytes alias mismatch") + t.Error("Bytes alias mismatch") } } @@ -99,11 +99,11 @@ func TestString(t *testing.T) { // Verify string matches if str != string(testData) { - t.Errorf("String representation doesn't match original data") + t.Error("String representation doesn't match original data") } if unsafeStr != string(testData) { - t.Errorf("Unsafe string representation doesn't match original data") + t.Error("Unsafe string representation doesn't match original data") } } @@ -120,7 +120,7 @@ func TestFinalizer(t *testing.T) { }() // Force garbage collection - runtime.GC() + runtime.GC() //nolint:revive // We can't actually verify the Clear() was called by the finalizer // since we don't have access to the buffer anymore, but this at least @@ -132,7 +132,7 @@ func TestSecureBufferNilInput(t *testing.T) { buf := NewSecureBuffer(nil) if len(buf.data) != 0 { - t.Errorf("Expected 0 len data for nil input") + t.Error("Expected 0 len data for nil input") } } @@ -146,7 +146,7 @@ func TestSecureBufferLargeData(t *testing.T) { buf := NewSecureBuffer(largeData) if len(buf.data) != len(largeData) { - t.Errorf("Buffer size mismatch for large data") + t.Error("Buffer size mismatch for large data") } for i := range largeData { @@ -166,13 +166,13 @@ func TestSecureBufferMultipleCopies(t *testing.T) { buf2 := NewSecureBuffer(buf1.BytesCopy()) if !bytes.Equal(buf1.data, buf2.data) { - t.Errorf("Data mismatch between buffer copies") + t.Error("Data mismatch between buffer copies") } buf1.Clear() if buf2.data == nil { - t.Errorf("Clearing one buffer should not affect others") + t.Error("Clearing one buffer should not affect others") } } @@ -210,11 +210,11 @@ func TestSecureBufferZeroLengthData(t *testing.T) { buf := NewSecureBuffer(make([]byte, 0)) if buf.data == nil { - t.Errorf("Zero length buffer should not be nil") + t.Error("Zero length buffer should not be nil") } if len(buf.data) != 0 { - t.Errorf("Zero length buffer should have length 0") + t.Error("Zero length buffer should have length 0") } } @@ -226,18 +226,18 @@ func TestSecureBufferStringWithNonUTF8(t *testing.T) { str := buf.UnsafeString() if len(str) != len(invalidUTF8) { - t.Errorf("String length mismatch for non-UTF8 data") + t.Error("String length mismatch for non-UTF8 data") } } func TestZeroBytes(t *testing.T) { t.Parallel() - + //nolint:revive data := []byte{1, 2, 3, 4} ZeroBytes(data) if !bytes.Equal(data, []byte{0, 0, 0, 0}) { - t.Errorf("Expected zeroed bytes") + t.Error("Expected zeroed bytes") } ZeroBytes(nil) // Should not panic diff --git a/pkg/mfa/backup_test.go b/pkg/mfa/backup_test.go index 56e33d4..1b214f5 100644 --- a/pkg/mfa/backup_test.go +++ b/pkg/mfa/backup_test.go @@ -105,6 +105,7 @@ func TestBackupCodeInvalidAlphabet(t *testing.T) { } } +//nolint:revive func TestBackupCodeInvalidOptions(t *testing.T) { t.Parallel() diff --git a/pkg/mfa/hotp_test.go b/pkg/mfa/hotp_test.go index 1e69773..26f2b65 100644 --- a/pkg/mfa/hotp_test.go +++ b/pkg/mfa/hotp_test.go @@ -13,19 +13,24 @@ const ( hotpTestSecret = "JBSWY3DPEHPK3PXPJBSWY3DPEHPK3PXP" // cspell:disable-line ) +const ( + errExpectedCode = "expected code, got %v" + errExpectedHelper = "expected hotp helper, got %v" +) + func TestHOTPGenerateAndVerify(t *testing.T) { t.Parallel() helper, err := NewHOTP(hotpTestSecret) if err != nil { - t.Fatalf("expected hotp helper, got %v", err) + t.Fatalf(errExpectedHelper, err) } counter := uint64(1) code, err := helper.Generate(counter) if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } ok, next, err := helper.Verify(code, counter) @@ -47,14 +52,14 @@ func TestHOTPVerifyWindow(t *testing.T) { helper, err := NewHOTP(hotpTestSecret, WithHOTPWindow(1)) if err != nil { - t.Fatalf("expected hotp helper, got %v", err) + t.Fatalf(errExpectedHelper, err) } counter := uint64(5) code, err := helper.Generate(counter + 1) if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } ok, next, err := helper.Verify(code, counter) @@ -76,19 +81,19 @@ func TestHOTPResync(t *testing.T) { helper, err := NewHOTP(hotpTestSecret, WithHOTPResyncWindow(3)) if err != nil { - t.Fatalf("expected hotp helper, got %v", err) + t.Fatalf(errExpectedHelper, err) } counter := uint64(5) code1, err := helper.Generate(counter + 2) if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } code2, err := helper.Generate(counter + 3) if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } ok, next, err := helper.Resync(code1, code2, counter) @@ -110,19 +115,19 @@ func TestHOTPResyncRejectsNonConsecutive(t *testing.T) { helper, err := NewHOTP(hotpTestSecret, WithHOTPResyncWindow(3)) if err != nil { - t.Fatalf("expected hotp helper, got %v", err) + t.Fatalf(errExpectedHelper, err) } counter := uint64(5) code1, err := helper.Generate(counter + 1) if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } code2, err := helper.Generate(counter + 3) if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } ok, _, err := helper.Resync(code1, code2, counter) @@ -140,7 +145,7 @@ func TestHOTPInvalidCode(t *testing.T) { helper, err := NewHOTP(hotpTestSecret) if err != nil { - t.Fatalf("expected hotp helper, got %v", err) + t.Fatalf(errExpectedHelper, err) } _, _, err = helper.Verify("invalid", 0) diff --git a/pkg/mfa/rate_limit_test.go b/pkg/mfa/rate_limit_test.go index ddfa13f..10849d1 100644 --- a/pkg/mfa/rate_limit_test.go +++ b/pkg/mfa/rate_limit_test.go @@ -8,6 +8,11 @@ import ( "github.com/hyp3rd/ewrap" ) +const ( + errMsgExpectedTOTPHelper = "expected totp helper, got %v" + errMsgExpectedErrMFARateLimited = "expected ErrMFARateLimited, got %v" +) + type testRateLimiter struct { allow bool err error @@ -27,12 +32,12 @@ func TestTOTPVerifyRateLimited(t *testing.T) { helper, err := NewTOTP(totpTestSecret, WithTOTPRateLimiter(limiter)) if err != nil { - t.Fatalf("expected totp helper, got %v", err) + t.Fatalf(errMsgExpectedTOTPHelper, err) } _, err = helper.Verify("123456") if !errors.Is(err, ErrMFARateLimited) { - t.Fatalf("expected ErrMFARateLimited, got %v", err) + t.Fatalf(errMsgExpectedErrMFARateLimited, err) } if limiter.calls != 1 { @@ -47,12 +52,12 @@ func TestHOTPVerifyRateLimited(t *testing.T) { helper, err := NewHOTP(hotpTestSecret, WithHOTPRateLimiter(limiter)) if err != nil { - t.Fatalf("expected hotp helper, got %v", err) + t.Fatalf(errExpectedHelper, err) } _, _, err = helper.Verify("123456", 0) if !errors.Is(err, ErrMFARateLimited) { - t.Fatalf("expected ErrMFARateLimited, got %v", err) + t.Fatalf(errMsgExpectedErrMFARateLimited, err) } if limiter.calls != 1 { @@ -72,7 +77,7 @@ func TestBackupVerifyRateLimited(t *testing.T) { _, _, err = manager.Verify("ABCD", nil) if !errors.Is(err, ErrMFARateLimited) { - t.Fatalf("expected ErrMFARateLimited, got %v", err) + t.Fatalf(errMsgExpectedErrMFARateLimited, err) } if limiter.calls != 1 { @@ -91,11 +96,11 @@ func TestRateLimiterErrorWraps(t *testing.T) { WithTOTPClock(time.Now), ) if err != nil { - t.Fatalf("expected totp helper, got %v", err) + t.Fatalf(errMsgExpectedTOTPHelper, err) } _, err = helper.Verify("123456") if err == nil || !errors.Is(err, ErrMFARateLimited) { - t.Fatalf("expected ErrMFARateLimited, got %v", err) + t.Fatalf(errMsgExpectedErrMFARateLimited, err) } } diff --git a/pkg/mfa/totp_test.go b/pkg/mfa/totp_test.go index 13ae41b..fb2e891 100644 --- a/pkg/mfa/totp_test.go +++ b/pkg/mfa/totp_test.go @@ -16,7 +16,7 @@ const ( func TestTOTPGenerateAndVerify(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, time.January, 2, 15, 4, 5, 0, time.UTC) clock := func() time.Time { return now @@ -24,12 +24,12 @@ func TestTOTPGenerateAndVerify(t *testing.T) { helper, err := NewTOTP(totpTestSecret, WithTOTPClock(clock)) if err != nil { - t.Fatalf("expected totp helper, got %v", err) + t.Fatalf(errMsgExpectedTOTPHelper, err) } code, err := helper.Generate() if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } ok, err := helper.Verify(code) @@ -58,7 +58,7 @@ func TestTOTPGenerateAndVerify(t *testing.T) { func TestTOTPVerifySkew(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, time.January, 2, 15, 4, 5, 0, time.UTC) clock := func() time.Time { return now @@ -66,12 +66,12 @@ func TestTOTPVerifySkew(t *testing.T) { helper, err := NewTOTP(totpTestSecret, WithTOTPClock(clock), WithTOTPAllowedSkew(1)) if err != nil { - t.Fatalf("expected totp helper, got %v", err) + t.Fatalf(errMsgExpectedTOTPHelper, err) } code, err := helper.Generate() if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } now = now.Add(totpDefaultPeriod) @@ -88,7 +88,7 @@ func TestTOTPVerifySkew(t *testing.T) { func TestTOTPVerifyWithStep(t *testing.T) { t.Parallel() - + //nolint:revive now := time.Date(2024, time.January, 2, 15, 4, 5, 0, time.UTC) clock := func() time.Time { return now @@ -96,12 +96,12 @@ func TestTOTPVerifyWithStep(t *testing.T) { helper, err := NewTOTP(totpTestSecret, WithTOTPClock(clock)) if err != nil { - t.Fatalf("expected totp helper, got %v", err) + t.Fatalf(errMsgExpectedTOTPHelper, err) } code, err := helper.Generate() if err != nil { - t.Fatalf("expected code, got %v", err) + t.Fatalf(errExpectedCode, err) } ok, step, err := helper.VerifyWithStep(code) @@ -112,7 +112,7 @@ func TestTOTPVerifyWithStep(t *testing.T) { if !ok { t.Fatalf("expected valid code") } - + //nolint:gosec expectedStep := uint64(now.Unix() / int64(totpDefaultPeriod/time.Second)) if step != expectedStep { t.Fatalf("expected step %d, got %d", expectedStep, step) @@ -124,7 +124,7 @@ func TestTOTPInvalidCode(t *testing.T) { helper, err := NewTOTP(totpTestSecret) if err != nil { - t.Fatalf("expected totp helper, got %v", err) + t.Fatalf(errMsgExpectedTOTPHelper, err) } _, err = helper.Verify("invalid") diff --git a/pkg/password/argon2id_test.go b/pkg/password/argon2id_test.go index fc4cf30..e8e88c2 100644 --- a/pkg/password/argon2id_test.go +++ b/pkg/password/argon2id_test.go @@ -32,11 +32,11 @@ func TestArgon2idHashVerify(t *testing.T) { } if !ok { - t.Fatalf("expected password match") + t.Fatal("expected password match") } if needsRehash { - t.Fatalf("expected no rehash with same params") + t.Fatal("expected no rehash with same params") } stronger, err := NewArgon2id(Argon2idParams{ @@ -56,11 +56,11 @@ func TestArgon2idHashVerify(t *testing.T) { } if !ok { - t.Fatalf("expected password match") + t.Fatal("expected password match") } if !needsRehash { - t.Fatalf("expected rehash for stronger params") + t.Fatal("expected rehash for stronger params") } } diff --git a/pkg/password/bcrypt_test.go b/pkg/password/bcrypt_test.go index 5379a6f..6f5a72d 100644 --- a/pkg/password/bcrypt_test.go +++ b/pkg/password/bcrypt_test.go @@ -26,11 +26,11 @@ func TestBcryptHashVerify(t *testing.T) { } if !ok { - t.Fatalf("expected password match") + t.Fatal("expected password match") } if needsRehash { - t.Fatalf("expected no rehash with same cost") + t.Fatal("expected no rehash with same cost") } stronger, err := NewBcrypt(bcrypt.MinCost + 1) @@ -44,11 +44,11 @@ func TestBcryptHashVerify(t *testing.T) { } if !ok { - t.Fatalf("expected password match") + t.Fatal("expected password match") } if !needsRehash { - t.Fatalf("expected rehash with higher cost") + t.Fatal("expected rehash with higher cost") } } diff --git a/pkg/sanitize/nosql_detect_test.go b/pkg/sanitize/nosql_detect_test.go index 7523978..9af7fc8 100644 --- a/pkg/sanitize/nosql_detect_test.go +++ b/pkg/sanitize/nosql_detect_test.go @@ -5,12 +5,16 @@ import ( "testing" ) +const ( + errMsgDetector = "expected detector, got %v" +) + func TestNoSQLInjectionDetectorDefault(t *testing.T) { t.Parallel() detector, err := NewNoSQLInjectionDetector() if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } err = detector.Detect(`{"username":{"$ne":null}}`) @@ -34,7 +38,7 @@ func TestNoSQLInjectionDetectorCustomOperators(t *testing.T) { detector, err := NewNoSQLInjectionDetector(WithNoSQLDetectOperators("custom")) if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } err = detector.Detect(`{"$custom":true}`) @@ -48,7 +52,7 @@ func TestNoSQLInjectionDetectorMaxLength(t *testing.T) { detector, err := NewNoSQLInjectionDetector(WithNoSQLDetectMaxLength(1)) if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } err = detector.Detect("ab") diff --git a/pkg/sanitize/sql_test.go b/pkg/sanitize/sql_test.go index 87f425f..305424e 100644 --- a/pkg/sanitize/sql_test.go +++ b/pkg/sanitize/sql_test.go @@ -97,7 +97,7 @@ func TestSQLInjectionDetector(t *testing.T) { detector, err := NewSQLInjectionDetector() if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } err = detector.Detect("1 OR 1=1; --") diff --git a/pkg/secrets/secrets_test.go b/pkg/secrets/secrets_test.go index 5bb72b6..f2ab947 100644 --- a/pkg/secrets/secrets_test.go +++ b/pkg/secrets/secrets_test.go @@ -6,12 +6,17 @@ import ( "testing" ) +const ( + errMsgExpectedRedactor = "expected redactor, got %v" + errMsgDetector = "expected detector, got %v" +) + func TestSecretDetectorDetectAny(t *testing.T) { t.Parallel() detector, err := NewSecretDetector() if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } err = detector.DetectAny("AKIA1234567890ABCD12") @@ -25,7 +30,7 @@ func TestSecretDetectorRedact(t *testing.T) { detector, err := NewSecretDetector() if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } input := "token=ghp_abcdefghijklmnopqrstuvwxyz1234567890" @@ -49,7 +54,7 @@ func TestRedactorKeys(t *testing.T) { redactor, err := NewRedactor() if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } fields := map[string]any{ @@ -72,12 +77,12 @@ func TestRedactorDetector(t *testing.T) { detector, err := NewSecretDetector() if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } redactor, err := NewRedactor(WithRedactionDetector(detector)) if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } fields := map[string]any{ @@ -96,7 +101,7 @@ func TestSecretDetectorInputTooLong(t *testing.T) { detector, err := NewSecretDetector(WithSecretMaxLength(10)) if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } longInput := strings.Repeat("a", 11) @@ -283,7 +288,7 @@ func TestSecretDetectorEdgeCases(t *testing.T) { detector, err := NewSecretDetector() if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } t.Run("empty string", func(t *testing.T) { @@ -332,7 +337,7 @@ func TestRedactorEdgeCases(t *testing.T) { redactor, err := NewRedactor() if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } t.Run("nil fields", func(t *testing.T) { @@ -373,7 +378,7 @@ func TestWithSecretPattern(t *testing.T) { WithSecretPattern("custom-pattern", `custom-[0-9]{4}`), ) if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } input := "My custom token is custom-1234" @@ -409,7 +414,7 @@ func TestWithSecretPatterns(t *testing.T) { detector, err := NewSecretDetector(WithSecretPatterns(patterns...)) if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } input := "Found test-123 and secret-abc" @@ -427,12 +432,12 @@ func TestWithSecretPatterns(t *testing.T) { // TestWithSecretMaxLength tests the WithSecretMaxLength option. func TestWithSecretMaxLength(t *testing.T) { t.Parallel() - + //nolint:revive maxLen := 20 detector, err := NewSecretDetector(WithSecretMaxLength(maxLen)) if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } t.Run("within limit", func(t *testing.T) { @@ -466,7 +471,7 @@ func TestWithSecretMask(t *testing.T) { detector, err := NewSecretDetector(WithSecretMask(customMask)) if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } input := "token=ghp_abcdefghijklmnopqrstuvwxyz1234567890" @@ -493,12 +498,12 @@ func TestNestedStructureRedaction(t *testing.T) { detector, err := NewSecretDetector() if err != nil { - t.Fatalf("expected detector, got %v", err) + t.Fatalf(errMsgDetector, err) } redactor, err := NewRedactor(WithRedactionDetector(detector)) if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } t.Run("maps within maps", func(t *testing.T) { @@ -611,7 +616,7 @@ func TestWithRedactionKeys(t *testing.T) { WithRedactionKeys("custom_secret", "private_data"), ) if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } fields := map[string]any{ @@ -642,7 +647,7 @@ func TestWithRedactionKeys(t *testing.T) { WithRedactionKeys("MySecret"), ) if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } fields := map[string]any{ @@ -676,7 +681,7 @@ func TestWithRedactionMaxDepth(t *testing.T) { redactor, err := NewRedactor(WithRedactionMaxDepth(2)) if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } // Create a deeply nested structure (depth > 2) @@ -718,7 +723,7 @@ func TestWithRedactionMaxDepth(t *testing.T) { redactor, err := NewRedactor(WithRedactionMaxDepth(3)) if err != nil { - t.Fatalf("expected redactor, got %v", err) + t.Fatalf(errMsgExpectedRedactor, err) } fields := map[string]any{ diff --git a/pkg/tokens/tokens_test.go b/pkg/tokens/tokens_test.go index e02a4e1..37e7e0d 100644 --- a/pkg/tokens/tokens_test.go +++ b/pkg/tokens/tokens_test.go @@ -6,6 +6,8 @@ import ( "testing" ) +const errMsgValidator = "expected validator, got %v" + func TestTokenGenerateAndValidateBase64(t *testing.T) { t.Parallel() @@ -16,7 +18,7 @@ func TestTokenGenerateAndValidateBase64(t *testing.T) { validator, err := NewValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } token, err := generator.Generate() @@ -44,7 +46,7 @@ func TestTokenGenerateHex(t *testing.T) { validator, err := NewValidator(WithTokenEncoding(TokenEncodingHex)) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } token, err := generator.Generate() @@ -70,7 +72,7 @@ func TestTokenValidateMaxLength(t *testing.T) { WithTokenMinEntropyBits(8), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate("aaaaa") @@ -84,7 +86,7 @@ func TestTokenValidateInsufficientEntropy(t *testing.T) { validator, err := NewValidator(WithTokenMinEntropyBits(128)) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } // Note: make([]byte, 8) produces an all-zero token. This test exercises the @@ -103,7 +105,7 @@ func TestTokenValidateMinBytes(t *testing.T) { validator, err := NewValidator(WithTokenMinBytes(32)) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } short := base64.RawURLEncoding.EncodeToString(make([]byte, 16)) @@ -119,7 +121,7 @@ func TestTokenValidateWhitespace(t *testing.T) { validator, err := NewValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate("token with space") diff --git a/pkg/validate/email_test.go b/pkg/validate/email_test.go index 914f63d..6787e06 100644 --- a/pkg/validate/email_test.go +++ b/pkg/validate/email_test.go @@ -9,6 +9,12 @@ import ( "golang.org/x/net/idna" ) +const ( + errMsgValidator = "expected validator, got %v" + errMsgValidEmail = "expected valid email, got %v" + testEmail = "user@example.com" +) + type fakeResolver struct { mxRecords map[string][]*net.MX hosts map[string][]string @@ -37,12 +43,12 @@ func TestEmailValidateBasic(t *testing.T) { validator, err := NewEmailValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } - result, err := validator.Validate(context.Background(), "user@example.com") + result, err := validator.Validate(context.Background(), testEmail) if err != nil { - t.Fatalf("expected valid email, got %v", err) + t.Fatalf(errMsgValidEmail, err) } if result.DomainASCII != "example.com" { @@ -55,7 +61,7 @@ func TestEmailRejectDisplayName(t *testing.T) { validator, err := NewEmailValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "Name ") @@ -69,15 +75,15 @@ func TestEmailAllowDisplayName(t *testing.T) { validator, err := NewEmailValidator(WithEmailAllowDisplayName(true)) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } result, err := validator.Validate(context.Background(), "Name ") if err != nil { - t.Fatalf("expected valid email, got %v", err) + t.Fatalf(errMsgValidEmail, err) } - if result.Address != "user@example.com" { + if result.Address != testEmail { t.Fatalf("expected normalized address, got %s", result.Address) } } @@ -87,7 +93,7 @@ func TestEmailInvalidLocalPart(t *testing.T) { validator, err := NewEmailValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "user..dot@example.com") @@ -101,7 +107,7 @@ func TestEmailRequireTLD(t *testing.T) { validator, err := NewEmailValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "user@localhost") @@ -124,16 +130,16 @@ func TestEmailDomainVerificationMX(t *testing.T) { WithEmailDNSResolver(resolver), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } - result, err := validator.Validate(context.Background(), "user@example.com") + result, err := validator.Validate(context.Background(), testEmail) if err != nil { - t.Fatalf("expected valid email, got %v", err) + t.Fatalf(errMsgValidEmail, err) } if !result.DomainVerified || !result.VerifiedByMX { - t.Fatalf("expected mx verification") + t.Fatal("expected mx verification") } } @@ -151,16 +157,16 @@ func TestEmailDomainVerificationFallback(t *testing.T) { WithEmailDNSResolver(resolver), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } - result, err := validator.Validate(context.Background(), "user@example.com") + result, err := validator.Validate(context.Background(), testEmail) if err != nil { - t.Fatalf("expected valid email, got %v", err) + t.Fatalf(errMsgValidEmail, err) } if !result.DomainVerified || !result.VerifiedByA { - t.Fatalf("expected A record verification") + t.Fatal("expected A record verification") } } @@ -174,10 +180,10 @@ func TestEmailDomainVerificationUnverified(t *testing.T) { WithEmailDNSResolver(resolver), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } - _, err = validator.Validate(context.Background(), "user@example.com") + _, err = validator.Validate(context.Background(), testEmail) if !errors.Is(err, ErrEmailDomainUnverified) { t.Fatalf("expected ErrEmailDomainUnverified, got %v", err) } @@ -188,12 +194,12 @@ func TestEmailAllowIDN(t *testing.T) { validator, err := NewEmailValidator(WithEmailAllowIDN(true)) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } result, err := validator.Validate(context.Background(), "user@bücher.example") if err != nil { - t.Fatalf("expected valid email, got %v", err) + t.Fatalf(errMsgValidEmail, err) } ascii, err := idna.Lookup.ToASCII("bücher.example") @@ -211,7 +217,7 @@ func TestEmailIPLiteralDisallowed(t *testing.T) { validator, err := NewEmailValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "user@[127.0.0.1]") @@ -225,7 +231,7 @@ func TestEmailIPLiteralAllowed(t *testing.T) { validator, err := NewEmailValidator(WithEmailAllowIPLiteral(true)) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "user@[127.0.0.1]") diff --git a/pkg/validate/url_test.go b/pkg/validate/url_test.go index 5bf6e9d..02ec660 100644 --- a/pkg/validate/url_test.go +++ b/pkg/validate/url_test.go @@ -30,7 +30,7 @@ func TestURLValidateBasic(t *testing.T) { validator, err := NewURLValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "https://example.com/path") @@ -44,7 +44,7 @@ func TestURLRejectUserInfo(t *testing.T) { validator, err := NewURLValidator() if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "https://user:pass@example.com") @@ -60,7 +60,7 @@ func TestURLRejectPrivateIP(t *testing.T) { WithURLAllowIPLiteral(true), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "https://127.0.0.1") @@ -94,7 +94,7 @@ func TestURLRedirectCheck(t *testing.T) { WithURLHTTPClient(client), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } result, err := validator.Validate(context.Background(), "https://example.com/start") @@ -127,7 +127,7 @@ func TestURLRedirectLoop(t *testing.T) { WithURLHTTPClient(client), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "https://example.com/loop") @@ -145,7 +145,7 @@ func TestURLReputationBlock(t *testing.T) { WithURLReputationChecker(checker), ) if err != nil { - t.Fatalf("expected validator, got %v", err) + t.Fatalf(errMsgValidator, err) } _, err = validator.Validate(context.Background(), "https://example.com") From a1ab01930a4893842621ff692fece130bf24d883 Mon Sep 17 00:00:00 2001 From: "F." <62474964+hyp3rd@users.noreply.github.com> Date: Sat, 17 Jan 2026 18:17:37 +0100 Subject: [PATCH 3/4] Update pkg/converters/convert_test.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- pkg/converters/convert_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/converters/convert_test.go b/pkg/converters/convert_test.go index 3c0628f..cd7b4cc 100644 --- a/pkg/converters/convert_test.go +++ b/pkg/converters/convert_test.go @@ -304,7 +304,7 @@ func TestToInt64(t *testing.T) { } if value != -int8Value { - t.Fatalf("expected %d, got %d", -int8Value, value) + t.Fatalf(errMsgUnexpectedValue, -int8Value, value) } _, err = ToInt64(uint64(math.MaxInt64) + 1) From 42672f84de4f5dbe52ebef72a4fb0bab78ec5f8d Mon Sep 17 00:00:00 2001 From: "F." <62474964+hyp3rd@users.noreply.github.com> Date: Sat, 17 Jan 2026 18:17:48 +0100 Subject: [PATCH 4/4] Update pkg/converters/convert_test.go Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- pkg/converters/convert_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/converters/convert_test.go b/pkg/converters/convert_test.go index cd7b4cc..d6e3924 100644 --- a/pkg/converters/convert_test.go +++ b/pkg/converters/convert_test.go @@ -241,7 +241,7 @@ func TestSafeInt8FromInt64(t *testing.T) { } if value != int8Value { - t.Fatalf("expected %d, got %d", int8Value, value) + t.Fatalf(errMsgUnexpectedValue, int8Value, value) } _, err = SafeInt8FromInt64(int64(1 << 7))